Saturday, March 24, 2007

Novell joins Identity monitoring scrum

I mentioned IBM, CA and Oracle's forays into the monitoring of their Identity Management products here, here, here and here. Now Novell's adding to the scrum, but their focus is different from the other vendors mentioned above. In their announcement, Novell says that:
"Tight integration with Sentinel from Novell gives Identity Manager 3.5 the capability to provide critical feedback of system, network and application event activity within the context of an identity."

What this means is that Novell's definition of monitoring here is more along the lines of the business context monitoring I talk about in this post...which does not seem to be explicitly addressed by IBM, CA or Oracle in their Identity monitoring offerings. I also mentioned in this post that each vendor has taken a different approach with their respective offerings. Novell looks to have taken yet another different approach to the others by focusing on compliance and identity based monitoring rather than infrastructure monitoring. If you combine all the focus areas of these 4 vendors, you have a pretty complete identity monitoring offering. Unfortunately, no single vendor has a satisfactory solution that covers all the important parts of monitoring their Identity Management suite.

To get a better understanding of what Novell seems to be doing with their monitoring integration between Sentinel and their Identity Manager, have a look at the solutions from SailPoint Technologies and IBM Consul. These focus very much on the identity centric compliance of enterprise systems. IBM only acquired Consul late last year so they're still "blue-rinsing" the products. Once that is done, they'll be placed into the Tivoli software portfolio and no doubt integrated with the IBM Tivoli Security products to give the business context identity centric functionality so sorely lacking at the moment in all the identity suites (although Novell looks to be addressing this now). Of course, once "blue-rinsed", IBM will claim that the Consul products integrate natively with the Identity Management portfolio. Perhaps this will be partially true, but I don't expect this to be 100% until the next release of the Consul products (probably renamed and properly released under the Tivoli banner by then).

The identity monitoring scrum is getting more crowded, but this is simply in reaction to what the market has been asking for in the past few years. It's about time the vendors started listening. What about Sun and BMC and HP? They're behind the 8 ball at this stage. To be fair, BMC has started to move in this direction with their announcement of having their systems management solutions line up with ITIL and COBIT, but these aren't identity centric. They are systems management and infrastructure centric.

Monday, March 19, 2007

Moving to London

I announced at the end of January that I would be moving from Sydney to London. That day has come. I'll be boarding a flight later tonight (it's the early hours of Monday morning here in Sydney) bound for Heathrow airport.

I will more than likely be wrestling with the logistics of moving and may not get the time to post as often as I normally do. Apologies if this occurs. Hopefully I'll get myself settled in London sooner rather than later so things can get back to normal.

Friday, March 16, 2007

Oracle Identity Architect sets the record straight himself

I made a post yesterday about Oracle's Identity Management product architect Nishant Kaushik's blog post relating to IBM Tivoli Identity Manager (ITIM) and its reconciliation behaviour, specifically around pattern matching during automatic adoption of accounts.

My point was that ITIM does indeed support pattern matching. Nishant had come to the incorrect conclusion based on a presentation given by IBM's Stuart McIrvine at this year's RSA Conference and mentioned in his post that ITIM does not support this while Oracle Identity Manager (OIM) does.

I went on to say that I posted a comment on Nishant's blog attempting to correct the misconception, but could not for the life of me find the comment until I searched for it using Google.

Today I have to give credit to Nishant for setting the record straight publicly in his latest post. He even quotes straight from my comments, including my not so subtle dig at IBM for sending someone without the deep product knowledge required to respond adequately to technical questions.

Good on you Nishant. There's one problem though...I still can't find those comments very easily!

UPDATE: Nishant's just updated his blog with this post where he mentions that he knows there are a few gremlins in the system. This includes my observation about comments not appearing against the relevant posts. In other words, he didn't do it on purpose. The software is just acting up. I assume he'll try to figure out what's going on and get it fixed eventually.

Thursday, March 15, 2007

Securent bandwagon getting heavier

One of the most widely read posts on this blog is my rant on entitlement management and Securent. If you've read it, you might have also noticed my "conversation" with their CEO Rajiv Gupta in the comments (incidentally, I never did get a response to the last email I sent him asking for a clarification - but I'm sure he has better things to do than debate the point with me...like marketing his product for example).

