In the 1990s, implementing identity management was the IT equivalent of entering quicksand.
Projects took years, requiring process changes, custom integration, and organizational buy-in.
Many companies underestimated the time, cost, and effort to get identity right, resulting in a number of highly publicized project failures.
Over time, enterprises developed a much more rational approach to identity management. Rather than take on yet another "boil the ocean" IT initiative, large organizations eschewed big projects in favor of a more piecemeal approach, implementing high-value products in areas such as user provisioning, Web access, or central management.
This buying behavior led to an inevitable cycle on the supply side. First, VCs threw money at identity start-ups like Netegrity, Oblix, and Thor that offered niche products. The start-ups then went to market, where the best products and execution won out. Finally, established leaders were gobbled up in an acquisition binge. CA grabbed Netegrity; Oracle bought Oblix and Thor; Sun Microsystems acquired Waveset Technologies. Pretty soon, there were a few large vendors (BMC, CA, Hewlett-Packard, IBM, Microsoft, Novell, Oracle, and Sun) offering identity management suites.
As we fade into the sunset of 2007, there is still plenty of upside in the identity management space. And as always in the tech industry, history is repeating itself. Many of the hottest identity management firms are venture-backed start-ups that have carved out a niche and are now executing in the field. For example:
Aveksa and SailPoint deliver products to manage identity governance and role management. This is a new requirement driven by GLBA, HIPAA, PCI DSS, and Sarbanes-Oxley. These two companies provide specialized tools that help companies map users and roles to compliance mandates.
Imprivata provides a network-based appliance that simplifies single sign-on (SSO) and authentication management, and also marries physical and electronic identity. This is a great example of a simple solution to a complex problem.
Identity Engines saw identity-based networking on the horizon, so it introduced a new-age RADIUS server to accommodate the burgeoning requirements for policy management and massive scale.
Chosen Security believed that growing demand for PKI would be a mismatch for technical complexity. As a result, it has a PKI service offering.
Centrify takes advantage of pervasive Windows infrastructure by offering a middleware bridge that lets large organizations manage Linux and Unix users through Active Directory.
None of these companies will grow up to be the next Microsoft, but I believe all of them offer products that users value. That's a recipe for success as I see it.
I know what you are thinking: The next step is more industry consolidation. Yup, it is already happening. Cisco Systems' purchase of "fine-grained access control" start-up Securent comes to mind. Look for more identity specialization and more M&A activity after the ball drops on New Year's Eve.