Friday, July 16, 2010

IAM exam results so far: 9%


I just finished a customer tour in Calgary, Canada. I met three customers a day for three days. All significant customers. Of those 9 customers here’s what they were using for identity management in their environment:
  • Sun’s Identity Manager: 6 customers
  • Novell DirXML: 2 customers
  • Novell Identity Manager: 1 customer
The customers who were using Novell DirXML were looking to migrate to something else. Yes, they were using Novell DirXML – not Novell Identity Manager. The customer who was running Novell Identity Manager was quite happy with it and planned to continue to use it. The DirXML customers were migrating because they were migrating from Novell anyway. All the customers who were using Sun’s Identity Manager were unhappy and either had thrown out Sun or were in the process of finding an alternative. None of the Sun customers was looking at Oracle.

What were the common threads across these 8 customers?
  • We never progressed further than the proof-of-concept. We didn’t POC our whole environment and when we tried to expand the POC scope into production we failed. We never saw the ROI we were promised.
  • Every time we needed a change to the product we had to pay far too much.
  • Everything required too much care and feeding to ensure the product was working.
  • We needed specialized talent to keep it running.
  • The consultants treated Active Directory as if it was only an LDAP directory. They did not understand Active Directory.
  • Every time we needed to change the structure of Active Directory we had to pay to re-code all of the scripts that were written.
  • I was paying more in maintenance and re-programming the product than the cost of hiring a few people to do it manually. So I hired some staff and threw the product out.
This was a great illustration to me of how far our little industry segment needs to improve. None of these customers were trying to do anything fancy. They had fancy plans originally but they were failing on basic provisioning or password management and were never able to progress further. It also further reinforced my view that there’s a great opportunity for a solution that doesn’t require a couple of busloads of consultants to get it (and keep it) running. A solution that delivers immediate value. A solution that customers are happy to have. A solution that is my dream…

11 comments:

Adam said...

I am actively looking for an IAM solution currently. I was wondering if you could provide any insight into products that your clients are using and happy with...

OpenSSO seems to be at the top of my list right now.

Would love to hear your thoughts.

adamgetchell said...

Looking at tying Active Directory to MIT kerberos for auth using FIM 2010, ADFS 2.0, or something relevant. Pointers appreciated too!

Adam Getchell said...

Looking for a simple account synch between MIT Kerberos and Active Directory. Looking at FIM 2010, ADFS 2.0, or other relevant products (not Sun Identity Manager). Pointers appreciated.

Victoria Lomax said...

I'd also love to hear more insights into what those products aren't doing for people and what is working for people.

I'm convinced there must be an easier way to deal with these kinds of problems but the current range of products seems to be more aligned to driving professional services revenue than actually just working for users.

Jackson Shaw said...

@Adam - What are you trying to accomplish? Active Directory is a Kerberos KDC itself. Why maintain both?

@Victoria - Unfortunately, I believe you are totally correct. The current generation of IAM products are aligned to drive services revenue. I agree that some services revenue will be required in most situations but not by a factor of 7-10X times the license revenue. Customers are being killed by the services costs.

v2amol said...

I think there's an interesting debate to be had there. Is it the companies driving revenue or the users themselves? In my experience users want everything to be brought into the IAM product which is no small task and will always mean time/money/custom development.

The only way to reduce this overhead is to make this process easier/cheaper or to take a pragmatic approach and only solve the cheap and easy problems. One customer I spoke to had over 100 custom applications they wanted to provision to, none of which had an API nor any simple way of integrating. Does it make sense to try and automate this and bring it into the fold or could we use technology to simply efficiently manage the process, e.g. automatically emailing someone to ask them to create/edit something in a workflow type of approach?

Just wondered if you had any thoughts on how this could be made cheaper or easier for people. Surely we have the technology to solve these problems it's just how we chose to use it (or not use it).

bhooper27 said...

I am a Systems Consultant working for a Fortune 250 Insurance/Finance Company. We are currently using Sun Identity Manager (v 8.1.0.7) in production for provisioning base access via HR Transactions for employees and contractors to Active Directory, RACF, Exchange, and Home Directory.

We have been in production since 2008, and originally started with Sun Identity Manager v7.1.

As a result of the Oracle/Sun acquisition we are currently examining our options. One of the biggest challenges we face is addressing how we keep building momentum with our Identity and Access Management program and insulate ourselves from situations such as these which will require us to rip and replace.

Jackson Shaw said...

@bhooper27 - You have a valid point and I think that if you and your team have shown value to everyone then you probably don't have anything to worry about.

The customers that I talk to that have problems have generally had them because their "goals" haven't been realized - for whatever reason.

adamgetchell said...

Well, I am at a University so I don't have the option of replacing the central campus KDC with my domain controllers/DCs. This is unfortunately a common occurrence at a University; the entity controlling the central resources doesn't architect it in such a way as to make it useful for Active Directory.

Radovan Semancik said...

The high cost of services needed to deploy an IDM solution is not based in bad IDM products. I agree that the products are not excellent (especially some of them), but the majority of the cost is generated by the customer. More exactly, by the chaos that governs most of the customer's current IDM processes. Humans can handle chaos surprisingly well, but computers cannot. If you try to automate, you must clean up the chaos. And that is the most difficult part of IDM projects. Technology is a piece of cake.

Neil said...

With respect, this sounds like a classic project management issue, i.e. ill-defined scope, costs, benefits, risks etc etc.

The business no doubt expected the moon, the earth and the stars whilst the reality was very, very different!

We in IT need to be smarter about setting expectations.