Friday, March 30, 2007

Choosing an Identity Management Platform

So yeah, I'm obviously biased towards an answer here, but I get this question a lot and many are surprised by my methods of recommending a platform - yeah I said it, a platform, not a product.  Let's first discuss what it means to be an Identity Management Platform.

Product, Platform or Suite

There is a plethora of products on the market today, many from what are sometimes called boutique vendors: companies that specialize in doing one thing very well.  They are typically provisioning or password-synchronization specialists, with general synchronization and integration functionality added as an afterthought.  Some of the larger IdM suites purchased boutique solutions to round out their feature set or to gain depth in a particular market segment.  This tends to make the suites just a collection of individual products with specific strengths, little integration amongst themselves, and plenty of overlap. 

In contrast, a platform is something you can build on which implies a solid foundation.  But what makes for a solid foundation for Identity Management?  Let's come back to that in a minute...

Evaluation Time

We frequently come across customers who wish to evaluate several different products before settling on a solution.  They also love to dictate the requirements for the evaluation, citing the features they think are most important in a solution; those features are invariably pulled from marketing materials provided by one of the vendors, which skews the results towards one product or another.  Let's get one thing straight: every one of the major players in the market today is equally capable of meeting the requirements of IdM solutions, or they wouldn't be successful.  Even the boutique products do what they claim to do, so for the sake of argument I say that all IdM products are equally able to get the job done.  And don't just take my word for it; according to InfoWorld's IDM Shootout back in 2005, all of the products evaluated completed the tasks set before them:

All of the solutions we tested met our essential requirements, but important differences emerged. Some products worked well on the back end but lacked a unified management and reporting interface. Others presented the slick front end but a problematic foundation. Moreover, some vendors did a better job than others of tying together the multiple tools for identity management into a single, unified solution.

That being said, what can we use to distinguish one from another?

I take a bit of criticism because I tend to distill all of those fluffy evaluation requirements down to just two:

  1. What is your company's primary development platform?
  2. Based on the answer to the first question, choose the vendor with the best synchronization engine that supports your development standards.

If you're a big J2EE shop then a Microsoft IdM solution isn't going to be for you, and likewise if you're a big .NET shop then a Novell IdM solution is going to be a poor fit. 

The Synchronization Engine

At the heart of every available solution is an engine that is ultimately responsible for reading data in from one source, manipulating it, and feeding it to other subscribing targets.  They come in all shapes and sizes, with various back-end models (DBMS vs. directory) and differing data paradigms (event-based vs. state-based).  The engine is the true workhorse under the pretty veneer, so choose wisely.  It's much easier to build, say, password synchronization on top of a robust sync engine than it is to build a robust sync engine behind an excellent password management portal.  The extensibility of that engine, and the development flexibility for customizing how that engine processes data, become the fundamental component of the equation.  So why am I tying so much importance to the development standards?
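As an added illustration (not code from the original post, and not the actual engine of MIIS/ILM or any other product), the following Python sketches the two data paradigms side by side: a state-based engine that diffs full snapshots of a source and pushes the transformed delta to a subscribing target, and an event-based handler that applies one change notification at a time. The employee records, IDs, the `DirectoryTarget` stand-in and the `attribute_flow` mapping are all constructed for the example. The security-relevant point it demonstrates is deprovisioning: if the event feed drops a termination, the account stays enabled until a state-based run reconciles the target.

```python
"""Minimal synchronization engine sketch (illustrative only, not a product's code).

The engine reads a source, applies an attribute flow (the customizable
'manipulate' step) and feeds subscribing targets. Two paradigms are shown:
state-based (diff two full snapshots) and event-based (apply notifications).
"""

# Constructed sample HR snapshots keyed by employee ID (not real data).
HR_T0 = {
    "1001": {"first": "Ada", "last": "Lovelace", "dept": "Engineering", "status": "active"},
    "1002": {"first": "Alan", "last": "Turing", "dept": "Research", "status": "active"},
}
HR_T1 = {  # 1001 moved departments, 1003 joined, 1002 left the feed entirely
    "1001": {"first": "Ada", "last": "Lovelace", "dept": "Security", "status": "active"},
    "1003": {"first": "Grace", "last": "Hopper", "dept": "Engineering", "status": "active"},
}


def attribute_flow(rec: dict) -> dict:
    """Map the source schema onto the target schema. This is the part every
    deployment customizes, so it is kept apart from the engine itself."""
    return {
        "uid": (rec["first"][0] + rec["last"]).lower(),
        "ou": rec["dept"],
        "enabled": rec["status"] == "active",
    }


def compute_delta(previous: dict, current: dict):
    """State-based comparison of two full snapshots: adds, updates, deletes."""
    adds = {k: current[k] for k in current.keys() - previous.keys()}
    updates = {k: current[k] for k in current.keys() & previous.keys()
               if current[k] != previous[k]}
    deletes = sorted(previous.keys() - current.keys())
    return adds, updates, deletes


class DirectoryTarget:
    """Hypothetical subscribing target standing in for a directory connector."""

    def __init__(self):
        self.entries = {}

    def add(self, key, attrs):
        self.entries[key] = attrs

    def update(self, key, attrs):
        self.entries[key].update(attrs)

    def disable(self, key):
        # Deprovision by disabling rather than deleting, so the account can be
        # audited and restored if the source feed was merely missing the record.
        self.entries[key]["enabled"] = False


def sync_state(previous: dict, current: dict, target: DirectoryTarget, flow=attribute_flow):
    """One state-based run: diff snapshots, transform, push to the target.
    Returns the snapshot to use as 'previous' on the next run."""
    adds, updates, deletes = compute_delta(previous, current)
    for key, rec in adds.items():
        target.add(key, flow(rec))
    for key, rec in updates.items():
        target.update(key, flow(rec))
    for key in deletes:
        target.disable(key)
    return current


def sync_event(event: dict, target: DirectoryTarget, flow=attribute_flow):
    """Event-based handling: one change notification at a time. If a notification
    is lost, nothing reconciles the target until a state-based run happens."""
    kind, key, rec = event["type"], event["id"], event.get("record")
    if kind == "create":
        target.add(key, flow(rec))
    elif kind == "modify":
        target.update(key, flow(rec))
    elif kind == "terminate":
        target.disable(key)
    else:
        raise ValueError(f"unknown event type {kind!r}")


def demo_missed_event():
    """The event feed loses the termination of 1002; the state-based pass catches it.
    Returns (enabled before reconciliation, enabled after, final target entries)."""
    target = DirectoryTarget()
    state = sync_state({}, HR_T0, target)  # initial load from an empty target
    events = [  # constructed feed: the 'terminate' event for 1002 never arrives
        {"type": "modify", "id": "1001", "record": HR_T1["1001"]},
        {"type": "create", "id": "1003", "record": HR_T1["1003"]},
    ]
    for ev in events:
        sync_event(ev, target)
    orphan_before = target.entries["1002"]["enabled"]  # still True: orphaned account
    sync_state(state, HR_T1, target)                    # reconciliation run
    orphan_after = target.entries["1002"]["enabled"]    # now False
    return orphan_before, orphan_after, dict(target.entries)


if __name__ == "__main__":
    print(demo_missed_event())
```

Event-based engines are cheap per change and low-latency, but they trust that every notification arrives; state-based engines pay for a full comparison each run and are idempotent, which is why a periodic state-based pass is the safety net that closes orphaned accounts. Whatever product you pick, the `attribute_flow` equivalent is where your business rules live, and that is the code your developers will be writing in the vendor's extension language.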

The Identity Management Platform

Remember when I said that all IdM products were equally capable of satisfying your requirements?  It's also true that no product or solution on the market is either a total solution or a full out-of-the-box solution.  All solutions require customization and tailoring for your unique business rules.  You see, it's nice and easy to require a product to connect to all of your data sources, but it's a completely different thing to expect any product to understand your business.  Even if those neat specialized provisioning tools solve all of your immediate needs, what they provide in robust account provisioning they lack in total flexibility.  It's the flexibility that is ultimately the most important goal for any solution, and how do you achieve flexibility?  You guessed it: by having a platform that allows for complete customization, one that can grow and evolve with your changing business needs.  It's important to note here that the InfoWorld challenge did not include extensibility as a weighted metric in its evaluation. 

People, Not Products

So don't be fooled by fancy interfaces, glitzy wizards and hefty price tags, because at the end of the day it's not about what looks good now; it's about what is still going to be relevant several years from now, after the next big compliance mandate is applied and shifts the focus of your IT compliance strategies yet again.  Invest in a platform with a robust sync engine, one that is capable of being easily extended and that is in line with the greater development standards of your company.  Furthermore, investing in a platform allows you to invest in the people that drive and define that platform: your developers, architects, and analysts.



Brad, I think you nailed this one. The reality of most of these projects is that the IDM solution has to be tailored to meet the needs of each environment. You cannot just install the product, or platform, and expect that it will solve your problems. I believe the most effective way to approach these projects is to use application development methodology since one must gather requirements, implement components and verify expected results.

You also made a great point about selecting a platform that is pertinent to the environment. Companies should leverage the platform to the tools that they already have. It seems like a simple idea but many shops implement a wide range of technologies without considering how they fit into the whole. This only increases the time and cost to implement and manage IDM platforms.


Thanks for your comment Scott, I think we're seeing a growing trend towards more homogeneous solutions as people begin to realize that "best in class" doesn't always mean the best fit for a total solution.

In the case of products like MIIS/ILM we are literally the product that is homogenizing the heterogeneous aspects of the environment.


Great write up. If you're interested in what some of the analysts are saying about IDM best practices and vendor rankings there are a number of reports here.

(if that link doesn't work, the full URL is:
