Thursday, November 6, 2008

ITIL requires better log management and analytics to gain IT operational efficiency, accountability

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: LogLogic.

Read complete transcript of the discussion.

Implementing best practices from the the Information Technology Infrastructure Library (ITIL) has become increasingly popular in IT departments. As managers improve IT operations with an eye to process efficiency, however, they need to gain operational accountability through visibility and analytics into how systems and networks are behaving.

Innovative use of systems log management and analytics -- in the context of entire IT infrastructures -- produces an audit and performance data trail that both helps implement and refine such models as ITIL. Compliance is also a building requirement that can be solved through verification tools such as systems monitoring and analytics in the context of ITIL best practices.

To learn more about how systems log tools and analysis are aiding organizations as they adopt ITIL, I recently spoke with Sean McClean, principal at consultancy KatalystNow, and Sudha Iyer, director of product management at LogLogic.

Here are some excerpts:
IT, as a business, a practice, or an industry is relatively new. The ITIL framework has been one that's always been focused on how we can create a common thread or a common language, so that all businesses can follow and do certain things consistently with regard to IT. ... We are looking to do even more with tying the IT structure into the business, the function of getting the business done, and how IT can better support that, so that IT becomes a part of the business.

Because the business of IT supporting a business is relatively new, we are still trying to grow and mature those frameworks of what we all agree upon is the best way to handle things. ... When people look at ITIL, organizations assume that it’s something you can simply purchase and plug into your organization. It doesn't quite work that way.

ITIL is generally a guidance -- best practices -- for service delivery, incident management, or what have you. Then, there are these sets of policies with these guidelines. What organizations can do is set up their data retention policy, firewall access policy, or any other policy.

But, how do they really know whether these policies are being actually enforced and/or violated, or what is the gap? How do they constantly improve upon their security posture? That's where it's important to collect activity in your enterprise on what's going on.

Our log-management platform ... allows organizations to collect information from a wide variety of sources, assimilate it, and analyze it. An auditor or an information security professional can look deep down into what's actually going on, on their storage capacity or planning for the future, on how many more firewalls are required, or what's the usage pattern in the organization of a particular server.

All these different metrics feed back into what ITIL is trying to help IT organizations do. Actually, the bottom line is how do you do more with less, and that's where log management fits in. ... Our log management solutions allows [enterprises] to create better control and visibility into what actually is going on in their network and their systems. From many angles, whether it's a security professional or an auditor, they’re all looking at whether you know what's going on.

You want to figure out how much of your current investment is being utilized. If there is a lot of unspent capacity, that's where understanding what's going on helps in assessing, “Okay, here is so much disk space that is unutilized." Or, "it's the end of the quarter, we need to bring in more virtualization of these servers to get our accounting to close on time."

[As] the industry matures, I think we will see ... people looking and talking more about, “How do I quantify maturity as an individual within ITIL? How much do you know with regard to ITIL? And, how do I quantify a business with regard to adhering to that framework?”

There has been a little bit of that and certainly we have ITIL certification processes in all of those, but I think we are going to see more drive to understand that and to formalize that in upcoming years.
Read complete transcript of the discussion.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: LogLogic.

Tuesday, November 4, 2008

Genuitec, Eclipse aim for developer kit to smooth rendering of RIAs on mobile devices

The explosion in mobile Web use, due partly to the prevalence of the iPhone and other smart-phone devices -- and a desire to make developers less grumpy -- have led Genuitec to propose a new open-source project at the Eclipse Foundation for an extensible mobile Web developer kit for creating and testing new mobile rich Internet applications (RIAs).

Coming as a sub-project under the Device Software Development Platform (DSDP), the FireFly DevKit project is still in the proposal phase, and the original committers are all from Genuitec, Flower Mound, Tex. [Disclosure: Both Genuitec and the Eclipse Foundation are sponsors of BriefingsDirect podcasts.]

Included in the developer kit will be a previewer and a debugger, a Web rendering kit, a device service access framework, a deployment framework, and educational resources.

The two tool frameworks will enable mobile web developers to visualize and debug mobile web applications from within an Eclipse-based integrated development environment (IDE). Beyond this the FireFly project will develop next-generation technologies and frameworks to support the creation of mobile web applications that look and behavior similarly to native applications and are able to interact with device services such as GPS, accelerometers and personal data.

The issue of developer grumpiness was raised in the project proposal:
When programming, most developers dislike switching between unintegrated tools and environments. Frequent change of focus interrupts their flow of concentration, reduces their efficiency and makes them generally grumpier :). For mobile web application development, web designers and programmers need to quickly and seamlessly perform incremental development and testing directly within an IDE environment rather than switching from an IDE to a device testing environment and back again.
One goal of the Web rendering toolkit is to make Web applications take on the look and feel of the host mobile device. Possibly, an application could run in the Safari browser on an iPhone, but appear similar to a native iPhone app.

Initially, example implementations of the project frameworks will be provided for the iPhone. As resources become available, examples for the G1-Android platform will also be developed. The project will actively recruit and accept contributions for other mobile platforms such as Symbian, Windows Mobile and others.

The current timeframe of the project calls for it to piggyback an incubation release on top of the Eclipse 3.5 platform release. The entire project proposal is available on the Eclipse site.

Friday, October 31, 2008

BriefingsDirect Analysts take Microsoft's pulse: Will the software giant peak in next few years?

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Active Endpoints.

