Are We Ready For Managed Identity Services?

There have been several announcements recently around identity management as a
managed service:

  • Oracle and Wipro are going to market together with managed services
    supporting Oracle’s entire portfolio of identity management products.
  • Covisint launched its Trusted Identity Broker, an outsourced service that
    helps organizations quickly deploy federation and connect to partners
    through Covisint’s established and successful federation hub.
  • Mycroft merged with Talisen, and the new company, Mycroft Talisen, is
    blending identity management system integration with outsourced operations.
    For those who don’t know these companies, Mycroft is a boutique integrator
    focusing on identity management, and has been involved in some of the more
    envelope-pushing deployments, though it is their expertise and efficiency in
    implementations for the rank and file that have brought them the greatest
    success. Talisen provides managed services in Network and Security Systems
    Management, and consulting in BPM and IT Process/ITIL.

Each has a different perspective on the challenges of identity and the value
proposition they offer, and that difference is worth examining. Here’s what
each provider brings to the table:

  • Wipro’s core competency is in operations. It offers support for the
    entire Oracle Identity Suite, but most of its experience is in Web SSO (a
    market in which it used to compete with its own product). This would seem to
    work best for organizations that already have an outsourcing relationship with
    Wipro, and those who are specifically interested in (or indifferent to)
    using Oracle’s identity products.
  • Mycroft Talisen’s core competency is in implementation from the
    standpoint of integration and customization. It brings identity management
    expertise that covers all products and is vendor agnostic – it has a
    solid track record for all the major brands and products, and experience with
    many others. Its implementation expertise also takes form in managing the scope
    of application integration and business process design efforts. All its
    implementations are grounded in what Mycroft calls "Base Builds" for
    the various products that are on the market. The approach speeds delivery
    and directs clients’ time and money to those things that are specific to their
    environments rather than to what has been repeatedly solved in the field.
  • Covisint’s competencies are in implementation from the standpoint of application
    integration and in the related area of federation interoperability. Its
    technology expertise gets federation projects up and running more quickly from
    an application integration standpoint, while it addresses clients’ partner
    interoperability and the business trust issues through its role in managing a
    trusted network of connected organizations. Early interest and easy
    opportunities will likely come from suppliers or partners of Covisint’s automotive
    clients. There are many other opportunities for market expansion – financial
    services, healthcare, insurance, government – that can follow, but in each
    vertical they will face the hurdle of finding an anchor tenant.

But what is the real barrier to identity management adoption that managed
services removes? And which provider is in the best position to remove it?

  • Is Covisint right? Is federation adoption so disappointingly slow because
    companies are worried about competing standards? That is indeed a real concern.
    But the inability of most to draft a convincing business case, lack of solid
    identity infrastructure built out, and lack of eager partners with whom to
    federate, are the principal market inhibitors working here.
  • Is Wipro right? Is the operational overhead
    in maintaining a functionally rich identity management infrastructure holding
    back the market? Very doubtful. Otherwise, we’d see many functioning projects
    abandoned, scaled back, or already handed over to Wipro and other firms
    competent at wringing efficiencies out of working systems.
  • Is Mycroft Talisen right? Is it the unexpectedly or unacceptably high
    initial costs around application integration, systems integration, and
    business process and policy modeling that repeatedly cause organizations to
    reset initial expectations, miss project goals, or abandon their identity
    management endeavors altogether? I certainly think so. The operational
    component is needed and perhaps attractive, but it is the initial complexity
    and cost that are the inhibitors for IM adoption.

So my bet is on Mycroft Talisen. And hats off to them for coming together with
just the right vision, with just the right approach, at just the right time. Their
combined expertise in identity management implementation and managed
services/operational support is just what’s needed to show the way towards
identity management for the masses. They certainly aren’t the only ones focusing
on expanding the market pie by making identity management more digestible, rather
than just selling more products: I see PwC’s precanned business processes for
identity management providing similar value in a related realm.