They've been getting more and more positive press coverage lately (here, here, here and here). And this week one of the louder voices in the identity community also jumped on the bandwagon. Dave Kearns made mention of Securent in this NetworkWorld article a few days ago. Again, it was positive.

I'll say one thing. Their marketing department is doing a great job of positioning Securent in a positive light in the marketplace. I have yet to see any negative buzz relating to them (apart from my rant). They've also recently announced the expansion of their leadership team so they are obviously doing very well.

I have nothing against Securent and their place in the market. More power to them for attacking the niche of authorisation management and realising it's been the poor cousin to identity management for a while. Shame on IBM, CA, Sun, Oracle, BMC et al for not realising the potential and doing something about it...from a marketing standpoint (actually CA sort of have, but they only made a half hearted attempt and have not gotten any mindshare).

And that's exactly my point. Securent are winning on marketing. Their decision to use "entitlement management" to differentiate themselves from the pack has been a masterstroke. The less informed amongst us seem to think just because it's not a term they've heard before, it must be new. It's not. Like I've been saying over and over again, it's just authorisation/access management re-badged. Anyone who believes otherwise has been "marketed".

Watch out for Oracle Systems Management

Oracle's just released a new version of their Oracle Enterprise Manager. Oracle President Charles Phillips said:
"We've been in the management business for awhile but I think we were more narrowly focused in the past," Phillips said. "We've probably undersold this product. It's been selling on its own on the back of other deals."

I've commented on this in the past but this looks to be the first deliberate public step towards stomping on the toes of IBM, CA, BMC and HP. Prior to this, they've been rather quiet about their systems management capabilities. The new release claims to cover management of SOA, identity management, change management, process orchestration, key performance indicators, patch management and Oracle's CRM application stack. This is in addition to prior capabilities in monitoring and managing their core middleware and database products.

I don't claim to be an expert on this Oracle product family but at face value, it looks like they mean business. Where they lose out to the incumbents (IBM, CA, BMC, HP) is in the area of network and infrastructure management and monitoring. Where they have a distinct advantage however, is in the area of their application management and monitoring capabilities - particularly with regards to their CRM stack. The fact they own the software means that they should be able to manage it better than anyone else. I say "should" because I've seen companies make hopeless attempts at trying to add value to their own software products and having their lunch eaten by smaller niche players who do a better job (of course, when this happens the large vendor usually just acquires the smaller player).

I doubt it'll take Oracle too much time to catch up with the others in the infrastructure and network space. Why? Because it's a mature market and the best practice solutions and processes are out there...as is the expertise. In other words, Oracle don't need to spend a lot of time figuring out how to do infrastructure and network management. They can either hire the right people or more likely just acquire the mature niche technologies out there. When this happens, the others better watch out because they are going to have their hands full with Oracle in the systems management space. Want evidence of Oracle's prior track record of executing successfully on something very similar? Just take a look at what they did with their Identity Management capabilities.

Setting the record straight on Oracle Identity Architect's blog

Those of you that read Oracle's Identity Management product architect Nishant Kaushik's blog may have recently read this post where he comments on the behaviour of IBM Tivoli Identity Manager's (ITIM) reconciliation function and contrasts it with Oracle Identity Manager (OIM).

Nishant had attended the RSA conference and sat in on a session titled "Delivering Security Integration with Compliance" by IBM's Stuart McIrvine. The following question was asked by an attendee:
"How do you figure out and correlate the account [say account 'jsmith2345'] with the identity [John Smith] it belongs to".

Apparently Stuart's answer was:
"It is based on matching of a common attribute tracked on both the account and the identity. This could be an employee id, a social security number or some other attribute that makes sense."

Nishant's critique on ITIM was that it should really support pattern recognition based matching like OIM does. I have news for readers...ITIM does. I'm not here to defend ITIM. Remember, I no longer work for IBM. I just happen to be in a position where I know ITIM inside out and felt the need to set the record straight.

I actually did attempt to do this by commenting on Nishant's blog in response to his post about a month ago. I waited and wondered why it didn't appear. I was about to rant about how Oracle suppresses information that does not aid OIM's case until our good friend Google found my response here.

