As the year begins to draw to a close, I have been talking to a number of IAM vendors about their plans for the future. They in turn have been talking to me about Gartner’s view of customers future IAM plans. We often compare notes on what their customers are saying vs. what Gartner hears customers from everywhere saying. All of this information is funneled into the planning process for roadmaps for 2010 and beyond.
These kinds of talks are intriguing for me, because they not only reveal what IAM vendors think are the ‘next big thing’ to conquer in this market, it also forces analyst and vendor alike to really think outside of the box on how to solve them. This is a classic example of trying to determine whether there is another way to address core customer concerns rather than the way we have been addressing it. Maybe a little heresy is needed here: sometimes you don’t give customers what they want, you give them what they need– IF you can be relatively sure of the real need vs. the perceived need.
Take a look at the history of IAM. What are the key problems that have been around for decades that are constant, even though there may have been two or three different attempts by vendors to address them? What has changed to (a) make new problems or (b) make the old problems worse? What is available now that can address the new face these problems present without layering or adding on a new application to the IAM portfolio or a new series of services yet again for customers to buy?
Some IAM vendors believe that one constant problem is ensuring secure access to important data– period. In their view, data is the atomic target, i.e. the smallest building block IAM must address as a distinct element when delivering services to access it securely. They also believe that the changes in business that have caused that data to be so ‘dispersed’ and so varied from its original starting point (e.g. extracts of databases, content created from different data elements) and how it can be accessed in so many ways (e.g. mobile, desktop, laptop) that this mission of securing access is more complex than ever.
Other vendors believe that the key to really effective IAM is knowing everything about the access event, i.e. having the pulse of identity and access events so that assessing secure access is straightforward and thorough, that reporting who has access to what, when, where and how can be done and done quickly, that finding bad guys doing bad things faster and stopping them faster is true IAM strategy. They obsess over how their products and services might create monitoring and reporting capabilities for identity actions to address such concerns. And doing that while making money too and while customers don’t go bankrupt buying the solutions.
So are these both truly chronic problems? I think the answer to that is easy– yes! And these aren’t the only old problems that remain unsolved– I’m sure the conversations on how to solve these and others will continue.
I have one last musing, if you don’t mind. My colleagues and I were discussing the results of these vendor conversations and comparing them with our research, and we noticed how much alike the IAM market is to other IT markets. You see folks with specific ideas about how to solve specific IAM concerns (a “problem-let”?), and out of that arises an IAM startup that produces (with its solutions) one view of solving those specific concerns. If enough of them try to solve the same concerns, a market is born. Eventually a consolidation occurs where those concerns may be combined with related IAM concerns and an IAM suite is born. You can use whatever analogy suits you (e.g. big fish eating small fish, cells that combine into organs) but you see this cycle repeated quite often. This is free enterprise at its finest.
But vendors and analysts alike also think perhaps there is a limit to how this model serves the ultimate goal of solving long-term, chronic core problems that IAM is supposed to address. Are we really being efficient (or effective) in the way we solve chronic problems by being so focused on specific concerns that we fail to uncover a more elegant means to solve the larger problem? I’m not coming down on the side of suite vendors, and I’m not advocating some kind of monolithic think tank to bring entrepreneurs together to discuss how their particular solutions fit a broader picture, but as a customer it wouldn’t hurt next time you talk to any IAM vendor to get their opinion on the “grand vision” of IAM as delivered by their solutions. The answer may surprise (or scare) you.
And now that I’ve probably depressed everyone, Happy Holidays!