Looking back to look forward: Thoughts on HP acquiring Trustgenix

So another player in the identity market has been absorbed. HP is acquiring Trustgenix. Reading Andre’s blog entry on this subject got me nostalgic. Maybe it’s the season. Maybe it’s the leftover turkey’s tryptophan.

Being part of the 1st generation of user provisioning tools in the market, and having been acquired by a “suite” vendor, I’ve had a ringside seat to watch the industry expand and contract. There was the first wave of expansion with Access360, Business Layers, Waveset, BMC for provisioning and Oblix, Netegrity, Securant, DASCOM, Entegrity for web access control. There was Courion and M-Tech for password management. Among the meta-directory group you had iPlanet, Novell, Siemens, Zoomit. OctetString and RadiantLogic were there for virtual directory services. Then there was the first major market contraction. The bubble had burst. We had blown through our cash. The dreams we had of making a squillion dollars vanished… now we had to actually work for our money. In this first major contraction, we saw CA eat Netegrity who ate Business Layers. IBM swallowed Access360, DASCOM, and Metamerge while Sun consumed Waveset. RSA bought Securant. Microsoft got Zoomit. Oracle bought Oblix and, recently, Thor and OctetString. (The ink has barely dried on this one but I consider it the tail end of the first market contraction.)

As the first market contraction was going on, the second wave of expansion was beginning. This centered around web services, federation, SOA, and the like. In this second wave, there are players like: Trustgenix, PingIdentity, Sxip, SOA Software, Layer 7, Symlabs. We have started to see the second contraction as HP acquires Trustgenix. There will be more to come. The real question is will the identity suite vendors buy companies from this wave, or will more traditional middleware vendors snatch these players up? Federation and web services deal more with a business interaction as it happens. They deal with identity issues on the fly. Vendors from the first wave focused on the setup and tear down of identity around the business interaction. The BEA Weblogics and IBM Webspheres of the world deal with business interactions in flight and probably are more interested in the second wave vendors than the pure identity suite vendors.

What’s going on now? The third wave of identity is rolling along now. The third wave focuses on activity in applications, information governance, identity in the network, and role / privilege analysis. Here we find us, Eurekify, Bridgestream, Prodigen, Tizor, Consul, Virsa, and others. This wave brings a new perspective, an identity-focused perspective, to old subjects like network and application activity. This new perspective was long in coming.

Where is this market going? We have yet to see a second and third wave of contraction in the market, and we are bound to. The quest for the complete identity suite is winding down as vendors realize how hard it is to stitch together all the pieces they need. Instead of unifying policy tools, we’ll get unified reporting in the name of compliance. Business orchestration tools will consume a lot of the federated and SOA players out there.

As one vendor gets absorbed into another, new ones spring up. We are starting to see a lot of activity in reputation, portable identity, Identity 2.0, etc. As this market matures, it keeps getting more and more interesting.


Why I don’t travel for major holidays or How the FBI stole Christmas (and our privacy)

Bruce Schneier posted an essay he wrote on Surveillance and Oversight over on his blog.  He compares the FBI’s actions over a potential terrorist threat during Christmas 2003 to the response to a potential riot by the Rotterdam police force.  He illustrates how the FBI’s lack of judicial oversight coupled with FISA warrants and national security letters leads to its ability to consume massive amounts of data about people without their consent and knowledge.

I used to say, it didn’t really matter what the government collected about me as I wasn’t that interesting.  But at some point, something just snapped inside, and I have become fiercely protective of my data and distrustful of the government’s ability to do the right thing with that data.  I am still not that interesting, but that doesn’t mean I want the FBI hoovering up bits of me from hotels, credit card companies, airlines, and libraries.

Okay, so we don’t have an explicit Constitutional right to privacy.  The Supreme Court’s rulings have helped establish privacy as a basic human right.  We certainly don’t have an explicit Constitutional right to anonymity.  Yes, there are cases around various aspects of anonymity, but nothing overly definitive and nothing explicit.  It would be interesting for someone to write a history of anonymity.  I’d love to see a time-line of when we lost our ability to be anonymous citizens, tourists, and customers.

As Turkey Day approaches, let us be thankful for what privacy we have, that there are people still interested in our digital and personal freedoms, and that you paid cash for that turkey.

Ian Glazer


Attack of the YAMS: Thoughts on the Role Management Panel at Digital ID World

I was thinking about the role management panel at Digital ID World in New York this weekend. My first reaction to the panel discussion, which consisted of BearingPoint, Prodigen, Bridgestream, and Thor, was that roles are finally growing up. The idea that roles require lifecycle management just as identities do is, at first, a little shocking but then makes a great deal of sense. Working in the enterprise provisioning market for years, I got used to hearing how hard it was to complete a role deployment. At the same time you had Burton Group and others professing the value of roles. Customers were fighting both the difficulties in deploying identity management solutions as well as the difficulties in understanding and leveraging roles. As the industry provided better automation for the provisioning problem, we saw deployment times go down. But, roles were still tough to deal with. We are now seeing tools to help truly automate the role lifecycle management problem.

One of the points that was agreed upon by the panel members was that business roles are separate from IT roles. Who I am in a company is very different than my privilege sets in target systems. Some provisioning products attempt to make this distinction. By elevating roles to a discipline that truly needs its own tooling, we will be able to manage that distinction far better than we can today. I do wonder if potential customers will still look at roles as too difficult and not address them appropriately. “Roles are hard. See… they have to have tools to deal with them,” I can hear a potential buyer say. To this, I often respond with a wink, “IT would be simple if we didn’t have end-users.”

My concern with role lifecycle management is not with the concept itself. I think this is a space that was long in coming. My concern is role lifecycle management is yet another “Management” or YAM. Our industry is full of YAMs. We’ve got the access YAM, provisioning YAM, strong authentication YAM, network security YAM, federation YAM. As we look forward to 2006, I think we are going to see pushback against YAMs. Customers are growing weary of yet another policy tool, yet another reporting tool, and another YAM. I think that some of the false hope in the past market consolidation and the IdM suite vendors was that they would cut down on the YAMs. The dream of a single tool that translated business goals and regulations into their various IdM components: access, privacy, provisioning, etc, has yet to be realized. I worry that the number of YAMs keeps increasing without unifying language and tooling. I worry that the industry is over-specializing without having generalist tools to link these specializations together.

It’s good to see these vendors working together to tackle the role lifecycle management problem from different sides. In their own way, they are fighting the YAMs. We need more impromptu collaborations between solution vendors, deployment specialists, and visionaries. We need less YAMs.

With Thanksgiving fast upon us, I leave you with a yam recipe that will leave your guests in a food coma. If we can’t help fight YAMs in our products, we can at least fight yams one fork at a time!
