Earl Perkins

A member of the Gartner Blog Network

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…

Hiding “the Big Nasty” in IAM

by Earl Perkins  |  July 22, 2011  |  2 Comments

On the list of major annoyances for me are the trite media “sound bites” that you often hear on television or online, mostly by politicians, where they attempt to get their idea across in 5 seconds or less with a memorable turn of words. These phrases are decidedly unable to articulate the nature of the problem or the solution, but they sound great and make the speaker appear (emphasis on appear) intelligent. They do very little to advance the debate on issues, and in fact they often obscure complex issues that resist trite and easy answers. In other words, they hide ‘the big nasty’.

In case you haven’t noticed, I’ve just stooped to the very level that annoys me: I’ve created my own flippant phrase for a complex issue. In identity and access management, there are some complex technologies, processes, and skills that are used to fulfill IAM’s mission. The complexity is often in three major areas: the user experience, the workflow experience, and the connectivity experience. Any, some, or all of these could be considered big nasties, because they require much effort to plan, build, and operate for the enterprise. However, rather than considering the act of hiding these nasties as a bad thing, I submit that hiding the big nasty in IAM can actually be a good thing, not an annoyance. In fact, it is one of the most critical steps that IAM vendors and service providers can take today to confirm that the discipline is maturing.

Hiding the big nasty in IAM has two dimensions. The first aim is to educate. For many years, we’ve attempted to define IAM for the enterprise in technology terms– we are always using geeky words to try to describe to executive management and others what it is and why they need it, but the myriad blank stares and/or dozing in meetings when this occurs should be a clue that it isn’t working. We aren’t hiding the big nasty. Instead, we should be stepping back, looking at the big picture, and striking the balance between being accurate enough with our descriptions and good enough with our turn of phrase to bring the main concepts into focus for them. That ability is actually a job skill that should be required in IAM and security teams today. As much as the idea annoys me, we need a phrase-maker that gets complex, nasty concepts across quickly and effectively to the right audiences.

The second dimension in hiding the big nasty comes in the IAM solutions themselves, where the user experience itself is simplified to the point where skill set demands are reduced at ALL levels: the level that creates the user interfaces for business users, the level that develops workflow for automating process, and the level that designs and integrates IAM components across the IT software and service architecture. We need to hide the big nasty from all of them, so they can get their jobs done before most of us die of old age. That’s a job for IAM vendors and service providers. Consider harnessing all of that skill you have in marketing cures for IAM nirvana and spinning it instead into product development and delivery.

Ok, maybe I’m getting a little carried away there (and am annoying in the process). But hiding the big nasty could go a long way toward building the credibility that IAM so desperately needs in a cynical buying world. The less nasty you see, the more successful you’ll be.

Oh no, a trite phrase arises, in rhyme no less. How annoying is that?

Category: IAM

It’s time for an IAM Reality Check

by Earl Perkins  |  July 21, 2011  |  Comments Off

Well, here we are. Identity and access management as a discipline has been here in various guises for decades now, starting from early and simple administration of passwords to the present day of access management, identity administration, and an assortment of technologies that supposedly help enterprises (and citizens/consumers/partners/fill-in-the-blank) to have a consistent experience with managing and using identities. In all of this time, with the introduction of products, processes, practices, and people into the act, why don’t we take a step back and do a reality check on what has been accomplished?

I’m not here to bash IAM product or service vendors. That isn’t my job. As an analyst, I’m supposed to— well, analyze. I try to look at the historical record and make some conclusions about what has happened and some guesses as to what will happen. If my view of reality isn’t rosy or satisfying, it is because of what we find as researchers during analysis, not because we have something against the IAM market response to customer need. For IAM, the reality is that we have made some progress. It has been in fits and starts, with notable successes and failures, but in general we’ve progressed from a necessary evil to playing an important role in securing an enterprise and its business assets.

The reality is that our vision of IAM as a ‘gatekeeper’ has been somewhat realized. We know how to establish an access architecture and technology set that does a good job at determining whether or not someone has the initial right/privilege/permission/entitlement/claim/fill-in-the-blank to enter our IT/business kingdom and letting them in if they have it. The kingdom, anyway. Going further with those entitlements to allow entry into specific, mission-critical areas (e.g. sensitive business information, key applications) remains problematic, and allowing a lot of different players (e.g. partners, suppliers, third-parties, other strangers) into our kingdom is still a work in progress (e.g. federation), but we’re getting there.