Read a full transcript of the discussion.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Welcome to the latest BriefingsDirect Insights Edition, Vol. 32, a periodic discussion and dissection of software, services, SOA and compute cloud-related news and events, with a panel of IT analysts and guests.

In this episode, recorded Oct. 10, 2008, our experts examine the state of Microsoft at the onset of the annual Professional Developers Conference. Two narratives emerge from our roundtable discussion, that Microsoft is behind on many new IT trends and is tied to past business models. The opposing view is that Microsoft will ride pedestrian app dev, business intelligence, data services, Xbox, unified communications, virtualization and cloud computing to become bigger and more pervasive than ever.

Please join noted IT industry analysts and experts Jim Kobielus, senior analyst at Forrester Research; Tony Baer, senior analyst at Ovum; Dave Linthicum, independent SOA consultant at Linthicum Group; Brad Shimmin, principal analyst at Current Analysis; Mike Meehan, a senior analyst at Current Analysis, and Joe McKendrick, independent analyst and prolific blogger. Our discussion is hosted and moderated by yours truly, Dana Gardner.

Here are some excerpts:
Kobielus: There’s some validity to the viewpoint that Microsoft's growth potential has capped on the business side, when you consider packaged applications, and software- and application-development tools, in the sense that the entire product niche of the service-oriented architecture (SOA) universe is rapidly maturing.

The vendors in this space -- the SOA vendors, the business-intelligence (BI) vendors, the master data management (MDM) vendors -- are going to realize revenue growth and profitability. Those who survive this economic downturn and thrive in the next uptick, will be those who very much focus on providing verticalized and customized applications on a consulting or professional services basis.

In that regard, Microsoft is a bit behind the eight ball. They don’t really have the strength on the consulting, professional services, and verticalization side, that an SAP, Oracle, or an IBM can bring to the table.

Microsoft, if they want to continue to grow in the whole platform and application space and in the whole SOA universe, needs to put a greater focus on consulting services.

McKendrick: Microsoft has its own economy. No matter what happens to the economy at large, Microsoft has its own economy going, and just seems to get through all this.

What’s driven Microsoft from day one, and continues to do so, is that Microsoft is the software company for Joe the Plumber. That’s their constituency, not necessarily Joe the Developer. They cater to Joe the Developer, Joe the CIO, and Joe the Analyst certainly likes to check in on what they are doing. It's this whole idea of disruptive technology. They have always targeted the under-served and un-served parts of the marketplace and move up from there.

... The base of Microsoft, these companies that are using Microsoft technology, don’t necessarily get virtualization or cloud computing. They just want a solution installed on their premises and want it to work.

Linthicum: I think they are behind the eight ball. A lot of the strategy I’ve seen coming out of Microsoft over the last few years, especially as it relates to cloud computing, SOA, and virtualization, has been inherently flawed. They get into very proprietary things very quickly. It really comes down to how are they going to sell an additional million desktop operating systems.

Ultimately, they just don’t get where this whole area is going. ... We’re heading into an area where they may not be as influential as they think they should be. They may be not only behind the eight ball, but lots of other organizations that are better at doing cloud computing, virtualization, and things like that, and have a good track record there, are going to end up owning a lot of the space.

Microsoft isn’t going to go away, but I think they’re going to find that their market has changed around them. The desktop isn't as significant as it once was. People aren’t going to want to upgrade Office every year. They’re not going to want to upgrade their desktop operating systems every year. Apple Macs are making big inroads into their market space, and it’s going to be a very tough fight for them. I think they’re going to be a lot smaller company in five years than they are today.

Meehan: Dave is absolutely right in that the one area that Microsoft never really conquered that it needed to conquer, given its strength in the desktop, is the handheld. If they are not going to be there with the handheld long-term, that’s a major growth area that they are going to miss out on. That’s where a lot of the business is going to shift to. ... On the SOA side, as I said before, Microsoft is just trying to be as service-oriented as they can for users who are trying to be not SOA-driven, but "As Service-Oriented As Possible" (ASOAP).

In fact, make that an acronym, ASOAP. There are going to be a number of users who are not going to go fully into SOA, because they have an enterprise architecture. It’s too hard to do, too hard to maintain. They’re never going to quite figure that out. They are just going to try to be tactical and ASOAP. Microsoft will try to service them and hold that part of their business.

What’s the next big thing they’re going to do? Joe referred to Microsoft having come up with that in previous downturns. I don’t see where they have got that right yet, and so I think that leads to them being smaller long-term.

Shimmin: [Microsoft is going to have an opportunity to change this perception] and simply because they don’t have to. I think back to a number of points that’s been made here that to be successful Microsoft doesn’t need to convince the world. It just needs to convince the people that attend the PDC. They have such an expansive and well-established channel, with all the little plumber-developers running around building software with their code, that just as 40 is the new 30, Microsoft is really kind of the new Apple, in a way.

They don’t need to be Oracle to succeed, they really need to have control over their environment and provide the best sort of tooling, management, deployment, and execution software that they can for those people who have signed on to the Microsoft bandwagon and are taking the ride with them. ... (Microsoft) is kind of capped out in many ways relative to the consumer market. But, gosh, they have shown that with things like SharePoint, for example, Microsoft is able to virally infest an organization successfully with their software without having to even lift a finger.

They’ll continue to do that, because they have this Visual Basic mentality. I hate to say it, but they have the mentality of “Let’s make it as simple as possible” for the people that are doing ASOAP, as Mike said, that don’t need to go all the way, but really just need to get the job done. I think they’ll be successful at that.

Kobielus: I think Microsoft will be larger, and they will be larger for the simple reason that they do own the desktop, but the desktop is becoming less relevant. But now, what’s new is that they do own the browser, in terms of predominant market share or installed base. They do own the spreadsheet. They do own the portal. As Brad indicated, SharePoint is everywhere.

One of the issues that many of our customers at Forrester have hit on -- CIO, CTO, that level -- is that SharePoint is everywhere. How do they manage SharePoint? It's a fait accompli, and enterprises have to somehow deal with it. It’s the de-facto standard portal for a large swath of the corporate world. Microsoft, to a great degree, owns the mid-market database with SQL Server.

So owning so many important components of the SOA stack, in terms of predominant market share, means that Microsoft has great clout to go in any number of directions. One direction in which they’re clearly going in a very forceful way that brings all this together is in BI and online analytical processing (OLAP). The announcements they made a few weeks ago at the BI conferenceshow where Microsoft clearly is heading. They very much want to become and remain a predominant BI vendor in the long run.

Gardner: ... On the total cost perspective, I think what I am hearing from you is that if you go all Microsoft all the time, there are going to be efficiencies, productivity, and cost savings. Is that the mantra? Is that the vision?

Shimmin: That‘s exactly right, Dana. That’s what they’re banking on, and that’s why I think they are the next Apple, in a way, because they are downtrodden, compared to some of the other big guns we’re talking about with Oracle, SAP, and IBM inside the middleware space. But that doesn’t matter, because they have a loyal following, which, if you guys have ever attended these shows of theirs, you’d see that they are just as rabid as Mac fans in many ways.

Microsoft is going to do their best job to make their customers lives as easy as possible, so that they remain loyal subjects. That’s a key to success. That’s how you succeed in keeping your customers.

Linthicum: Ultimately, people are looking for open solutions that are a lot more scalable than this stuff that Microsoft has to offer. The point that was just made, there are a bunch of huge Microsoft fans that will buy anything that they sell, that’s the way the shops are. But the number of companies that are doing that right now are shrinking.

People are looking for open, scalable, enterprise-ready solutions, they understand that Microsoft is going to own the desktop, at least for the time being, and they are going to keep them there. But, as far as their back office things and some of the things that Microsoft has put up as these huge enterprise class solutions, people are going to opt for other things right now.

It's just a buying pattern. It may be a perception issue or a technological issue. I think it’s a matter of openness or their insistence that everything be proprietary and come back to them. I heard the previous comment that looking at all Microsoft all the time will provide the best bang for the buck. I think people are very suspicious of that.

Gardner: We’ve heard quite a bit on this cloud operating system from Red Hat, Citrix, VMware, IBM, and HP talked it up a little bit. No one’s really come out with a lot of detail, but clearly this seems to be of interest to some of the major vendors. What is the nature of this operating system for the cloud, and does it have the same winner-take-all advantage for a vendor that the operating system on the desktop and departmental server had?

Linthicum: I think it does in virtualization. Once one vendor gets that right, people understand it, there are good standards around it, there are good use cases around it, and there’s a good business case around it, that particular vendor is going to own that space.

I’m not sure it’s going to be Microsoft. They’re very good about building operating systems, but in understanding my Vista crashes that are happening once a day, they are not that good.

Also, there are lots of guys out there who understand the virtualization space and the patterns for use there. The technology they’re going to use, the enabling standards, are going to be very different than what you are going to use on a desktop or even a small enterprise departmental kind of problem domain. Ultimately, a large player is going to step into this game and get a large share of this marketplace pretty quickly, because the cost and ease of moving to that particular vendor is very low.

... These virtualization operating systems that are enterprise bound or even in a gray area with the cloud are going to come from somebody else besides Microsoft.
Read a full transcript of the discussion.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Thursday, October 30, 2008

Microsoft's cloud push lacks economic expediency, sidesteps catalysts for ecology-wide adoption

Few topics among economists and business leaders engender the same enthusiasm as productivity. Doing more for less seems the universal balm for individuals, businesses and markets. If we all have growing productivity, well, then everything practically takes care of itself. You'll find few dissenters.

Ask 50 economists, however, how much IT specifically has contributed to productivity surge since the 1970s, and you'll get 50 different answers. They know IT has been good for work efficiency, sure, but just how so and in what dollops? No clue.

Is it better, cheaper software? Is it Moore's Law of escalating power and value from micro-processors? Is it the connected hive of the local area network, or the social fabric of the Internet? The behavior shifts to "always on" data access, or knowledge sharing of ad hoc and geography-free collaboration sessions -- are they behind the productivity boom of the past (apparently closing) bull economic cycle?

Yes, of course, to all. But how and to what degree that these complex causes and effects form the formula for overall productivity is as elusive as predicting the weather from butterfly wing beats. Somewhere in the fog of IT's storm into our consciousness, work habits and business strategies lies the answer. The algorithm of IT's productivity influence over individual people and their societal actions has yet to be written. Too many ghosts. Too many machines.

Nonetheless, productivity -- or rather the expectation of whole new dimensions of productivity -- is what has been behind the hype and strengthening embrace of cloud computing concepts the past two years. In a sense, cloud computing is the unifying theory of IT productivity, which has been indisputably powerful if not complexly disjointed over the past 25 years.

Cloud computing takes many of the essential elements of IT-spurred productivity and serves them up in a whole greater than the sum of the parts. Improved utilization, higher efficiency, better packaging, tuned and refined software, exploitation of network effects, viral effects from social networking, less energy per electron server or packet delivered -- these are just a few of the foundations of cloud computing. What's different is that these variables are working much more harmoniously, with common planning and strategic architectural forethought.

