Thursday, November 06, 2008

Implementing ITIL Requires Log Management and Analytics to Help IT Operations Gain Efficiency and Accountability

Transcript of BriefingsDirect podcast on the role of log management and systems analytics within the Information Technology Infrastructure Library (ITIL) framework.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: LogLogic.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, a sponsored podcast discussion on how to run your IT department well by implementing proven standards and methods, and particularly leveraging the Information Technology Infrastructure Library (ITIL) prescriptions and guidelines.

We’ll talk with an expert on ITIL and why it’s making sense for more IT departments and operations around the world. We’ll also look into ways that IT leaders can gain visibility into systems and operations to produce the audit and performance data trail that helps implement and refine such frameworks as ITIL.

We’ll examine the use of systems log management and analytics in the context of ITIL and of managing IT operations with an eye to process efficiency, operational accountability, and systems behaviors, in the sense of knowing a lot about the trains, in order to help keep them running on time and at the lowest possible cost.

To help us understand these trends and findings we are joined by Sudha Iyer. She is the director of product management at LogLogic. Welcome to the show, Sudha.

Sudha Iyer: Thank you.

Gardner: We’re also joined by Sean McClean. He is a principal at KatalystNow in Orlando, Florida. It's a firm that handles mentoring, learning, and training around ITIL and tools used to implement ITIL. Welcome to the show, Sean.

Sean McClean: Thank you very much.

Gardner: Let's start by looking at ITIL in general for those folks who might not be familiar with it. Sean, how are people actually using it and implementing it nowadays?

McClean: ITIL has a long and interesting history. It's a series of concepts that have been around since the 1980s, although a lot of people will dispute exactly when it got started and how. Essentially, it started with the Central Computer and Telecommunications Agency (CCTA) of the British government.

What they were looking to do was create a set of frameworks that could be followed for IT. Throughout ITIL's history, it has been driven by a couple of key concepts. If you look at almost any other business or industry, accounting for example, it’s been around for years. There are certain common practices and principles that everyone agrees upon.

IT, as a business, a practice, or an industry is relatively new. The ITIL framework has been one that's always been focused on how we can create a common thread or a common language, so that all businesses can follow and do certain things consistently with regard to IT.

In recent times, there has been a lot more focus on that, particularly in two general areas. One, ITIL has had multiple revisions. Initially, it was a drive to handle support and delivery. Now, we are looking to do even more with tying the IT structure into the business, the function of getting the business done, and how IT can better support that, so that IT becomes a part of the business. That has kind of been the constant focus of ITIL.

Gardner: So, it's really about maturity of IT as a function that becomes more akin to other major business types of functions or management functions.

McClean: Absolutely. I think it's interesting, because anyone in the IT field needs to remember that we are in a really exciting time and place. Number one, because technology revises itself on what seems like a daily basis. Number two, because the business of IT supporting a business is relatively new, we are still trying to grow and mature those frameworks of what we all agree upon is the best way to handle things.

As I said, in areas like accounting or sales, those things are consistent. They stay that way for eons, but this one is a new and changing environment for us.

Gardner: Are there any particular stumbling blocks that organizations have as they decide to implement ITIL? When you are doing training and mentoring, what are the speed bumps in their adoption pattern?

McClean: A couple of pieces are always a little confusing when people look at ITIL. Organizations assume that it’s something you can simply purchase and plug into your organization. It doesn't quite work that way. As with any kind of framework, it’s there to provide guidance and an overall common thread or a common language. But, the practicality of taking that common thread or common language and then incorporating it or interpreting it in your business is sometimes hard to get your head around.

It's interesting that we have the same kind of confusion when we just talk. I could say the word “chair,” and the picture in your head of what a chair is and the picture in my head of what a chair is are slightly different.

It's the same when we talk about adopting a framework such as ITIL that's fairly broad. When you apply it within the business, things like “that business is governance,” “that business is auditing compliance rules” and things like that have to be considered and interpreted within that framework for ITIL. A lot of times, people who are trying to adopt ITIL struggle with that.

If we are a healthcare industry, we understand that we are talking about incidents or we understand that we are talking about the problems. We understand that we are talking about certain things that are identified in the ITIL framework, but we have to align ourselves with rules within the Health Insurance Portability and Accountability Act (HIPAA). Or, if we are an accounting organization, we have to comply with a different set of rules. So it's that element that's interesting.

Gardner: Now, what's interesting to me about the relationship between ITIL and log and systems analytics is that ITIL is really coming from the top-down, and it’s organizational and methodological in nature, but you need information, you need hard data to understand what's going on and how things are working and operating and how to improve. That's where the log analytics comes in from the bottom-up.

Let's go to Sudha. Tell us how a company like LogLogic uses ITIL, and how these two come together -- the top-down and the bottom-up?

Iyer: Sure. That's actually where the rubber meets the road, so to speak. As we have already discussed, ITIL is generally a guidance -- best practices -- for service delivery, incident management, or what have you. Then, there are these sets of policies with these guidelines. What organizations can do is set up their data retention policy, firewall access policy, or any other policy.

But, how do they really know whether these policies are being actually enforced and/or violated, or what is the gap? How do they constantly improve upon their security posture? That's where it's important to collect activity in your enterprise on what's going on.

There is a tight fit there in what we provide as our log-management platform. LogLogic has been around for a number of years and is the leader in this log management industry. It allows organizations to collect information from a wide variety of sources, assimilate it, and analyze it. An auditor or an information security professional can look deep down into what's actually going on, on their storage capacity or planning for the future, on how many more firewalls are required, or what's the usage pattern in the organization of a particular server.

All these different metrics feed back into what ITIL is trying to help IT organizations do. Actually, the bottom line is how do you do more with less, and that's where log management fits in.

Gardner: Back to you, Sean. When companies are trying to move beyond baseline implementation and really start getting some economic benefits, which of course are quite important these days from their ITIL activities, what sort of tools have you seen companies using? To what degree do you need to dovetail your methodological and ITIL activities with the proper tools down in the actual systems?

McClean: When you’re starting to talk about applying the actual process to the tools, that's the space that's the most interesting to me. It's that element where you need some common thread that you can pull through all of those.

Today, in the industry, we have countless different tools that we use, and we need common threads that can pull across all of those different tools and say, “Well, these things are consistent and these things will apply as we move forward into these processes.” As Sudha pointed out, having an underlying log system is a great way to get that started.

The common thread in many cases across those pieces is maintaining the focus on the business. That's always where IT needs to be more conscious and to be constantly driving forward. Ultimately, where do these tools fit to follow business, and how did these tools provide the services that ultimately support the business to do the thing that we are trying to get done?

Does that address the question?

Gardner: I think so. Sudha, tell us about some instances where LogLogic has been used and ITIL has been the focus or the context of its use. Are there some general use-case findings? What have been some of the outcomes when these two bottom-up, top-down approaches come together?

Iyer: That's a great question. The bottom line is the customers, and we have a very large customer base. It turns out, according to some surveys we have done in our customer base, that the biggest driver for a framework such as ITIL is compliance. The importance of ITIL for compliance has been recognized, and that is the biggest impact.

As Sean mentioned earlier, it's not a package that you buy and plug into your network and there you go, you are compliant. It's a continuous process.

What some of our customers have figured out is that adopting our log management solutions allows them to create better control and visibility into what actually is going on on their network and their systems. From many angles, whether it's a security professional or an auditor, they’re all looking at whether you know what's going on, whether you were able to mitigate anything untoward that's happening, and whether there is accountability. So, we get feedback in our surveys that control, and visibility has been the top driver for implementing such solutions.

Another item that Sean touched on, reducing IT cost and improving the service quality, was the other driver. When they look at a log-management console and see how many admin accesses were denied, and that it happened between 10 p.m. and midnight, they quickly alert, get on the job, and try to mitigate the risk. This is where they have seen the biggest value return on investment (ROI) on implementations of LogLogic.

Gardner: Sean, the most recent version of ITIL, Version 3 focuses, as you were alluding to, on IT service management, of IT behaving like a service bureau, where it is responsible on almost a market forces basis to their users, their constituents, in the enterprise. This involves increasingly service-level agreements (SLAs) and contracts, either explicit or implicit.

At the same time, it seems as if we’re engaging with the higher level of complexity in our data center's increased use of virtualization and the increased use of software-as-a-service (SaaS) type services.

What's the tension here between the need to provide services with high expectations and a contract agreement and, at the same time, this built-in complexity? Is there a role for tools like LogLogic to come into play there?

McClean: Absolutely. There is a great opportunity with regard to tools such as LogLogic from that direction. ITIL Version 2 focused on simply support and delivery, those two key areas. We are going to support the IT services and we are going to deliver along the lines of these services.

ITIL Version 2 started to talk a lot about alignment of IT with the business, because a lot of times IT continues and drives and does things without necessarily realizing what the business is and what the business is doing. An IT department focuses on email, but they are not necessarily looking at the fact that email is supporting whatever it is the business is trying to accomplish or how that service does.

As we moved into ITIL Version 3, they started trying to go beyond simply saying it's an element of alignment and move the concept of IT into an area where it's a part of the business. Therefore, it’s offering services within and outside of the business.

One of the key elements in the new manuals in ITIL V3 is talk of service strategy, and it's a hot topic amongst the ITIL community, this push towards a strategic look at IT, and developing services as if you were your own business.

IT is looking and saying, “Well, we need to develop our IT services as a service that we would sell to the business, just as any other organization would.” With that in mind, it's all driving toward how we can turn our assets into strategic assets. If we have a service and it's made up of an Exchange server, or we have a service and it’s made up of three virtual machines, what can we do with those things to make them even more valuable to the business?

If I have an Exchange server, is there some way that I can parcel it out or farm it to do something else that will also be valuable?

Now, with LogLogic's suite of tools we’re able to pull that log information about those assets. That's when you start being able to investigate how you can make the assets that exist more value driven for the organization's business.