The reality of administering the identities themselves and governing that process is still problematic. It’s just plain hard, actually, because we’re trying to define an identity for use in the business lexicon, directly, not through the IT translator. We’re actually inviting and engaging the business in direct participation in the creation, maintenance, retirement, reporting, tracking of identities for which they are personally responsible. In many respects, that scares them. It was better when most of that nasty, administrative stuff was hidden from them (more on that later). But unfortunately, with great power comes great responsibility. As the individual business user becomes more engaged in matters related to sensitive data integrity or customer data privacy or managing different forms of risk throughout their business processes, they keep running into the pesky IAM problem. The reality of IAM is that it is a pain for everyone, equally: whether the business user comes from the human resources group, the supply chain department, the customer relationship management division, all of them have IAM to worry about in some capacity. It is the horizontal commonality in a vertical world.

Work continues on taking IAM to the next stage, where formal, structured methodologies, processes, and organizational requirements are identified and employed where required in maturing enterprises. Identity and access governance (IAG), that step closer to structure, methodology, process, and organization, is heating up now, joining the ‘toolkit’ for IAM. A reality check there reveals that IAG is like Thursday’s child: it has far to go. But it comes closest in the IAM realm to addressing the business user directly, and that’s a good thing. We’ll watch closely to see what transpires.

Gartner’s annual IAM Summit in San Diego, CA 14-16 November, 2011 will have as the summit theme “IAM Reality Check: Solutions and Practices for Successful Business”. There, I think, all of us (you, analysts, vendors, and others) can compare notes as ‘gatekeeper veterans’ to see what has been the reality of your experiences to date, and ponder your roles for tomorrow. We could use a reality check about now, I think.

Category: IAM Uncategorized

Attachmate, Novell, and the future for Novell IAM Customers

by Earl Perkins  |  May 19, 2011  |  Comments Off

It is embarrassing to have waited so long to write something in our blog when so much is happening in our industry. I really have no good excuse, so let’s get to the reason for this one. Or rather I should say “reasons”, since I’d like to talk about a few different topics. Consider it catching up, if you will.

First, let’s talk about Novell. By now many of you have heard that the acquisition of Novell is now complete, and that there are already some changes occurring as a result. I know that in earlier blogs and in advice to our clients that are also Novell customers I counseled against taking action too hastily, but instead let this process be completed so we can assess the impacts on your own planning. It’s evident that there are some impacts now to consider.

The Novell Identity and Security Management (ISM) division will report to Jay Gardner’s NetIQ group, both in reporting and in brand. Jay will report to Jeff Hawn along with Bob Flynn, a veteran Attachmate official who has been appointed as Novell business unit President and General Manager. This truly signals the end of one era, and part of me is sad to see that happen (no insult intended to Jay or Bob). There are no doubt pros and cons that can be debated about whether Attachmate is making the right organization and branding decision, but the bottom line is that it will ultimately affect aspects of Novell product development and support organization, from where the employees will reside, who stays with Novell, where headquarters will now be located (i.e. Houston, Texas), and what will ultimately be the roadmap for Novell products. Sure, I can read what is being produced as announcements, and there have been briefings to large Novell clients about the future, but shifting from one corporate culture to the next leaves fingerprints, so let’s be realistic.

There are definite synergies (I’ve always hated that word, but it’s appropriate here) in the Novell IAM products and the NetIQ products, and some overlap, and combined development, planning, and sales is logical. Whenever such consolidations happen, you watch carefully to see how much Novell talent decides to stay vs. how much decides to leave. You also watch who is put in charge and what their history is. It helps customers to gauge impact on long-term plans using Novell products.

I believe that there will be impacts on both the future products and existing product support as a result of the restructuring: some good, some not so good. While few disagree that Novell has very solid and capable IAM solutions, those same people will argue that immediately prior to the acquisition announcement Novell was attempting to map an IAM future for itself to create a credible competitive opportunity, and was struggling to do so. Its efforts to combine its SIEM and IAM strategies had mixed results, though they made strategic sense. Its plan for identity and access governance (IAG) with the Aveksa agreement was yielding results, but was not characteristic of the Novell approach in incorporating functionality such as that into a common, homogeneous architecture (such an architecture is past its time now, since the story of the IAM market has been one of acquisition and a kaleidoscope of architectures). These efforts, though much better than the old days of UnixWare and WordPerfect, still did not realize the results that Novell had hoped.