A typical enterprise data center landscape is more a window into the past of IT than the future. The chilled realms of raised floors inefficiently demonstrate how design sprung from unanticipated but compelling paradigm shifts in computing stinks. The barely backwards compatible data center of today eats up larger chuck of money doing less actual improvement in productivity.

Innovation is held hostage by the need to keep the transaction processing monitor properly integrated to the middleware so the n-tier architecture can join data from the right hand to the left hand during a sales call using a mobile supercomputer generating pretty pictures that completely dim after 145 minutes.

We are all well aware of the price for rapid technological change as progeny for helter-skelter IT adaptation and advancement over the past decades. It all probably could not have happened any differently, but it also does not need to continue like this.

Cloud computing entices and seduces because it is, after all, quite different. IT has matured and the requirements of the workload are appreciated sufficiently to architect data centers holistically and effectively. Cloud computing unifies the most up-to-date architectural concepts around data center resources of, for and by productivity. Total cost considerations and the careful association of all of the parts and elements -- working in concert -- these are the high-level requirements of an IT cloud. You can build it right for the workload and allow it to dynamically adjust and accept new workloads. It's more than a just the next big thing. It more than able to drag along all the old stuff too.

When the entire support infrastructure is designed properly, with all the technical and productivity requirements aligned, then IT is transformed. Leverage standards, employ best practices, depend on efficiencies of scale -- and more than incremental change occurs. It does a lot more, more flexibly, for a lot less. Cloud offers a whole new levels of productivity, directly attributed to advanced IT. Services can be assembled based on specific work needs independent of the underlying platforms. Less waste, more haste, all around.

Why then is Microsoft tepid in its march to cloud? Why is it "software plus services," not just services? Why would such productivity improvements that clouds afford -- at a time when economic conditions demand rapid transformational advances -- be dribbled out as Microsoft has done this week at its Professional Developers Conference in Los Angeles? What exactly is Microsoft waiting for?

Most of us observers expected Microsoft to move to the cloud now, based on the success of Amazon Web Services and Google. But the apparent pace is to offer developers training wheels, little more. The pricing -- sort of important when the whole goal is about economics and productivity -- remains missing.

How can architects, CFOs, developers, ISVs, channel partners -- in essence the entire Windows global ecology of participants -- move one step forward without knowing the pricing, both in terms of form, direction and dollars and cents?

My cynical side says that Microsoft wants to accomplish two things with its Azure initiatives. One, to suck the oxygen out of the cloud market (get it, Azure ... no oxygen) and slow the pace of innovation and investment around clouds and cloud ecologies. And two, to make sure the "software plus services" transition comes slower than the market demand might otherwise enjoy. Why swap out software (with a 60 percent margin) for services (with a 15 percent margin) faster than slower?

The answer, of course, is productivity. I have not been sure for many years whether Microsoft is focused on its users' productivity more than at a pace set by, well ... Microsoft. The cloud approach may be different than IT as usual from over the past 20 years, but so far Microsoft's approach to productivity ala cloud seems about the same.

How might this all be different? How might the new, more productive chapter in IT -- of swift yet appropriate adoption of cloud supported IT resources -- get going faster?

Microsoft could spur the engine of adoption on cloud ecology use and advancement by providing stunningly compelling pricing for ISVs and enterprise developers to build and deploy their applications using Azure and platform as a service now. Microsoft would help the makers of applications succeed quickly by making the services easily available to the huge markets that Microsoft is arbiter of -- both business and consumer.

I can even see if Microsoft is choosy and favors its tools, APIs, platforms, data formats, communications protocols, and existing partners. Make a Windows-only cloud, fine, but make it.

Apple with its online store (which favors the Mac world in a big) for developers of iPhone applications and services has shown just how powerful this approach can be. Microsoft could become the best friend of every Visual Studio, PHP and Eclipse developer and business by helping create the best applications for the least total cost, all as a service.

Microsoft could decide and declare what applications it will and won't provide as Azure services itself, allowing a huge market for others to build what's left and sell the services on a per-use basis to users (perhaps driving them to consume other Microsoft services). Deals could be made on applications portability, but optimally the market should pick cloud winners based on value and reach. May the best cloud for both developers and users win -- it would be a huge win.

Redmond could help those applications that provide good value find an audience quickly. Maybe Microsoft could sell or share metadata about users preferences and requirements so the applications are even more likely to succeed. That would include making pathways to the vast Web consumer markets via MSN and all its Web services available to those that build on the Azure platform. Maybe Yahoo finds its way into the mix. Microsoft could offer both advertising-subsidized and pay-per-use models, or combinations of the two for media and entertainment companies, for example, to load their stuff up on the Azure cloud, or build their own Azure clouds. Might compete effectively against Google as a result.

To me these only scratch the surface the the vast and rich ecology of partners and customers that would emerge from an accessible and productivity-priced Microsoft cloud. Done right, myriad specialized value-added business services and consumer services would spring up at multiple abstractions on top of the essential base services that the Microsoft cloud and APIs provide. It would be a very good business for Microsoft, but an even better business growth opportunity for all of the other players. The pie would grow, and productivity could soar. Users would bet better apps and services at low and predictable cost.

There could be a vast and rich community that thrives in the Microsoft cloud's ether. Or there could be a dark Microsoft cloud of, for and by Microsoft applications and services. Redmond could shoot for the moon again, but likely the other clouds will get in the way. Why risk the ecology play for trying to have it all Microsoft's way? That's why time is critical.

