What happens when your identity vendor doubles its software maintenance costs and management is so tired of being held at virtual vendor gunpoint that they start looking for an equivalent product in the marketplace? Realistically, there are two ways to respond: first, go with another vendor and hope it doesn't have the same sales strategy as the last one; or second, look at what the open source market offers so you can be the owner of your own destiny.
While the outcome of the first option is difficult to predict and depends on the size and bargaining strength of your organization, the second is much easier to evaluate because there are strong open source identity management options to consider. These open source identity stacks are available for immediate download and offer many of the same features that commercial off-the-shelf (COTS) products provide. But should you do it? Let's take a look to see whether you'd be getting a pig in a poke or a well-thought-out, functional product.
Breaking down the inner workings of identity management tools
Identity management tools have been around for over a decade, and while it would seem the market was saturated long ago, around 2012 several companies began offering open source identity management products. With large companies like Microsoft, Oracle, IBM and many others offering full suites of professional COTS identity products, why would open source be a viable option?
Customers of COTS vendors might tell you that the software itself accounted for only about 25% of what made their deployments succeed. The reality is that most of the magic in an identity package comes from two components: first, the breadth of support for target systems and the connectors or scripts that drive the identity management engine; and second, the authorization workflows, roles, entitlements and access control decisions that determine what access each user should hold.
Both of these are process and architecture, not software. A generally accepted industry estimate is that hardware and software make up only about 20% of the overall cost of an identity deployment in its first year of operation. Because of this, some vendors competing with the leading identity providers took a different tack and offered their software for free so they could concentrate their value on the non-software activities, including professional consulting services and training, to bring in revenue.
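To make the "process and architecture, not software" point concrete, here is an added example (not code from the article or from any of the products it names) of the organization-owned half of an identity deployment: a role model that maps roles to entitlements on target systems, a separation-of-duties rule, and a reconciliation step that pushes grants and revokes through per-target connectors. The role names, target systems, users and the `RecordingConnector` stand-in are all constructed for illustration; a real connector would call the target's API, and the same role model and rules could be fed to whichever engine, open source or COTS, the organization chooses.

```python
"""Role-based provisioning reconciliation.

Added example, not from the original article or any named product. It models
the 'process and architecture' half of an identity deployment: a role model,
a separation-of-duties rule and target-system connectors, owned by the
organization and independent of the engine that executes them.
All role names, target systems and users below are constructed sample data.
"""
from dataclasses import dataclass

# Role model: role -> {target system -> entitlements}. Constructed sample data.
ROLE_MODEL = {
    "employee": {"ad": {"Domain Users", "VPN-Users"}, "email": {"mailbox"}},
    "finance": {"erp": {"AP-Clerk"}, "ad": {"Finance-Share-RW"}},
    "finance-approver": {"erp": {"AP-Approver"}},
}

# Separation-of-duties rule: (system, entitlement A, entitlement B) that one
# person must never hold together. Constructed for illustration.
SOD_CONFLICTS = [("erp", "AP-Clerk", "AP-Approver")]


@dataclass(frozen=True)
class Action:
    op: str          # "grant" or "revoke"
    system: str
    user: str
    entitlement: str


def desired_state(user_roles):
    """Collapse a user's roles into {system -> entitlements they should hold}.

    An unknown role is a data error, so it raises KeyError rather than
    silently granting nothing (fail loudly, not quietly).
    """
    desired = {}
    for role in user_roles:
        for system, ents in ROLE_MODEL[role].items():
            desired.setdefault(system, set()).update(ents)
    return desired


def sod_violations(desired):
    """Return the SoD rules the desired state would break."""
    return [(system, a, b) for system, a, b in SOD_CONFLICTS
            if {a, b} <= desired.get(system, set())]


def reconcile(user, user_roles, actual):
    """Diff desired against actual access and emit grant/revoke actions.

    Anything found on a target that no current role justifies is revoked:
    this is the mover/leaver cleanup that enforces least privilege.
    Output is sorted so runs are deterministic and auditable.
    """
    desired = desired_state(user_roles)
    actions = []
    for system in sorted(set(desired) | set(actual)):
        want = desired.get(system, set())
        have = actual.get(system, set())
        actions += [Action("grant", system, user, e) for e in sorted(want - have)]
        actions += [Action("revoke", system, user, e) for e in sorted(have - want)]
    return actions


class RecordingConnector:
    """Stand-in for a per-target connector; a real one would call the system's API."""

    def __init__(self, system):
        self.system = system
        self.log = []

    def apply(self, action):
        self.log.append((action.op, action.user, action.entitlement))


def provision(user, user_roles, actual, connectors):
    """Refuse an SoD-violating role assignment outright; otherwise push the
    reconciled actions to each target's connector and return them."""
    conflicts = sod_violations(desired_state(user_roles))
    if conflicts:
        raise ValueError(f"separation-of-duties conflict for {user}: {conflicts}")
    actions = reconcile(user, user_roles, actual)
    for action in actions:
        connectors[action.system].apply(action)
    return actions


if __name__ == "__main__":
    connectors = {s: RecordingConnector(s) for s in ("ad", "email", "erp")}
    # Mover: alice left finance and also carries a stale group no role grants.
    alice_actual = {
        "ad": {"Domain Users", "VPN-Users", "Finance-Share-RW", "Legacy-Admin"},
        "email": {"mailbox"},
        "erp": {"AP-Clerk"},
    }
    for a in provision("alice", ["employee"], alice_actual, connectors):
        print(a)
    # Joiner: bob receives the baseline employee access.
    for a in provision("bob", ["employee"], {}, connectors):
        print(a)
```

The part worth noticing is `reconcile`: it revokes everything on a target that no current role justifies, which is how a mover or leaver's stale access gets cleaned up, and `provision` refuses an assignment that would put conflicting entitlements on one person before anything touches a target. Both behaviours are policy the organization defines and owns; the engine that executes them is replaceable.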
Benefits of open source identity management software
So what are the benefits of open source to an identity management professional? First, it comes down to money. With open source software, there are no license costs to deploy identity services. While there may be other costs, including subscription fees for updates and/or configuration tools that make management easier, the "millions" of dollars typically needed to bring in a COTS product can generally be avoided.
In addition, while not necessarily exclusive to open source tools, most open source vendors maintain a development community that is open to anyone contributing bug fixes and new or expanded functionality. Most open source products also follow a "try before you buy" philosophy. This helps an organization that wants to run a low-cost pilot or a bake-off between different open source providers: it can simply assign a team to download the code and install and test it against a sample of the environment to see whether it's a good fit.
Finally, open source can be a good choice for a small to medium-sized organization that has limited resources or funding but still needs strong identity management services. With COTS products, smaller companies are often priced out by the high cost of entry.
Disadvantages to open source identity management
As the old adage goes, "nothing comes for free." There are some disadvantages to open source identity tools. While license fees aren't required, there are hardware, consulting, training and integration costs, which don't go away just because the identity management software is open source. These can be substantial over time, so a total cost of ownership analysis is highly recommended.
Another important disadvantage is that there are fewer vendors to choose from. Some of the available options include OpenIAM, OpenIDM, Atricore, OpenRegistry, JoshuaTree, Allidm, Soffid, OSIAM and nLight. COTS identity providers, by contrast, come in a number of forms, such as on-premises, hosted and cloud-based; in fact, that marketplace is still very crowded. But a Google search for open source identity management products turns up fewer than a handful of vendors, and they are almost exclusively on-premises. If an organization has a specialized set of target systems it must interface with, or it leans toward cloud or hosted products, a COTS tool may be the only choice. With that said, the open source providers currently in the market have very mature options and compete well with the COTS vendors if they support the targets and infrastructure your company is looking for.
Support generally doesn't come for free from open source vendors, and their community-supported forums may not be responsive to every issue. So the original problem of rising support costs may not go away.
Finally, the viability of open source products is always in question. These products are generally run by boutique companies, so what happens if they go under or are acquired by a larger commercial company? Will the product downloaded today be available tomorrow? While this concern applies to most small security companies, there's a bigger stigma to overcome when it's suggested that an open source product be considered.
COTS products vs. open source identity management software
While most large enterprises go with COTS identity management products, medium to smaller organizations may benefit from looking at an open source identity option. While there are more risks in selecting a product that is community-supported, the barrier to entry is greatly reduced and funds can be better allocated toward consulting and support to deploy the solution. The core functionality is very much on par with COTS products; the breadth of connectivity may be more limited, but with open source it's easy to download the software and see whether it is a good fit without a lot of time and effort. In the end, if you can provide good identity capabilities and still reduce expenditures so money can be redirected toward other necessary security needs, it's a win-win for you and your organization.
About the author:
Randall Gamby is an Identity and Access Management (IAM) professional with over 25 years of IAM experience. He is currently the IAM strategist for a Fortune 500 company. Prior to this position he was a Master Security Consultant, a state Information Security officer and the enterprise security architect for an insurance and finance company. His experience also includes many years as an analyst for the Burton Group's Security and Risk Management Services group, where his coverage areas included secure messaging, security infrastructure, identity and access management, security policies and procedures, credential services and regulatory compliance.