Security & Risk Management


Posted by Jonathan Penn on August 6, 2007

Are We Ready For Managed Identity Services?

There have been several announcements recently around identity management as a managed service:

  • Oracle and Wipro are going to market together with managed services supporting Oracle’s entire portfolio of identity management products.
  • Covisint launched its Trusted Identity Broker, an outsourced service that helps organizations quickly deploy federation and connect to partners through Covisint’s established and successful federation hub.
  • Mycroft merged with Talisen and the new company, Mycroft Talisen, is blending identity management system integration with outsourced operations. For those who don’t know these companies, Mycroft is a boutique integrator focusing on identity management, and has been involved in some of the more envelope-pushing deployments, though it is their expertise and efficiency in implementations for the rank and file that have brought them the greatest success. Talisen provides managed services in Network and Security Systems Management, and consulting in BPM and IT Process/ITIL.

Each has a different perspective on the challenges of identity and the value proposition they offer; and that difference is worth examining. Here’s what each provider brings to the table:

  • Wipro’s core competency is in operations. It offers support for the entire Oracle Identity Suite, but most of its experience is in Web SSO (a market in which it used to compete with its own product). This would seem to work best for organizations that already have an outsourcing relationship with Wipro, and those who are specifically interested in (or indifferent to) using Oracle’s identity products.
  • Mycroft Talisen’s core competency is in implementation from the standpoint of integration and customization. It brings identity management expertise that covers all products and is vendor agnostic – it has a solid track record for all the major brands and products, and experience with many others. Its implementation expertise also takes form in managing the scope of application integration and business process design efforts. All its implementations are grounded in what Mycroft calls "Base Builds" for the various products that are on the market. The approach speeds delivery and directs clients’ time and money to those things that are specific to their environments rather than to what has been repeatedly solved in the field.
  • Covisint’s competencies are in implementation from the standpoint of application integration and in the related area of federation interoperability. Its technology expertise gets federation projects up and running more quickly from an application integration standpoint, while it addresses clients’ partner interoperability and the business trust issues through its role in managing a trusted network of connected organizations. Early interest and easy opportunities will likely come from suppliers or partners of Covisint’s automotive clients. There are many other opportunities for market expansion – financial services, healthcare, insurance, government – that can follow, but in each vertical they will face the hurdle of finding an anchor tenant.

But what is the real barrier to identity management adoption that managed services removes? And which provider is in the best position to remove it?

  • Is Covisint right? Is federation adoption so disappointingly slow because companies are worried about competing standards? That is indeed a real concern. But the inability of most to draft a convincing business case, lack of solid identity infrastructure built out, and lack of eager partners with whom to federate, are the principal market inhibitors working here.
  • Is Wipro right? Is the operational overhead in maintaining a functionally rich identity management infrastructure holding back the market? Very doubtful. Otherwise, we’d see many functioning projects abandoned, scaled back, or already handed over to Wipro and other firms competent at wringing efficiencies out of working systems.
  • Is Mycroft Talisen right? Is it the unexpectedly or unacceptably high initial costs around application integration, systems integration, and business process and policy modeling that repeatedly cause organizations to reset initial expectations, miss project goals, or abandon their identity management endeavors altogether? I certainly think so. The operational component is needed and perhaps attractive, but it is the initial complexity and cost that are the inhibitors for IM adoption.

So my bet is on Mycroft Talisen. And hats off to them for coming together with just the right vision, with just the right approach, at just the right time. Their combined expertise in identity management implementation and managed services/operational support is just what’s needed to show the way towards identity management for the masses. They certainly aren’t the only ones focusing on expanding the market pie by making identity management more digestible, rather than just selling more products: I see PwC’s precanned business processes for identity management providing similar value in a related realm.

To that, all vendors and providers should look with some envy, but more with appreciation. It’s a sad fact that after all this time, identity management remains a set of technologies attainable only to the privileged few willing and able to invest so much time, effort, and money. This is why it’s so frustrating for us at Forrester to watch all these excellent thinkers and developers focusing on such speculative concepts as user-centric identity when, more than 10 years after LDAP, most applications are still not even directory enabled and the state of most organizations’ identity data infrastructure remains one of ghastly disarray. The promise of identity hasn’t been held back by vision or technology, but by plain old market execution. Vendors too often reach for the promise of the next big thing like children in front of a shiny new toy, leaving customers with last year’s tattered and faded technologies that fall far short of sustainability.

If Mycroft Talisen succeeds, and we think they will, it won’t cause major disruptions or displacements in the vendor or services landscape. Let’s put this in perspective: I don't expect Mycroft Talisen to reach Infosys-level proportions. But many vendors and services firms will watch, learn, and emulate. Managed identity services is precisely what we need to start expanding the addressable market for identity management beyond the Global 2000 to a market more than ten times that size. And for that, we heartily applaud each of these three vendors in taking the first credible steps.


Comments

Having worked with Mycroft in the past, I too am excited to see them merge with Talisen. One of the biggest issues I see with Identity Management from a deployment perspective that I have been harping on for some time is around reflecting the Right Process in a deployment. Having provisioned about 1M users, time and time again I saw the focus being on the as-is process being reflected in the shiny new toy deployment vs. focusing on a key value of identity management which is to embed the Right Process into the new application and provide auditability and automation to everyday business process. The PwC's of the world understand this, however there is more revenue in discovery of current process then mapping new process then doing the build. My recommendation is spend the time on the to-be process (Right process) and save some time and money and get a successful project under your belt.

