Wednesday, June 25, 2008

Why does your organisation buy enterprise security software?

The answer might seem obvious, but it's not.

I had a very interesting chat with Eurekify founder Dr. Ron Rymon the other day about a multitude of things including the GRC market at large as a follow up to my post last week regarding CA. One thing I didn't mention was CA's agreement with Eurekify to resell their Enterprise Role Management product, but you'll find it within the comments in response to the post. Ron also reminded me that Eurekify has a GRC solution offering of their own. A lot of people think of Eurekify as just a role management company because that's what they're best known for. Eurekify specific discussions aside, one of the things we spoke about was the various reasons behind why organisations buy GRC software. This got me thinking a little more, which brings me to the point I'm trying to make.

I went into some amount of detail about approaches and drivers to GRC but one thing I didn't talk very much about was the reality of the situation in some organisations and their attitudes towards security related activities (I'm including compliance here). I've found in my experience that it is the attitude and corporate culture that will ultimately determine if a particular piece of security software is the right solution for the organisation from a decision making and purchasing standpoint. If you are the sales guy, you need to very quickly qualify the opportunity as follows:
  1. Is the organisation interested in implementing a security solution to solve real business and IT problems or do they want to "tick check boxes" within a form so they can satisfy specific audit requirements?
  2. Is the software product you are selling a tactical or strategic one?
Most sales guys will answer question 2 by saying "of course my solution is a strategic one!". Don't kid yourself. You know what it really is so you need to sell it accordingly. I should probably explain the difference between a strategic and tactical software product:
  • Tactical - typically a point solution that does one or two things very well. e.g. an encryption product.
  • Strategic - a platform or infrastructure solution that solves a larger, high level issue that is of business significance and affects more people (or parts of the organisation). e.g. an Identity & Access Management suite.
Taking a very simplistic view in this case, your qualification matrix looks like this:

                        Tactical         Strategic
  Solution approach     need partners    in
  Tick check boxes      in               out

If you are selling a tactical solution, your best bet is to go for organisations trying to tick check boxes that the auditors said to tick. e.g. an auditor might say "if you encrypt all your disks and superglue all your USB ports rendering them unusable, I'll tick the PCI-compliance box for your organisation". If you are selling a strategic solution, go for the organisations that actually want to address an issue properly and more holistically. In other words, they are more interested in proper security. That's not to say you can't go for the strategic sale if you have a tactical solution. You just need to partner with the right vendors to give the organisation a "best of breed" solution.

The thing we need to examine is why so many organisations think ticking check boxes = good security? I'll talk about that another day. I've already written one long essay this week.

For now, ask yourself:
  1. If you're in sales - are these guys ticking boxes or addressing security?
  2. If you work in an environment that buys software - do we tick boxes or do we address security issues?
It'll save everyone a lot of wasted time and money.

Friday, July 20, 2007

IBM the leader in Identity and Access Management

I didn't say it...not lately anyway (I've previously said it many many many many many times in front of customers). At least now I can prove I wasn't lying :)

IBM is the worldwide leader in Enterprise Identity and Access Management in terms of revenue share, according to analyst firm IDC.

They may not be for long however. Oracle just became a very formidable opponent with their acquisition of Bharosa yesterday. Don't get me wrong. I'm not saying Oracle wasn't formidable before the acquisition. But the issue now is that Bharosa does things that IBM's suite does not.

That's right. I said it. An IBM competitor has useful functionality that IBM Tivoli does not provide (here comes all the abuse from my ex-IBM colleagues).

More on this later.

Saturday, February 24, 2007

IBM responds to Oracle with Mickey Mouse monitoring tool

Before I start, I should point out that just because I no longer work for IBM does not mean I dislike IBM. I still have a great respect for "Big Blue" and will continue to do so until they do something that radically changes my mind. I say that up front because I'm about to be somewhat critical of them. I've always had my criticisms of the company, but now I can raise them in a public forum (instead of privately discussing them with my colleagues) without fear of having management "give me a stern talking to"...now I just have to put up with comments from my former colleagues. But a little healthy discussion never hurt anyone.

I am referring to the new monitoring offering from IBM Tivoli, specifically around the Identity and Access Manager products. The monitoring offerings can be found here and here. I'll probably get a little grief about this from those of you I know from IBM. Hey, I'm entitled to my opinion aren't I? Especially as I talked about Oracle's offering earlier this month.

Before I move on, I'll take a little detour and talk about IBM from a marketing standpoint. I used the term "respond" in the title to this post, but I'm not sure that's the case. I was simply referring to what the average person would perceive it as. As far as marketing and image is concerned, perception is the truth. Oracle made their announcement early in February. According to IBM's pages, the monitoring offerings were released mid to late January, which is before Oracle's announcement.

So it looks like it was being developed at the same time as Oracle, unless IBM have managed to trick those of us delving deeper into believing this is the case by listing the release dates in January. I don't know because even internally within IBM, there was no announcement to the greater community until my last week at IBM (week ending February 16)...and I worked for the field sales team whose job it is to sell the software and use announcements like this as "value add selling points". And herein lies the problem with IBM marketing when it comes to Identity and Access Management. If they do such a poor job of communicating this information internally (in a timely manner), how are they to do this effectively to the external audience? This lends itself to a belief I've had for as long as I've worked in this area.

The biggest barrier to sales and building a long term pipeline (even one that the sales people cannot see) and dare I say shortening the sales cycle (apologies for using all these sales "buzzwords") is that IBM is behind the eight ball when it comes to mind share in the Identity and Access Management arena. When it comes to enterprise identity, the press is filled with references to Oracle. When it comes to user centric identity, it's all Microsoft (and occasionally smaller niche players like Sxip and JanRain). Lately, even Symantec's getting into the act.

It never used to surprise me when people would look at me with bewilderment when I told them IBM was one of the leading vendors in this space. It still doesn't surprise me. IBM's PR and marketing machine does an extremely piss weak (i.e. very poor) job of talking up its Identity market leadership. It spends too much time harping on about Linux, Open Source, SOA and the services offerings from Global Business Services and Global Technology Services (at least I think that's what they're called now - they keep changing the names and re-organising the business units, and I have first hand experience that confirms how confusing it is even for employees). Even with these headline messages, they send out mixed signals!

Now that I've got that out of the way, back to the topic at hand. I'll be the first to admit that I don't know the deep technical details of what Oracle's offering actually does. I only know what I've read at a high level. At face value, it looks like Oracle's offering does more than IBM's. I won't outline the details because you can go read about it yourselves (unfortunately, the only link I can provide is this one to the announcement - Oracle's site is so crap that I couldn't find any specific information about their monitoring offering for identity management). I linked to IBM's offering earlier in this post but here are the links again if you don't want to scroll (here and here).

The monitoring offering from IBM tracks the following in Tivoli Identity Manager (TIM):
  • Server availability and server process activity
  • memory usage characteristics: heap size before and after garbage collection, max heap size, garbage collection time
  • workflow queue backlog
  • user page response times
  • tablespace usage
  • logged error messages
And the following in Tivoli Access Manager (TAM):
  • Server availability and server process activity
  • WebSEAL statistics
  • Junction statistics
  • response times
  • workload
Here's why I think these features are "Mickey Mouse" in nature. Most customers I know who have implemented TIM and/or TAM and want to monitor the identity infrastructure have had to implement it themselves (because, as I have previously said, there was no actual solution provided by IBM for it). How did they do it? Shell scripts that take a day or so to write. Pretty trivial stuff, because they just wanted to monitor infrastructure statistics like performance, server load, response times, tablespace usage etc. But hang on, that looks like what IBM's just provided as the monitoring offering! All IBM has done is hook it into the IBM Tivoli Monitoring product set via the Tivoli Universal Agent! If I were a customer, I'd still write my own and let my shell script feed the data into the relevant standard monitoring infrastructure within the organisation's environment.

Of course, IBM usually doesn't do things without a few good reasons. In this case, it is possibly for the following reasons:
  • They knew what Oracle was doing and didn't want to be seen as falling behind.
  • IBM customers have been calling out for a monitoring solution to deal with the IBM Identity Suite for over 2 years and they decided to finally address it (in a half hearted sort of way). In other words, the sales team can finally say "yes" without looking guilty when customers ask if there's a monitoring solution for the Tivoli Identity and Access Management suite.
  • It's a good way to up-sell customers who have the Tivoli Identity suite and get them to consider the Tivoli Monitoring suite.
Of course, that's not to say it doesn't have any real benefits. The problem is, I can only see two:
  • Customers no longer have to write their own shell scripts to do this.
  • IBM services teams and IBM business partners no longer have to write scripts when they deploy the Tivoli Security products to deal with monitoring. Of course, any good services team will have already written the scripts and should just re-use as much of it as possible, so one could argue whether this is a benefit here. It's probably more beneficial for teams who are new at deploying the products.
As for the biggest barriers to adoption:
  • This is useless to me unless I have IBM Tivoli Monitoring.
  • I cannot modify the solution for my own needs...at least not easily.
  • Where is the monitoring offering for the underlying identity infrastructure? By that I mean the most important software support component used by TIM and TAM - IBM Tivoli Directory Server (TDS)! TDS is the LDAP component so one could argue that you could go find some open source alternative or find some LDAP monitoring solution out there. This defeats the whole purpose doesn't it? IBM's solution lets you monitor TIM and TAM for "infrastructure things" but doesn't actually let you monitor the core software components supporting the applications. So the answer is to use the new offering for TIM and TAM but go build your own or buy something else to monitor TDS? Sounds rather nonsensical to me. I may be over reacting here because monitoring an LDAP is not difficult. It's common and pretty standard practice. TDS even has a section of the LDAP tree that can be queried for monitoring stats. Problem here is that I've still got to somehow feed that into my monitoring solution. Back to writing scripts I guess! To illustrate this point, let me just point one thing out. TIM and TAM don't work without TDS. Enough said.
  • It only monitors trivial infrastructure metrics. There is nothing that will give me the business context I need, which is often the biggest reason to monitor the security and identity infrastructure.
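The TDS point above is that the stats are there in the directory but still have to be turned into something a monitoring system can ingest. The following is an added example (not code from this post, and not an IBM tool) of the small script that job usually comes down to: it parses a cn=monitor reply in LDIF form, derives a couple of metrics and checks them against thresholds. The LDIF sample is constructed; the attribute names, thresholds and the "host metric value" output shape are assumptions for illustration, not a captured reply from any server.

```python
"""Turn an LDAP cn=monitor reply into monitoring-system records.

Added example, not code from the blog post. The LDIF below is a
constructed sample in the style of the monitor entry a directory
server exposes under cn=monitor; the attribute names and values are
assumptions for illustration, not a captured reply.
"""
from typing import Dict, List

# Constructed sample, shaped like the output of: ldapsearch -b cn=monitor
SAMPLE_LDIF = """\
dn: cn=monitor
cn: monitor
currentconnections: 187
maxconnections: 200
totalconnections: 48213
opsinitiated: 1203394
opscompleted: 1203380
"""

# Alarm thresholds; the values are assumptions chosen for the example.
THRESHOLDS = {
    "connection_usage_pct": 85.0,  # current connections as % of max
    "ops_in_flight": 10,           # operations initiated but not completed
}


def parse_ldif(ldif: str) -> Dict[str, str]:
    """Parse a single-entry LDIF text into an attribute dict.

    Handles only what the monitor entry needs: 'attr: value' lines and
    the LDIF continuation rule (a line starting with a space continues
    the previous value).
    """
    attrs: Dict[str, str] = {}
    last_key = None
    for raw in ldif.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        attrs[key] = value.strip()
        last_key = key
    return attrs


def derive_metrics(attrs: Dict[str, str]) -> Dict[str, float]:
    """Compute the numbers a monitoring system would graph or alarm on."""
    current = int(attrs["currentconnections"])
    maximum = int(attrs["maxconnections"])
    initiated = int(attrs["opsinitiated"])
    completed = int(attrs["opscompleted"])
    return {
        "current_connections": float(current),
        "connection_usage_pct": round(100.0 * current / maximum, 1),
        "ops_in_flight": float(initiated - completed),
    }


def evaluate(metrics: Dict[str, float]) -> List[str]:
    """Return the names of metrics that breach their thresholds."""
    return [name for name, limit in THRESHOLDS.items() if metrics[name] > limit]


def format_records(metrics: Dict[str, float], host: str = "ldap01") -> List[str]:
    """Render metrics as 'host metric value' lines, a shape most
    collectors can ingest from a script's standard output."""
    return [f"{host} tds.{name} {value}" for name, value in metrics.items()]


if __name__ == "__main__":
    metrics = derive_metrics(parse_ldif(SAMPLE_LDIF))
    for record in format_records(metrics):
        print(record)
    for breach in evaluate(metrics):
        print(f"ALERT {breach}={metrics[breach]} exceeds {THRESHOLDS[breach]}")
```

In practice the LDIF would come from a scheduled ldapsearch against the directory rather than an embedded string, and the records would be piped to whatever collector the organisation already runs; the point is that the glue is a few dozen lines, which is why the post regards the missing TDS monitoring as an odd gap rather than a hard problem.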
Here are a few examples of what I mean when I say business context monitoring:
  • Repeated failed authentication attempts.
  • Tracking a user's session to alert of suspicious behaviour.
  • Alerting of requests for access to "sensitive" parts of the environment (systems or additional access to what a user already has).
  • Real time alerts of additional access privileges that do not meet defined security policies (an email to a person hoping they'll see it soon doesn't cut it I'm afraid).
The list is endless...and will be very different for each company, especially when dealing with business processes around auditing and compliance. Don't get me wrong. IBM Tivoli (and possibly even Oracle) has the products in place to address these needs. There just hasn't been a combined solution that solves these issues easily. There's too much services and customisation work involved and not enough "cookie cutter" approaches to make life easier for end users and services teams. And here is where both Oracle and IBM have not addressed a real need.
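To make the business-context examples above concrete, here is an added example (my own illustration, not code from this post or from any Tivoli or Oracle product) of the kind of detection logic the post has in mind, run over a handful of constructed identity events: repeated failed authentication within a time window, a grant of a sensitive group without an approver, and a separation-of-duties conflict as one instance of "access privileges that do not meet defined security policies". The log format, field names, group names and policy are all constructed for the example.

```python
"""Business-context alerts over identity events.

Added example, not code from the blog post. The log lines, policy and
field names are constructed for illustration and do not reflect the
log format of any Tivoli product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample events: timestamp, event type, user, key=value details.
SAMPLE_LOG = """\
2007-02-20T09:00:01 AUTH_FAIL alice src=10.0.0.5
2007-02-20T09:00:07 AUTH_FAIL alice src=10.0.0.5
2007-02-20T09:00:12 AUTH_FAIL alice src=10.0.0.5
2007-02-20T09:00:15 AUTH_FAIL alice src=10.0.0.5
2007-02-20T09:00:40 AUTH_OK alice src=10.0.0.5
2007-02-20T09:05:00 AUTH_FAIL bob src=10.0.0.9
2007-02-20T10:30:00 ACCESS_GRANT bob group=payroll-admins approver=none
2007-02-20T10:31:00 ACCESS_GRANT carol group=payroll-admins approver=mgr1
2007-02-20T11:00:00 ACCESS_GRANT carol group=payroll-auditors approver=mgr1
"""

# Assumed policy: sensitive groups need a named approver, and nobody may
# hold both halves of a separation-of-duties pair.
SENSITIVE_GROUPS = {"payroll-admins", "payroll-auditors"}
SOD_PAIRS = [("payroll-admins", "payroll-auditors")]
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into a dict of fields."""
    ts, kind, user, *kv = line.split()
    event: Dict[str, object] = {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user}
    for item in kv:
        key, _, value = item.partition("=")
        event[key] = value
    return event


def detect(log_text: str) -> List[str]:
    """Return one alert string per policy breach found in the log, in order."""
    alerts: List[str] = []
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> failure times in window
    memberships: Dict[str, Set[str]] = defaultdict(set)            # user -> groups granted so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, kind, ts = str(ev["user"]), str(ev["kind"]), ev["ts"]
        assert isinstance(ts, datetime)
        if kind == "AUTH_FAIL":
            window = recent_fails[user]
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            # Alert exactly once when the threshold is first reached.
            if len(window) == FAIL_THRESHOLD:
                alerts.append(f"{user}: {FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}")
        elif kind == "AUTH_OK":
            recent_fails[user].clear()
        elif kind == "ACCESS_GRANT":
            group = str(ev["group"])
            if group in SENSITIVE_GROUPS and str(ev.get("approver", "none")) == "none":
                alerts.append(f"{user}: unapproved grant of sensitive group {group}")
            memberships[user].add(group)
            for left, right in SOD_PAIRS:
                if {left, right} <= memberships[user]:
                    alerts.append(f"{user}: separation-of-duties conflict {left} + {right}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

Note what the infrastructure metrics of the previous section cannot tell you here: the server was up and responsive throughout, yet three of the nine events are ones a security team would want to act on immediately. The separation-of-duties check is stateful (it needs the user's accumulated memberships), which is exactly the kind of context that a CPU or tablespace counter never carries.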

Wednesday, December 06, 2006

Identity & Access Management products and customers - a list

A common question from people interested in the Enterprise Identity & Access Management space is "which customers use this product"? So I thought I'd take a step towards helping figure this out.

I've compiled a list of products and the customers using them. This is not a full list. It is simply one I compiled using publicly available information on the web. Each entry in the list should have a link to the relevant article I found.

I'll have a permanent link on the right side of my blog so it's always available. I figured it was better than relying on people having to dig up this post to get to the list every time (unless you've bookmarked the list directly, of course).

Increased competition in the Enterprise Identity Management space

The recent spate of announcements made by the large Enterprise Identity Management (IDM) vendors has made the competitive landscape very interesting for the suite vendors (IBM, Oracle, CA, BMC, Sun, HP).

Oracle just released (OK so it was in August, but that's still quite recent) version 10g release 3 of their IDM suite with much more tightly integrated components and increased functionality.

The very recent Gartner Identity and Access Management summit has also yielded announcements from HP and CA. HP has announced increased functionality in their suite, although I'm not convinced they are that integrated yet. Their focus has not been on their IDM business and as a result, they've taken a little longer to integrate all their acquisitions. CA announced new versions of the major products in their suite. They coupled this with the announcement of an OEM agreement with Ping Identity to incorporate their federation technology into the eTrust SiteMinder product. They're also further along in their acquisition integration journey than some of the other vendors so by now they have probably gotten their act together and have an integrated suite to rival IBM. It'll be interesting to see what happens in the next year or so in this space with IBM yet to announce new versions of their products this year (other than the new Tivoli Federated Identity Manager Business Gateway for SMB).

Next move, IBM? Or maybe some kind soul will finally integrate Sun's suite for them as they've pretty much "Open Sourced" everything. They can only hope.