Gardner: Back to you, Sudha. Have you had customer engagements where you have seen that this notion of being a contract service provider puts a great deal of responsibility on them, that they need greater insight and, as Sean was saying, need to find even more ways to exploit their resources, provide higher level services, and increase utilization, even as complexity increases?

Iyer: I was just going to add to what Sean was describing. You want to figure out how much of your current investment is being utilized. If there is a lot of unspent capacity, that's where understanding what's going on helps in assessing, “Okay, here is so much disk space that is unutilized. Or, it's the end of the quarter, we need to bring in more virtualization of these servers to get our accounting to close on time, etc.” That's where the open API, the open platform that LogLogic is, comes into play.

Today, IT is heavily into the services-oriented architecture (SOA) methodology. So, we say, “Do you have to actually have a console login to understand what's going on in your enterprise?” No. You are probably a storage administrator or located in a very different location than the data center where a LogLogic solution is deployed, but you still want to analyze and predict how the storage capacity is going to be used over the next six months or a year.

The open API, the open LogLogic platform, is a great way for these other entities in an organization to leverage the LogLogic solution in place.

Gardner: Another thing that has impressed me with ITIL over the years is that it allows for sharing of information on best practices, not only inside of a single enterprise but across multiple ones and even across industries and wide global geographies.

In order to better learn from the industries' hard lessons or mistakes, you need to be able to share across common denominators, whether it's APIs, measurements, or standards. I wonder if the community-based aspect to log behaviors, system behaviors, and sharing them also plays into that larger ITIL method of general industry best practices. Any thoughts along those lines, Sean?

McClean: It's really interesting that you hit on that piece, because globalization is one of the biggest drivers I think for getting ITIL moving and going on. More and more businesses have started reaching outside of the national borders, whether we call them offshore resources, outshore resources, or however you want to refer to them.

As we become more global, businesses are looking to leverage other areas. The more you do that, the larger you grow your business in trying to make it global, the more critical it is that you have a common ground.

Back to that illustration of the chair, when we communicate and we think we are talking about the same thing, we need some common point, and without it we can't really go forward at all. ITIL becomes more and more valuable the more and more we see this push towards globalization.

It’s the same with a common thread or shared log information for the same purposes. The more you can share that information and bring it across in a consistent manner, then the better you can start leveraging it. The more we are all talking about the same thing or the same chair, when we are referring to something, the better we can leverage it, share information, and start to generate new ideas around it.

Gardner: Sudha, anything to add to that in terms of community and the fact that many of these systems are outputting the same logs? It’s making that information available in a proper context that becomes the value add.

Iyer: That's right. Let's say you are Organization A and you have vendor relationships and customer relationships outside your enterprise. So, you’ve got federated services. You’ve got different kinds of applications that you share between these two different constituents -- vendors and customers.

You probably already have an SLA with these entities, and you want to make sure you are delivering on these operations. You will want to make sure there is enough uptime. You want to grow towards a common future where your technologies are not far behind, and sharing this information and making sure that what you have today is very critical. That's where there is actual value.

Gardner: Let's get into some examples. I know it's difficult to get companies to talk about sensitive systems in their IT practices. So perhaps we could keep it at the level of use-case scenarios.

Let's go to Sean first. Do you have any examples of companies that have taken ITIL to the level of implementation with tools like log analytics, and do you have some anecdotes or metrics of what some of the experiences have been?

McClean: I wish I had metrics. Metrics is the one thing that seems to be very hard to come up with in this area. I can think of a couple of instances where organizations were rolling out ITIL implementations. In implementations where I am engaged, specifically in mentoring, one of the things I try to get them to do is to dial into the community and talk to other people who are also implementing the same types of processes and practices.

There’s one particular organization out in the Dallas-Fort Worth, Texas area. When they started getting into the community, even though they were using different tools, the underlying principles that they were trying to get to were the same.

In that case they were able to start sharing information across two companies in a manner that was saying, “We do these same things with regard to handling incidents or problems and share information, regardless of the tool being set up.”

Now, in that case I don't have specific examples of them using LogLogic, but what invariably came out in this set of discussions was that what we need underneath is the ability to get proactive and start preventing these incidents before they happen. Then, we need metrics and some kind of reporting system where we can start checking issues before they occur and getting the team on board to fix it before it happens. That's where they started getting into log-like tools and looking at using log data for that purpose.

Iyer: That corroborates one of the surveys we developed and conducted in the last quarter. Organizations reported that the biggest challenge for implementing ITIL was twofold.

The first was the process of implementation, the skill set that they needed. They wanted to make sure there was a baseline, and measuring the quality of improvement was the biggest impediment.

The second one was the result of this process improvement. You get your implementation of the ITIL process itself, and where did you get it? Where were you before and where did you end up after the implementation?

I guess when you were asking for metrics, you were looking for those concrete numbers, and that's been a challenge, because you need to know what you need to measure, but you don't know that because you are not skilled enough in the ITIL practices. Then, you learn from the community, from the best-of-breed case studies on the Web sites and so forth, and you go your merry way, and then the baseline numbers for the very first time get collected from the log tools.

Gardner: I imagine that it's much better to get early and rapid insights from the systems than to wait for the SLAs to be broken, for user surveys to come back, and say, “We really don't think the IT department is carrying its weight.” Or, even worse, to get outside customers or partners coming back with complaints about performance or other issues. It really is about early insights and getting intervention that seems to really dovetail well with what ITIL is all about.

McClean: I absolutely agree with that. Early on in my career within ITIL I had a debate with a practitioner on the other side of the pond. One thing we had a debate about was SLAs. I had indicated that it's critical to get the business engaged in the SLA immediately.

His first answer was no, it doesn't have to happen that way. I was flabbergasted. You provide a service to an organization without an SLA first? I thought “This can't be. This doesn't make sense. You have to get the business involved.”

When we talked through it and got down to real cases, it turned out that what he was saying is that it’s not that he didn't feel that the SLA didn’t need to be negotiated with the business. What he meant was that we need to get data and reports about the services that we are delivering before we go to the customer, the customer, in this case, being internal.

His point was that we need to get data and information about the service we are delivering, so that when we have the discussion with a business about the service levels we provide, they have a baseline to offer. I think that's to Sudha's point as well.

Iyer: That's right. Actually, it goes back to one of the opening discussions we had here about aligning IT to the business goals. ITIL helps organizations make the business owners think about what they need. They do not assume that the IT services are going to be there, or it's not an afterthought. It’s a part of that collective, working toward the common success.

Gardner: Let's wrap up our discussion with some predictions or look into the future of ITIL. Sean, do you have any sense of where the next directions for ITIL will be, and how important is it for enterprises that might not be involved with it now to get involved, so that they can be in a better position to take advantage of the next chapters?

McClean: The last is the most critical. People who are not engaged or involved in ITIL yet will find they are starting to drop out of a common language. That enables you to do just about everything else you do with regard to IT in your business.

If you don't speak the language and the vendors that provide the services do, then you have a hard time getting the vendors to understand what it is the vendors are offering. If you don't speak the language and you are trying to get information shared, then you have a hard time getting forward in that sense.

It’s absolutely critical for businesses and enterprises to start understanding the need for adopting. I don't want to paint it as if everybody needs to get on board ITIL, but you need to get into that and aware of that, so that you can help drive its future directions.

As you pointed out earlier, Dana, it's a common framework but it's also commonly contributed to. It's very much an open framework, so if a new way to do things comes up and is shared, that makes sense. That would be probably the next thing that's adopted. It’s just like our English language, where new terms and phrases are developed all the time. It's very important for people to get on board.

In terms of what's the next big front, when you have this broad framework like this that says, “Here are common practices, best practices, and IT practices.” If the industry matures, I think we will see a lot of steps in the near future, where people are looking and talking more about, “How do I quantify maturity as an individual within ITIL? How much do you know with regard to ITIL? And, how do I quantify a business with regard to adhering to that framework?”

There has been a little bit of that and certainly we have ITIL certification processes in all of those, but I think we are going to see more drive to understand that and to formalize that in upcoming years.

Gardner: Sudha, it certainly seems like a very auspicious pairing, the values that LogLogic provides and the type of organizations that would be embracing ITIL. Do you see ITIL as an important go-to market or a channel for you, and is there in fact a natural pairing between ITIL-minded organizations and some of the value that you provide?

Iyer: Actually, LogLogic believes that ITIL is one of those strong frameworks that IT organizations should be adopting. To that effect, we have been delivering ITIL-related reporting, since we first launched the Compliance Suite. It has been an important component of our support for the IT organization to improve their productivity.

In today’s climate, it's very hard to predict how the IT spending will be affected. The more we can do to get visibility into their existing infrastructure networks and so on, the better off it is for the customer and for ourselves as a company.

Gardner: We’ve been discussing how enterprises have been embracing ITIL and improving the way that they produce services for their users. We’ve been learning more about visibility and the role that log analytics and systems information plays in that process.

Helping us have been our panelists, Sudha Iyer. She is the director of product management at LogLogic. Thanks very much, Sudha.

Iyer: Thank you, it's a pleasure, to be sure.

Gardner: Sean McClean, principal at KatalystNow, which mentors and helps organizations train and prepare for ITIL and its benefits. It’s based in Orlando, Florida. Thanks very much, Sean.

McClean: Thank you. It’s been a pleasure.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening and come back next time.


Transcript of BriefingsDirect podcast on the role of log management and systems analytics within the Information Technology Infrastructure Library (ITIL) framework. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Friday, October 31, 2008

BriefingsDirect Analysts Take Microsoft's Pulse: Will the Software Giant Peak in Next Few Years?

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 32, on the outlook for Microsoft in the face of the economic downturn and new directions in the IT market, recorded October 24, 2008.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Active Endpoints.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition Podcast, Volume 32.

This periodic discussion and dissection of IT infrastructure-related news and events with a panel of industry analysts and guests comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS visual orchestration system.

I am your host and moderator Dana Gardner, principal analyst at Interarbor Solutions. Our topic this week, the week of October 20, 2008, is the IT elephant in the room ... Microsoft. The software titan held its Professional Developers Conference (PDC) on October 27 in Los Angeles. We’re expecting quite a bit of news from the event, and this also gives us a chance to examine the state of Microsoft and its place and role in the enterprise IT dominion.