Microsoft, at least based on the tepid pace of the Azure roadmap as laid out this week, is more interested in hedging bets and protecting profits than in spurring on productivity and providing economic catalysts to rich new potential ecologies of online, services-driven businesses. Any continued delay to cloud is the giveaway of Microsoft's true intentions.

If Microsoft's own business interests prevent it from realizing the full potential of cloud computing, or make it try and damp down the cloud market generally, then Microsoft is a drag on the economy at a time when that is the last thing that's needed. And yet Microsoft could do cloud better than any other company on Earth.

Microsoft needs to decide whether it really wants to be in the software or services business. Trying to have it both ways, for an indeterminate amount of precocious time, to in effect delay the advancement of serious productivity, seems a terrible waste and a terrible way to affect its community.

The not trivial risk for Microsoft is that in five years it won't be leading in the software or services business any more.

Monday, October 27, 2008

Identity governance evolves to must-do item on personnel management and IT security checklist

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Read complete transcript of the discussion.

Security and risk aversion around personnel, applications, and IT systems access have never been more urgent. Properly managed identity information and access rules for users of enterprise applications and systems have evolved quickly from hiring and firing to also gaining insight into improper ongoing use and abuse patterns.

Shoddy provisioning of users on and off of IT systems and services won't pass muster with internally mandated best security practices, not to mention becoming a major liability in a new era of mandated regulation and oversight. Guessing which users have access to which discrete services from inside or outside of the company won't fly in a virtualized and cloud-augmented world.

The alternative to guesswork moves IT operators and security officer closer to the level of identity governance, a step above simply granting access and privileges. It means becoming pro-active in managing roles and access across multiple dimensions in a business, across an identity governance lifecycle, for as long as users can interact with a company and its assets.

To learn more about what identity governance means and how big the stakes are for enterprises and highly regulated vertical industries, I recently spoke with Mark McClain, the CEO and founder of SailPoint Technologies, along with Jackie Gilbert, vice president of marketing and also a founder at SailPoint.

Here are some excerpts:
If you look back over most of this decade, back to the turn of the century – it’s still funny to say that phrase – you see a series of issues with breaches. There’s been a series of issues with fraud or potential fraud, everything from Enron to things that happened with other companies where there are questionable practices, and then various clear issues of fraud or criminal activity.

And all of that together has brought about a new focus on privacy, financial oversight, and good governance, which is, in many cases, all related to the management of risk. ... There is a lot of churn in the financial markets and in the companies that make up those markets, where people are potentially moving inside of companies, changing jobs, lots of potential lay-offs happening.

That's when these issues of good governance, good controls over who has access to which critical information become very, very acute. ... Now, you have executives, boards, and business managers, who are being asked to be accountable and to gauge the risk and the effectiveness of controls around identity. ... Some industries have 30-percent churn, with people coming in and out of the organization. All that makes this an extremely difficult problem, just getting proper visibility.

Those people are being asked to use tools and approve, certify, and deem whether access privileges and the accounts the users hold are correct, and do not place businesses at risk. So, if you think about it, it has actually forced the marriage of business and IT all around this issue of identity governance.

We now have the auditors, both internal and external, and/or the compliance people who want to have a say, or a seat at the table, to talk about how well we are managing these kinds of access privileges and what risks are involved, when they are not managed well. ... One of the dirty, dark secrets today is that governance and compliance have become harder, and auditors have been forcing more frequent and periodic review of the access information. Quarterly or annually, these managers and applications owners need to re-certify who has access to what.

Another dirty secret in the industry right now is that managers and applications owners must sign-off on these reports, but they don't understand them, because those reports are generated out of the IT systems and they are incomprehensible to the business people.

You certainly have the business people paying attention now because you have senior management who are highly motivated to avoid being the next headline. They don't want their company showing up out there with Cox Communications, the IRS, Wachovia, and any number of companies like Dupont, which have hit the headlines in the last two or three years with some sort of significant breach related to access.

There is a little a bit of a hot potato now going on where IT and security groups are saying, "Hey, I am not going sign-up and own this problem entirely, because I don't have the business context to know exactly what does or doesn't represent risk. You business people have to define that for us."

It really does start with answering the fundamental question that most companies wrestle with, which is "Who has access to what?" One of my customers has joked about the fact that on the day you start with the company, you have access to nothing, and on the day you leave, you have access to everything. Quite often, the only person who actually knows all of the access privileges I may have after 15 years at a company is me.

There have been multiple groups I have moved through, multiple help desks, and IT organizations that have been part of granting me access over the years. So, it's quite probable that, literally, only I understand all of the privileges I have as an employee -- and that's a problem.

[Our solution] is pretty analogous to business intelligence (BI) and even data warehousing or data mining, if you will. Our approach is to take a very lightweight, read-only access to the data. We pull entitlement data and account data from applications and servers throughout the enterprise and we aggregate that into what is basically an entitlement warehouse.

We physically create a common data view of users and their entitlements. What that gives you is not only the visibility in one, single place, but it gives you the business context to better understand it. And it allows us to do some automation of controls and policy enforcement, and some risk assessment. It's amazing the value you can derive, once you get the data all in one place and normalized, so that you can apply all kinds of rules and logic to it.

... It's all in one place. They’re not getting a single spreadsheet per application. They’re getting it all centralized per employee or per application, however they want to see it.

