Sunday, November 27, 2011

IAG vs provisioning

November has been a very busy month which has resulted in very few posts.

A part of the busyness was a trip to San Diego to visit the Gartner IAM 2011 conference. Overall the conference was great fun and I met lots and lots of old friends. Going to IAM conferences is a bit like going to a high school reunion. The food was also excellent, and as the conference was held in a small hotel I actually got to go outside and get some fresh air every now and then. This is a rare luxury in the standard Las Vegas-located gathering.

In my opinion the overall trend was a continuation of the direction that was announced in last year's Gartner IAM magic quadrants. You could also see the same trend in the Forrester Role Management and access recertification wave. The concept has gotten a brand new TLA in the form of IAG (I still like RMAR) and will now have its own little quadrant.

So what is IAG? Well, the core concept revolves around the simple fact that it seems to be very hard to get ROI on conventional provisioning-driven IAM projects. In theory IAM projects are supposed to provide ROI based on the fact that they lower operational costs. In practice this has turned out to be an elusive goal.

As we all like to stay employed, we now have to figure out something else to sell to the business, and that something is now service catalogs, access recertification, transparency and governance. The core user needs to switch from an IT department gnome (a.k.a. the sysadmin) to the actual business users.

What does this mean for the applications? Primarily it means that they need to be prettier and easier to use. The Amazon shopping cart analogy seems to be very popular for access requests, as do credit-score-like risk assessment numbers. Access recertification as well as approval workflows need to be very appetizing as well as easy to use by non-IT users. Enterprise role management seems to have fallen out of fashion and we are back to handling entitlements, albeit nicer-named entitlements with better tans (i.e. no AD group names like fap0503dfg).

The current leaders in this space seem to be Aveksa and Sailpoint, but the big boys are starting to notice and are trying to catch up. IBM has some very interesting stuff coming out very soon in general availability in the role space (although they may change the branding of that specific functionality now that roles aren't cool anymore). Oracle just updated Oracle Identity Analytics and I am sure that there is more to come soon.