While this isn't exactly suppressing information, it is still not good enough in my opinion because it's almost impossible to find unless you're specifically looking for it like I was. My observation of Nishant's blog is that he seems to route all comments relating to his posts into his discussion forum. If you look at his posts, it looks like no one's commenting (the footers all say "comment[0]"). Not exactly useful because there's no easy way to track the comment thread from the original post. Heck, I can't even find a link to the discussion forum itself. Maybe I'm not looking hard enough.

I seriously doubt Nishant reads my blog so if anyone knows him please pass this message on. I'd email him, but I have a feeling it'll be ignored.

UPDATE: I received an email from Nishant shortly after publishing this post. The email was sent in reply to my comment on his blog which I mentioned above (looks like he gets an email every time someone posts a comment). So maybe he doesn't ignore emails...he just takes a very long time to answer them...or maybe you need to make a blog post which provides him with a compelling reason to act :-)

Thursday, March 08, 2007

CA and BEA IAM partnership half assed

CA and BEA have announced a strategic partnership to integrate CA's Identity and Access Management suite with BEA's WebLogic and AquaLogic products. You may have noticed I called this a "half assed" step. In other words, I don't think it'll be particularly successful. Let's analyse it shall we...

First of all, each has a product that competes with the other in the security and identity space. CA has its Embedded Entitlements Manager while BEA has its AquaLogic Enterprise Security product (don't get me started on what a stupid, generic name this is - did they seriously pay someone to think up the name? I hope not!). What's a customer to do? Pick one over the other? I want to be a fly on the wall when BEA and CA go to a customer pitching the combined solution and the customer asks about entitlement management (just another name for authorisation management - see my thoughts on this here) and what product they should use to fit in well with the proposed, combined, "nicely integrated" CA/BEA solution. Is each side going to stab the other in the back and tell the customer in side conversations why they should go with CA? Or BEA? Not a good look guys...especially when trying to present a unified front.

Secondly, this statement from the press release is just stupid:
"CA will include WebLogic Server Premium Edition evaluation license with CA Identity Manager as the application server of choice for CA IAM technology."

If you want someone to use your solution, give them a full version. Evaluation licenses suck. And when you give out an evaluation license when trying to get someone to use it, that's just stupid. So maybe BEA doesn't want people using the WebLogic server without paying for it. Here's the solution. Limit it for use with CA Identity Manager and CA Access Manager. If they want to extend the use of the WebLogic server, then they can pay for the right to do so. Here's what's going to happen if you stick to this limitation:
Customer: I want to buy CA Identity Manager and CA Access Manager based on that quote you gave me.
CA Sales Rep: Cool. Thanks very much. Now, our strategic partnership with BEA means that our products work best with WebLogic and it will be best for you to use it.
Customer: Ok. So I can just run this on WebLogic when I deploy it right? No strings attached.
CA Sales Rep: Actually, you get an evaluation license so you can probably run it in development and when you decide to move forward into production, you'll need the full license.
Customer: What do you mean full licence?
CA Sales Rep: You'll need to purchase it from BEA.
Customer: Isn't that included in the quote you gave me?
CA Sales Rep: No. You'll need to talk to BEA about that.
Customer: Why didn't you include it in the quote?
CA Sales Rep: We wanted to keep your costs down and give you a choice of application servers...but I'm just telling you it works best with WebLogic.
Customer: Ok, what if I don't have the budget to buy WebLogic licenses?
CA Sales Rep: Oh, our solutions work nicely with other application servers that we support too. You don't need to worry about that.
Customer (feeling a little cheated): Ok, but you're telling me I really should be paying more money to run it on WebLogic because it runs better?
CA Sales Rep (sensing he may lose the sale): Oh I didn't mean that. It just has more integrated pieces but we don't enforce that you run it on WebLogic. Our products are extremely stable on other application server platforms.

What do CA and BEA get here? A customer feeling cheated, CA trying to save the sale by cutting BEA out of it and BEA not knowing any better and losing a potential sale...not to mention gaining some negative perceptions from the customer as a result. If they had been up front about using BEA, the situation would probably be better for all (including the customer) from a relationship standpoint...but it would cost more. So, if you're a CA Sales Rep, what do you do? More than likely, you don't put it in your quote!

