Mark: I’d say that the writing’s on the wall, but I don’t think it’s that simple. All you’re doing is shifting the problem. Someone else has to take on the big cost of getting that infrastructure running. There are a few software providers and the numbers are growing. So the writing’s on the wall. Are they delivering on the services that are required? That is the question.
Richard: I keep getting asked by customers and parties, ‘can we do this as a service?’ And I think the key thing is from a maturity perspective, complexity is still there, and the challenge to overcome is not whether you can do it as a service, but in actually defining and operating identity as a domain internally, let alone trying to outsource it.
It’s like the outsourcing discussion of 20 years ago. Organisations said ‘get this cost off my balance sheet and give it to someone else’, but that still didn’t drive down cost. Complexities still remain and value wasn’t derived. And now we’re hearing about selective sourcing, which makes a lot more sense.
Does anyone see selective sourcing in the identity space yet being really an option? If so, what sort of capabilities are a priority; what can be delivered to the mid-tier and small tier markets more effectively?
Mark: Well we’re doing select sourcing at the moment and also seeing it in the US. Australia is a little bit behind on that front, as businesses tend to watch and see where it’s going before they jump on-board, although there is a lot of outsourcing going on within corporate Australia.
Reno: In light of the current economic situation, with massive redundancies in the public sector and everybody slashing their budgets, how do we see identity management changing, where people are handing over parts of their infrastructure to a managed service provider, or outsourcing major chunks of their business? How do we see identity management working in that sort of a framework?
John: I think like everything else in IT, over time the service providers will start to provide it as a service to their clients, in the same way that they provide other services today. We’re starting to see that now in every other IT segment, where they have basically said, okay we now understand how to put a wrapper around this and offer this to our clients. So I think it will happen. The question is when.
Reno: It opens up a whole area of separation of duties, privileged account management, now all these newer things, newer areas, that have been around for a while, but I think it’s now ‘who’s responsible?’ But also from a client perspective, still having a level of visibility and being able to report on it, even though you’re no longer in control of it.
John: Going back to the SMBs, a lot of smaller organisations are adopting phone-based services, like Google Apps and all those sorts of things anyway. It has everything you need. I can get to it anywhere. There’s a whole plethora of apps there, and it’s incredibly convenient. All the identity management stuff is managed by them – so I think for organisations starting up today, they’d be mad to go and buy their own stuff and put it together.
But businesses that have been around for a while and are more medium sized? You certainly see them looking at whether they can use the service. You still have the problem where you’re looking at authentication as a service. That’s one thing and that’s fine. There’s quite a lot of these sorts of service providers around that have a large customer base, but interestingly I don’t think a lot of them are actually making money yet.
And then there’s the actual management piece if you like, the actual provisioning of identity and those sorts of things. That’s a much more difficult problem, because even if you put that somewhere else, you still have to plumb it back into the organisation. So there’s certainly an opportunity there for companies like ourselves to take what they currently have, cut it out if you like, have a new piece up in the cloud and then plumb it back in and maintain business continuity while doing that.
But this is not an easy thing to do. It’s not necessarily an identity management kit, but it’s very much ‘how do I get this stuff and cut it out, go through the cloud and then put it back in while maintaining day to day service levels?’
Reno: So there’s certainly opportunities there. David, question for you, ASG has a very large managed services practice and doing a lot of work in governance through partners around the country. How does ASG solve that sort of problem, where a client may be running a particular technology? Do they ask ASG to consume their service or what they have in place as a component of what you offer back to them?
David: Yes, look I think I would echo John’s comments there, we do the provisioning, we do the operational administrative side of the identity management. But when it comes to the rules, the access authorisation rules, what they should be, then that’s predominantly back to the customer. So we’re acting as a proxy. Whether that will change in future, again I agree with John that it’s an opportunity to get out there, be more strategic and be more advisory, in terms of how they should be operating.
Craig: Another thing is they don’t have a clear understanding of what identity and access management is to the point of being able to pick a piece and then put it in the cloud. It’s just this large amorphous kind of blob of stuff.
CRN: Does the cloud really change the way you all think about IDM or is it a bit overblown? Or are you finding that the traditional policies and strategies for IDM apply equally to the cloud?
John: Customers want to use their internal identities to get access, so they are unlocking things like federation, not in the way that federation was originally intended, but just really to expand their ecosystem through to the partners, and other non-core things really. So it certainly is changing for a lot of people.
Richard: I agree. The interesting thing about cloud and SaaS is that it’s just now another application integration point. Some of the clients you guys service in your day-to-day engagements have 500, 1000, 2000 internal applications.
The difference with cloud based services and SaaS is that they can be consumed in five seconds, and the business bought that off the shelf and said ‘I want that’ and you know the cloud service offerings can have exponential growth of integration requirements for an organisation. So I see exponential growth because SaaS and the cloud provide opportunities for customers to consume faster.
John: I think it’s a big opportunity for us in this industry, because it’s the sort of thing organisations waiting six to 12 months to get CRM, six to 12 months to get another box in place, want. It means that they can reach and attach another service relatively quickly. But they have to do identity management and all those sorts of things. So in some ways it could bring some of our business forward.
