Friday, January 27, 2012

Useful TIM tips and tricks

I ran into a page full of useful TIM tips and tricks that I thought I should share: IBM Tivoli Identity Manager How To

Sunday, January 15, 2012

Challengers: Forgerock

One very interesting trend over the last couple of years is the rise of a number of challengers in the IAM space that have unsettled the oligopoly of IBM/Oracle/CA. Sailpoint, Aveksa and Courion keep scoring very well in the waves and quadrants, but there are also a number of smaller companies that simply don't have the market presence to be noted by Gartner and Forrester. I thought it could be interesting to take a look at some of the companies that I think have an interesting viewpoint or interesting products.

First up is Forgerock. Forgerock largely consists of ex-Sun employees who left during or just after the Oracle takeover. Forgerock has managed to pick up some of the very brightest Sun talents as well as some of the most interesting concepts and ideas from the now defunct Sun IDM community.

Forgerock's main differentiator is the fact that their products are open source. The company has also been very good at leveraging various open source products as a part of their platform, which has resulted in the creation of a quite rich product stack in a short period of time. The open source philosophy plus a very impressive list of implementation partners also means that the long-term product support is safe, which is one of the major issues with buying an IDM product from a small player.

The stack consists of four major components:
  • OpenAM
  • OpenDJ
  • OpenIDM
  • OpenICF

OpenAM supplies or will shortly supply most of the functionality that you would like to see in an SSO product, including federation and risk-based authentication. The product currently supports an agent-based approach for policy enforcement, with a reverse proxy becoming available during Q1 2012.

OpenDJ gives you a competent Java-based LDAP server with a very interesting web service interface.

OpenIDM offers a very flexible provisioning platform with lifecycle events, workflow support (BPMN 2.0 based), password synchronization, a self-service interface as well as auditing and reporting support. The main strength is the flexibility and modularity offered by the OSGi-based framework.

OpenICF is a framework to create connectors with a quite impressive list of currently available connectors.

If you look at the components, the main strength is that they are Java-based, very flexible and service oriented from the ground up, and have integrations with some very interesting open source products. There is no legacy core that consists of tons of magic built on top of a data model with three-letter table names or a huge install footprint (you all know what products I am talking about).

The main issue with Forgerock is the same thing that doomed Sun. It is a technology and engineering driven company that builds excellent products, which is great if you are an end user company that is mature enough to take a flexible platform and shape it to what you need. Forgerock has managed to cultivate a very impressive list of implementation partners, but most of the partners are small boutique shops. Most of the products still need a bit more depth and lack flashy user interfaces, so if you are looking to implement an IAG solution or a massive cloud provisioning solution against a very tight timetable you should probably look elsewhere.

On the other hand, if you are a technologically mature company or are comfortable with trusting a system integrator to do your technology work for you, Forgerock offers a very competitive IAM platform that can be customized to fit your needs without breaking the core application. In the end it is much easier to build a nice front end for a stable, flexible and strong back end than doing the reverse exercise.

Thursday, January 12, 2012

IAG magic quadrants and no more Tivoli

A new year has started and, like all new years, 2012 will certainly bring some interesting new changes.

Gartner published their new Magic Quadrants and this year they invented a new one in the form of "Identity and Access Governance". If you want the report you can get it from Sailpoint. The report really doesn't contain very much information that wasn't made public at the Gartner IAM summit back in November.

Aveksa and Sailpoint continue to lead with Oracle just behind them. It is really fun to see smaller vendors unsettling the larger players. The main surprise is probably that IBM is totally out of the race with essentially no products at all in this space.

I would say that this is not entirely accurate, as you can achieve the same functionality as in Sailpoint or Aveksa using a combination of ITIM, a custom request and approval front end and the new IBM Security Role and Policy Manager (IBM RaPM). This would of course require a lot of work, so clearly for most new customers the Sailpoint or Aveksa solution looks quite tasty and it is clear that IBM has some catching up to do.

IBM is also renaming most or all of their Tivoli products and making their latest acquisition, Q1 Labs, the centerpiece in a new security group. Using a SIEM tool as the center of your security suite is a novel idea and the Q1 user interface is very slick, so this may be just the right move for IBM.

The name change will make googling for TIM and TAM information substantially harder, as IIM and IAM are already kind of occupied. Makes you long for the good old days of 2011...