We can also scan that data, looking for policy violations. A good example of that would be what we call "toxic combinations," such as “you can't have an employee who both has the ability to set up a vendor and pay a vendor.” Those are two different access privileges that together indicate a high potential for fraud. So by combining all the entitlement data into one single database, you can much more easily scan for and detect potential policy violations and also the potential for risk to the business.
Read complete transcript of the discussion.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Friday, October 24, 2008

Web 2.0 acts as accelerant in pending corporate Darwinian shake-out, says Palladium Group CEO

The impact of Web 2.0 technologies on the current global economic downturn will hasten the demise of closed and siloed corporate cultures while providing a reality-based balm on those companies that seek transformation and adaptation by tapping the wisdom of its communities.

These were some of the high-level observations from a chat I had this morning with Dr. David Friend, chairman, president and CEO of Palladium Group, a prominent performance management and consulting firm in Lincoln, Mass.

The swift and severe economic recession predicted by economists and presaged by plunging stock valuations worldwide points to a difficult period of months and possibly years, said Friend. And that means that the decisions that companies and government agencies make during the tumultuous period will carry more impact, perhaps making the difference between organizations becoming adaptive survivors or calcified road kill.

Companies in today's increasingly "hot, flat and crowded world," said Friend, need to make better decisions. Information alone does not do the job. A systemic and ingrained corporate capacity around decision making is needed. Former lions of Wall Street Lehman Brothers and Bear Stearns had oceans of data at their disposal, for example, but still made decisions that imperiled the venerable firms, such as allowing 40-times leverage bets against risky investment instruments.

Palladium Group, formerly the Balanced Scorecard Collaborative, works with companies to help develop strategy, performance management, and business intelligence (BI) methods that help implement "decision cycles" that foster better business outcomes. "It's about building decision-making engines," said Friend.

Today, more than ever, companies need to make decisions fast, based on accurate and comprehensive information. Those analytics need to reach the people who can act and communicate effectively. Yet even in good times, companies tend to take complexity and attack it via compartmental and isolated sub-problem-solving.

The result is that "IT people think about IT, budget people think about budgets, and strategy people think about strategy," said Friend. The decisions, therefore, are faulty or missing because the fuller implications and inputs are not assimilated. Companies, in effect, lack a figurative right brain function, or lose it over time.

New tools, collectively grouped under Web 2.0, however, have emerged in just the past few years that could have a dramatic bearing on how companies newly react to the pressures of the economic contraction. Severe downturns act in a Darwinian fashion, weeding out the ill-adapted and weak, and rewarding the fittest and agile. Web 2.0 will aid the agile and open while placing those who don't use tools such as blogs, wikis, podcasts, social networks at a disadvantage, said Friend.

Friend has a blog for his employees, he said, but it is not easily found via Web search. I find this a bit anachronistic given his stated fealty for the medium.

Nonetheless, BI and Web 2.0 can act in cohesion, said Friend, by allowing better communication about empirical findings and effects, and also injecting more valuable insights from more people with better access to changing environments. Friend cited the use of wikis by the U.S. intelligence community as a way of dramatically improving collaboration and cooperation among rival or siloed agencies.

For those companies that, by culture and tradition, act as dictatorships, with decisions that emanate from the top and which punish countervailing information from reaching decision makers, they will not benefit from the wellspring of information available from employees, customers, partners, and even competitors. Those who avoid or undermine the benefits of Web 2.0 tools will lack the information that leads to better decisions, will miss the ongoing refinement of strategies by those witnessing their impacts.

The power is in the "democratization of information," said Friend, and then of placing that information in the context of proper decision-making. The flow of information and its exploitation for the business's benefit will hasten the decision cycles, for better or worse, said Friend.

I fully agree with this assessment, and I also believe that the economic challenges will accelerate the transformation of both IT and business. IT needs to, as usual, reduce total costs while improving business outcomes. BI and Web 2.0 are essential ingredients for this challenge. But the business leaders must also see the value in these tools and expand their usefulness by integrating them into their decision cycles.

To do this means resisting the urge to slash IT budgets generally, but instead to fund the tools that will provide agility and better decisions, of investing in the means to increase revenue and improve the competitiveness of companies. The payback from BI and Web 2.0 collaboration are well understood. The decision on their use is what needs to be made -- not avoided or overlooked.

Tuesday, October 21, 2008

Looking forward to webinar on cloud-based desktops as a service story

Virtual desktop infrastructure (VDI) is gaining interest for a lot of technical, risk and cost reasons. But there's more than one way to skin the VDI cat.

I'll be taking part in a webinar presentation later this week, at noon ET on Thursday, Oct. 23, on the cloud version of VDI. Desktone is hosting the webinar, and I'm participating, but not getting paid. Here is more information, and how to join in.

Desktone impressed me over a year ago when I was first introduced to them. The value comes from creating the means for telcos and service providers to deliver virtual desktops, what Desktone calls desktops as a service (DaaS), en masse. The cost savings can be huge, and it gets those who don't need to be in the IT business (just to support a few applications) out of the soup-to-nuts IT game.

For home offices, small businesses, and small enterprises -- not to mention departments of certain types of workers inside large enterprises -- the VDI route via a cloud or network host makes a lot of sense.

It also aligns quite well with the platform as a service (PaaS) trend, in that those using a VDI service can order up access to packaged applications, or hire developers to customize or mashup their own data views or process and workflow efficiencies. All of it then gets delivered as a service. Good VDI is desktops and applications -- you need both.

