The Black Book of Identity Access Mgmt

Friday, May 28, 2010

What’s great about a cheap IAM solution? Well, it’s cheap, anyway

Over a dozen years ago, I worked with a set of testing tools from a particular company. One tool performed regression testing, and the other performed load testing. They competed with Mercury Interactive, which itself had one of the more interesting reputations in the market. Anyway, one day this testing company had the brilliant idea of creating a tiny bit of integration between the two tools (using the scripts generated from regression to feed load tests), packaging them up, and giving the same old tools a new name. Instead of testing tools, they were now a SUITE. It actually wasn’t too bad an idea. They had a good thing going for a while, until bad management and some very questionable practices led to the defection of half the workforce and a delisting from NASDAQ.

I’ll keep any comments about questionable Microsoft practices aside and simply observe that they have pretty much done the same thing in the identity space. They’ve taken MIIS, which wasn’t exactly setting the world on fire, glued it to Sharepoint and Active Directory, thrown in their big Euro partner and a few other pieces, and re-christened the whole mess “Forefront.”

I’ve seen (just a couple of) companies build their own provisioning, if you could call it that, with Sharepoint alone. GAH! The workflow is brutal and rigid, an all-or-nothing proposition that you don’t want to fool with once you’ve put it together. These deployments typically have multiple workflow definitions per location or business unit, with no reusable pieces. It’s also terribly fragile.

Sharepoint is a weak point in and of itself, with its all-or-nothing security model that is often poorly configured and, of course, dependent on AD groups. Check out one of my earliest posts for the lowdown on MOSS security.

With the other OEM pieces in Forefront, workflow is a better proposition than just plain Sharepoint. You can use Omada’s visual workflow, OR you can build it in Visual Studio. Icky poo poo. However, extending it typically means coding. There are no real ERP connectors, nor is there a Unix connector. Notice my erudition, as evidenced by my use of the word “nor.”

Attestation is attribute-only (unless you use Omada). This is a legacy thing they’ve never fixed, physically or philosophically. It’s based on the old paradigm where provisioning in Windows meant filling in AD attributes, which the applications would then have to query to see if a user was allowed entry. It’s incredibly arrogant on their part.

Another legacy thing: the use of Crystal Reports. Gah! That thing will not die. Where’s the analytics? And SSO is severely limited, and as usual, it includes Kerberos, or at least Microsoft’s version of it.

So let’s look at the business angle. I mentioned yesterday how Novell used to compete with Netscape LDAP by offering a lesser but CHEAPER product. In fact, it often went for ten percent of Netscape’s price, and usually came with ten percent of its functionality. So what Microsoft is doing with Forefront is making the thing very, very, very price competitive. It doesn’t do what the others do, and extending it takes a lot of work, but it’s cheaper or, in some cases I’ve found, free to existing MS customers. WOW, you say, if it’s that cheap, I can afford the consulting help to build it out, right? Well, Skippy, hang on. What you also need to look at, besides TCO (total cost of ownership) in the short term (what it takes to build out), is the long-term cost. Can you migrate it to something else if need be? How much will it cost you down the road when you want to make the simplest changes? Will every change requirement mean coding yourself into a corner?

“Free” sounds terribly intriguing. But if it sounds too good to be true, then it’s too good to be true. Before going whole hog with Forefront, I’d highly recommend a reasonable proof of concept, and make sure you watch how it’s done. Exactly what does it take to build out those use cases? How much customization is required? How flexible is it once it’s built? How many OEM parts are there? Then multiply that by the number of roles or groups or business units. Do the calculations. My wife the math teacher boils everything down to numbers. Y’know, as in “how many days has this been in the refrigerator?”