Thursday, February 17, 2011

Quest Software and recent acquisitions

I noticed on Jackson Shaw’s blog that identity management is big over at Quest these days with recent acquisitions and more to come. Interesting. Let me take you down a path and then pose a question.

Back in 2004/2005 Oracle took an honest look at their identity management stack and realized that customers really did want a one-stop shop (if it was possible). Sure, it is a lofty goal to have every identity management tool, but they did look at their gaps in standard identity management tools such as Single Sign On and User Management (Oblix), Provisioning/De-Provisioning (Thor), Virtual Directory (Octet String) and filled them via these acquisitions. There was a little overlap in the products, but actually very little.

Sure, Oracle could have gone out and developed them from scratch, but that would have taken many physical years (and a ton of "man" years) to get to the features and functionality (and stability) of these products that already had a solid customer base and were good, mature products. Buying the technology (and the people who built it) and re-tooling it for their purposes was the path they chose. I know most of these products have now had “Oracalized” versions released with greater integrations between them.

So the question asked looking backwards is: Did Oracle make the right choice? Well I think the obvious answer is a resounding YES. I’ll give two reasons. One, look at the stock price from 2005 to now. Sure Oracle has made other acquisitions, etc. but overall they have performed very well and Wall Street has agreed. If I compare Oracle stock to say Microsoft’s over this period I believe it is a yes as well.

Two, look at market share specifically in identity management. Oracle leapfrogged ahead of the competition and took a resounding lead. Analyst firms clearly put them out in front.

So now my question today is: Is Quest the new Oracle in identity management? And if they are, who are they going to take the business away from? Oracle, IBM, CA, Microsoft? Obviously we here at Optimal IdM partner heavily with Microsoft. Forefront Identity Manager (FIM) is selling well and we fill the virtual directory gap they have with our Virtual Identity Server (VIS) solution. While we aren’t Microsoft, our products are built with their technology and leverage and extend the existing investment that a customer has already made.

So what is Quest’s strategy on identity management and who do you think has the most business to lose?

BTW – I do believe that is truly a “lose” scenario. Sure, the identity management market gets bigger each year, but how much bigger? Not that much in a relative sense. Someone at a major unnamed vendor told me once that they don’t have any way to track how much business they lose. When you look at it this way, it is really easy. It is simply the sum of revenues of your direct competitors. If a customer purchases Oracle's IdM solution over Microsoft's, well, Microsoft lost that deal (even if they weren't aware of it).

Come on folks, it’s not like we are talking rocket science, or developing a virtual directory, which is trickier than you might think!

Saturday, February 12, 2011

Part 2 - Optimal IdM’s Virtual Identity Server has saved customers over 1 Trillion Dollars to date!!!!

This is Part 2 of why I believe implementing Claims security for Marriott is a poor choice. I'll try and keep this relatively brief and point out 3 main reasons.

1. As I laid out in Part 1, basically Marriott giving discounts is a cost of doing business. The fact that they are giving it to Microsoft or Quest is irrelevant. Implementing Federation and Claims does nothing to enhance their bottom line. Further, they would still have to maintain and support their existing User ID and Password authentication that they have today for all of the users' companies that don't Federate with them. They wouldn't get 100% of all companies, would they?

2. A key mantra that we at Optimal IdM have preached is the following. "When solving a given problem, minimize (and avoid if at all possible) creating new problems." There are several ways that implementing Federation and Claims would introduce other issues.

Here is just one of them that came to mind. Here is the scenario to consider. Jackson is an employee of Quest and Quest implements Federation/Claims with Marriott. So as Jackson hits the Marriott website he is redirected to Quest to authenticate. He authenticates against the local ADFS at Quest using his Quest credentials and a claim is presented to Marriott. All is well in Jackson's scenario.

Now let's suppose Jackson gets fired from Quest (don't see that happening but go with me here). Hmmm... When this grand Federation thing was underway, Jackson would have ultimately authenticated using his Quest credentials, right? So how in the world is Jackson going to authenticate and "prove" his identity to Marriott now? In a 100% pure Federation model you would have no way of authenticating. Sorry Jackson, you just lost all of your Marriott points!!! Will the real Jackson Shaw please stand up?