It is logical to assume that looking at the track record of NetIQ and the work done by Mr. Gardner and Mr. Flynn will provide an indirect indication of life with a combined NetIQ and Novell. The technology Attachmate has acquired with the Novell acquisition is sound and will continue to provide value to both existing and new clients. However, don’t underestimate the eventual impact of a change this dramatic on the culture of a company that once went head-to-head with Microsoft and won for a while. To the clients and the audience I spoke to throughout 2010 and early this year, we now know more about the changes at Novell to help make a better decision in our dealings with them going forward.

Category: IAM Strategic Planning

IAM: To Control, Observe, and Inform

by Earl Perkins  |  March 24, 2011  |  1 Comment

When organizations are deep into an identity and access management initiative, it is difficult to stay focused on the fundamentals of why you started such an effort in the first place. IAM can be a lot of things to a lot of people. Some of those things can be relatively simple and the solution to it simple as well. Unfortunately, most IAM needs are not simple. But how does an organization maintain focus day after day, month after month, as an IAM program progresses? How does a leader keep an IAM initiative oriented to its strategic goals?

When I think about the reasons for IAM’s existence, there are 3 words that keep coming to my mind: control, observe, and inform. Let me tell you what I think they mean in the context of IAM.

Control: from the time I first started looking at IAM as an analyst, a large part of the technology, process, and skill sets involved the control of access– to networks, platforms, applications, data, and services. This concept of control is integral to IAM, and is the original reason why IAM first started looking like a discipline rather than just a loose collection of technologies to address tactical needs. Whether it is controlling access, controlling the creation and life cycle of identities, or controlling privacy (primarily through controlling access), deploying and managing access control is fundamental to your IAM project;

Observe: to control access or anything else in IAM, you have to know what is going on. You have to collect information about the control event itself, logging information about it for later analysis and use. You have to observe the changes in identity data that occur as day-to-day administration touches the data, monitoring process and workflow to ensure timely completion of IAM activities. In IAM, logging and monitoring are key functions in enabling observation.

Inform: it isn’t enough only to collect information through and for observation– you have to use that information. In IAM, compliance with policy and regulation require that reporting is provided from the control and observation of identities and access. It is necessary to inform key stakeholders and participants in IAM on what exactly is happening, whether the purpose is to improve the IAM process itself, or to inform the business with key identity-indexed knowledge to make good decisions.

Control, observe, and inform. Keep these themes in mind when you’re striving to create an optimum IAM experience in your organization. That way you will be able to see the entire forest, rather than just the trees.

Category: Uncategorized

Active Directory Consolidation as a Design Philosophy

by Earl Perkins  |  February 25, 2011  |  1 Comment

 Let me introduce to everyone a great colleague of mine, Andrew Walls. Among other topics he covers, he is our resident Active Directory specialist. He has kindly consented to contribute to the blog– I know you will like it.
Earl Perkins

————————————————————————————-

By Andrew Walls

Active Directory is everywhere. This is both a testimonial to the success of Microsoft’s product management strategy and a challenge for any enterprise that wants to build a unified AD environment. Consolidation of AD forests and domains is the single most frequent topic raised in inquiry concerning Active Directory. Commercial organizations, governments and educational organizations are all looking for a more efficient approach to managing AD and providing AD services to their internal clients. The complexity of some AD environments is staggering. Many commercial organizations are operating >10 Forests with multiple domains in each forest and a complex network of trust relationships. Quite a number of governments are operating >50 forests with who knows how many domains. To date, the most complex environment I have encountered is at a global organization with 138 forests operating on every major release of AD since Windows NT.

There are good reasons for this infestation of AD. When AD was first released, it was seen as an extension of Windows Workgroups and was implemented as a departmental, localized solution. As the years have gone by, AD has become an enterprise solution but many organizations are still managing it as a departmental solution. This legacy architecture keeps a lot of AD administrators employed and enables departments to act as a separate fiefdom within the overall enterprise. Although this local autonomy has some benefit, the complexity produced by multiple, unique AD implementations can prevent, or drastically increase the cost of, deployments of new, enterprise wide software and work processes.

The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc. The reasons for consolidation are clear, but there are significant barriers to success.