You're absolutely right about how companies often take the wrong approach to implementation. Too often, organizations think that mirroring current processes into new identity systems is actually the easy way to get started, when it's not. They fail to recognize or appreciate the effort it takes to redesign and improve processes once they are codified into these systems.
This holds even more true when outsourcing identity management. Many outsourcers are quite capable of fork-lifting existing processes into their managed environment. But rarely are they well equipped to transform these processes into something more rational and streamlined, and codify this into an agile identity system.
We at Forrester always recommend undertaking the effort first to update and improve your processes before implementation, regardless of whether you're outsourcing or not. But if you are, most outsourcers lack the expertise in helping with that endeavor and aren't as capable here as they are in simply offloading the environment as it stands.

Hey Jonathan:
Long time no talk. I agree wholeheartedly with you on the notion that a managed identity services offering is the next evolutionary stage, and a trend that will start to manifest in the coming months. I predict that you will see service "layering" starting to show up, whereby several services could be combined to address common business cases related to identity management, for example federation combined with identity verification services. But I think that there are barriers to entry that span beyond the identity enabling of applications, which by the way, I also concur, has been a hindrance in the wide adoption of identity management solutions (it is somewhat similar to the dependency on oil as our main source of energy, even when there are more efficient, cost-effective and safer energy sources). The barriers I refer to are the legal and risk management frameworks, ranging from liability, SLA and privacy. The real issue in my view is that the IDaaS model will only take off once we have defined the right risk management framework, such that companies (beyond the Global 2000), can entrust a 3rd party to manage the electronic identities of their employees from a business perspective. For a company that has business in Germany for instance, this will be a difficult hurdle. Quickly you will see similar hurdles.
Nonetheless, these hurdles can be mitigated, so long as the right focus and critical mass is applied to addressing them, in parallel to identity enabling applications of course.

Frank,

While I agree with your layered approach to consumer-based Identity Services (lower legal weights assigned to lower risk identity services), I believe it's important to distinguish between 1) intra-enterprise SOA-like IDaaS architectures, 2) outsourcing parts of homogeneous enterprise identity ecosystems and 3) consumer identity provider services.

For 1) and 2) privacy frameworks are important but not crucial to exist - organizations can handle legal issues on their own in contracts with employees and partners.

For 3), the global quest for mutually acceptable legal frameworks is continuing. Liberty Alliance's Identity Governance Framework is clearly a step in this direction - we expect more regulation in this space to emerge.

In the United States 3rd party Identity Providers for consumers will likely include banks and other financial institutions. Our quick polls with our clients indicate that consumers are willing to pay for reliable Identity Provider service, provided that identities are accepted by Relying Parties.

In the European Union, local and state governments already administering widely accepted physical identity tokens (ID Cards) will provide identities. Commercial payment card companies (Visa, MasterCard or AmEx) could also act as identity proxies by providing 3rd party trust networks between identity providers and service providers.

Andras:
I appreciate your comments but do not exactly agree with your views on points 1 and 2, and without going too far, I will illustrate with a real example from the pharmaceutical space: the independent investigators community. Pharmaceutical companies need to engage with independent doctors and researchers in new drug trials. I guess you could say that they are "partners" to the pharma company in this case, but these are often independent professionals, not affiliated in a true B2B capacity. Now, given the sensitivity of the process, you can imagine that a) ensuring that their identity as a valid user for this process is vetted, and b) that wherever possible and to encourage participation, the process from recruitment to completion is done with minimal disruption of the busy schedule of the individual investigator (hence the existence of SAFE). Now, factor in that this may be done in multiple countries, and by many pharma companies hitting the same user population.
This example in my view exemplifies why the legal and risk mitigation frameworks are vital in order for managed identity services to stand, particularly in sensitive B2B scenarios such as the one I just described. Clearly if the sole purpose was internal consumption only (i.e. B2E), then this risk is mitigated already, as you pointed out.
I agree 100% on point 3 and your comments around communities of, and often government-mandated and operated, identity providers. This is already the case, and the model is quickly approaching the B2B and G2B spaces.
Clearly this is an interesting topic of discussion.

My comments on the implementation issues as a barrier are directed at the managed services model here. Most commonly, organizations select a managed service versus in-house because of cost, time, and resource constraints: outsourcers' value prop is that they can do it cheaper, they can take off your plate many aspects of the project that would otherwise take up your attention, and they have the expertise that you may lack internally to implement the product. With identity management, there's so much more IT integration and business process analysis that this goes beyond the core competency of outsourcers. My original post was meant to highlight this: we see the implementation expense is the significant aspect, not the operational expense.
There are also opportunities that come with managed identity services, or needs that can more easily be filled when identity management is operated as a managed service. ID proofing of partners, contractors or independent agents is one such need. We see this most obviously with federation (and what Covisint is doing) since this is usually about interoperability and the integration across two different organizations, not simply the integration of two products/systems. Here, the play to trust and facilitating the codification of trust into a digital environment is important. Naturally, if other aspects of identity management also extend beyond the enterprise -- eg, security administration (ie, provisioning) and authentication (ie, credentialing) -- then issues of trust and verification also come into play, and the Identity Management service providers can augment their base-level offerings with such additional services.
Another area I'm seeing interest in augmented solutions is auditing & reporting. The main identity management products have some basic level auditing and reporting but don't provide as deep an insight as many companies would like. It would be natural (even if not simple) for an Identity Management service provider to add extra reporting, event management and BI tools tailored for the identity systems they host.

Jonathan,
Not to revive a dead thread...but was wondering what your thoughts are about Ian Yip's managed identity services survey: (http://www.surveygizmo.com/s/68286/ian-yips-managed-identity-services-survey) ?