We’re going to dig into Microsoft, its mission, how well it’s doing, and how well we’re expecting it do over the next couple of years. We’re joined by this week's panel to help us dig through this.

I’d like to welcome first Jim Kobielus, senior analyst at Forrester Research. Hi, Jim.

Jim Kobielus: Hi, Dana. Hi, everybody.

Gardner: Tony Baer, senior analyst at Ovum. Hi, Tony.

Tony Baer: Hey, Dana, good to be here again.

Gardner: Dave Linthicum, independent consultant with the Linthicum Group. Dave will be joining in a little bit.

Next, Brad Shimmin, principal analyst at Current Analysis. Howdy, Brad.

Brad Shimmin: Hi, Dana, how are you?

Gardner: Great, thank you. Making his debut on our show, Mike Meehan, a senior analyst at Current Analysis as well, and former editor-in-chief at SearchSOA.com. Welcome, Mike.

Mike Meehan: Great to be here, Dana.

Gardner: And, last, Joe McKendrick, independent analyst and prolific blogger on SOA and business intelligence topics. Howdy, Joe.

Joe McKendrick: Pleasure to be here, Dana, thank you.

Gardner: Alright, let’s dig into the freshest news this week. Microsoft just yesterday announced its financial results for the quarter ending September 30. We saw 9 percent revenue growth, which includes 20 percent revenue growth for their business software, and overall 2 percent net income growth.

It’s not quite as robust as similar recent reports from IBM, Oracle, and HP. Indeed, the Business Unit at Microsoft did better than the Windows Operating System Unit, which has of course been its long-time cash cow.

I guess we’ll take this over to Tony. Tony, is there anything that we can read into Microsoft’s financial results that give us some indication of how well the company is doing?

Baer: Actually, I’ve been giving this some thought in terms of the results from some of the others lately -- for example, IBM and Oracle, mostly up, and SAP down.

My sense with Microsoft is that the Windows unit has been very much slowed down by the very slow uptake of Vista, and especially by the tendency of corporate customers, if and when they get new machines, to downgrade to Windows XP. So, that certainly has created something of a drag there.

The other part of this -- and this is actually one part which does surprise me a little bit -- is that Microsoft has been putting a lot more emphasis especially around business software, and specifically Oslo. You’ll see a lot of this in the sessions and announcements next week at PDC. It’s too early to impact the results, the financial results, but it's indicative of a general direction on Microsoft's part. It has become more of an enterprise computing player.

What does surprise me a little bit is that in a company of Microsoft’s size it would have that much material impact.

Gardner: What's a little surprising to me is that even with 9 percent revenue growth and 20 percent revenue in the Business Software Unit, which includes Office, that only translated into 2 percent income or earnings.

Is Microsoft at a disadvantage, compared to other enterprise vendors, because of its exposure to the consumer market, Web advertising market, and the cyclical nature of an operating system upgrade like Windows?

Baer: I’m not sure if it’s at a disadvantage with regard to the consumer market per se. I hate to use an extreme example like this, but take a look at some of the very toughest economic times that we’ve had. Let’s go back to the Depression, which of course we all remember from our childhood, or at least that we are all reincarnated now. During the ‘30s, when nobody had any money, people went out for cheap, real thrills. In that case, it was a trip down to the movie theater.

My sense is that, if you already have an Xbox 360, what's the big deal about getting another game? That’s a much cheaper thrill than going out and buying some more expensive piece of consumer electronics hardware.

I don't think that the exposure to the consumer side is such an issue. I think it's more a matter that certain parts of Microsoft’s business have matured and that some of the newer areas, which would be the enterprise side, and would also be say the Web-designer side, where they are going head-to-head with Adobe, are still much too early on the maturity curve to have a material impact.

Gardner: Alright, Mike Meehan, what do you think? Is Microsoft in a good, medium, or a bad position going into an economic downturn, given what we’re seeing and given their exposure across such a wide variety of different products and services?

Meehan: You’re generally never in a bad position when you’re diversified. That’s the one thing Microsoft has going for it. It has its hooks in a lot of different ponds.

I tend to think that they are better off in the consumer market than they are in the enterprise market. My view is that .NET has lost to Java, just as an enterprise technology. It’s a niche. It’s an avenue where Microsoft is going to have a presence.

People are going to use Visual Studio. They can build out Oslo and they can try to keep people in with as much service orientation as Microsoft can give you in their package, but they are not going to be on the same par as IBM, Oracle, or even SAP long term, in terms of being able to give you enterprise applications and application development tools.

They are a sidelight to that. Their business is more in the operating system and in the Xbox. Kids like playing games, and social computing, those game-oriented things, are going to be the areas where Microsoft is going to see its greatest profits down the road.

Gardner: So, you’re saying that Microsoft’s future is waning when it comes to its share of market, profits, and growth on the business side, and that its virtuous growth machine, the tension between its tools and its platform, is not going to continue? Is it the fight against organizations like Google and Apple in the consumer space that is going to be Microsoft’s growth future?

Meehan: I think they are capped on the business side. There's only so much of that pie they are ever going to get right at this point.

Gardner: Anybody out there have a concurring view to that? It seems that the vast majority of Microsoft’s revenues and profits still come from the business sector.

Kobielus: I think that there’s some validity to the viewpoint that Microsoft's growth potential has capped on the business side, when you consider packaged applications, and software- and application-development tools, in the sense that the entire product niche of the service-oriented architecture (SOA) universe is rapidly maturing.

The vendors in this space -- the SOA vendors, the business-intelligence (BI) vendors, the master data management (MDM) vendors -- are going to realize revenue growth and profitability. Those who survive this economic downturn and thrive in the next uptick, will be those who very much focus on providing verticalized and customized applications on a consulting or professional services basis.

In that regard, Microsoft is a bit behind the eight ball. They don’t really have the strength on the consulting, professional services, and verticalization side that an SAP, Oracle, or an IBM can bring to the table.

Microsoft, if they want to continue to grow in the whole platform and application space and in the whole SOA universe, needs to put a greater focus on consulting services.

Gardner: That's interesting. Now, here we have Microsoft, as I say the elephant in the room, the largest software company in the world, in many respects one of the most successful companies in the history of business, behind the eight ball. How could it be behind the eight ball, when it has $40 billion in cash in the bank, and an army of global developers and engineers? Yet, I think there's something to this.

Let’s drill down for a second. Gartner, the largest analyst and research firm, came out with a Top 10 Strategic Technology Areas list for 2009. These are the 10 areas I think are going to be the most strategic for IT people.

Number 1, virtualization. I think it's safe to say that Microsoft is catching up on virtualization.

Number 2, cloud computing. We’ll soon get detail on Microsoft’s cloud computing, but they’re clearly behind the eight ball if you compare them to say Amazon or Google or Salesforce.com.

Number 3, servers beyond blades. Well, that’s a hardware story, and Microsoft isn’t in the hardware business.

Number 4, Web-oriented architecture, mashups, or the use of Web development, primarily for new applications. Microsoft’s in that, but that’s a problem, because there isn't always a tie-in to their platform. It’s really a Web- and browser-based business, which has been somewhat troublesome for Microsoft, given its software plus services focus.

Number 5, mashups. Same story there. Microsoft does have tools and approaches, but it doesn’t necessarily feed their cash cow of selling more operating systems or upgrades to operating systems.

Number 6, specialized systems. I’m not exactly sure what that means, but I don’t think Microsoft is so verticalized that this is going to be a growth area for them.

Number 7, social software and social networking. We haven’t seen Microsoft dominate here. In fact, they tried to buy their way into this with Yahoo and failed.

Number 8, unified communications. Microsoft has been big there. That’s a potential growth area for them.

Number 9, business intelligence, another big growth arena.

Then, Number 10 from Gartner’s list, Green IT. Green IT, of course, means consolidation, more highly utilized servers, not hundreds of Microsoft Exchange Servers running at 20 percent utilization. So, I would posit that Microsoft is behind the eight ball on Green IT as well.

Does anybody out there want to react to this issue of Microsoft in catch-up mode?

McKendrick: When did Bill Gates start Microsoft? What year was that?

Gardner: 1977.

McKendrick: It was actually 1975. That was the worst downturn in our generation, as far as the economy goes. He, and eventually Steve Ballmer, started the company going. What year was MS-DOS launched to licensing? When did that begin to catch on?

Baer: 1980, 1981.

McKendrick: Yeah, the other downturn, the other worst economic downturn in our generation. So in other words, in Microsoft’s history it seems they’ve had their crucial turning points, at times when the rest of the economy was in a funk.

Windows was in the early 1990s, another recessionary period.

I was speaking with Brian Loesgen from Neudesic a couple of weeks ago. It was in the midst of the first wave of financial panic in the economy. He put it this way. Microsoft has its own economy. No matter what happens to the economy at large, Microsoft has its own economy going, and just seems to get through all this.

What’s driven Microsoft from day one, and continues to do so, is that Microsoft is the software company for Joe the Plumber. That’s their constituency, not necessarily Joe the Developer. They cater to Joe the Developer, Joe the CIO, and Joe the Analyst certainly likes to check in on what they are doing. It's this whole idea of disruptive technology. They have always targeted the under-served and un-served parts of the marketplace and move up from there.

Gardner: So we have two narratives. We have Microsoft is too big to fail, has done well regardless of economics in the past, and is independent of larger economic trends because of its "Joe the Plumber" appeal. We also have this narrative of they are playing catch-up.

McKendrick: The base of Microsoft, these companies that are using Microsoft technology, don’t necessarily get virtualization or cloud computing. They just want a solution installed on their premises and want it to work.

Gardner: Dave Linthicum, are you out there now?

Dave Linthicum: Yeah, I am out there now. How are you doing Dana? I was actually crying over my 401(k) portfolio, so I got in late on the call.