This may be the last best bet for network service and communications providers as they seek a recurring and growth-oriented business service portfolio. As a small business owner, I'd be happy to acquire QuickBooks as a service, for example, or even move more of my apps, data, and PC functions to the cloud.

If I had more employees, I would certainly look at VDI from a package of business and network services as the answer to keeping them current on the apps I want them to use. And I would seek out a GUI tools set to create custom apps for my specific business needs.

So if you're curious about how VDI from the cloud and app dev works, join myself and other industry analysts, Rachael Chalmers from The 451 Group and Robin Bloor from Hurwitz & Associates, for the Desktone webinar this Thursday. Should be fun.

Friday, October 17, 2008

BriefingsDirect Insights Analysts identify IT winners and losers in global economic downturn

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Charter sponsor: Active Endpoints.

Read a full transcript of the discussion.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Welcome to the latest BriefingsDirect Insights Edition, Vol. 31, a periodic discussion and dissection of software, services, SOA and compute cloud-related news and events, with a panel of IT analysts and guests.

In this episode, recorded Oct. 10, 2008, our experts examine the worldwide economic maelstrom, with an eye to the IT sector and how enterprises and vendors will be impacted. While the times will remain challenging for the foreseeable future, there are opportunities and counter-intuitive effects -- like beginning a start-up company -- when economics drive more of the rationalization around IT decisions.

Please join noted IT industry analysts and experts Tony Baer, senior analyst at Ovum; Jim Kobielus, senior analyst at Forrester Research, and Dave Linthicum, independent SOA consultant at Linthicum Group. Our discussion is hosted and moderated by your's truly.

Here are some excerpts:
On the IT Winners

Baer: ... The winners are those who are likely to be more diversified into services, services that can help companies harvest more of what they already have. ... The fact is that in an economic situation like this, especially where there are a lot of known unknowns, having a services business is a good way of helping clients to discover new economies. And it's also potentially a much more flexible arrangement than having to put in an upgrade of a new version of SAP software.

Gardner: My first take on this is that the government vertical is actually going to explode and might even start going down this road towards transformation in a much more significant way.

Linthicum: People are going to look to government to solve some of these issues and bureaucratic changes are going to be built here in different divisions, and people are going to have oversight of the financial industry.

If the Democratic administration comes in, there is going to be more civilian spending, and there is going to be probably a little shift from the spending in the Department of Defense on the military side.

So, this area is going to be explosive yet again, based on some things that are occurring and based on the government taking power in particular industries.

... I think healthcare is going to remain fairly static, and I think some of their costs maybe reduced. As they start moving into more of a socialized medicine, if the Democrats take it there, there is going to be some big shifts there.

Believe it or not, even though you are moving into a healthcare-for-everyone kind of an environment, you are going to see that actually [IT] cost probably will go up, as a bureaucracy is put in place to maintain and administer that.

Baer: I hate to use the 'D' word but back in the depression, and I hope we are not heading into one, what area boomed during that era? Hollywood, the film industry. People were going out to the movies for cheap thrills. In today's environment, the equivalent of that is, if you already have an Xbox 360 out there, you are going to be buying more games. Those are cheap thrills.

Gardner: We haven't talked about one sector, and that is the Entertainment/Web 2.0/Internet. We’ve seen some downturn in advertising, including Internet advertising, but is there an opportunity for buying $3 movie and downloading it, a $2 song, a $3 game.


On the IT Losers


Koblielus: ... Those who will get hurt are those vendors who rely on new-product sales, especially new product sales that are very much hardware-centric. ... In any economic downturn, the things that get cut from corporate budgets, for example, are large capital expenditure (CAPEX) projects. That's going to hurt a number of IT vendors in particular niches, for example the hardware vendors, and also where it's a discretionary software upgrade purchase. Those are also going to feel the crunch.

In any downturn, users, large corporate IT, look to rationalize and streamline their vendor commitments. In other words, they consolidate to a few very large, very strategic vendors. So, the big guys will get bigger and the small, pure-play data-warehousing appliance vendors will be acquired or will vanish.

Gardner: On the other hand some, verticals that don't look good include retail and manufacturing. The auto industry is getting whacked.

Linthicum: The retail space is going to suffer tremendously. They already have very narrow razor-thin margins. I think we are going to see a lot of the larger retailers suffer and perhaps go away. ... Finance is obviously going to be killed for a long time, especially the banking industry. That's going to be an area that isn't going to recover very quickly from what's going on right now, but I think that manufacturing ultimately will recover and we are going to see some good growth in the year 2009-2010.

Kobielus: ... It basically supplements the fact that there is going to be a decline in the journalist population, essentially a migration towards the extremes, which is on one hand journalism and this is not a development.

I’m very happy to see is that, as the financial base and the business model for journalism businesses is evaporating at this point, you are seeing more-and-more citizen journalists taking up more of the load. People are reading more blogs. They are not buying newspapers.


On the Consequences

Linthicum: [IT buyers] are looking to morph the way in which they consume IT. ... They plan to implement strategic technology into their enterprise [in a way that] increases in interest but decreases in cost. In other words, people are going to move into more efficient technologies. They are going to look at a little bit more at cloud computing and other ways to save money and start moving aggressively in those directions.

... Instead of having a huge Microsoft infrastructure just for e-mail and calendar-sharing in groupware, and those sorts of things, moving to things that are in the cloud. This is obviously Google, but there is also a ton of other guys that are offering some pretty good technology -- information-sharing using similar infrastructure. They’ll start outsourcing that, versus maintaining all these data centers that are just dealing with e-mail and communication between people within the company.

