Wednesday, May 23

Aveksa and Radical Changes to Identity Management

I don't generally like to discuss specific vendors - especially if I don't have a strong relationship with them. But I saw a press release last week that was titled Aveksa Radically Changes the Economics of Identity and Access Management. I have to admit that I probably grimaced and thought "radically changes... seriously? Are they kidding?" The release stated that they introduced a new product called Access Fulfillment Express that's going to break "the cycle of heavy investments". I sarcastically thought "Yeah, sure it is."

I know Aveksa to be good within their sweet spot - Access Governance across enterprise applications - but I didn't think of them as an influential player in Identity Management (provisioning) probably because I knew they integrated with most of the major IAM vendors for provisioning tasks. So, I was pretty skeptical that they'd be doing anything that "radically changes the economics" of an IAM project. That was, until today when I had an opportunity to speak with someone from Aveksa.

Consider my tune changed.

One of the most complicated parts of any IAM deployment traditionally has been the development of the connectors. The connectors establish the link to the target systems and define the rules by which data will be managed. There's a lot of work on both the business side and technical side to get the connectors working properly. The connector work often makes or breaks the entire IAM system.

So, what has Aveksa done to the connectors to improve upon them? Essentially, they've dumbed them down. If the connector is JUST a connector and doesn't have all that business logic built in, the process of deploying a connector becomes much easier. They called them Lightweight Adapters. It's analogous to a set of APIs that can carry out whatever commands are sent to them. And the commands, then, and business logic, is managed by the application.

IAM solutions originated as complex systems of connectors that later bolted on a UI to provide workflow. By starting with the UI as the real business value, Aveksa may have stumbled upon (or brilliantly planned?) a way to radically simplify deployment and management of IAM solutions.

NOTE: I haven't vetted Aveksa's approach in any detail. I haven't deployed the solution or even looked at the documentation, but I thought the shift in approach was worthy of discussion.


Anonymous said...

Courion has been building their connectors like this for the past 16 yrs. I would say that Aveksa still has a lot of catching up to do considering Courion has built 300+ connectors.

David Crow said...

Welcome to the year 2000.

Aveksa is correct that business logic does not belong in the connector layer, but they are far from the first to come to this conclusion.

This is the approach used by the Waveset architecture which has found itself replicated across many products and projects over the years. This is neither revolutionary nor reduces the complexity.

The hard part in connector development is modeling the myriad of authorization repository data models into a common model that can be represented in a business friendly and intuitive way.

For a directory or a UNIX system where account attributes and entitlements are mostly name/value pairs, this is really easy. For complex systems like mainframe authorization systems or SAP or ..., this becomes much more complex.

Randy Yates, Memorial Hermann Health System said...

Hi Matt - Great job on your blog, I enjoy reading your posts. I read this recent post and felt compelled to let you know of another vendor who has not only simplified the development of connectors, but has a rich connector library that contains hundreds of connectors for a variety of platforms. Our infrastructure consists of a large number of applications, systems and networks and because of Courion’s vast connector library we were able to connect to all the platforms necessary (Cerner EMR, SSO infrastructure, BMC ITSM change management system, GE PACS, Active Directory, MS exchange, etc) to ensure appropriate user access to sensitive company information. We also use Courion’s Rapid Development Kit to create custom connectors and we can easily modify and update the connectors without any technical hiccups. We’ve had a successful technology partnership with Courion for many years and the extensive connector framework is an important part of that.

Matt Flynn said...

Thanks for the feedback! I have no skin in this game - the approach just sounded interesting. Glad to hear that others have went down that road. I'd love to explore in detail at some point.

Anonymous said...

Aveksa "approach" is that here is my data service bus. Come and grab the data. But feel free to manipulate the data the way you want instead of having someone program the connector for you. I see this as a over simplify approach to shifting the problem onto someone else. In some cases if the other party is willing to do the work sure. But most likely the other party are just as short staffed as the provisioning team. this is not the case where 2 -1 = 1. But Aveksa's desperate need to come up with less proserv service ratio (which it really just shifting the cost onto other business units).