Gardner: Well, I can see why that would choke you up. Now, what's your position on these dual narratives: Microsoft, too big to fail, has always done well in the past -- or Microsoft behind the eight ball on virtualization, cloud computing, and some of the other major growth areas of the next couple of years?

Linthicum: I think they are behind the eight ball. A lot of the strategy I’ve seen coming out of Microsoft over the last few years, especially as it relates to cloud computing, SOA, and virtualization, has been inherently flawed. They get into very proprietary things very quickly. It really comes down to how are they going to sell an additional million desktop operating systems.

Ultimately, they just don’t get where this whole area is going. If you think about Joe’s point, going back in history, not as far, but to the whole Internet trend, it turned out to be an explosion back in the middle ‘90s.

They missed the boat on that completely. They were off doing their own MSN network and working on that kind of stuff, and they really were catching up in the end. They had a pretty good offering and they took a large part of the market because they own the desktop and all those things going on.

Now, we’re heading into an area where they may not be as influential as they think they should be. They may be not only behind the eight ball, but lots of other organizations that are better at doing cloud computing, virtualization, and things like that, and have a good track record there, are going to end up owning a lot of the space.

Microsoft isn’t going to go away, but I think they’re going to find that their market has changed around them. The desktop isn't as significant as it once was. People aren’t going to want to upgrade Office every year. They’re not going to want to upgrade their desktop operating systems every year. Apple Macs are making big inroads into their market space, and it’s going to be a very tough fight for them. I think they’re going to be a lot smaller company in five years than they are today.

Gardner: Let’s take that notion to Mike Meehan. Is Microsoft going to be the same, smaller, or bigger in five years?

Meehan: I wouldn’t say smaller, only because they got maybe as large as they were going to get in the earlier part of this decade. Dave is absolutely right in that the one area that Microsoft never really conquered that it needed to conquer, given its strength in the desktop, is the handheld. If they are not going to be there with the handheld long-term, that’s a major growth area that they are going to miss out on. That’s where a lot of the business is going to shift to.

I don’t spend all my day on a handheld, but I live in Boston. I can ride the T and I can see a lot of people who do use handhelds. If you want to be there, if you want to be in the cloud services, that’s where a lot of people are going to be getting consumer cloud services from. It’s going to be right off those handhelds, and Microsoft is just not there.

On the SOA side, as I said before, Microsoft is just trying to be as service-oriented as they can for users who are trying to be not SOA-driven, but "As Service-Oriented As Possible."

In fact, make that an acronym, ASOAP. There are going to be a number of users who are not going to go fully into SOA, because they have an enterprise architecture. It’s too hard to do, too hard to maintain. They’re never going to quite figure that out. They are just going to try to be tactical and as service-oriented as possible. Microsoft will try to service them and hold that part of their business.

What’s the next big thing they’re going to do? Joe referred to Microsoft having come up with that in previous downturns. I don’t see where they have got that right yet, and so I think that leads to them being smaller long-term.

Baer: I think the biggest deficiency in this go-around, compared to the Internet about a dozen years ago, is that they don’t have a figure like Bill Gates to crystallize turning the company around.

That was an amazing case study back around 1995, where Microsoft was caught by surprise by the Internet. Gates basically convened a weekend-long retreat, or something like that. I’m not sure how long it was, but it was pretty short.

At that time, the company was small enough -- and I use the term “small” in a relative sense -- that the company could turn around. More importantly, in someone like Gates, they had someone with the type of vision that could crystallize everyone to start thinking on the same page. I don’t think they have that same kind of figure now.

Gardner: That's right. It was the first week of December, 1995 that Microsoft came out and announced that the Internet was a big deal, and within two years they were the top browser company in the world, and have remained there ever since. So they have demonstrated an ability to move quickly.

Let’s go to Brad Shimmin. Brad, you are going to go to PDC. If there’s any venue where Microsoft can talk to Joe the Plumber and Joe the Developer, and convince the world that its vision of the future is the right way to go, it’s at the PDC.

Do you think that Microsoft is going to have an opportunity to change this perception of it being behind the eight ball in any appreciable way at the PDC?

Shimmin: I do, and simply because they don’t have to. I think back to a number of points that have been made here that to be successful Microsoft doesn’t need to convince the world. It just needs to convince the people that attend the PDC. They have such an expansive and well-established channel, with all the little plumber-developers running around building software with their code, that just as 40 is the new 30, Microsoft is really kind of the new Apple, in a way.

They don’t need to be Oracle to succeed; they really need to have control over their environment and provide the best sort of tooling, management, deployment, and execution software that they can for those people who have signed on to the Microsoft bandwagon and are taking the ride with them.

That’s what it’s all about for them at these shows. In general, it’s the same way. They don’t need to be the next Oracle to remain successful on the business space.

As Mike said, they’re kind of capped out in many ways relative to the consumer market, but, gosh, they have shown that with things like SharePoint, for example, Microsoft is able to virally infest an organization successfully with their software without having to even lift a finger.

They’ll continue to do that, because they have this Visual Basic mentality. I hate to say it, but they have that mentality of “Let’s make it as simple as possible” for the people that are doing ASOAP, as Mike said, that don’t need to go all the way, but really just need to get the job done. I think they’ll be successful at that.

Kobielus: I just want to elaborate on what Brad said and then bring it back to the question of will Microsoft be larger, smaller, or the same size in five years time. I think they will be larger, and they will be larger for the simple reason that they do own the desktop, but the desktop is becoming less relevant.

But now, what’s new is that they do own the browser, in terms of predominant market share or installed base. They do own the spreadsheet. They do own the portal. As Brad indicated, SharePoint is everywhere.

One of the issues that many of our customers at Forrester have hit on -- CIO, CTO, that level -- is that SharePoint is everywhere. How do they manage SharePoint? It’s a fait accompli, and they have to somehow deal with it. It’s the de-facto standard portal for a large swath of the corporate world.

Microsoft, to a great degree, owns the mid-market database with SQL Server. So owning so many important components of the SOA stack, in terms of predominant market share, means that Microsoft has great clout to go in any number of directions.

One direction in which they’re clearly going in a very forceful way that brings all this together is in BI and online analytical processing (OLAP).

The announcements they made a few weeks ago at the BI conference show where Microsoft clearly is heading. They very much want to become and remain a predominant BI vendor in the long run.

What that means is a number of things. First and foremost, innovating at the desktop within SharePoint and in Excel to enable, in memory, deeply dimensional user-driven modeling to begin to dissolve the OLAP cube and enable users to begin to develop their own advanced analytics, build it out, and grow that knowledge base in a collaborative environment that’s very much hinged on SharePoint -- the collaborative features, version management, library check-in and check-out, and so forth.

In five years time, Microsoft will be one of the predominant BI players. It already is, but it will become more important as one of the main BI platforms out there.

I don’t imagine Microsoft would become as verticalized a BI player as say a SAS Institute, but Microsoft, as several other analysts on this call have mentioned, has a phenomenal partner ecosystem, and they are providing an evermore powerful platform for those vendors and professional sources and customers to build out those analytics. So, they will be bigger.

Gardner: Okay. So, Microsoft has its installed base. It has its devotees, people who are making their living based on its products. It’s a huge channel. You see in a number of key IT areas a deep advantage in terms of their installed base, but that begs the question of whether things remain fundamentally the same or whether we’re going through a period of transformation.

Let’s go back to Brad. Based on what you know about PDC announcements, how is Microsoft going to pull off both retaining its installed base strengths, and also ushering people into higher productivity and lower cost, which are going to become essential?

Many Microsoft products are not the lower cost alternatives in the market, particularly from an architectural standpoint. Does anything come out in your understanding of the PDC announcements that will help solidify its base, but also substantially reduce total cost?

Shimmin: I do. It’s kind of funny, because a lot of the stuff they are going to be announcing, or demoing I should say, at PDC, leans toward some of the things we have been dinging them on.

For example, they are making Windows Communication Foundation (WCF) and Windows Workflow Foundation (WWF) form the heart of their ASOAP model, if you will, but they have been very much geared toward the bitheads that are working in Visual Studio to develop them.

What they’re trying to do is move those more toward an Oslo perspective of compilation and composition, so they’re making them such that they have a much better workflow capability. You had to code it by hand, but they are just coding it in, which goes back to their entire approach with tooling in general. They try to take you as far as they can, so that you don’t have to make as many decisions or intellectual efforts to make your software work.

They’re doing the same thing not just with .NET but also with their Windows Server, which I found to be the most curious part of what they are doing at PDC.

They have had Windows Server sort of unofficially as their application container, but really it’s not. BizTalk has been their application container for everything SOA. They’re moving toward Oslo, with the Dublin release. They’re making it more of a first-rate citizen for hosting composite applications as a container.

Gardner: Oslo is their next generation development and deployment framework, which is highly focused on services and business-process level integration.

Shimmin: It is. It’s nice, because they are actually going to have a registry-repository. You literally just have to partner and use standards for anything like that with them now, but they are going to build their own on top of SQL Server, which I think is a smart move, by the way.

But they will have that, and the development tooling that’s going to be hooked indirectly to .NET and the Windows Server. They’re going to make BizTalk more of a B2B integration, yet making it more of an enterprise service bus (ESB), which is the last thing they would have ever told you they want BizTalk to be. But, they’re going to make it more of that in the future and make Windows Server more of your traditional Java development, Java Shop, which would be your app server.

Gardner: So we have an ESB function set. We have a registry-repository function set. Microsoft is coming not on the leading edge of these technologies. They’re clearly five or seven years behind some other entrants in the marketplace. But, on the total cost perspective, I think what I am hearing from you is that if you go all Microsoft all the time, there are going to be efficiencies, productivity, and cost savings. Is that the mantra? Is that the vision?

Shimmin: That‘s exactly right, Dana. That’s what they’re banking on, and that’s why I think they are the next Apple, in a way, because they are downtrodden, compared to some of the other big guns we’re talking about with Oracle, SAP, and IBM inside the middleware space. But that doesn’t matter, because they have a loyal following, which, if you guys have ever attended these shows of theirs, you’d see that they are just as rabid as Mac fans in many ways.