Gardner: Where does this put Microsoft?

Bear: ... They are in a transition. ... In the short-term, I think it's going to hurt their business, because clearly take-up of Vista has pretty well-flagged, especially on the corporate side. Obviously they are trying to cultivate the Software Plus Services side, but that business is still very much in its early in its cycle.

Linthicum: You can go off-premises with lots of stuff and the cost is always cheaper, and also it allows you to upgrade and innovate into new technological areas you haven’t driven before.

Next, would be tactical, software-as-a-service (SaaS) applications. Take some of the HR processing, which is driven by some kind of in-house system in the data center, and outsource that to the dozen or so SaaS vendors who are offering HR processing. That's kind of a light-weight business process.

Then, the next generation is even more risky, and I don’t see a ton of guys doing that initially. It involves some of the core business processes, and getting into an SOA kind of an initiative. Re-automating those, but also outsourcing a tremendous number that haven’t been done before for the primary reason of cost saving.

Kobielus: I see definitely the economic downturn is going to expand the footprint, as it were, for the cloud in data warehousing, where data warehouses are becoming ever larger in the hundreds of terabytes and now into the petabyte.

I’m seeing an upsurge in the number of start-ups and data warehousing vendors that now have cloud based offerings. ... In other words, where there is a capital expenditure crunch or a budget crunch, and users can’t afford to pay the millions of dollars to bring one of these petabyte-scale data warehouses in house, they are going to go outside to the likes of a 1010data or using Amazon EC2 to aggregate, persist these huge datasets.

They can do very complex analyses and also run a greater degree of their data mining and predictive analytics algorithms in that very cloud. It just saves them money, and it's not a huge capital expenditure. It's a pay-as-you-go kind of thing. I think that's going to be the trend and those vendors who are already out there could be the major beneficiaries of this current economic crunch.

Baer: ... In times like these, obviously you have changing economic conditions, changing in a very unpredictable manner. On the other hand, the financial crunch and the credit crunch is going to restrict the amount of resources you have at your disposal. So, you’re basically going to look very opportunistically. You are going to look at, let's say, the low-hanging fruit that will give you the greatest gain in savings or a way to respond to the market in a more agile manner.

... You won’t necessarily do a global top down or enterprise-architectural SOA transformation, if you haven't done SOA already. But, opportunistically, if you are trying to take advantage of some of these cloud-based services to start doing mining on a more massive scale, at the same time trying to lower your risk, it will require certain applications or data source that you may have. You may need to conduct a transformation, where you will implement, more flexible architectures, data SOA architecture.

But you will do it opportunistically in these tactical areas, where you can take advantage of services in the cloud that give you the advantages of the transformation to solve the problem you need to deal with, and at the same time, minimizing your risk.

Kobielus: ... The financial vertical and the government vertical are becoming overlapped. There is a degree of nationalization already that's taking place. The government is taking back Fannie Mae and Freddie Mac. I think they have taken over AIG, but all around the world, you hear governments, especially in Europe saying, “Hey, we need to re-nationalize or, to some degree, exert tighter control over the financial vertica., I think this is everywhere in the world.

What we’re already seeing is that the government vertical, as they have indicated, will continue to grow, because it's going to exercise much greater oversight and equity positions within the financial vertical. I think the early part of this decade is a prelude to what we’re going to see in even greater abundance in the next 10 years.

After the whole Enron fiasco, with Sarbanes-Oxley and so forth, we saw the growth of this market and this technology called governance, risk management, and compliance (GRC) to exert tighter control over the financials of private enterprise, and bring greater transparency.

I think we are going to see now, the government exert ever tighter GRC reigns over the financial sector, to a degree unprecedented, because we now have government actually owning or controlling a number of the key firms in that space. So, the whole GRC sector is in an embryonic stage. There are a number of vendors like SAP and Oracle who have taken sort of a leading-edge position in that area. That will expand greatly, and we are going to see more of these risk dashboards and controls being implemented in the context of BI and the data warehousing investments that enterprises have already made.

In terms of the horizontals, the GRC sector will come into its own, and it will be primarily the driver. There will be the financials, and then it will be around the world. All governments will enforce the use of this kind of technology.

Baer: ... In the case of governance, I don't know if I would call it “opportunistic,” but it is an area in which you do not have an option as to whether you comply or not. Therefore, the only economic way to provide all the information and to do all the audits without having to rip apart all of your existing back-end infrastructure is through a service's layer on top of all that.

Maybe I can come up with a cheap buzzword here, a buzz-line or a tag-line, such as “Son of SOX,” for what's going to become a changing regulatory environment. You’ll need a governance layer that can contend with changes in this moving target. Obviously, the only feasible way, from an architectural standpoint, to deal with that is do a flexible architecture, and that's essentially what a SOA is.

Linthicum: I think this is a great time to do a startup. Number one, VCs be damned at this point. You don't need their money at all, just some angel investors to invest in some very minute infrastructure. With cloud computing out there and the number of things you can do from a marketing, application developer's, and outsourcing perspective, you can basically get a technology company up and running -- and profitable -- probably for the least real cost we've seen in years. It's a great time for people who are innovative, able, and resourceful to get out there and start technology companies.

... Now is a great time for small innovative new startups to get out there and help create new spaces, such as Web 2.0, and I think there are a number of SOA problems that needs solving as well. I'd love to see some startups get out there and take those problems on.
Read a full transcript of the discussion.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Charter sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.