  1. Politics- Let’s face it, the big problem with AD consolidation is political. No one likes to give up local control of users and machines to a centralized bureaucracy. From a technical perspective, a consolidated AD model is clearly a more elegant approach to AD management. From the perspective of local versus centralized control, the best model is not so clear.
  2. Cost justification- It is very hard to write a business case for an AD consolidation project. Does consolidation reduce costs? Maybe, but probably not by much. You might be able to produce minor reductions in license costs, but consolidation rarely results in AD administrators being laid off. On the other hand, the actual consolidation project can cost a considerable amount. I have reviewed AD consolidation proposals from systems integrators that range in price from ~$200k to over $5million. The benefits derived from consolidation tend to be qualitative rather than quantitative. User portability, shared GAL (Global Address List) and consolidated reporting enhance productivity, but can you measure that enhancement in dollars?
  3. Complexity- An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Augean stables. Of course, if you miss something, users will not be able to log in, or find their fileshares, or access applications. No pressure.

How do you avoid all of this? You fight proliferation of AD at every turn and realize that consolidation is not a one-time event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support (I have yet to see such a requirement except for deployment of AD in an internet-facing DMZ). There is no avoiding the pain of consolidation when your existing environment is already fragmented, but once you build the core AD environment, you should not have to repeat that pain. Many clients that experience regular mergers and acquisitions have established defined processes with time lines for integrating new subsidiaries into the collective (Resistance is futile! Your AD will be absorbed within six months of merge date).

It is never too early to start on consolidation. The pain of consolidation increases the longer you wait to grapple with the situation. Take the bull by the horns and develop a strategy for consolidation now (full consolidation can take years to complete in very complex environments) and get started on implementation right away. While you are consolidating the existing AD environments do not allow any new domains or forests to be created!

Category: Uncategorized

The Real Meaning of “Intelligence” in IAM

by Earl Perkins  |  February 11, 2011  |  Comments Off

If you’ve been following some of our recent Gartner summits or research (as well as earlier blogs) you may have noticed a theme that has been expressed around “intelligence”, namely identity and access intelligence (IAI). At first glance, you may look at this and say “So what? This is just another name for printing up a compliance report, or collecting information about an access-related breach. Why do we need to name it something different?” I can certainly understand that sentiment. It seems like we (analyst firms, the media, vendors) always seem to be looking for a way to rename something so that it looks new and exciting– and so you’ll buy whatever is being sold under the new label.

With IAI, that isn’t our point. Oh, of course we’d like to sell more research, but Gartner and other firms also seek to be advocates for clients. That not only helps us because you’re more likely to buy from us if our advice is good, but it also helps you, the client. IAI is not about technology. It was never our intention to imply that in presentations or research. IAI should actually be the result of a culture change within IT and the enterprise. It should be the output of a shift in the way work is done, the way decisions are made, the way we actually USE what we know in IAM to best effect. It should be the goal that we strive for in IAM, the prerequisite to do effective access control, the means by which we can make (for example) better HR, project management, and risk  decisions, the measurable and real proof that accountability and transparency are occurring.

IAI can be the result of a change in mindset of what we do with the information at hand. Believe me, it won’t be the first time that enterprises have tried to tackle this– good intelligence is hard to find, difficult to create, and still harder to maintain as a discipline. It can involve speaking to people you’ve never spoken to before, using tools that you never knew were available, acquiring skills that aren’t in your usual training agenda. Building a center of excellence around IAI actually means becoming part of an enterprise security intelligence program. And THAT subsequently means becoming part of a business intelligence program. I think you can see the pattern.

Some of the clients I have spoken to have said “well that sounds great, but I just want to provision a new employee. I don’t have time for all of this fancy analytics stuff.” What is ironic is those same clients staff up, train, and organize to do the basics like provisioning, build and deliver the reports necessary for operations and compliance, and establish the relationships with the business to ensure the results of provisioning are felt. Whether they know it or not, they’re already involved in all of the same steps that, with just a little more effort, can expand the intelligence they have to work with to get provisioning done, and then some. Again, it is a change in mindset on how we use what we have to do what we do better.

So what am I saying here? Just that this isn’t yet another round of renaming reporting and dashboarding, moving around people, process, and technology like pieces on a chessboard. This can be the “real deal” if we understand that the end result is intelligence to make our identity-based decisions (IT or business) better.