They’re going to do their best job to make their lives as easy as possible, so that they remain loyal subjects. That’s a key to success. That’s how you succeed in keeping your customers.

Gardner: Dave Linthicum, Microsoft is continuing to make offers that their installed loyal base can’t refuse. But the total cost of ownership (TCO) equation comes in a little bit later. That is to say, if you have bought into the Microsoft-oriented architecture vision, and you’ve spent a lot of money with Microsoft in doing so, you will be able to do all of these things better in the future. What’s wrong with that vision?

Linthicum: Ultimately, people are looking for open solutions that are a lot more scalable than this stuff that Microsoft has to offer. The point that was just made, there are a bunch of huge Microsoft fans that will buy anything that they sell, that’s the way the shops are. But the number of companies that are doing that right now are shrinking.

People are looking for open, scalable, enterprise-ready solutions. They understand that Microsoft is going to own the desktop, at least for the time being, and they are going to keep them there. But, as far as their back office things and some of the things that Microsoft has put up as these huge enterprise class solutions, people are going to opt for other things right now.

It's just a buying pattern. It may be a perception issue or a technological issue. I think it’s a matter of openness or their insistence that everything be proprietary and come back to them.

I heard the previous comment that looking at all Microsoft all the time will provide the best bang for the buck. I think people are very suspicious of that.

If you look back in history, Microsoft Transaction Server (MTS) and all of these other things that Microsoft has built over time to get into enterprise-scale computing, haven’t worked very well. Either it was perceptions or openness. I reviewed MTS when I was at PC Magazine and I found it to be a pretty good product, but it just had no uptake into the market space.

I think their current efforts are going to run into the same issues. You’re not always going to have people who are going to buy it. It’s part of the bundles that they’re offering to the enterprise, the enterprise license agreements that they are selling in, but it's going to be a very hard path for them I think.

Gardner: Mike Meehan, virtualization is obviously a big topic these days. VMware came out with results that showed these things are selling like hot cakes. VMware itself is going to be under pressure in competitive offerings in the marketplace.

Is virtualization at the hardware level, infrastructure level, applications level, and then ultimately at the desktop level -- where we have virtual desktop infrastructure (VDI) -- a game changer in terms of Microsoft being able to pull this off? ... “If you do it all with us you have a better economic story.” How does virtualization change Microsoft’s strategy, if at all?

Meehan: I don't know that it does, in that you have to be so integrated with the company to take advantage of that, that I am not really sure that Microsoft is in the right position to do that.

For example, four years ago, Sun Microsystems started beating that drum that they were going to take these virtual environments, put it together with their software environments, and have this soup-to-nuts computing that was going to be five times more powerful and so much more efficient.

It just never happened on their end. It's hard to execute. It’s hard for Microsoft to align itself with what anybody else is doing. Whatever VMware is doing, I find it a little difficult to believe that Microsoft is willing to be the tail that’s wagged by any other dog.

To a certain extent, Microsoft will try to plug-in to that in its own way. What its own way is, and where exactly it plugs in though, are unknowns to Microsoft itself, and it’s going to want to own something in there. I don’t even know what it wants to own in terms of virtualization.

Gardner: It seems it wants to own the hypervisor. It’s going to make the Hyper-V hypervisor part and parcel with other infrastructure, and, I would imagine, at a price that people can’t refuse. They’ll also continue to sell Windows licenses for all those virtualized instances of an operating system. That’s still Windows. That’s still good revenue.

Does anyone else have a sense of whether virtualization, as a general trend, knocks down Microsoft’s ability to do it all and well?

McKendrick: VMware announced that operating system, what’s it called, the VMware VDOS, do I have that correct?

Gardner: KVS. Is it their Hypervisor?

McKendrick: No, they are actually calling it an operating system.

Gardner: That's right, their cloud-based infrastructure operating system.

McKendrick: Exactly. That’s the direction organizations are going. Cloud computing, SOA, virtualization, all those things are going to be internal clouds, private clouds, maintained within enterprises.

When you think about an operating system, what is an operating system? That’s virtualization, right? An operating system virtualizes resources underneath, in the server, the hardware, and storage. A virtualized operating system, like VMware is talking about, is probably the next evolution of operating systems in general.

Gardner: That’s right. A disk operating system virtualizes the disk.

McKendrick: Right. That’s what an operating system is, virtualization. People don’t think about it that way.

Gardner: So, your point is that Microsoft is in the position to take its advantages and strengths and move that up yet another abstraction to this private-cloud infrastructure level.

McKendrick: I think so. Steve Ballmer kind of responded to the VMware announcement by saying that Microsoft has something cooking in that regard too, some kind of virtualized operating system. I don’t know if it will be separate from what Windows will be in the future. An operating system is a cloud management system, when you really get down to it, and it’s the next natural evolution for operating systems. That’s what Microsoft is good at.

Gardner: We’ve heard quite a bit on this cloud operating system from Red Hat, Citrix, VMware, IBM, and HP talked it up a little bit. No one’s really come out with a lot of detail, but clearly this seems to be of interest to some of the major vendors.

Let’s go back to Dave Linthicum. What is the nature of this operating system for the cloud, and does it have the same winner-take-all advantage for a vendor that the operating system on the desktop and departmental server had?

Linthicum: I think it does in virtualization. Once one vendor gets that right, people understand it, there are good standards around it, there are good use cases around it, and there’s a good business case around it, that particular vendor is going to own that space.

I’m not sure it’s going to be Microsoft. They’re very good about building operating systems, but in understanding my Vista crashes that are happening once a day, they are not that good.

Also, there are lots of guys out there who understand the virtualization space and the patterns for use there. The technology they’re going to use, the enabling standards, are going to be very different than what you are going to use on a desktop or even a small enterprise departmental kind of problem domain.

Ultimately, a large player is going to step into this game and get a large share of this marketplace pretty quickly, because the cost and ease of moving to that particular vendor is very low.

I can decide this morning that I want to use a particular virtualization vendor, sign up with them, and start putting my assets out in that world in a very short time, versus buying hardware and software I am installing in my own systems and other things that are going to be leveraged.

These virtualization operating systems that are enterprise bound or even in a gray area with the cloud are going to come from somebody else besides Microsoft. That’s just my own personal opinion, based on what they are doing.

Kobielus: I think that Microsoft stands a chance of becoming the predominant cloud OS vendor. Let me just define the level set of what I mean by that. At the heart of any cloud or virtualized cloud operating system is a virtualized database environment. Database virtualization is a real hot topic, and it means many things to many vendors and to many analysts.

Fundamentally, like any other virtualization approach, it simply involves abstracting the internal implementation from the external calling interface, using a variety of approaches.

It’s not all together yet, but Microsoft is coming along with a fairly interesting database virtualization story that will play out in releases over the next several years.

For one thing, of course, they bought DATAllegro a few months back, and now Microsoft is building a shared-nothing, massively parallel database, a data warehousing environment that can scale up to thousands of nodes potentially and many petabytes of data. It’s grid at its very heart. So, a grid environment is virtualization, a database virtualization on one level.

Also, Microsoft has a very interesting project going on that will probably see the light of day in terms of roll-out in the whole SQL Server vNext timeframe in 2011. It’s called Project Velocity, which is very much virtualizing data persistence across both disk-based and spindle-based storage, as well as in-memory cache across a distributed virtualized fabric.

There's also a bit of virtualization going on in the front end of their BI stack, in terms of using in-memory approaches more deeply in all the app, and so on.

Of course, Microsoft has got the whole SQL Server Data Services, software-as-a-service (SaaS) initiative ongoing, and they will continue to ramp that up in coming years. I see all this coming together as the heart of a database virtualization environment.

Then, one other thing you need to have for a fuller virtualized OS in this environment is something called in-database analytics, where you can run the compute intents of algorithms right inside the database. You can take advantage of all the parallelization.

Microsoft doesn’t have a strong story there yet, but I think that in the next year or so, they will roll out a much more interesting story that tracks with what's going on elsewhere, like vendors in the data warehousing arena that have aligned themselves around this framework called MapReduce. A lot of that will come together in the Microsoft side over the next few years, and I think they will be a power in cloud OSs.

Gardner: So, I think what I am hearing from you is that virtualization, grid, and cloud can help Microsoft in its database and data services story, particularly up against someone like Oracle and IBM.

Kobielus: Yes, yes, yes.

Gardner: Okay. There's another difference here though with cloud and private cloud and that is that Joe the Plumber and Joe the Developer aren't going to be deciding the architecture for this cloud.

Also, moving toward the cloud infrastructure is a significant multimillion-dollar decision process that involves creating new data centers, tens of millions of dollars in facilities, infrastructure, manpower, and energy types of investments, things that will impact the company for five, 10, 15 years.

It seems to me that there's only going to be a handful, perhaps fewer than 25 true third-party cloud providers, and that the type of organization where a private cloud makes sense is going to be the Global 2000, maybe down to the Global 500, who would be interested in investing and have the cost savings in scale that would make cloud computing make sense.

So, in a sense, this move toward private-cloud and public-cloud infrastructure really does not benefit Microsoft’s traditional market and channel distribution and penetration. We’re really talking about perhaps as few as 2,500 total customers across the world who would be buying this. Given that that’s the economic landscape, does this not impact Microsoft in terms of its ability, or even interest, in approaching this market?

Baer: A couple of things. I agree with you in terms of the private cloud. I don't think that's really a real winner of a market for Microsoft, because it will require the customer to put in significant capital investments from the top-down. The thing is, those types of customers have not traditionally been Microsoft’s strengths.

I had a couple of thoughts as this session has drifted. One, how does the cloud really impact Microsoft and its prospects, and will Microsoft be able to compete in a more open world?

I have a couple of answers to that. You still have a certain, very stubborn level of mid-size businesses that are Microsoft shops. You go to these PDC conferences, which unfortunately I won’t be at next week, and you see these armies of people, who have been loyal ever since Visual Basic 0.5. They have built a huge developer base, which is translated to an incredible base among small businesses.