To that, all vendors and providers should look with some envy, but more with
appreciation. It’s a sad fact that after all this time, identity management
remains a set of technologies attainable only to the privileged few willing and
able to invest so much time, effort, and money. This is why it’s so frustrating
for us at Forrester to watch all these excellent thinkers and developers
focusing on such speculative concepts as user-centric identity when, more than
10 years after LDAP, most applications are still not even directory enabled and
the state of most organizations’ identity data infrastructure remains one of
ghastly disarray. The promise of identity hasn’t been held back by vision or
technology, but by plain old market execution. Vendors too often reach for the
promise of the next big thing like children in front of a shiny new toy,
leaving customers with last year’s tattered and faded technologies that
fall far short of sustainability.

If Mycroft Talisen succeeds, and we think they will, it won’t cause major
disruptions or displacements in the vendor or services landscape. Let’s put this
in perspective: I don't expect Mycroft Talisen to reach Infosys-level
proportions. But many vendors and services firms will watch, learn, and
emulate. Managed identity services is precisely what we need to start expanding
the addressable market for identity management beyond the Global 2000 to a market
more than ten times that size. And for that, we heartily applaud each of these
three vendors for taking the first credible steps.


re: Are We Ready For Managed Identity Services?

Having worked with Mycroft in the past, I too am excited to see them merge with Talisen. One of the biggest issues I see with Identity Management from a deployment perspective that I have been harping on for some time is around reflecting the Right Process in a deployment. Having provisioned about 1M users, time and time again I saw the focus being on the as-is process being reflected in the shiny new toy deployment vs. focusing on a key value of identity management which is to embed the Right Process into the new application and provide auditability and automation to everyday business process. The PwC's of the world understand this, however there is more revenue in discovery of current process then mapping new process then doing the build. My recommendation is spend the time on the to-be process (Right process) and save some time and money and get a successful project under your belt.

re: Are We Ready For Managed Identity Services?

You're absolutely right about how companies often take the wrong approach to implementation. Too often, organizations think that mirroring current processes into new identity systems is actually the easy way to get started, when it's not. They fail to recognize or appreciate the effort it takes to redesign and improve processes once they are codified into these systems. This holds even more true when outsourcing identity management. Many outsourcers are quite capable of fork-lifting existing processes into their managed environment. But rarely are they well equipped to transform these processes into something more rational and streamlined, and codify this into an agile identity system. We at Forrester always recommend undertaking the effort first to update and improve your processes first before implementation, regardless of whether you're outsourcing or not. But if you are, most outsourcers lack the expertise in helping with that endeavor and aren't as capable here as they are in simply offloading the environment as it stands.

re: Are We Ready For Managed Identity Services?

Hey Jonathan: Long time no talk. I agree wholeheartedly with you on the notion that a managed identity services offering is the next evolutionary stage, and a trend that will start to manifest in the coming months. I predict that you will see service "layering" starting to show up, whereby several services could be combined to address common business cases related to identity management, for example federation combined with identity verification services. But I think that there are barriers to entry that span beyond the identity enabling of applications, which by the way, I also concur, has been a hindrance in the wide adoption of identity management solutions (it is somewhat similar to the dependency on oil as our main source of energy, even when there are more efficient, cost-effective and safer energy sources). The barriers I refer to are the legal and risk management frameworks, ranging from liability, SLA and privacy. The real issue in my view is that the IDaaS model will only take off once we have defined the right risk management framework, such that companies (beyond the Global 2000), can entrust a 3rd party to manage the electronic identities of their employees from a business perspective. For a company that has business in Germany for instance, this will be a difficult hurdle. Quickly you will see similar hurdles. Nonetheless, these hurdles can be mitigated, so long as the right focus and critical mass is applied to addressing them, in parallel to identity enabling applications of course.

re: Are We Ready For Managed Identity Services?