Reno: Mick, you have a risk part of your business which is quite large. Are you seeing the cloud as an area where people are somewhat stuck in the grey zone, where they think it is the responsibility of the provider, less a responsibility for them?
And are you feeling vulnerable from a commercial legality perspective? And the same for managed service providers where people have outsourced it to a provider. There’s the question of ‘who is viewing my data?’ Where’s the separation of duty?
Michael: Customers want the efficiencies and perceived cost savings that cloud provides them. So they are pushing some of the risks onto it. They are trying to get direct answers out of the software service vendors to how they address certain risks, because what the cloud providers are saying is ‘come and join us, we can get you this new service within 15 minutes and it will cost you less’.
It’s all good, but there are certain risks associated with that, certainly at the enterprise level. Some cloud organisations do it better than others.
But the key thing is to look at what the main business drivers for cloud are compared to the traditional legacy model. Reduction of costs is part of it, but coming back to the earlier conversation around efficiencies, is the cloud really the perfect model?
What customers are asking for is this particular service, with this particular cost. They don’t care if you’re running it on Unix or NT or anything like that anymore. They just want a system that provides a lot of efficiency that supports their direct business model.
When you’re looking at the cloud model, as far as identity management in the traditional sense and provisioning, all customers want to do is have some kind of identity aggregator out there. We have identities pushing into the system, and we’re provisioning that to run other accounts, other applications.
So what they’re buying from us is a system that directly supports the organisation’s business models in that area. And once an organisation changes their mindset into that type of model, the efficiencies that are provided are absolutely brilliant.
Back in the late 90s in North America we provided a solution for a ticket organisation. They had a business driver which was one identity within an organisation, because customers had three different identities to access six applications.
Once they adopted that identity centric model, they provided their identity to the organisation once, the application developers consumed that identity and once that framework was put in place, 12 months later, they’d rolled out 140 applications across that organisation, all based on the back of that identity framework, which is absolutely brilliant as far as efficiency savings go.
For the medium-sized organisations we talk about, it’s cost prohibitive, because what they’re targeting is just an easier way of going on one console and creating identities and just provisioning to Active Directory and Exchange.
The shift in paradigm from the cloud is that people are buying a service and it’s an out of base model. We are no longer talking about are we using .NET or Perl or Delta, or which technology are we using to provision or internally which technology is best, because frankly it doesn’t matter.
Rene: Michael, you and I had a discussion recently where you said it’s all about keeping it simple and trying to deploy a value proposition to the client and then growing it over time. Obviously identity management offers so much and when you try and take it on this big it’s a lot harder than if you try and start with a smaller piece and then get them to consume larger chunks of it.
Michael: Absolutely, and touching on what John said from a business agility perspective, which is where you’re talking about productivity, rather than a full cloud-based solution, a hybrid solution may be better. Typically, we’re finding that businesses haven’t deployed identity in a lot of instances, and we either have a lot of legacy applications and provisioning as we talk about .NET, Perl or whatever, and all these scripts happening.
The problem is they lose their agility, because really what they should be able to do is have a good identity framework there, that allows them to unbolt an application without it affecting their whole organisation, so they can just pick and choose which one, whether it be cloud or on-premise.
And if all you’re talking about is a connector, rather than the impact of one script, that could have a massive impact on an organisation. So the agility part is important and just bringing it down to a smaller, more bite-sized opportunity, rather than trying to boil the ocean. It seems to me that organisations are looking at that now more and more, because of cloud, because of the applications they want to connect to.
CRN: We were speaking earlier about social media and there have been a few mentions of Facebook here and there. What are the opportunities for resellers in terms of helping their customers develop IDM strategies that factor in their existing or evolving social media strategies?
Michael: Good question. I think the first thing we need to figure out is who to speak to within the client. Over the years we’ve grown tired of talking to security and the traditional sort of IT. Now with the adoption of social media and the cloud, all lines of business think that they can just get out there and form relationships. I think we need to change the people that we’ve been talking to and I think talk more at a business level.
There’s probably the opportunity to get into different parts of the customers that we’ve all been dealing with for many years. It’s now different, with different discussions with more business orientated people. It needs to be simple and it needs to be actionable, while delivering an ROI.
Richard: If we’re dealing with the parts of the organisation charged with better enabling and engaging with their customers - internal or external - consulting is a huge growth area.
And as Rene said, being able to define a value proposition that’s actionable and gets a short sharp ROI, within the context of delivering into a back-end governance framework that will provide the ongoing enablement, is going to be key.
David: What I’ve noticed is we’re having to view the clients differently and we’re having to change who we’re having discussions with, but also internally, all the partners here at the table, we’re also having to look at the people that we’re bringing on-board, the people who make up the sales force and the account management guys within our businesses.
Because it’s a different breed now, and we need a different breed of sales person who can understand the connection between business and IT and we all know they’re not easy to find. It’s just an observation that we also need to change how we go to market and how we convey our value proposition.
The CRN identity management roundtable was held in partnership with Oracle and Nextgen Distribution.