Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products.

By Andrew Pollack on 10/17/2010 at 08:28 PM EDT

What’s killing Lotus Notes as a first choice for Enterprise Mail in so many companies is not Lotus Notes.

We know that with the work of DAOS, ID Vault, and other advances, the Domino server is kicking serious ass in terms of platform efficiency, server consolidation, resource management, and performance. We also know that the client has improved to the point where it no longer compares as the backward, ugly, hick relation to Outlook. Indeed, there are plenty of people who find it better looking and more effective. Sure, plenty don’t – but the point is that neither is so much better that it’s a market-making difference. Why then, is the Domino mail decision rapidly becoming either a holdout position for companies already invested and not willing to lose the workflow functionality of their applications – or the fallback choice for those few who want to resist going with Microsoft for complete control over their I.T. budget?

The answer is that IBM has totally and completely fumbled the ball with their enterprise desktop management strategy. They’ve so totally failed in this arena, that a majority of IT workers would be very hard pressed to even tell you what alternatives exist for a large enterprise that did not want to standardize on Active Directory. If you run a medium sized business or an enterprise, you need a directory access management solution that ties your file sharing, network sharing and other services, email, and possibly phone system together. In all but the most hardcore resistant sites, that means Active Directory today. It didn’t used to.

When IBM essentially ceded the market for identity management to Active Directory (through failing to provide a competitive alternative), they made what may be the most costly mistake in the history of software. A company that goes with Active Directory (and really, who isn’t at this point?) is buying into a licensing suite for Windows servers that includes their file and print sharing, the directory services, their access control, DNS management, etc. From there it is a very easy sale to just include the Exchange server, the web application server, etc.

Sure, we can – if given the chance – make the case from a license cost perspective, functional perspective, end user perspective, manageability perspective, and almost any other perspective that Domino provides better value, lower cost, and more reliability. We don’t get that chance however, until after the decision to go with Exchange has already been made. At that point the battle is against a decision that management types have already invested significant reputation capital as well as budget in. You can’t win that battle by just being right. You have to be overwhelmingly and irrefutably right, and you have to time that winning combination to match a significant failure in the current plan. It’s not an easy fight to win.

While IBM wasted vast amounts of time and budget on services-dependent schemes to put J2EE servers on every rack (expecting to reap massive services revenue as a result -- which never really did pan out), Microsoft did for identity and access management what Notes had long ago accomplished for messaging. They built Active Directory into a very scalable, deceptively easy to manage, comprehensive credential and role management system that is in most cases sufficiently run on just a single server in each location. Sure, backup servers are commonly used – just like in Domino – but those are even easier to set up.

As few as ten years ago (Domino/Notes golden age, btw) many sites didn’t use an enterprise wide directory management system. Those tools were localized to buildings, departments, or sometimes campuses and generally not much bigger than the local LAN segment. Today, credential and access management is expected to fully span the enterprise. While there are alternatives to doing this with Active Directory, most people don’t know what they are. The cost and complexity of building a true enterprise wide alternative is so high as to be prohibitive for most enterprises.

I did a Google search on “Alternatives to Active Directory”, and then “Tivoli Alternatives to Active Directory” and guess what? IBM Tivoli Software was not even on the first page of results – not even with their name mentioned in the search. Not even when I added the “+” sign making it a mandatory search term! I went to IBM’s site for Tivoli and it took me 4 page clicks to even find Access Manager, and even then there was no description of what it could do.

The sad truth is the combined software strategy for the desktop in the enterprise under Steve Mills, IBM’s Senior Vice President and Group Executive - Software & Systems, has been an unmitigated disaster. During his tenure, IBM has completely ceded the marketplace to Microsoft in the most critical enterprise management system there is – the network. IBM no longer even offers a seriously competitive alternative in this space. His management of IBM Software spans the time when IBM has gone from having a significant share of the network management marketplace to nearly zero, where failed attempts by competing internal software groups have led to significant market loss in every single segment, and where current predictions nearly uniformly agree that the percentage of IBM software on Enterprise Desktops will continue to decline. Mr. Mills can no doubt cite excellent looking growth numbers in software revenue since the mid 90's. Who the hell can't? The entire industry has been on fire for most of that time. What those numbers will not show, however, is growth in the IBM share of that rapidly increasing market. Growth is good, but failing to grow as fast as the industry is only good until you look closely.

Dear IBM – Please wake the hell up.



re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Dwight Wilbanks on 10/17/2010 at 09:12 PM EDT
IBM has made their position exceptionally clear, I don't understand or agree
with them, but, the part that is clear is the things that you and I consider
important are not the same thing that the decision makers consider important.



re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By JP Liggett on 10/17/2010 at 09:24 PM EDT
I thought Domino based LDAP used with samba could be used as an alternative to
MS AD and windows servers. Most linux shops I know swear by samba. I presume
that this may have been a standard offering from IBM.


"Since Samba 3 arrived in 2003, Windows network administrators have been able
to use Samba and Linux as a drop-in replacement for an NT file/print server.
You could, and many have, used Samba in place of an NT PDC (primary domain
controller)." http://www.linux-watch.com/news/NS9104718779.html Sept 2007
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Andrew Pollack on 10/17/2010 at 09:30 PM EDT
It's not about one server serving a small environment. Imagine you have 50 or
100 campuses. You CAN set up linux boxes and openLDAP, and SAMBA, and
Kerberos, and CUPS, etc etc.

But you're going to need a hell of a lot more than one kid fresh out of
the local community college to manage each of those sites and keeping them tied
together is going to keep you pretty busy.