Category: Uncategorized

Too Many Managers in Enterprise IAM?

by Earl Perkins  |  January 27, 2011  |  1 Comment

An interesting thing begins to happen when you’re assigned the job of researching and analyzing identity and access management. If you aren’t careful, you can begin to lose sight of just why IAM is actually being done, and more importantly, for whom? I’ve always had this uncomfortable feeling that as an analyst, as vendors, and even as buyers we don’t take the time to sort out just exactly who is doing the managing and who is doing the using. That sounds intuitively obvious, or as an old colleague of mine used to say: “it is quite intuitively obvious to the most casual observer at the merest cursory glance”. But if you step back and examine this thing called IAM critically and with an outsider’s eyes, some interesting things come to mind.

First, is IAM a set of products with owners? If so, what are the responsibilities these owners have in ensuring that management of identity and access actually happens? Or do they just “own” the products, much like an enterprise application owner would? Personally, I don’t believe IAM is a set of products, but let’s assume for the purposes of this discussion that it is. In many enterprises, IT would be the owners (what a shock). In this sense, to own might mean to manage the versions and releases of the products, the software presence on the server or servers, the customization that occurred to get the software to run, the databases and directories needed, and the SLA that outlined the expectations of the software’s performance and availability. I’m sure I’m forgetting other things being an owner might entail, but you have the gist of it. You notice, however, that this describes managing the products, not the elements it is chartered to deliver.

All of that is managing the products, not really managing identities and access. Let’s try a different lens to view IAM. Perhaps IAM is a set of processes in an enterprise that delivers the right kind of access to the right applications for the right people at the right time– a lot of “rights”, as it were. In that sense, there may be some kind of access process to be owned by someone, as well as an administration process. Again, guess who probably gets that responsibility? Yep– IT, though some administration of identity might actually be done by some other parties like HR.

Now there is this idea of an intelligence process too, where you can use information from the access and administration experience, properly analyzed and formatted, to make different kinds of IT AND business decisions. Compliance reporting is an example of this. When that happens, who is doing the managing of identity and access? If consumers of identity and access intelligence need those identities to change or those accesses to be modified as a result of what the intelligence tells them, they are actually beginning to manage, as it were.

What’s the point of this rambling? I would like you to consider what the management of identity and access really means, and who is really doing the management. I want you to separate ownership of products and resources from the actual management experience (as many of you have). I want you to take up a different lens to view the act of managing identity and truly see that, in a process, there are many managers. There may actually be process owners that will manage not only the process itself, but the inputs and outputs from that process. There may be intelligence consumers that will manage the identities because they know now how they’re being used, and what they’re being used for, and under what circumstances. And of course, there will be custodians that will manage the repositories of raw and refined identity information, from directories to entitlement catalogs, to ensure that the use of identity to perform access is an effective, secure experience. Managers are also stakeholders in the success of IAM, particularly when those managers are also the consumers of IAM.

So the next time you have a discussion about identity and access management, spend some time thinking about how many managers you can fit into the picture and who they really are.

Category: Uncategorized

Identity in 2011: Anything but Dull

by Earl Perkins  |  January 6, 2011  |  Comments Off

I watched throughout December 2010 all of the “predictions” and “projections” for the coming year, and was somewhat depressed. I am not that good at making predictions, an unwise admission as an analyst. It’s fun as long as no one takes you seriously, otherwise it can be a problem. I am however a lover of history, and what history teaches us about the possible future. Maybe if I apply history as a predictor, we can make some general assumptions about 2011 that could be useful.

2010 certainly saw some changes in the market landscape, with a number of acquisitions specific to identity and access. I expect more this year, even one or two large and significant ones. I also believe the acquisitions will start quickly– after all, year-end is an artificial demarcation point for many enterprises, and won’t slow them down. Digesting the existing acquisitions will consume a lot of energy in 2011– there are likely to be some “mid-course” corrections in the earlier 2010 acquisitions as the new owners come to terms with the reality of integration and the results of sales training on the new products.

The administration side of IAM will come into its own in 2011. Provisioning and access certification grew in 2010 and will grow more, though I think provisioning is starting to undergo architectural transformations as it matures, becoming less of a focus after this year than some of the higher-order features and “business-adjacent” components of IAM (such as certification, analytics, etc.). The intelligence derived from identity access and administration will become more valuable (for the business anyway) than the functions of access and administration. Different faces and different audiences will see and hear about IAM this year, and will participate more in decisions affecting products and services.

