If you have been in the IAM space for a while you kind of recognize the waves that regularly hit the industry. One example is the provisioning wave that started picking up speed back in 2004-2005, when most provisioning vendors were simple startups with a few customers and rather rudimentary products. Over the next 24 months each major player (IBM, Sun, Oracle, CA) built or acquired a product in the space, which in turn meant that suddenly the sales and marketing resources that were available to sell the products increased by a factor of 10-100. Unfortunately the delivery capability of the professional services organizations didn't really grow as fast, which led to some "unfortunate" implementation projects, some of which I was part of.

Go forward a couple of years to 2006-2007 and the hot product is now role management. The same pattern plays out again. Sun buys Vaau RBACx, Oracle buys Bridgestream, IBM stays on the sideline and uses partnerships. There are a couple of independent players that align to the big boys (Aveksa, Sailpoint), but when the economy started to fall apart things started to look bleak for the independents and they were forced to shed staff and to cut down on R&D as their customers no longer could afford to start new projects or even keep already initiated projects moving.

A few more years forward and we are now in mid-2011 and Forrester is publishing a new and shiny Role Management and access recertification wave (get it at Sailpoint) that places Aveksa and Sailpoint as the leaders. Certainly not the result I would have expected back in 2008, so I would like to congratulate both Aveksa and Sailpoint on their placement. They have done a very impressive job and shown that a relatively small independent shop can outperform the big boys. Well done!

One major change in the marketplace is that role management and access recertification is getting more and more exposure as a central part of any IAM strategy. Gartner prefers the term IAI (Identity and Access Intelligence) and our Germanic friends at Kuppinger Cole use GRC (Governance, Risk and Compliance). Andras actually doesn't coin his own TLA or eTLA in the report, which I am very disappointed about. Doesn't RMAR sound like something that would conquer the world?

The Forrester take on the subject is that:
"As a security and risk leader, if you only have one dollar to spend on identity management, spend it on access governance."
Undoubtedly a very strong endorsement of the area that will result in lots of end user companies spending even more money in this area.

If we look at the competitive landscape, what does this wave mean? Sailpoint and Aveksa are of course going to get a very substantial boost. They both have really good and mature products, so I am not so surprised that they fared very well.

When it comes to the players that fared less well, I am not surprised at all about IBM's ranking. IBM is in the process of bringing a brand new product to the market and their current offering really is close to nonexistent. I got a sneak peek at the new IBM role manager at Pulse this spring and I am quite convinced that IBM will be a top player once this hits the market in late 2011 or early 2012, but at the moment they deserve the scoring.

I am in a way surprised about Oracle's scoring. Oracle has been trying to come up with a viable offering for a long time, and after a couple of false starts (first an internal product that was killed before hitting the market, then Bridgestream/ORM, which was killed after a quite bad showing in the market) they finally got a good product in the form of OIA (ex Vaau RBACx, ex Sun Role Manager). Perhaps the many name changes of the product give a clue about why it no longer is a top notch offering? Take a good product and spend a couple of years integrating it into a major IAM vendor's stack (Sun), which then promptly gets acquired by another major IAM vendor (Oracle). The new owner spends another couple of years integrating the product into their stack, and at the end the world simply has moved on and what was a good product is now just run of the mill.

The most interesting conclusion is perhaps that the era when the base for any IAM strategy was implementation of one of the huge provisioning-centered IAM stacks (Oracle, Sun (RIP), IBM and CA) may be over. Perhaps we are entering a world where provisioning isn't the centerpiece and where the independent players take a bigger part of the market? Another alternative is of course that Larry gets fed up and buys Sailpoint, CA buys Aveksa and the IAM stacks get one more mandatory component.

(Full disclosure note: my wife was one of the editors of this report)