Frank, While I agree with your layered approach consumer based Identity Services (lower legal weights assigned to lower risk identity services), I believe it's important to distinguish between 1) intra-enterprise SOA-like IDaaS architectures, 2) outsourcing parts of homogeneous enterprise identity ecosystems and 3) consumer identity provider services. For 1) and 2) privacy frameworks are important but not crucial to exist - organizations can handle legal issues on their own in contracts with employees and partners. For 3), the global quest for mutually acceptable legal frameworks is continuing. Liberty Alliance's Identity Governance Framework is clearly a step in this direction - we expect more regulation in this space to emerge. In the United States 3rd party Identity Providers for consumers will likely include banks and other financial institutions. Our quick polls with our clients indicate that consumers are willing to pay for reliable Identity Provider service, provided that identities are accepted by Relying Parties. In the European Union, local and state governments already administering widely accepted physical identity tokens (ID Cards) will provide identities. Commercial payment card companies (Visa, MasterCard or AmEx) could also act as identity proxies by providing 3rd party trust networks between identity providers and service providers.

re: Are We Ready For Managed Identity Services?

Andras: I appreciate your comments but do not exactly agree with your views on points 1 and 2, and without going too far, I will illustrate with a real example from the pharmaceutical space: the independent investigators community. Pharmaceutical companies need to engage with independent doctors and researchers in new drug trials. I guess you could say that they are "partners" to the pharma company in this case, but these are often independent professionals, not affiliated in a true B2B capacity. Now, given the sensitivity of the process, you can imagine that a) ensuring that their identity as a valid user for this process is vetted, and b) that wherever possible and to encourage participation, the process from recruitment to completion is done with minimal disruption of the busy schedule of the individual investigator (hence the existence of SAFE). Now, factor in that this may be done in multiple countries, and by many pharma companies hitting the same user population. This example in my view exemplifies why the legal and risk mitigation frameworks are vital in order for managed identity services to stand, particularly in sensitive B2B scenarios such as the one I just described. Clearly if the sole purpose was internal consumption only (i.e. B2E), then this risk is mitigated already, as you pointed out. I agree 100% on point 3 and your comments around communities of, and often government-mandated and operated, identity providers. This is already the case, and the model is quickly approaching the B2B and G2B spaces. Clearly this is an interesting topic of discussion.

re: Are We Ready For Managed Identity Services?

My comments on the implementation issues as a barrier are directed at the managed services model here. Most commonly, organizations select a managed service versus in-house because of cost, time, and resource constraints: outsourcers' value prop is that they can do it cheaper, they can take off your plate many aspects of the project that would otherwise take up your attention, and they have the expertise that you may lack internally to implement the product. With identity management, there's so much more IT integration and business process analysis that this goes beyond the core competency of outsourcers. My original post was meant to highlight this: we see the implementation expense is the significant aspect, not the operational expense. There are also opportunities that come with managed identity services, or needs that can more easily be filled when identity management is operated as a managed service. ID proofing of partners, contractors or independent agents is one such need. We see this most obviously with federation (and what Covisint is doing) since this is usually about interoperability and the integration across two different organizations, not simply the integration of two products/systems. Here, the play to trust and facilitating the codification of trust into a digital environment is important. Naturally, if other aspects of identity management also extend beyond the enterprise -- eg, security administration (ie, provisioning) and authentication (ie, credentialing) -- then issues of trust and verification also come into play, and the Identity Management service providers can augment their base-level offerings with such additional services. Another area I'm seeing interest in augmented solutions is auditing & reporting. The main identity management products have some basic level auditing and reporting but don't provide as deep an insight as many companies would like.
It would be natural (even if not simple) for an Identity Management service provider to add extra reporting, event management and BI tools tailored for the identity systems they host.

re: Are We Ready For Managed Identity Services?

Jonathan, Not to revive a dead thread...but was wondering what your thoughts are about Ian Yip's managed identity services survey: ( ?