And speaking of services– I continue to have hope for the entrepreneurs that believe there is a viable alternative means of delivering IAM, through software as a service, in cloud computing environments and/or for cloud-based services. 2011 is a big pioneer year, i.e. those customers brave enough to cross the new prairie without ending up face down and sprouting arrows, those willing to upgrade or extend existing IAM with IAM as a service, or those that have never used IAM formally but are ready to make a move without mortgaging their homes. It began in 2010, but will continue in 2011. Acquisitions in 2011 will also reflect the evolving view of who will own such services, whether traditional IAM product vendors, traditional IT service providers, or someone new. There will be some surprise owners before 2011 is done.

We should also watch for government-driven changes in IAM in 2011, from industry-specific regulatory changes to the need for the IAM industry to address public-sector concerns of cost, availability, and function. Higher education and state/local governments (internationally) are particularly interested in broadening the field of options in IAM to the point where the more traditional monolithic IAM projects costing great sums of money are becoming increasingly hard to justify. Health care and energy/utility industries are also bringing added focus to the maturation of products and services tailored for them. Some IAM acquisitions and feature changes introduced in 2010 reflect this focus and trend.

2011 will be the year that more mature IAM users will rethink the role of IAM in their enterprise, relegating functions of IAM to a broader IT and information security architecture and design and beginning the process of “inclusion”, i.e. absorbing IAM functions and responsibilities into IT rather than treating them separately from IT in general and information security in particular. This is a program maturity phase that optimizes IAM capability and has it assume its earned role in IT and the business.

Wait a minute. I thought I said that I was no good at prediction. Forget everything written here. After all– who can predict the future?  Happy New Year, or as the curse goes: may you live in interesting times.


Additional Observations on the Attachmate Acquisition of Novell

by Earl Perkins  |  November 23, 2010  |  3 Comments

As the details of Attachmate’s acquisition of Novell become available, I wanted to add a few more observations to the discussion.

First, I’m struck by the level and intensity of interest in the acquisition itself. While Novell has been in the industry for many years (founded in 1979!), its revenues and relative size seem out of proportion to the level of speculation and analysis that I’ve seen in the past 24 hours. Of course, being an analyst that has covered Novell for almost a decade, perhaps I’m too close to this. But so are many others, ranging from ISV channel watchers to Linux pundits, from analysts in email/collaboration to systems resource management. As a result, there’s a lot to read today, each from many different perspectives. Finding your way to a broad view of Novell becomes increasingly difficult– we seem to view the company as the sum of its parts rather than a whole. And therein may lie one of the swan songs of the company. While Novell executives were striving to weave these separate stories together into a business view of “intelligent workload management”, it remained difficult to give up the legacy, tactical solution messages that had served them well in the past.

Novell underwent a series of transformations in its lifetime, and in doing so entered many facets of IT through acquisition and development. The company essentially remade itself several times in an attempt to remain relevant to the market. In doing so, it amassed an impressive array of patents across many different IT infrastructure disciplines, in operating systems, security, storage, and networking, to name a few. Of the stories about the acquisition, this one is particularly intriguing. I can understand the goal of Attachmate in acquiring and utilizing mature and established solutions. I can also understand their desire to avail themselves of Novell’s cloud strategy and efforts to grow the systems resource management space. But it’s the patent deal that I find truly interesting.

There is much speculation at present about exactly what is in the 800+ patents that the consortium of companies CPTN Holdings will purchase. Of course, CPTN Holdings didn’t exist before November 2010, so you have to wonder who knew what and when they knew it (baby boomers, do you remember this phrase?). The role of Microsoft in this is becoming more interesting as this sale develops. Time (and SEC filings) will provide a clearer answer. It makes open source and Linux users of all stripes nervous, though, until we know more. It is disconcerting to see the volatility of open source support increasing after the acquisition of Sun Microsystems by Oracle, and now this acquisition. While one tries to remain optimistic, my cynical view of markets tends to prepare for the worst instead of hoping for the best.