If you turn the tables and look at what BEA would do from a sales standpoint, they would probably do the same thing. Say that they work best with CA if a customer wants identity management, but that they could easily run another vendor's product (assuming the other vendor supports WebLogic). The BEA sales rep doesn't care - they just want the sales revenue.

The ONLY way this is going to work is if BEA chooses to ONLY support CA as a vendor (in this space) and CA chooses to ONLY support running their software on WebLogic. I really don't see this happening from a business standpoint. It would limit their routes to market and seriously handcuff their sales force. There are probably sales incentives in place to try to make this work, but if you're a sales rep and had to choose between a 25% chance of a sale which involved CA and BEA and gave you more commission, and a 50% chance of a sale which didn't include the other vendor and gave you a little less commission, which would you pick? Almost all sales reps would go with option 2!

Another area of focus for this partnership involves engineering and development. The press release states:
"The two companies plan to validate and further extend integration between CA SiteMinder and BEA WebLogic and AquaLogic technologies, while also collaborating on identity and access management standards."

All this means is that they'll have regular calls, meetings and group hugs. They'll share a few APIs around and that'll be it. Sure, some APIs shared are probably not public APIs, but anyone with a decompiler can figure out what these are. They may get some priority support when they can't figure something out and will be able to have access to the guys who know what they're talking about in the engineering teams. But ultimately, these are still 2 different companies. The "open the doors, lift up the kimono" policies only go so far. The "super secret" stuff and strategic discussions will not go beyond company walls. So CA and BEA will simply treat each other like they do other ISVs. The difference is that they probably have a secret "Bat Phone" where they can call each other. That's about it.

The last area of focus is apparently on sales and marketing where they will:
"Implement marketing and sales programs to communicate the value proposition of their joint solutions to current and prospective customers and proactively team together on customer opportunities."

It sounds like someone in marketing wrote that statement alright. It means nothing. Ok so CA and BEA will throw some money in the pool and pay some agency to come up with something for them jointly? As for their ability to proactively team on customer opportunities, I think I've already outlined earlier in this post how that will go.

And to finally prove to everyone exactly why this won't work, they had someone from legal go through the press release and add this gem to the end of the statement:

"Some of the statements in this press release are forward-looking, including the statements regarding the plans, goals, completion, implementation, benefits, and details of the relationship between BEA and CA; the companies' further investment in development efforts, product delivery, validation and extension of products and other goals related to this relationship; and the ability of BEA's and CA's partnership to reduce customer costs and improve customer performance. Actual results could differ materially from those expressed in any forward-looking statements."

Way to instill confidence in the market guys...especially while you're trying to convince everyone this will work. If you're not sure if it'll work, why announce it? Why not go behind closed doors and nut it all out...do sound joint marketing and sales calls and see how it works? Don't announce something and then shove a disclaimer in there that says "hey, don't sue us if it doesn't pan out. Even we're not sure if it'll pan out."

Even within companies that own all the technology involved, these issues I've mentioned above happen. The difference is that someone in a position of power within the company can sort the issues out. I worked for IBM...I know what can happen. But I also know that higher powers that be can usually fix the politics...even if the sales guys aren't happy about it. It's usually about what makes the customer happy. If it means some sales guys aren't happy, so be it. I mention IBM because if we're talking about Identity and Access Management suites and Application Server/SOA technologies working together, IBM has Tivoli and WebSphere. Similarly, Oracle has their Identity and Access Management suite and the Oracle Application Server. The story also rings true for Sun.

This may be CA and BEA trying to catch up to the pack that is IBM, Oracle and Sun. That's the only thing that makes sense. CA doesn't have a footprint in the SOA/application space. BEA doesn't do Identity and Access Management. The pieces fit if you take a 100,000 foot view. Analysing it further however, the picture is not so rosy.

If CA and BEA want to make this work properly, one of them has to buy the other one. Hey, it makes sense doesn't it? They each have the pieces that the other is missing. Is this where they're headed? Is this announcement a prelude of things to come? Wouldn't surprise me one bit in the acquisition hungry technology world of today.

