Administration of identity & access must level up due to cloud.

First of all, I’ll define what I mean by cloud in 10 words: cloud is outsourcing some layer of services from you infrastructure. This thought comes after meeting a large healthcare organization that’s putting their “back office” operations in an MSP. This is having a significant impact on how they are viewing administration of IT. When you own operations and administration, you can easily blend the two. If you have an administrative issue that would be made easier by shifting something about the operations of your IT resources, you do it. But when operations is a black box, then you actually have to make your administration solve all your challenges. That is new for many.

This organization is putting most of the non-clinical systems in an MSP, or in the cloud if you prefer, and that means there are many IAM challenges. Where do accounts originate? Who controls the authoritative data about users? Because so many clinical and other applications require it, they are keeping much of the directory infrastructure in house. How do changes flow in both directions when there are automated process and human admins and operators on both sides? How can all the changes from both ends be tracked? How can the state, the changes and the policies be kept in line with regulatory requirements? It’s a daunting set of challenges.

Right now they have their hands full just making it all happen. And they have plenty of parties (each site, the central IT organization, various consulting organizations, all the vendors) that are all involved in the project as it’s ongoing. When I sat down with them and many of these parties, it was hard enough just playing catch up to see who was responsible for what. We were there to discuss many of the pains they are experiencing in the phase they are in now and where Quest can help. What I immediately started to envision were the pains of the next phase. I think Quest can help with those, too, but I’m hoping they were receptive to my suggestions about it all. My basic message was that they are going to have to arm their administrators with a new kind of toolset and those administrators were going to have to have a new, leveled up approach. They were going to have to think less like technologists and more like data architects. What will matter most going forward is having very sound and robust models for data, policies and processes. Otherwise they would fall back into old ways of thinking and likely find themselves without the ability to make those level of changes to the MSP hosted systems. Or, even worse, waste time fighting with the MSP to change operational details – a fight where they finance both sides of the battle and take both sides’ losses as well.

Identity Vendor Soup – Gartner IAM Summit 2009 part 1

Since there is so much to say about Gartner IAM Summit 2009, I wanted to break it up a bit. The first thing I wanted to do was get the vendor stuff out of the way. When I get to the topical stuff I’m sure some vendors will be involved, but there is much to say about what happened in exhibition hall.

Possibly the most talked about thing on the floor was the size comparison of the Oracle and Sun booths. Oracle had the biggest possible booth and, predictably, Sun had the very smallest. Sun was literally on the far wall alongside niche players and new entrants. Of course this just makes sense, but everyone was talking about it. I should have taken pictures. To add to this drama, the announcement about the EU’s objections to the merger was made while we were at the show and that just set people off talking about it all again after the booth comparison finally died down. The most sensible thoughts were all centered around the wisdom that it would be years before anything really happened to Sun’s IAM offerings. In fact, Gartner even said as much during the session about the magic quadrant. Yet many people were convinced, all wisdom aside, that this merger was going to be about Oracle raking Sun customers over the coals.

Aside from the Oracle and Sun drama, the show floor was not too exciting. Gartner always has a way of making sure their clients know the show is all about them – this time was no exception. All the booths were in the basement. That said, they only served lunch and drinks by the booths; so there was a captive audience at times. It seemed to me, watching the other attendees, that most folks didn’t really spend a lot of time talking to vendors. From my place in the center of the floor at the Quest booth, I could see pretty much everything. There was only 6 hours of booth time, and I’d say only half of that was really about vendor time (the other half was eating time). The people who came to our booth were either interested in something very specific, or on a mission to talk to everyone a bit and get the lay of the land.

The busiest booth seemed to be Aveksa’s. Sailpoint and Cyber-Ark got some good traffic, too. No surprises there. They are all in the sweet spots of their fields. The only booths I couldn’t see were Oracle and Novell. Of course, those were the biggest booths and they were right at the entrance of the floor. I’m assuming they got some good traffic just because of that.

It seemed to me the best user/vendor interactions were side meetings, which there were tons of, and the use cases that the vendors sponsored. That’s one of the very cool things about Gartner’s shows. The user is in the focus and everything is designed to make sure that it stays that way.

Next post in a few days (or sooner) and it will concentrate on what I took away from the sessions.

M&A and divestitures in the light of IAM and security

i was at the Technology Managers Forum security conference today (http://www.techforum.com/sf2009_1/index.html). it was a really good event packed with a lot of engaged people. we held a panel about M&A and divestitures and had a really good conversation. the conclusion is that planning and policy, like with so many other things, is the key to doing any of this well. but everyone also acknowledged that especially in today’s fast paced divestures and M&A driven by market conditions instead of business growth, there isn’t always time for the best plan and having a decisive direction and good tools is the only substitute.

we only had 45 minutes so we didn’t get into a heck of a lot of details. but i was wishing we had triple that by the end because the audience was participating and so many good threads were started and then cut off in the end. i’m sure we’ll get another chance to dive deeper.

feel free to post thoughts here and we can talk it out…