In the midst of all of this, of course, is the identity and access management impact. I see challenges for Quest Software ahead, since they often go head-to-head with Attachmate-NetIQ for Microsoft-centric administration customers. I see some relief for the “Big Three” in IAM now, CA, IBM Tivoli, and Oracle, now that a spoiler in many ways may be out for a bit during the ‘absorption’ phase of acquisition. I see advantages for smaller and more nimble players such as Courion, as well as obvious beneficiaries like Microsoft. What will be interesting to see in the days ahead is the impact this has on Novell partners: Verizon in cloud security, VMware in virtualization, SAP in IAM, and Deloitte in IAM consulting and system integration. One would expect Attachmate not to shoot the goose that lays golden eggs, but you never know.

And there remains the unspoken question on whether the sales are over.

Other than that, it is pretty quiet going into the holiday period. Remember, there are still more days left in the year for more acquisition excitement in the IAM industry.

Gartner is preparing an Event note on this topic that will consolidate the analysis of literally dozens of analysts that have covered and do cover Novell and Attachmate as a whole. It should be released within weeks. In the meantime, Novell customers should be calm and not take hasty action. Be prepared to make your feelings known to Attachmate on a variety of topics, not the least of which is ongoing maintenance and support contracts for existing Novell deployments. This was a problem area in the Oracle-Sun acquisition, and it is often a sore point in most acquisitions. Observe the split of Novell among Attachmate divisions carefully to determine the impact on roadmaps you may have that combined Novell solutions in the past. Stay tuned for more speculation and analysis in the days ahead.

And buckle your seatbelts.

Happy Thanksgiving!


The End of an Era: Attachmate Acquires Novell

by Earl Perkins  |  November 22, 2010  |  3 Comments

I knew that I would have to write this blog at some point in 2010, but I didn’t know when.

Attachmate’s acquisition of Novell for $2.2B signals the end of an era. Novell represents one of the original key players in the network operating system and identity management period from the early 1990s until today. In fact, one could make an interesting case that the company made Microsoft what it is today through the early market battle between Novell NetWare and Microsoft Windows Server. We all know how that battle ended, but in the long run Windows Server was a better product because of it.

Novell had significant and continued influence on many vendors, ranging from the identity and access management market to the Linux market, from email to virtualization, and of course security. In most of those cases the company made a good to excellent showing of technology and was quick to improve upon it and in some cases to outpace its competitors both in terms of vision and architecture.

But not in execution.

Each time there were innovations to be parlayed into market share, the execution failed to materialize. There were a number of causes: timing, marketing, acquisition missteps, and others. The company often seemed to be in the wrong place at the wrong time, or experienced a confluence of bad partners and bad economies. When it seemed that it might be able to recover from one of these ‘curses’, another would take its place.

But what remained consistent throughout most of Novell’s existence was by and large the technical quality of most of its products. In spite of considerable turnover throughout the ranks of the company over the past decade, product quality and innovation remained consistent. That could not be said of the legendary Novell customer support, which suffered over the past years following the Cambridge Technology Partners acquisition and subsequent divestiture. While a services partnership change was the right thing to do, execution again led to some problems with that support.

Many decisions will lie ahead for Attachmate, including product positioning and branding, management restructuring, and possible division sales. It will be a period of transition for the Novell employee and the Novell faithful.

What is clear is that the breadth and number of customers ensures that many of the products will live on in an Attachmate universe– if they stay there. For IAM, a world-class directory, provisioning, access management, and SIEM portfolio (among other elements) will continue for its customers, though you may expect some delays in feature updates while organization, product engineering and product management concerns within Attachmate are worked out. Of course, I thought that way with many of Sun’s solutions until they were acquired by Oracle. But this is not an acquisition that has such broad product overlaps. It affords Novell products a greater chance at survival.

The final irony of the announcement is that CPTN Holdings is a consortium of technology companies organized by Microsoft! So $450 million of Novell IP is likely to make its way through CPTN to Microsoft. It isn’t yet clear what that IP is, but it will be revealed in the days ahead. If that isn’t ironic enough, Attachmate is backed by private equity firms Francisco Partners, Golden Gate Capital and Thoma Bravo. Attachmate’s offer of $6.10 per share followed the $5.75 a share offer earlier in the year by investment firm Elliott Management Corporation, one of Novell’s largest shareholders. Novell rejected that offer then, but as part of this deal, Elliott is to become an equity shareholder in Attachmate. One way or another, Elliott participated in the final phases of Novell’s acquisition.