Tuesday, March 06, 2007

Access Card Australia gets new boss

I mentioned in my post here that the Australia Access Card project was now being headed up by Senator Ian Campbell, taking over from Joe Hockey. Well, Senator Campbell resigned over the weekend after becoming embroiled in the latest political controversy doing the rounds on the news in Australia involving former West Australian premier Brian Burke. He is being replaced by Senator Chris Ellison, who was formerly Justice and Customs minister.

Chris Ellison of course, was in charge of Australian Customs' CMR project, which ran into all sorts of problems (some details here, here and here). Senator Ellison's involvement with CMR, the constant chopping and changing of Access Card bosses and the technical and politically complex nature of the whole Access Card concept does not augur well for a successful roll out.

Saturday, March 03, 2007

Password resets still the most common reason to call the help desk

Most of us in the security and identity management industry could be forgiven for thinking that many companies are getting their heads around the fact that password management is a real overhead for their help desks to deal with and are doing something about it. It's probably because we often see customers who have bought software as a way to solve the password management problem or are at least being proactive about it.

Not so according to the survey mentioned in this article. Seems many organisations are still experiencing password resets as being the most common reason for help desk calls. Maybe the figures have dropped over the past few years as a result of more solutions being implemented, but obviously not enough to knock it off top spot.

At least it keeps those of us in this industry in a job (although I don't currently have one at the moment - but that's by choice and circumstance).

Thursday, March 01, 2007

CA jumps on the identity monitoring bandwagon

CA's just released an update to their Wily Introscope application management software with their Wily Manager for SiteMinder Web Access Manager. It is supposed to:
  • Monitor SiteMinder policy server and agent performance and availability.
  • Correlate Web application performance with SiteMinder performance.
  • Determine if SiteMinder is impacting performance.
  • Facilitate collaboration between application support and security team.

According to CA it:
"provides comprehensive, real-time metrics such as: average response time for login; successes, failures, and errors per measurement period; and socket availability for SiteMinder processes. Wily Manager for SiteMinder collects this information from SiteMinder Policy Servers and SiteMinder agents for all Web server and application server transactions into a single view that enables application support and security specialists to collaborate and better understand how authentication performance affects their Web applications."

It's also interesting to note that this functionality was built into their Wily Technology infrastructure (which CA acquired in early 2006) instead of their Unicenter infrastructure. Looking through their systems management portfolio however, it makes sense as the Wily products focus on web applications while Unicenter focuses on the traditional enterprise architecture components such as networks, mainframes and midrange servers.

It looks to be a much more focused monitoring offering than IBM's (which I blogged about here) and Oracle's (which I blogged about here) from an access management product perspective. It addresses a few things that customers have commonly asked for in the past, most notably the need to figure out how much impact the security infrastructure is having on the performance of their applications. None of the vendors have been able to give a satisfactory answer here. At least now, CA can monitor it.

That's not to say CA are ahead of Oracle and IBM. They've just chosen to focus on another aspect of monitoring their Identity and Access Management infrastructure. Strategically, the three vendors look to have taken the following approaches:
  • Oracle - Sink their teeth deeper into becoming a Systems Management vendor and do this by releasing a fully functioning (that's debatable as I have yet to see it in action) software product for their Identity and Access Management suite, which is proving to be an area of focus for the security market and as a result is gaining mind share and respect for Oracle in the security space.
  • IBM - Address a customer need by addressing the issue at a high level and providing basic functionality. They have not released a full product yet because the functionality provided does not warrant such a move and doing so would see a backlash from customers and unfavourable views from the industry. This is also why they have released this integration component free (assuming customers already have the relevant Tivoli products required at either end). They have probably released this in preparation for a bigger, more fully featured release of their monitoring suite focusing on the Identity and Access Management products.
  • CA - Address a specific need of their customer base and do it better than their competitors while giving up some of the selling advantages of being more general in their approach like IBM have done.
These are 3 very different approaches and each has its reasons for doing so. The point to make here is that these 3 big vendors are finally realising that they need to address this pressing customer requirement that they've been putting off for so long. The one who executes the best strategy will have a HUGE advantage in the Identity and Access Management arena.