In my view, when it comes to you authenticating to Marriott it has a lot more to do with your "personal" identity and not your corporate affiliation. Of course one answer to that would be to use one of the public identity providers and not the individual companies, but then you are once again relying on Jackson to keep his profile up to date with his current company.

3. In the end, the biggest reason is this. Federation is fundamentally a Single Sign On solution. Don't try and make it more than what it is. It is a great answer for on-premise to the cloud, but not this scenario. Marriott does not have a SSO issue.

I believe the biggest reason for the confusion on scenarios such as this is that Claims ties authentication with authorization. That can make it very difficult to manage effectively in a decentralized fashion. Managing on-premise as well as cloud security is relatively in its infancy and everyone is just now learning the limitations and issues.

The team at Optimal IdM has been hard at work on our cloud solutions, working closely with key customers and partners. In fact, we will be announcing soon some of the new solutions we have developed to help organizations manage claims authorization. From what we are seeing, it looks like this will fundamentally change the way organizations manage cloud security. More on that subject when it is ready for public consumption.

Wednesday, February 9, 2011

Optimal IdM’s Virtual Identity Server has saved customers over 1 Trillion Dollars to date!!!!

I am back on the blogging bandwagon. Did that headline get your attention? I thought it might. So, what was the impetus for the headline? Well, it is in response to my colleague Jackson Shaw’s blog entry indicating that Marriott is losing millions by not supporting claims. Matt Flynn then chimed in and said that $$$ = motivation and perhaps that would spur them on to support claims.

Well, I have a different spin on this and I’ll attack this in a two-part blog. Part 1 is here and outlines why Marriott (in my opinion) is not losing millions by not supporting claims. First of all, I want to say that I like the claims model and it works in many situations. In fact, Optimal IdM will soon announce some very interesting news around our further integration with the claims model, but that is a topic for another day.

Now on to my theory. As with politics, two things are important to remember. One, follow the money. Two, the devil is in the details (Yes, you should read bills prior to passing them). Let’s look at Marriott’s business model. They sell hotel rooms. There are a finite number of rooms in a given hotel. There are fixed costs of the hotel (taxes, wages for staff, etc.). Whether Jackson stayed at this hotel that night or not is not going to change this hotel's fixed costs. There are, however, variable costs. For a typical hotel like a Marriott Courtyard it costs about $20-30 to cover the costs of housekeeping, soap, coffee in room, etc. That is “basically” the cost of goods sold. Therefore, selling any room over the variable cost makes good business sense as it is profitable. The only question is how much of a profit.

The fact that Jackson used to work for Microsoft and they are giving him a $10 discount is moot. Why? Because if they set up this grand federation scenario where they would now Federate with Quest (his current employer), they would likely have to give that same $10 to Quest. There is NO net revenue gain. Only if they could guarantee that they would not have to give the discount would it make sense to spend the bucks to re-do what they already have in place. And then you would have to (or really should do) a cost benefit analysis and a payback scenario. Plus, in part 2 I will outline the gotchas that this would add.

I almost always check the check box to get the AAA discount, but very rarely am I asked to prove it with my card at hotels. The fact of the matter is these discounts are factored into their business. Marriott would far rather have $10 less from me or Jackson than to have us go to Hilton or some other chain.

One other thing to think about. Those discounts go out the door when the hotel is at maximum capacity. At that point, everyone, including road warriors with the highest status, pays the rack rate. It really is simply a matter of supply vs. demand. Sorry Jackson, I agree with you on many things, but this is not one that I can agree with. This is one thing that claims will not solve!

Stay tuned for Part 2 of all of the reasons I believe Federation/Claims is a poor choice for this scenario. I am sure I will use this as an example of when someone should not Federate in my speaking session at Quest’s The Experts Conference. My topic is When to Synchronize, When to Virtualize and When to Federate – Which is the Right Solution and When?