It can be done -- it can even be done better than with AD. But very, very,
few people are able to make it happen.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Dwight Wilbanks on 10/17/2010 at 09:42 PM EDT
Active directory is so very easy to build on. Other solutions are so very
lucrative for consultants. Those that really want to make the best
recommendation to their clients are offered an ethical dilemma. I just can't go
there, AD is the way to go.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Gregg Eldred on 10/17/2010 at 09:52 PM EDT
What? No mention of Novell? Yeah, I remember, IMHO, that excellent directory
service combined with exceptional file and print services.
no point. By Andrew Pollack on 10/17/2010 at 09:56 PM EDT
Novell also failed to transition from the LAN to the global enterprise.
Architecturally they never really had a chance. Banyan had a better chance
but they lacked an attractive user interface, funding, and an intelligent
management team as well.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Bill Dorge on 10/17/2010 at 10:10 PM EDT
And so IBM wakes up, then what? It's not that they don't have the know how or
ability to integrate with Active Directory, they do it with lots of products,
even lots of Lotus products. The question is, why don't they do it with Domino?
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Andrew Pollack on 10/17/2010 at 10:18 PM EDT
Actually, they're working really hard to integrate Domino's functionality with
the AD -- eventually hoping to be able to entirely run in the AD world without
its own directory.

That's not enough. It would help -- or would have 5 years ago anyway. It
still makes you totally dependent on your key competitor for how your product
works.

What IBM needs is a serious AD competitor that's capable of competing with AD.
It hasn't happened yet and doesn't look like it's going to happen any time soon.

Mills blew it. You can't un-screw it up.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Patrick Picard on 10/18/2010 at 08:42 AM EDT
Didn't IBM/Lotus dump the whole directory independence thing?
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Martijn de Jong on 10/19/2010 at 08:37 AM EDT
Yes, they did. ID Vault and Notes Shared Login basically replaced their efforts
to be directory independent:
http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21416004
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Bill Malchisky Jr. on 10/17/2010 at 10:33 PM EDT
How ironic. I just had this conversation with a fellow alum this weekend.
Almost point for point. He works at a big Notes shop and the lack of AD
integration is causing problems for him to upgrade to ND8.5.1--particularly
with SSO. Then there is the SPNEGO aspect too: the Lotus Notes long-term
strategy therein, and by his using it, SPNEGO will force him to keep Windows
desktops rather than using a heterogeneous desktop strategy, which is preferred
for his firm (based upon user roles and job required tools). Made for an
excellent conversation.

Great post.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Ben Poole on 10/18/2010 at 03:55 AM EDT
Great post. Mills does seem to be running some kind of "parallel universe"
strategy. I can't see him changing that either, until the whole services thing
stops working for him.

I wonder when / if that will happen? I see IBM "consultants" working for big
customers at GBP 1,000 per day, adding nothing (and I mean NOTHING!); IBM seem
to be betting the farm on a pretty shaky foundation.

But hey, what do I know, I just work for a living…
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Henning Heinz on 10/18/2010 at 05:09 AM EDT
I still believe Steve Mills knows what he is doing. He just doesn't want to be in
this business and I think he is willing to sacrifice what is suffering from
this decision.
I expect it would be very hard to implement an alternative Directory Service in
a Windows (desktop) dominated world. Personally I would have hoped that some
bigger company would try to bring Samba 4 out of Alpha in all these years of
its development. And that would even only offer a cheap copy of Active
Directory.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Ed Maloney on 10/18/2010 at 07:24 AM EDT
Novell is for sale on the cheap these days. Being located in the same building
as IBM in Waltham, MA is a plus. Why IBM hasn't purchased them to get their
SUSE Linux, Identity Management Suite and a ton of great technology IP is
beyond me. If for no other reason IBM should buy them to keep Oracle from
adding this to their growing technology stack.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Dave T on 10/18/2010 at 07:50 AM EDT
There may be opportunity yet. We are almost completely AD/LDAP integrated for
our Domino platform, but then, we use very few clients (99% web with a couple
dev/admins). Still, I find that we are often called upon to fill the gaps
between AD and other platforms like PeopleSoft, Cisco phone systems, etc. Add
to that all the manual processes around keeping AD up-to-date and we have quite
the disjointed environment. Sure, it's easy for the Windows folks to say "we
have everything centralized in AD" and that sounds nice - but they only see it
from their small POV, the rest of the enterprise is scrambling.

Full "Identity Management" has yet to hit us. What they have asked for, and I
feel they really need, is a simple way for the "Access Group" to centrally
manage users for the variety of platforms, including sophisticated
onboarding/offboarding and with solid reporting and auditing. We don't get
that from AD, not even close...
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Mark Gesick on 10/18/2010 at 02:30 PM EDT
Thank you. I agree.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Leo L on 10/18/2010 at 05:19 PM EDT
Don't know what to tell you Andrew. IBM has been trying to pretend for years
that "AD" doesn't even exist. I think that they are just now realizing that
this "AD" thing may actually be sticking around and they may need to address
working with it. Of course, I'll believe it when I see it.....
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Stephan H. Wissel on 10/18/2010 at 09:19 PM EDT
If EMC is really buying Novell's Linux business, IBM could grab the rest, give
the Groupwise customers a free Notes licence and use eDirectory as alternative
for AD. After all this is where AD got its blueprints from. eDirectory scales
well and customers could put an end to the AD forest madness that came to life
due to the poor AD scalability.
re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Thomas Hampel on 01/19/2012 at 10:13 AM EST
@Stephan, interesting idea of IBM taking over Novell, it would support the
strategy.

