So yeah, I'm obviously biased towards an answer here, but I get this question a lot and many are surprised by my methods of recommending a platform - yeah I said it, a platform, not a product. Let's first discuss what it means to be an Identity Management Platform.
Product, Platform or Suite
There is a plethora of products on the market today, sometimes referred to as boutique vendors, which specialize in doing one thing very well; they are either provisioning or password synchronization specialists with synchronization and integration functionality added as an afterthought. Some of the larger IdM suites purchased boutique solutions to round out their feature set or gain depth in a particular market segment. This tends to make the suites just a collection of individual products with specific strengths, little integration amongst themselves, and plenty of overlap.
In contrast, a platform is something you can build on which implies a solid foundation. But what makes for a solid foundation for Identity Management? Let's come back to that in a minute...
Evaluation Time
We frequently come across customers who wish to evaluate several different products before settling on a solution. They also love to dictate the requirements for the evaluation, citing the features they think are most important in a solution, which are invariably pulled from marketing materials provided by one of the vendors and which tilt the results towards one product or another. Let's get one thing straight: every one of the major players in the market today is equally capable of solving the requirements of IdM solutions today, or they wouldn't be successful. Even the boutique products do what they claim to do, so I will say for the sake of argument that all IdM products are equally able to get the job done. And don't just take my word for it; according to InfoWorld's IDM Shootout back in 2005, all of the products evaluated completed the tasks set before them:
All of the solutions we tested met our essential requirements, but important differences emerged. Some products worked well on the back end but lacked a unified management and reporting interface. Others presented the slick front end but a problematic foundation. Moreover, some vendors did a better job than others of tying together the multiple tools for identity management into a single, unified solution.
That being said, what can we use to distinguish one from another?
I take a bit of criticism because I tend to distill all of those fluffy evaluation requirements down to just two:
- What is your company's primary development platform?
- Based on the answer to the former, choose the vendor with the best synchronization engine that supports your development standards
If you're a big J2EE shop then a Microsoft IdM solution isn't going to be for you, and likewise if you're a big .NET shop then a Novell IdM solution is going to be a poor fit.
The Synchronization Engine
At the heart of all of the available solutions is an engine which is ultimately responsible for reading data in from one source, manipulating it and feeding it to other subscribing targets. They come in all shapes and sizes with various backend models (DBMS vs Directory) and differing data paradigms (event based vs state based). The engine is the true workhorse under the pretty veneer, so choose wisely. It's much easier to build, say, password synchronization on top of a robust sync engine than it is to build a robust sync engine behind an excellent password management portal. The extensibility of that engine and the development flexibility for customizing how that engine processes data become the fundamental components of the equation. So, why am I tying so much importance to the development standards?
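To make the event-based vs state-based distinction concrete, here is an added toy sync engine (example code written for this post, not from any vendor's product). It uses a constructed HR source and one subscribing target, applies a transform in the middle, and shows the failure mode a defender cares about: a lost delete event leaves an orphaned account that only a state-based reconciliation pass catches. All names and data are made up.

```python
# Constructed sample: an authoritative HR source keyed by employee id.
HR_SOURCE = {
    "u100": {"name": "Ada Lovelace", "dept": "Eng", "active": True},
    "u101": {"name": "Alan Turing", "dept": "Research", "active": False},
}

def transform(rec):
    """The engine's manipulation step: derive the target schema (here a mail attribute)."""
    mail = rec["name"].lower().replace(" ", ".") + "@example.invalid"
    return {"mail": mail, "dept": rec["dept"], "active": rec["active"]}

def apply_event(target, event):
    """Event-based paradigm: apply one change notification to the subscribing target."""
    kind, uid, rec = event
    if kind == "delete":
        target.pop(uid, None)
    else:  # create or modify carry the full source record
        target[uid] = transform(rec)
    return target

def reconcile(source, target):
    """State-based paradigm: diff a full source snapshot against the target, return the delta."""
    changes = []
    for uid, rec in source.items():
        desired = transform(rec)
        if target.get(uid) != desired:
            target[uid] = desired
            changes.append(("upsert", uid))
    for uid in list(target):
        if uid not in source:  # account exists downstream with no authoritative owner
            del target[uid]
            changes.append(("delete", uid))
    return changes

def demonstrate_drift():
    """Load the target by events, lose one delete event, then repair with a state-based pass."""
    target = {}
    for uid, rec in HR_SOURCE.items():
        apply_event(target, ("create", uid, rec))
    source = dict(HR_SOURCE)
    del source["u101"]  # termination in HR, but the delete event never reaches the engine
    orphans = [uid for uid in target if uid not in source]  # event-based drift
    changes = reconcile(source, target)                      # state-based pass removes the orphan
    return orphans, changes, sorted(target)

if __name__ == "__main__":
    print(demonstrate_drift())
```

Orphaned accounts surviving a missed event are exactly the kind of gap a periodic reconciliation detects, which is why the engine's paradigm matters more than the portal in front of it.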
The Identity Management Platform
Remember when I said that all IdM products were equally capable of satisfying your requirements? It's also true that no product or solution on the market encompasses either a total solution or a full out-of-the-box solution. All solutions require customization and tailoring for your unique business rules. You see, it's nice and easy to require a product to connect to all of your data sources, but it's a completely different thing to expect any product to understand your business, and even if those neat specialized provisioning tools solve all of your immediate needs, what they provide in robust account provisioning they lack in total flexibility. It's the flexibility that is ultimately the most important goal for any solution, and how do you achieve flexibility? You guessed it: by having a platform that allows for complete customization, one that can grow and evolve with your evolving business needs. It's important to note here that the InfoWorld challenge did not include extensibility as a weighted metric in their evaluation.
People, Not Products
So, don't be fooled by fancy interfaces, glitzy wizards and hefty price tags, because at the end of the day it's not about what looks good now; it's about what is still going to be relevant several years from now, after the next big compliance mandate is applied and shifts the focus of your IT compliance strategies yet again. Invest in a platform with a robust sync engine, one that is capable of being easily extended and that is in line with the greater development standards of your company. Furthermore, investing in a platform allows you to invest in the people that drive and define that platform: your developers, architects, and analysts.