So, on one hand, I don’t think that Microsoft is going to lose its grip on its Joe the Plumber small and mid-size business (SMB), enterprise business. On the other hand, in terms of the emergence of clouds, and forgetting about private clouds at the moment, on public clouds I’m not sure. Microsoft has a software-plus-services strategy, the idea of which is to make it as invisible as possible. That has a nice value proposition to its traditional market base.

On the other hand, when you start seeing the proliferation of these third-party clouds, which are coming at very much commodity prices -- the Amazons of the world, and so on -- I’m getting the sense that these public clouds are going to become so commoditized that there’s not going to be any single player that’s going to dominate.

I think that Microsoft will be able to retain a very loyal niche at SMB, but I don’t think when it gets to cloud that it's going to dominate.

Shimmin: I just want to add to what Tony was saying. Yesterday, Amazon announced that EC2 is now running on Windows Server and Microsoft SQL Server.

Obviously, this is a public cloud, but in my mind, the fact that Microsoft has virtualization is a necessity for them to move forward. I don’t think it’s something they are going to be building a direct business on, like VMware. For them, it’s simply a necessity so that they can run on places like EC2.

The most important thing is, as Tony was just saying with Visual Basic, it all comes back to where you develop your application. Whatever you code in, the tool you’re using is going to dictate where you push that final application out. Whether it’s to your local server or to a cloud is irrelevant to you.

Whether you’re saving money going to a public cloud, for example, or you have your own investment internally doesn’t matter. The point is that Microsoft, to succeed, needs to have its application container. What I was saying is the Windows Server is a WebSphere Application Server in the cloud, and it seems like they are heading in that direction. So, I think they’re going to be able to ride this virtualization wave.

Gardner: Perhaps it will allow Joe the Developer to have it his way. That is to say, develop in what you like and what you know, target the Microsoft middleware functional set, as well as the containers that the tools are integrated to and aligned with, but perhaps host that up at a cloud.

Now, if Amazon is going to do it, then Microsoft is going to probably want to do it too -- and they more than likely will -- so it’s almost certain that Microsoft will have its own cloud. You use their tools, and perhaps their tools are in the cloud as well. So platform as a service is a value for Microsoft.

That’s all well and good, and it certainly would cut total cost and demonstrate the value of doing it on Microsoft. However, their ability to charge for those services is going to be up against other commodity-level platform-as-a-service and cloud-services sets. Microsoft’s ability to take money from each of these accounts, each of these developers, each of these departments would be severely crippled under that circumstance.

It raises the question: In five years will Microsoft, on a revenue basis, be bigger, the same, or smaller?

Let's wrap up our discussion today by going around and asking that very question to each of our participants. Let's start with you, Brad. Brad Shimmin, Microsoft five years from now, bigger, the same, smaller, revenue-wise?

Shimmin: I think they will be smaller revenue-wise, but they will be making more money from their infrastructure and their business applications than they were in the past.

Gardner: Good. Dave Linthicum, same question.

Linthicum: I already said they are going to be smaller. I think it's going to be turned kind of more into a cash-cow company. They’re going to have hooks into some of these new trends. Where they’re going to find their business model and the culture within the company is going to be the single most preventive factor for them expanding their revenue.

Gardner: So, you see it as a smaller revenue and a smaller profit.

Linthicum: Smaller revenue, smaller profit, and smaller impact on the marketplace.

Gardner: Michael Meehan?

Meehan: Just because I think the economy will grow over the next five years -- almost because it has to -- I’m going to say they are going to be bigger in revenue but they will have smaller impact on the marketplace.

Gardner: Tony Baer?

Baer: I agree with Mike. The economy will grow and, more importantly, world markets will grow, and they just will not be the single biggest frog in the pond.

Gardner: Jim Kobielus?

Kobielus: I think they will be bigger, and their growth will be in packaged applications, analytics, BI, and performance management.

Gardner: Joe McKendrick.

McKendrick: I agree with what Mike originally said. They will be bigger, because the whole pie will be a lot larger in the next few years. Let’s face it, many competitors that have taken on Microsoft have had their heads handed to them on a plate over the years. Don’t underestimate the folks in Redmond.

Gardner: Very good. I’ll throw my two cents in. I think their revenues will be smaller, though not appreciably so, but that their margins will continue to erode, and that’s going to force them to pick and choose businesses more carefully, and have to decide what they want to be when they grow up rather than try to be everything to everybody.

Well, thanks everyone. This has been a good and fun discussion about Microsoft and their PDC. I want to thank all of our guests for joining.

I also want to thank our charter sponsor for the BriefingsDirect Analyst Insights Edition Podcast Series, Active Endpoints, maker of the ActiveVOS Visual Orchestration System. I am your host and moderator Dana Gardner, principal analyst at Interarbor Solutions. You’ve been listening to Volume 32 of our series. Thanks and come back next time.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: Active Endpoints.

Transcript of BriefingsDirect podcast on the outlook for Microsoft. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Monday, October 27, 2008

Identity Governance Becomes Must-Do Item on Personnel Management and Security Checklist

Transcript of BriefingsDirect podcast on the identity governance and best practices for IT systems access provisioning.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, a sponsored podcast discussion about a serious and potentially catastrophic set of issues for many companies. I’m going to be talking about security and risk aversion around personnel, applications, and IT systems. We’re looking at how companies can more properly manage identity information and access rules for the users of applications and systems. We will also develop an understanding of a new class of solutions to this growing problem.

The goal is to work more toward identity governance, a step above simply giving access and privileges, and of getting pro-active in managing access across multiple dimensions in a business.

We use the word “governance” because it helps to develop an appreciation for the large-picture solution of properly provisioning users, giving them the right level of access privilege, and then being able to exercise lowering risk from the people, process, and systems perspective -- a comprehensive control and monitoring capability.

These issues and risks are reinforced these days by the sudden and unexpected financial pressure affecting many banks. There are dislocations, mergers, acquisitions, and most likely significant downsizing. There are a lot of bright people who have access to a lot of very sensitive systems. These are very powerful applications. If there were ever a need for identity governance, this would be it.

To help us better understand these issues and some of the newest solutions around identity governance, we are now joined by two executives from SailPoint Technologies. We’re talking with Mark McClain, the CEO and founder, and also Jackie Gilbert, the vice president of marketing and also a founder at SailPoint Technologies. Welcome to you both.

Mark McClain: Thank you, Dana.

Jackie Gilbert: Thanks, Dana.

Gardner: There was a time, and it doesn't seem that long ago, when folks would get themselves a directory and provision people on and off of IT systems through that. It was fairly straightforward. A limited number of people in IT managed this. But it seems that times have changed fairly rapidly. Mark, help me understand what's different now. Why do we need this more holistic governance approach to identity issues?

McClain: Sure, Dana. That's an accurate representation of where the market has evolved to, or it's continuing to evolve to. Some of this has been around for quite some time. It was probably initially referred to in many peoples' minds as a concept of user management, when we first went to distributed computing, and we had all these challenges of managing a whole bunch of identities on systems that were distributed around the enterprise, as opposed to a single well-maintained mainframe or something like that.

The advent of distributed systems, and, to some degree, the Internet drove us to seek how to secure the open enterprise. That was a challenge, as you said, of a lot of provisioning and de-provisioning of accounts, focused on operational efficiency, because it became a very costly solution in many organizations.

They understood that they had some security risk, but many times, their biggest concern was how much it was costing to manage, and also the very poor quality of service that, in many cases, was being offered to their users and partners. Someone would start with the company and not get everything they need to do their job for a few weeks, which is highly unproductive and quite costly.

But then I think if you look back over most of this decade, back to the turn of the century – it’s still funny to say that phrase – you see a series of issues with breaches. There’s been a series of issues with fraud or potential fraud, everything from Enron to things that happened with other companies where there are questionable practices, and then various clear issues of fraud or criminal activity.

And all of that together has brought about a new focus on privacy, financial oversight, and good governance, which is, in many cases, all related to the management of risk.

It comes down to how we get a good handle on who has access to what in our enterprises -- which critical data and applications are exposed to which people? The better we understand that, the better we can understand the actual potential risks we have in sharing that information or allowing it to go sometimes outside of our four walls.

In many ways, this focus on governance has been driven by those kinds of things. Now, in the current situation, as you just said, there is lots of churn in the financial markets and in the companies that make up those markets, where people are potentially moving inside of companies, changing jobs, lots of potential lay-offs happening.

That's when these issues of good governance, good controls over who has access to which critical information become very, very acute. That's because people are very sensitized to, "Hmm, if I get a disgruntled employee who may reach back and do something negative, do I have people who have been moved around quickly in a state of churn and now they have access to multiple things that they shouldn't?"

It's these segregation-of-duties challenges. There are lots of issues that we can continue to talk about, but I think it's a well-understood pain point that's getting more intense all the time as we see kind of more churn and concerns in the markets.

Gilbert: To add to and build on what Mark just said, the other thing that is unique in the current phase we are in, which is all about oversight, audit, risk-management, is that it has created a need for more and more people from the business side of organizations to become involved with identity management – and that has real implications.

When you are just focused on automation and making processes more efficient, that stays within the realm of IT and can be very much a focus for IT tools and technical users. Now, you have executives, boards, and business managers, who are being asked to be accountable and to gauge the risk and the effectiveness of controls around identity.

Those people are being asked to use tools and approve, certify, and deem whether access privileges and the accounts the users hold are correct, and do not place businesses at risk. So, if you think about it, it has actually forced the marriage of business and IT all around this issue of identity governance.

Gardner: I suppose it's not that people are any better or worse than they used to be, but that these systems are extremely powerful. One person with access to some trading applications, for example, can suddenly lose $5 billion. Right?

McClain: Absolutely. As to your comment there about the nature of people, you'd hope that the fundamental moral fiber of the country hasn't declined. But having said that, there are a couple of interesting things that have changed.

One is that, the world of hackers has evolved from seeing what they can get away with to prove their technical prowess, and has now really migrated to a fairly significant level of organized-crime involvement.

