Primary Observation from Catalyst 2009 – the Connector Problem
Posted by Chris Sullivan - VP Customer Solutions on Tue, Aug 11, 2009
Another summer is waning and another Catalyst San Diego is behind us. As a regular attendee, I would give this year's conference fairly good marks. For me the key takeaways were:
- The Lightning Round
- The virtual compliance gap
- The conspicuous lack of customer case studies demonstrating deep and broad success in the identity space.
The Lightning Rounds were new to the format this year. Vendors were given a very short time to explain why they mattered. It seemed an effective way to give attendees a taste of each dish so that they might go back and find out more if they were interested. Most importantly, it was, dare I say, fun to watch - no time for death by PowerPoint sales pitches here - the presenting executives had their 6 minutes of fame and they were either going to bask in the glow of the lightning flash or be incinerated by it.
There was also a special moment for me that was akin to that rare time in adolescence when your parent does something that you are actually proud of. When my boss, Courion CEO Chris Zannetos, took the podium, he skipped the "Courion is about ensuring the right people get the right access to the right resources and they are doing the right things" blurb and went right to the heart of the matter - "This [use your favorite expletive] is hard". Clearly, automating identity and access management yields speed, efficiency and control and, while there are enough failed or mediocre deployments out there to make people wonder if it's worth all the fuss, there are brilliant successes, too. Chris used his time to share the key ingredients required for success - understand the risk, control and financial implications, take an incremental approach and, most crucially, choose your vendor partner with great care:
- Ask for references and ask these references the tough questions. How many systems and applications are you managing? At what level of granularity? How long did the deployment take? What are you actually automating? How many people did it take to deploy? How many does it take to maintain?
- Do a POC - a real POC, not a demo. Make the vendor take the shrink wrap off the software and install it on your iron and watch how difficult this is to do.
- Ask them to share the risk. Will they commit to a price for all future connectors? Will they lead with a fixed price proposal for everything you need?
Chris took the high road and I was proud (please don't tell him).
The virtual compliance gap was also interesting - the identity track folks touched on the difficulty of demonstrating compliance in a virtual world and so did the virtualization folks, but it's clear a lot of work needs to be done before these areas converge. How, exactly, do you demonstrate compliance to geographically specific regulations when that data (and the entire application and server that's instantiating your business process) is automatically floated between different data centers in different parts of the world to manage power consumption? This is a topic for a future blog.
Finally, the conspicuous lack of deeply successful case studies was, for me, the most important observation and not entirely disconnected from Chris' comments about the importance of partnering with the right vendor. There were several "customer success" stories, but the only one I heard that showed deep and lasting success was Wendy Booker from SunTrust Banks (full disclosure: a Courion customer). In Wendy's case, she covered how they funded a robust access assurance program that manages fine-grained entitlements for 35,000 people, with detailed roles and 50+ custom connectors automating all aspects of provisioning and compliance for hundreds of systems and applications - yielding dramatic control, efficiency and service quality improvements.
I hope I didn't miss an important session, but most of the other deployments described seemed superficial, such as the case where it took 18 months to do 25 roles for 25,000 people and they only covered RACF and AD. Really? Most companies I know with 25,000 people are dealing in the range of 500-1000 applications, with hundreds of them being KFA (key financial applications for SOX) or HRA (high risk applications for the business). Surely 25 roles for this level of complexity does not begin to address the problem or the opportunities.
I began to realize that the elephant in the room is connectors. All provisioning and/or compliance vendors have connectors for RACF and AD but this doesn't begin to meet the need for companies with this kind of scale and complexity. At Courion, we have 160+ out-of-the-box connectors, but what's the likelihood they will be the 160+ most important of the 1000+ that you need?
That's it then - the Achilles' heel of the Provisioning and Access Compliance world is connectors. Can your vendor give you a low fixed price for as many as you need? Can they commit to a price in advance, even before you know what the applications are, so that you can plan and manage your deployment out of Phase I and into something that truly enables the business? The answer in almost all cases is, "No".
This is a problem that Courion has been working on for a long time - we understand the issues that make this difficult and we have tooled ourselves to address them. Today, not at some time in the future, we provide our customers unlimited connectors with speed and efficiency, and at one low fixed price - perhaps there's some fodder here for a future blog as well.