During the last 3-4 years, Identity Management has appeared as the next big thing in the Information Security arena: know your users, what they do, what resources they can access, how, when and why and for how long… Quite interesting as a concept, taking into account the really fast pace at which organizations adopt new systems and maintain access control operations (if they do so).
Based on the cornerstone of RBAC, IdM seems to be both the strategic and the tactical solution for user management (not to mention federation issues). Too complicated for a Sunday evening…
I was recently involved in delivering an RFP response for a major financial institution in the region, cooperating with one of the leading IdM vendors according to the Gartner Group. I’ve got some years’ experience in dealing with NASDAQ companies when it comes to responding to RFPs (I also -kind of- work for a NASDAQ company), so I’m familiar with their internal procedures, and the heavy effort I have to put in before even thinking of organizing chaos.
I also have some experience in IdM projects, having participated myself in one of the biggest installations in the region, so this project is not something out of space to me.
At the end of the day, it all comes down to 5 elements: business benefits, technology, project management, products and services. These elements are what the customers evaluate (I leave budget aside…). So having a good vendor at the side of your skilled employees, being able to present a straightforward solution with a corresponding methodology, and justifying your costs are -more or less- the keys to delivering a good response to an RFP.
As mentioned before, I cooperated with a Gartner Group leader in IdM, a really huge (really..) company. And here is my story, which provides a fairly good explanation of how the IdM concept was originally perceived..
Setting up meetings to discuss the RFP was a real pain: 6 different representatives, from 6 different departments with -unclear to me but strongly defined- Chinese walls to prevent them from knowing what each other does. After the Japanese habit of collecting business cards, we started to discuss the deliverables that would compile our response, and the funny game began.
Pricing for licenses is finalized by the Senior Account Manager of Technology/Financial Institutions and Healthcare, but only after services are finalized by the Manager of Consulting Services for Authentication/Technology Practice, EMEA. Services, on the other hand, are defined by the Project Office only after the Technology Operations and IdM Architect Teams have agreed with the VP of Sales on Strategic Accounts Management, and described by the Manager of Consulting Operations for Technology. And do not forget validation from the Principal Alliances Manager… Come on!
I now understand that the idea of IdM was originally perceived by a poor HR guy (be it a lady, does not make any difference) in one of these vendors, who had the task of depicting the corporate organization chart on A0 paper, playing the game of “who is who” and “who does what” in such a company.
My point: I don’t believe in technology solutions that do not solve a problem but transfer the problem to yet another, higher level (let alone those that claim to solve another problem) – I never did and most probably I’ll never do so. I do not believe in overestimated hypes that cannot justify their reason for existence. I do not believe in complicated technologies that miss their targets, which is actually managing subjects performing access control operations on objects – and this is what IdM does not do. In fact, I cannot manage a non-established identity using software – period.
Revisit the basics: define the problem and solve it, hallelujah! All in all, once more: it is not that they cannot see the solution; it is that they cannot see the problem…