We've heard stories from companies of their employees being solicited by criminal elements to give up information. There were people getting phone calls saying, "Hey, would you be willing to sell access to your systems for some amount of money? Are you in credit trouble? Are you having financial difficulties?" People are soliciting employees to perform criminal behavior for money, which is a completely new element in the last 5 to 10 years, for sure.

Gilbert: A recent example of that was at Countrywide Financial. There was just some recent news this week about the arrest of a former employee who was actually selling Social Security numbers and mortgage information over a two-year period to the black market. This person admitted, I think, to receiving more than $70,000, by just selling this proprietary information. I think over 45,000 people were compromised that were Countrywide customers, and this isn't an isolated example.

There have been many cases of bank employees selling customer information to collection agencies. So I think what Mark was referring to is that there is actually more temptation and more opportunities to commit fraud now because there is a market for it.

Gardner: So, that means that we need to plug these holes and almost develop the ability to forecast vulnerabilities in advance – and that cuts across a chief security officer (CSO), the IT people, line-of-business people, and the human resources department. So who owns identity governance, if it, in fact, cuts across so many different aspects of a large enterprise?

McClain: It's a good question. I think that's one of the challenges that businesses are wrestling with today. As Jackie pointed out earlier, when we were focused on the identity provisioning challenges a number of years ago, it was kind of the help desk and the security group, all within IT, that were wrestling with the problem. Now, you have those constituencies as well as two or three key others.

We now have the auditors, both internal and external, and/or the compliance people who want to have a say, or a seat at the table, to talk about how well we are managing these kinds of access privileges and what risks are involved, when they are not managed well.

You certainly have the business people paying attention now because you have senior management who are highly motivated to avoid being the next headline. They don't want their company showing up out there with Cox Communications, the IRS, Wachovia, and any number of companies like DuPont, which have hit the headlines in the last two or three years with some sort of significant breach related to access.

Business people are very tuned-in to the risk and the potential for fraud, or the potential for abuse – and they are motivated. Your ownership questions are good ones, Dana. This is such a rapidly evolving challenge, but all those people are certainly at the table.

There is a little bit of a hot potato now going on where IT and security groups are saying, "Hey, I am not going to sign up and own this problem entirely, because I don't have the business context to know exactly what does or doesn't represent risk. You business people have to define that for us."

Gardner: It's tough to be responsible for something that you don't have authority over.

McClain: Absolutely.

Gilbert: One of our customers at a financial institution, the vice president of IT, told me that he has become more savvy and is actually pushing back on the lines of business. He said that when the IT auditor comes in and shows a bunch of red ink, he says that his counterpart in the line of business needs to help own and resolve this issue because IT alone really doesn't have the knowledge that it takes to figure out where is the risk and how to mitigate the risk.

Gardner: As we've seen in other aspects of maturing business processes and IT, solutions often involve bringing enough information up to the right people, through management consoles, analysis, and good data. How do we give whoever becomes the owner of this problem, or perhaps those managing a federated approach to the problem, the tools, the visibility, and the comprehensive access that they need to the right information? What is our first step toward the solution here?

McClain: You partially answered your own question, because you used the word "visibility," which we think is one of the three core pillars of this emerging segment of identity governance. It starts first and foremost with visibility. As a business person or even as an IT or control audit person, I can't define and manage the risk in my organization, unless I understand the current state of the union.

So it really does start with answering the fundamental question that most companies wrestle with, which is "Who has access to what?" One of my customers has joked about the fact that on the day you start with the company, you have access to nothing, and on the day you leave, you have access to everything. Quite often, the only person who actually knows all of the access privileges I may have after 15 years at a company is me.

There have been multiple groups I have moved through, multiple help desks, and IT organizations that have been part of granting me access over the years. So, it's quite probable that, literally, only I understand all of the privileges I have as an employee -- and that's a problem.

This problem starts by helping customers understand the criticality of gaining visibility across critical applications and data for who has access to what. We have to be able to correlate and aggregate a lot of technical information. We have to figure out that "D Gardner" and "Dana G" and "Dana_Gardner" are, in fact, the same person, and then correlate all the privileges that you have into a single view, so I can at least start with visibility.

Gilbert: If you think about it, for most Fortune 1000 companies that is a very difficult thing to do – just based on the fact that they have tens of thousands of employees, and hundreds -- maybe even thousands -- of applications that span mainframes, UNIX, Windows, and custom and packaged applications. The more complex and varied the IT is – and the bigger the company is – the more frequent the churn of people.

Some industries have 30-percent churn, with people coming in and out of the organization. All that makes this an extremely difficult problem, as Mark said, just getting proper visibility.

Gardner: Are we talking about this problem in a way that we are going to just grab all of this information, data and access information, and then put it all in one big, honking repository to manage it centrally?

Or are we talking about, "Let's leave the access privileges and controls where they are, but elevate the metadata and put that into some sort of a management framework that we can act on"?

McClain: We would say it is the latter. In other words, efforts to completely centralize all of the real-time access control, real-time authorization of who can get to what, have almost always failed.

There were a number of projects years ago, where people were going to create one enterprise directory. What you find now is that a lot of the more modern applications do rely on a directory, and that directory has become more standardized and more carefully managed. We would say philosophically that this is really more like a business intelligence (BI) application.

In that sense, I want to leave the operational data in the transactional systems that it belongs to. Yet, I have to be able to pull out of that, aggregate it, and put it into a repository that can be searched and cross-referenced across all the information, so that I can get that visibility.

By the way, a highly related point here is, if I just aggregate and correlate all this information from all the underlying systems – like Jackie said, from the mainframes and directories and Windows and UNIX servers – just getting it in one place is only part of the problem. The other huge part of the problem is giving it the right business context.

That's because one of the dirty, dark secrets today is that governance and compliance have become harder, and auditors have been forcing more frequent and periodic review of the access information. Quarterly or annually, these managers and applications owners need to re-certify who has access to what.

Another dirty secret in the industry right now is that managers and applications owners must sign-off on these reports, but they don't understand them, because those reports are generated out of the IT systems and they are incomprehensible to the business people.

Knowing that Dana has access to "server FQ 93T," doesn't tell me much of anything about what Dana can do. If I can understand that that server actually is the front end to the accounts payable system, then now I know something about whether that's appropriate for Dana to have access to.

A second core pillar that we've spent a lot of time talking to our prospects and customers about is this concept of business context. Not only do they have to aggregate and correlate visibility across everything they do, I, as a customer, need to give it context so I can understand the business risks and the criticality of the information that you can access.

Gilbert: Part of the way that context is accomplished can be as simple as just providing business-friendly descriptors for entitlements. We also use the context of business roles, so that we can take a group of entitlements and assign them to a business role.

For example, a "database administrator in the Austin region" gets these types of privileges. By making that linkage and creating that higher level of abstraction around a role, we can ask people to approve whether "Joe" should be in that particular role. And they are much more likely to understand that than they are just looking at the low-level entitlements, and trying to make an intelligent decision about whether that is appropriate.

Gardner: I’m fairly clear that we have a distinct problem here, and that we are not going to solve it through a central forced march into a single approach or product. And, I understand that the identity governance solution has to be understood in the business context.

I guess what I am not clear about is how we actually go out and get this information, make it visible, get that single view of the employee, and then create the opportunity for execution and action against that information?

Gilbert: As Mark said, it's pretty analogous to BI and even data warehousing or data mining, if you will. Our approach is to take a very lightweight, read-only access to the data. We pull entitlement data and account data from applications and servers throughout the enterprise and we aggregate that into what is basically an entitlement warehouse.

We physically create a common data view of users and their entitlements. What that gives you is not only the visibility in one, single place, but it gives you the business context to better understand it. And it allows us to do some automation of controls and policy enforcement, and some risk assessment. It's amazing the value you can derive, once you get the data all in one place and normalized, so that you can apply all kinds of rules and logic to it.

For example, we can much more easily send and route that information around to the people who need to approve access or review it on a quarterly basis. And, it's all in one place. They’re not getting a single spreadsheet per application. They’re getting it all centralized per employee or per application, however they want to see it.

We can also scan that data, looking for policy violations. A good example of that would be what we call "toxic combinations," such as “you can't have an employee who both has the ability to set up a vendor and pay a vendor.” Those are two different access privileges that together indicate a high potential for fraud. So by combining all the entitlement data into one single database, you can much more easily scan for and detect potential policy violations and also the potential for risk to the business.

Gardner: I suppose carrying on with that analogy about BI, that the same information, those same rules, can be used by a number of different constituencies in the organization, whether it's provisioning, personnel, security, or compliance. It all seems to have a common reach, but a differentiation in terms of how people can then use it.

McClain: Yes, I think that's right. The idea is that once you have defined business roles, access policies, segregation of duties, and "toxic" combinations, that's useful information, whether you are doing annual or quarterly re-certification processes, but also when you are taking on a new employee or adding a new partner or something.

You want to be able to refer to those kinds of systems, that data of who has access to what, which are the appropriate policies, and what are the appropriate combinations to avoid. So that if I’m going to provision someone, for instance, to a new system, or give them new entitlements, I can check it against that same repository of information on the users and the policies that I care about. I can make sure I’m not creating any problems at the time that I grant access.

Gardner: You can use this identity governance, of course, for prevention and insight. But, it also sounds like it would be very powerful, if we were doing a merger and acquisition (M&A), or if I were forced, tough as it may be, to fire everybody and then re-hire them under a different ownership or structure. Trying to do something like that without this sort of comprehensive information set would be really onerous.

Have you had any customers or use-case scenarios where people have used these ID governance systems to that degree, and what sort of paybacks have they seen?

Gilbert: That's a really good point. In fact, M&A activity is a use case that we have seen with our customers.

A typical example would be that one bank has just bought another bank, and there is going to be a gradual process of integrating the new bank into the larger bank. During that time, we want to manage the population of users in a very shared way, so that a certain set of people will maintain access to just the old bank and then others will get merged access to the combination of the two banks.

