As with any market, IAM software vendors vie for business by positioning and re-positioning their software in front of potential customers. Ultimately, the customer selects a vendor, implements the software, and walks into the sunset...right? Wrong.

In reality, things go wrong: Hardware doesn't arrive on time. Design decisions are delayed. Conflicts arise between the software vendor, the customer, and the consulting firm. The software's actual capabilities (read 'limitations') come front and center.

By the end of the first phase, some customers are looking for a way out. That's when the project owner starts googling, "Identity Management Project Pitfalls", and "Failed Identity Management Projects," and starts listening to the sweet nothings of the incumbent sales person who got wind of the project's difficulty. That's when the option of ripping and replacing becomes real.

I can't tell you how many times Identropy is engaged in order to perform a feasibility study on a rip-and-replace project. Unfortunately, due to the limitations of delivery methods available in the market today (as Earl Perkins noted in a recent blog entry), most of the time our advice to the customer is to make specific tweaks to their approach and 'stay the course'. Although it is true that sometimes we may find a real reason to switch, it still has to justify the pain of ripping and replacing an IAM solution. Here are a few reasons why:

  1. IAM is Invasive! There are connectors from the IAM system to all the target systems in your environment. Many times, we'll find poorly architected (and overly customized) solutions that place a tremendous amount of dependency on the target systems.
  2. Lack of Standards: Unfortunately, there is no generic industry standard for interacting with target systems. Each IAM vendor has its own 'Connector Framework'. A rip and replace would have to 'recreate' many of the nuances specific to the platform that was just deployed.
  3. Re-Educating End-Users: Getting end-users to change their behaviors the first time was hard enough!
  4. Trading Deficiencies: Many customers who have gone through a rip-and-replace have come to find out that the deficiencies they were running from in the replaced vendor's software exist in another form in the new software.
  5. They're Expensive: Replacing IAM software is more expensive than most customers' initial estimates. After taking into account the new skills that have to be learned, changes in hardware, software, the investment in end-user training, etc., the cost is often equivalent to (if not more than) the cost of implementing it the first time.

For these reasons and others, we strongly suggest that our customers perform a workshop feasibility study on the effort of ripping and replacing before pulling the trigger. Get an outside consulting firm to take a look and validate your approach. It shouldn't take very long (a week or so), and their insight may save you significant time and money.

Ash Motiwala

I’ve been in the identity space for most of my career, and I’m still passionate about it. Anyhow, a CTO is supposed to be the person who sets technical vision for the company, but honestly – Identropy has way too much brainpower for a single person to do that. Instead, I get my hands dirty with the customer development process, lend a helping hand wherever it's needed, and I have the privilege to talk identity with some of the brightest minds in this space every day.