If you want to learn a lot, fast, about what's available on the market for access management software products, two words, Burton Group. Access Manager this, Access Manager that, and Access Manager the other.
What's My Point of Reference?
Again, I'm a technical writer for Sun Microsystems. I write about Sun Java System Access Manger, specifically the agents; by that I mean the Access Manager Policy Agent software set. Of course, the Burton Group has done research on Sun Java System Access Manager, but they've done research on several access managers (if I can be so bold to call them “access managers.”) The Burton Group calls the market for this product “Web Access Management Market.” If you want to make a competitive analysis, Burton Group is a good place to start. One thing I've learned in life, you can't be all things to all people. None of these Web Access Manager systems or WAMs, as Burton Group is calling them, is going to fit everyone. So, while Sun Java System Access Manager is obviously the best (a little humor), there's going to be some corner case (more humor) where it isn't the best choice .
Who/What is the Burton Group?
They provide research services in various areas. My interest is in the following area: Identity and Privacy Strategies Coverage Areas
It turns out that I have full access to all of Burton Group's research but, much to my dismay, it's not because I'm so charming. I work for Sun Microsystems and Sun has an annual subscription with Burton Group. That's the way it works. Your company has an annual subscription, you get everything. Your company doesn't have an annual subscription, you get a few things here and there. One can do a guest log in. Then you can get something. I have no idea what that will get you, but something free anyway.
I actually contacted Burton Group to ask if people could buy a research paper here or there from them. In a word, “No!” Now, I could just attach all the cool research papers I got right here in my blog, but I might go to jail: a lot of downside, not much upside.
The good thing for me is that they were the sweetest people in the world. My first thought was “Wow! Sun must be paying lots of money for this annual subscription.” But then I don't know. Usually, you can't even buy customer service like that. Still I'm not letting down my guard. As I've said before, “I guess I don't trust anybody...”
All the same, I think they go a long way to make things right. This is from their Web site:
Q: What is Burton Group's vendor-independence policy?
A: At Burton Group, we take pride in our vendor independence. More than 80 percent of Burton Group's customers are enterprise organizations, and our singular commitment to be an unbiased advocate for the enterprise customer guides all of our work.
Burton Group does not publish vendor-sponsored research of any kind. Since the company's founding in 1990, we have never published any vendor-sponsored research. Likewise, Burton Group covers relevant vendors and products without regard to whether vendors subscribe to or use our services. In all of our endeavors, we maintain independence from vendor agendas, providing unbiased assessments of markets, vendors, and products. In keeping with its mission, Burton Group provides technically in-depth, independent research and advice for the enterprise technologist.
Who Did the Research on the Web Access Management Market?
ERROR IN THIS NEXT PARAGRAPH
It was all done by one person, Mark Diodati. You can see by his bio that he worked at a very high level for CA (Computer Associates – it isn't Computer Associates? Everything seems to be just CA now.) for 15 years. Anyway, one of the research papers is about CA SiteMinder. I think it's natural for me to question a former CA VP reviewing a CA product. Back to my “I guess I don't trust anybody” quote. Still his writing comes across painfully objective. So, five brownie points for that. It would seem hard to find an expert on WAM products who didn't actually somewhere in the past work with one WAM product more than the others.
HOW'S THE ABOVE PARAGRAPH WRONG?
I wouldn't normally correct an error I've made in my blog, but Mark Diotadi himself added a comment pointing out an error I made that changes my outlook a bit. Mark didn't work at CA for 15 years. At the time, his bio showed 15 years experience in information security in general. His Bio now shows 16 years total experience. Somehow, I jumped to the conclusion that he worked at CA the entire time, even though his bio mentions other companies, such as RSA. In his comment, Mark breaks the time down a little more specifically as such:
"I worked at CA for two years. I also worked at RSA for six years, and as you point out they have a WAM product as well."
Now, if we can just get IBM, Oracle, and Sun to each hire him for two years, we'll really be on to something.ERROR CORRECTION COMPLETE
Another thing about Mark that I found was that he sometimes contributes to the Burton Group Identity Blog, such as this entry: http://identityblog.burtongroup.com/bgidps/2007/03/the_latticework.html. I like that entry because it points out how confusing it all is. Does identity management really have to be this complex? It seems the answer is “Yes, for now at least!”
Okay, What 's the Research Already?
I'm talking about five papers that each have these labels:
The specific titles are as follows:
CA SiteMinder v6 SP5 (November 29, 2006)
Oracle Access Manger 10gR3 (December 06, 2006)
RSA Access Manager 6.0 (December 13, 2006)
Sun Java System Access Manager 7.1 (March 02, 2007)
IBM Tivoli Access Manager for e-business v.6.0 (March 26, 2007)
The section titles tend to be the same so it's relatively easy to compare one product to another. For example, there's a section titled “Bottom-Line Assessment.” That's broken into two sections that pretty much say:
Things about this WAM product that might influence you to buy it
Things about this WAM product that might influence you to buy another WAM product
Each paper includes pricing information, a graphic of the architecture, and a lot of other things. Another reminder: I write about Access Manger Policy Agent, which is a policy enforcement point (PEP). Therefore info about PEPs (and there was a decent amount) was really good for me. I have a better sense now about how other WAM products handle the PEPs. There's some variety there. And each method has it's advantages and disadvantages.
Where To Go From Here?
I'm not sure what's next. From these five papers, one could definitely make it even easier to compare these products by coming up with even more charts, tables, and graphics. A lot of the hard work has been done. Soon, I'm going to contact Burton Group again to talk to their experts. Apparently, I can do that. I can have “dialogues” with Burton Group experts. I keep thinking that they're going to figure out that I was accidently added to the wrong list and then they're going to make me give back everything I've already learned
Now, I don't know nothing about nothing. But I can tell you this, if you're ever in the market for a WAM product, make the sales/marketing/engineering reps, Sun's and/or whoever else's, do a proof of concept. Because this stuff is complex.
Okay, you got anything else needs reading? Cuz I'm on a tear!!
UPDATE: JUNE 1 - I have a more recent entry on Burton's coverage of the WAM market here:
Understanding the Web Access Management Market.