Then, for people who potentially are being laid off or replaced as part of the M&A, we are going to manage them with potential risks in mind. So, we are going to limit their access and we may want to monitor their activity.

We actually provide a tool to segment user populations and then manage them differently in terms of the kind of controls and monitoring that we would allow the company to provide around that M&A acquisition activity.

Gardner: When it comes to implementing something like this, and I believe your product is called SailPoint IdentityIQ 3.0, is this strictly a product approach, or is this professional services and consulting or some level of competency or skill-sets within the organization's combination? I suppose the question is how much of this is actually accomplished by the product, and to what degree is the user company's skill sets required?

McClain: We would love to say you drop it in and it works, but it's not quite that simple. Many times, this is a fairly substantial project, although the ability to get to value quickly is something we've demonstrated with a number of our companies. We work with them to scope an appropriate size project, some limited number of applications or users – to show how the technology can significantly help them with these processes of certification or managing roles or better risk management.

But, quite often there is a very fairly significant consulting part of the conversation, because ultimately this is an opportunity to bring these constituencies to the table, sometimes for the first time. The auditors, the application people, and the IT security people sit down and say, "What do we want to accomplish here? How can we best provide good governance, meet our compliance requirements, and manage our risks appropriately?"

So, there is often a very beneficial set of conversations that come out of that. Then, of course, the challenge of our tool, of our software, is to capture those policies, capture those things in the product.

We have definitely seen very significant payback conversations because of the amount of manual effort and money being spent on these projects, particularly the Sarbanes-Oxley related certification projects, where not only can we save the companies a great deal of money – either in "soft" dollars internally or "hard" dollars being served with consultants.

But frankly, one of the things we hear consistently is that SailPoint IdentityIQ 3.0 is a big frustration reducer for the business.

This is a very significant source of pain and frustration in the business community today. Even if it's not purely a financial justification that we are able to give the customer, sometimes their eyes light up with, "Oh, wow, if I could give this to my users (the line of business or the auditors), they would be so much happier doing what they are doing today." So quite often there is a very significant emotional payback, I'll call it, as well as a financial payback in this kind of a solution.

Gardner: Often, risk reduction and security management is a large undertaking that requires organizational and cultural shifts, and that can involve such things as the Information Technology Infrastructure Library (ITIL), and how to re-engineer your processes within the IT department itself. Granted that these are complicated and large undertakings, let's just drill down on the product itself. What does the SailPoint IdentityIQ product do in terms of "picks and shovels" that these other practitioners can put to use?

Gilbert: We've touched on a few of these points before, but a big area we contribute to is in automating some of the types of controls that would be defined by a framework like ITIL, control objectives for information and related technology (COBIT), or some of the frameworks that attempt to say, "Here's a common set of good practices that we've captured, and many of these really involve best practices and business processes for improving security controls."

SailPoint’s automated workflow replaces the manual paper-based quarterly review of access. It provides you with a much more effective set of controls that are predictable, but customizable.

We have one customer who was doing quarterly reviews. They would spend most of the quarter compiling the data, reviewing it, and then manually reconciling it. Then, they would have one or two weeks of a break before they would start the process over again.

So, as Mark said, one of the things that really helps is that we are coming in and replacing something that is painful, onerous, and not very reliable, where people have low confidence. We are replacing that with a set of controls that is much more in line with the sort of recommendations you would see coming out of an ITIL or a COBIT, in terms of how you align controls to reduce risk and how you perform these kinds of activities in a way that is reliable and predictable.

Gardner: Examples often help, but I don't suppose there are a lot of people jumping up and down saying, "I'm really a high risk over here!" So, there are not too many companies that you can trot out and say, "Well, we took them from 90 percent risk to 20 percent risk." But are there any examples of how this has worked, and perhaps some of the paybacks, both in business terms and even in IT terms, of how people have benefited?

Gilbert: A couple of examples come to mind. One of our customers, again a financial services company, went through the first quarterly certification process across dozens of Sarbanes-Oxley relevant applications. In that very first round of review, they detected that, on average, 20 percent of the entitlements for their users were inappropriate and needed to be revoked.

That’s the kind of benefit of oversight you're getting right out of the gate. Once you have the ability to see the data and see it with the right context, you are much more productive at spotting what needs to be taken away and what is inappropriate.

IT audits uncover many of these problems. Another customer was written up by their auditors because they concluded – just based on a sampling – that the access data for the corporation was, on average, only 70 percent accurate, meaning that 30 percent of it was erroneous or incorrect.

These are cases that are easy to quantify, and you're giving this immediate benefit of data clean-up and removing inappropriate access. We call it entitlement creep; that's our expression for it over time. People transfer, they change jobs, they need temporary access to some system for a project – and it never gets removed.

Part of what you are getting right out of the gate is the ability to say, "Hey, Joe doesn't really need this. He's not even in the accounts-payable department anymore," but he still has all the system access.

Gardner: Have there been any unintended positive consequences from using this? That's to say, for people who have put identity governance in place did they get what they were expecting, but also more? Where there other ancillary payoffs that people have enjoyed?

McClain: That's an interesting question. I certainly think this idea of happier users is one. IT is so consistently under-appreciated, under-loved, under-paid. When they can provide a tool to the business user that makes the job simpler, faster, easier, especially for something like these audit processes or certification, re-certification processes, that no one looks forward to, I think that's always a win for the IT staff in particular.

I have made something you have to do easier and quicker and less painful. That's quantifiable, but the unintended consequence is an improved relationship between IT, security groups, and the users. Also, the relation between internal audit and many of these groups has become fairly combative. You talk to people that have been around IT for years now, and they say, "Look, it's not like we are buddy-buddy with our auditors, but we all were sort of working together, trying to make sure that the company was being well-governed."

We have a few cases that became very combative, with a lot of anger. One person said, "Oh, you mean the ‘A word’" about the group of auditors that they were talking to. What we are finding is that this helps them get back to, "Look, aren't we all trying to accomplish an objective here of better risk management, better governance?"

One of the things that our customers have told us is that they are so focused on just getting through the audit to check the compliance box, people have lost sight of why we were doing this stuff in the first place. Ultimately we're trying to mitigate and manage risk. We’re trying to provide good repeatable processes and good governance, so the right people have the access they need to do their job correctly, and only the access that they need to do their job correctly.

So often, we've gotten away from that. It's become just, "I have to get through this process to check the box, to meet the audit by this date." It's become a must-do that has lost sight of its original objective, in many cases.

Gilbert: You mentioned the culture issue earlier. To be honest with you, we find a lot of people that may be talking about risk management, but inside most IT departments, it is really hard to understand how to put that into action.

Because we give them the ability to begin aggregating the data, doing certifications and revoking and solving policy violations, they can automatically accumulate risk data, allowing them to profile their users by risk. I think people are looking for ways to put a risk-based approach into action. What does that mean to me as an IT practitioner? I think there is a desire to get to that, but there is really a struggle on how to quantify risk and put risk management into practice.

Gardner: As we’re wrapping up, it's interesting to look at the future. This is a fast-moving space. When we look to identity governance, say two or three years from now, is this a case of the role growing? Is there a larger payback or a productivity benefit, or are we just going to make what we've got in terms of the problem set work better? What does the future hold?

McClain: The one that we've debated around here, that I think might be useful, is that there is this acronym that's fairly prevalent out there, GRC (governance, risk management, and compliance). Oracle has a GRC suite, IBM has a GRC suite, SAP has a GRC suite. And we've joked about the fact that if you were to look at that from a chronological standpoint, it should have been CRG instead of GRC, meaning a lot of the focus for the last few years has been on compliance. How do I either reduce the cost and complexity of it? How do I meet the audits more quickly and effectively? Just this huge focus on getting to the audits and all that stuff.

People would tell you that they have compliance relatively under control now. They are generally passing their audits. They generally are not having big material deficiencies, but they sure would like to take cost out of the process and get away from so much manual work, to more automation.

This risk management, the R of CRG, seems to be emerging now, as we've talked a lot today. I think senior management is sitting on their perch in the CxO suite: "So, we've spent all this money on security, we're supposedly compliant, why do we still have these breaches?"

Most big companies are still experiencing breaches, most of which don't hit the press, but some do. So, I think they are starting to ask the fundamental question of, "So we are compliant, but we still have risk. We're not managing well. What are we going to do to get better about that?"

Governance, which is, I think, the focus of our talk today, is in some ways an umbrella over all that this incorporates, and then hopefully moves to just good, sound, repeatable business management of identity and access. How do I place policies? How do I provide a risk matrix, as Jackie was just talking about, that enables me to understand, measure, and manage risk?

I think really we are seeing the shift from the C, kind of through the R of GRC. People are just sort of half a foot in the water, half a tail in the water, on the risk management side of it. And, to your point, what does this look like three years from now? I'd like to think a lot of companies are using some risk matrix to address these issues.

They hopefully have compliance well under control. They can pass their audits. They can generate the reports in a timely automated fashion, and they're moving to more sophisticated governance or clarity around the business policies and how those affect the underlying IT systems. So I think it's kind of that progression from the C to R to G, flipping the acronym upside down.

Gardner: Well, great. I have certainly learned quite a bit, and have a much better appreciation for why identity governance needs to happen. I have certainly been in cases in my jobs where I've gone from one department or unit to another and I still had access to all those other applications.

McClain: Fortunately you are a high-ethics guy and you didn't view it.

Gardner: Yes, right, I didn't do anything bad about it, but I could see where that's certainly a risk.

McClain: Exactly.

Gardner: Okay, we are talking about identity governance and risk, and how to come to more of a solutions focus around this. We've enjoyed the talk. It’s a sponsored podcast today with Mark McClain, CEO and founder, and Jackie Gilbert, vice president of marketing and founder, at SailPoint Technologies. I want to thank you both.

McClain: Thank you, Dana.

Gilbert: Thank you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time for more in-depth discussions about enterprise software and strategies. Thanks, and bye for now.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Transcript of BriefingsDirect podcast on identity governance and best practices for IT systems access provisioning. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.