30.06.2009 by Martin Kuppinger
I’ve seen many approaches for strong authentication – most of them are either too expensive, too complicated, or they aren’t really appealing. The latter is true for approaches like “passfaces”, where you have to pick one or several known faces from different pictures. Many approaches are complicated to deliver. And many of the token-based approaches are complex from a logistics perspective and are expensive. However, many of these approaches, and especially combinations of, for example, hardware tokens and soft tokens, will work for many use cases.
But there are other approaches which are interesting as well. One which looks pretty interesting is GrIDsure, provided by a UK vendor and implemented by several OEMs right now. The idea is to provide a grid of numbers and to define a pattern within this grid per user. One user might decide on picking the numbers in the corners, clockwise. The next one might pick numbers from the second line from the right to the left. Even a relatively small grid allows for many different combinations. And due to the fact that the numbers within the grid change every time, there is a very high number of changing PINs which then can be entered. The concept is easy to understand, doesn’t require additional hardware and works with any type of device with a display.
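The grid-and-pattern idea described above, sketched as an added example (not GrIDsure's implementation and not code from the original post): the server issues a fresh grid per login, the user types the digits found at their secret cells, and the server compares. The 5x5 grid, the four-cell pattern, the digit alphabet and all function names are assumptions made for illustration.

```python
import hmac
import math
import secrets

GRID_SIZE = 5     # assumption: 5x5 grid
PATTERN_LEN = 4   # assumption: four cells per user pattern


def new_challenge(size=GRID_SIZE):
    """Return a fresh size x size grid of random digits for one login attempt."""
    rng = secrets.SystemRandom()
    return [[rng.randrange(10) for _ in range(size)] for _ in range(size)]


def response_for(grid, pattern):
    """Read the digits at the pattern's (row, col) cells, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, enrolled_pattern, submitted):
    """Server side: compare the submitted PIN with the one the pattern yields."""
    expected = response_for(grid, enrolled_pattern)
    # Compare as bytes so non-ASCII input is rejected instead of raising.
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


def pattern_space(size=GRID_SIZE, length=PATTERN_LEN, allow_repeats=False):
    """Number of ordered patterns a user could choose on this grid."""
    cells = size * size
    return cells ** length if allow_repeats else math.perm(cells, length)


# Constructed sample grid (not real data), fixed so the results are repeatable.
CONSTRUCTED_GRID = [
    [3, 7, 1, 9, 4],
    [0, 2, 8, 5, 6],
    [6, 1, 4, 3, 7],
    [9, 5, 0, 2, 8],
    [2, 8, 6, 1, 5],
]

# The two patterns mentioned in the text, as (row, col) cells.
CORNERS_CLOCKWISE = [(0, 0), (0, 4), (4, 4), (4, 0)]
SECOND_ROW_RTL = [(1, 4), (1, 3), (1, 2), (1, 1)]

if __name__ == "__main__":
    print("corners PIN on sample grid:", response_for(CONSTRUCTED_GRID, CORNERS_CLOCKWISE))
    print("second-row PIN on sample grid:", response_for(CONSTRUCTED_GRID, SECOND_ROW_RTL))
    # The same pattern gives a different PIN on every fresh challenge.
    for _ in range(3):
        print("fresh grid ->", response_for(new_challenge(), CORNERS_CLOCKWISE))
    print("ordered 4-cell patterns on 5x5:", pattern_space())
```
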
Despite being really reluctant when a new vendor appears and likes to tell me that he has found the solution for strong authentication, the conversation with GrIDsure was definitely interesting. At least interesting enough to cover it in my blog and to do further research on that solution.
24.06.2009 by Martin Kuppinger
Even though I don’t share his understanding of the term “private cloud” (I don’t believe in that term), I like what Chuck Hollis of EMC has blogged about “Monetizing the cloud”. There are so many open questions around the valid business models for cloud providers as well as consumers of cloud services. And everyone will have to learn a lot – and learning from others might help to avoid mistakes.
By the way I also wouldn’t limit the cloud discussion to “providing infrastructure” – it goes well beyond that and covers virtually any type of IT service.
There will be room to discuss things like the correct terminology around the cloud as well as valid business models at Cloud 09, to be held 2nd to 4th of December in Munich – the cloud counterpart to our European Identity Conference.
24.06.2009 by Martin Kuppinger
Yesterday IBM announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question as me: Why is it only version 5.1, i.e. a minor (.1) release, instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last but not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). In other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.
So the GRC stuff is one of the new areas in TIM 5.1. That’s nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms – with advantages and disadvantages in both approaches. IBM in fact has tied in that area.
Much more interesting is the addition of PIM capabilities to a provisioning solution. Even while not every aspect of PIM will be solved by what TIM 5.1 delivers, that fulfills my expectations of PIM becoming more and more part of provisioning tools – which is just logical, given that it is about managing accounts. IBM is the first vendor in the market who delivers an integration in that area. Novell might become a close follower given that they have recently acquired a PIM vendor.
With these additions, IBM would have had good reasons to name the release of TIM as version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.
However, IBM shows that they are intensively acting to improve their positioning in the IAM and GRC market space. Being one of the first big companies which had entered that market, there hasn’t been that much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver on full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that given their strengths in areas like SIEM, ITSM, and others…) IBM might even further improve its positioning.
18.06.2009 by Martin Kuppinger
The biggest problem around cloud computing is the lack of a valid and well accepted definition. Definitions like “scalable services delivered via the internet” fail for example when thinking about “private clouds” which aren’t used via the internet (but at least based on using the same standards). And, by the way, not every cloud service will have to be highly scalable – there will be more and more very specialized services where functionality is key, not a massive scalability.
But the more you dive into the topic of cloud computing, the more obvious it becomes that this cloudy thing of “cloud” (usually associated with the Internet and things which are provided there) isn’t the key thing. The key to success is that companies understand the value of Cloud IT.
What does this mean? Cloud IT stands for consistently using cloud principles in IT – and in every part of IT, not only for consuming some external services. That includes:
- well defined services (SLAs!!!)
- a consistent service management across all services, regardless of where they are running (and, based on that, consistent approaches to cloud governance)
- applications which are agnostic of where they are run or which hardware resources are available – there have to be parameters which might limit the ability to run applications everywhere and the application has to accept the currently available hardware resources but as well should understand that these resources can change dynamically
Defining everything in IT as services in a consistent manner is a fundamental change and the foundation for a flexible use of cloud services. Once you have made that move you can decide (based on parameters of a service) which service provider (internal or external) you will use. Thus, the first step is making your IT “cloud-ready”, i.e. moving towards a Cloud IT. Without that, using cloud services will always be sort of tactical and not strategic.
15.05.2009 by Martin Kuppinger
There are plenty of definitions of the “cloud”. Most of them include aspects like services which are provided via the internet and which are highly scalable. But the discussion about terms like a “private cloud” proves that this is a somewhat insufficient definition. Depending on the definition of a “private cloud”, these services might be delivered via a private network.
The insufficiency becomes obvious as well with respect to some of the aspects of the cloud. There are so many different types of cloud services that there are for sure some which, for example, are so specific that they don’t need to be highly scalable – for example cloud applications which are devoted to a specific target audience with only few members like for example airlines or rail operators. There the scalability is automatically limited and not somewhat infinite, like often is assumed as a requirement for cloud services. And there will be many services devoted to much smaller groups (with respect to the size and number of members).
From my perspective, the essence of cloud computing are the services. Services are defined on various levels, from pure computing power up to very specific applications. These services are provided by someone. They have to be well-defined so that they can be provided by different providers and the switch to another provider is supported. This definition goes well beyond today’s definitions in IT Service Management. It has, for example, to be defined, where (geographically) a service can be hosted – due to legal reasons.
Given that a well-defined service which can be run virtually anywhere is the core of cloud computing, it becomes obvious that terms like “private cloud” are just marketing fuzz. In fact there will be only one cloud with different operators, from internal data centers to external cloud providers. And by the way: Where should the borderline between “private” and “public” be? The (diminishing) perimeter of an organization? The fact that a partition of a data center in the cloud is used? A physical machine or a virtual machine? Actually it isn’t possible to define that in a valid way.
The real value of cloud computing is that services can be consumed from different providers and that providers can be changed – sometimes pretty easily, sometimes with a little more effort. That might be an internal or external provider, but you shouldn’t care as long as the requirements are fulfilled (which could as well mean that it is mandatory to provide a service internally).
There are many open points around cloud services and the related standards today. In case that we have defined that a specific service consumed in the EU has to be hosted in the EU – how do we avoid that the data is sent from Paris to Berlin via New York which might happen in practice? Obviously, a lot of work has to be done around standards, around service descriptions, around management tools at any level. But despite the shortcomings we observe today, the cloud will become reality and IT will be run and managed differently from today. There are far too many advantages in cloud computing.
We will discuss many of the topics around Cloud Computing, the opportunities, business drivers, standards, service management and so on at Cloud 09 in Munich in November 2009. Take part in these discussions!
28.04.2009 by Martin Kuppinger
The (planned) Oracle/Sun deal has gained a lot of attention. There was a lot of discussion of the rationales behind. But most of them didn’t really touch the point why Oracle will spend so much money for Sun. Have a look at the rationales:
The hardware?
Not really. Oracle never has done hardware business before. That is another type of business. For sure there are some advantages. It is a little easier for Oracle to offer appliances, but they could have done this with standard hardware and some flavour of Linux. For sure, for big shops that might become interesting – highly scalable hardware and the database or application server or a business system. But on the other hand, the overall margins will decrease for these deals. And the aspect that it becomes cheaper for Oracle to equip its own cloud data centers in the future isn’t worth to take the risk of a hardware business.
The Solaris operating system?
As well – some few advantages but no real one. With hardware and a high-level server operating system, Oracle is more competitive with companies like IBM and Oracle, the (from a revenue perspective) real big guys in the industry. And Oracle might even bring some market share back to Solaris, by preferring that OS. But overall, there is not that much value in there. Solaris is fine for large cloud data centers, but it is overkill for many appliances. The overall value of obtaining an OS thus is somewhat limited for Oracle.
The IAM and GRC tools?
Even while we are experts around IAM and GRC – that wasn’t the reason behind. In contrast, that is one of the areas with a huge overlap and thus a lot of potential problems in defining a roadmap and migration paths for existing customers.
The cloud?
Again – not really. There are some advantages in having own hardware and an operating system for high scale cloud data centers. But Oracle would have been well able to manage the move towards the cloud without that. And if it were about the cloud, there probably would have been better choices than Sun.
The psychology?
Yes, to some degree. Oracle now really competes with IBM at any level. It has an own operating system. But that is not the real rationale behind the deal, even while that thought might have influenced the decision making.
The market share?
Which market share? Oracle is buying market share, no doubt. They have done this with acquisitions like PeopleSoft, they have done this especially when acquiring BEA. But there is a rationale behind that about which I will talk later.
The Java stack?
No. There are probably more risks than advantages. Improving the stack itself is an investment without direct return. That might improve the position of Oracle in the application server field. But given that Sun has “owned” Java and nevertheless hasn’t been the leader in the market of application infrastructures shows that this is not the main reason. Besides this, there might be sort of a trust issue in Oracle owning that stack – Sun has been more trusted in supporting open source than Oracle is. And other companies like IBM and SAP which are heavily relying on Java might as well be somewhat disappointed. Oracle is a much more heavyweight competitor for them than Sun has been.
And yes. Oracle will be able to drive some things forward in the stack. Think about an integration of JAAS (Java Authentication and Authorization Service) with Oracle’s concept of SOS (Service Oriented Security). By doing this, Oracle might gain some advantage for their “engines” which provide these services and some tighter integration than others can provide.
The application server?
Yes, to some degree. The market share of what Sun provides around application infrastructures (development tools and so on) is somewhat relevant but not the main reason. But overall there is the question whether Oracle really wants to maintain Glassfish, Fusion, and WebLogic. And for sure Oracle expands its grip on that market.
The expanded lead in application infrastructures?
Here you go. That is the real target of Oracle. That is why they have bought BEA, that is why they have been heavily investing in IAM and other areas of the IT market. For a long time, there have been the operating systems and the business applications as the instruments of power in the IT industry. That is changing, with the business processes and the supporting application infrastructure becoming the new instrument of power. That is the reason why companies like Oracle, SAP and IBM (based on Java) as well as Microsoft (based on the .NET Framework) are heavily competing for that market. The one who is in control of the business process platform has managed to achieve the vendor lock-in – the more specific features of the platform are used, the more lock-in.
That is, from my perspective, the real rationale behind that deal. From that perspective, it is not that much a market share deal but a market power deal. That is the reason why Oracle buys several elements of limited value for Oracle (not of limited value from an overall perspective, for sure!). That is the reason why Oracle again spends a lot of money and takes some risks. Java helps, the market share in the application server market helps. But they are not the key reasons for that decision.
Interestingly, most customers haven’t yet understood what is happening in the IT market from a strategic point of view. Otherwise, they wouldn’t leave platform decisions in the area of IT infrastructure to some developers and architects or, in best case, the CIO, but understand that as a decision with a long-term strategic impact on the entire organization.
27.04.2009 by Martin Kuppinger
Last week Microsoft announced that they will offer their own cloud computing services in nineteen different countries. The approach is “hosted by Microsoft, offered by partners”. That is an interesting approach and it is obviously the result of Microsoft’s thoughts about how to manage the balancing act between the existing business model and the upcoming cloud computing business.
On one hand, Microsoft relies on their partners which sell software licenses today. On the other hand, Microsoft has to provide offerings as cloud services. Until now, there have been some limited offerings for example with value-adding services for Exchange infrastructures or, in a specific market segment, the Office LiveMeeting product. With last week’s announcement, Microsoft provides core services like Exchange Online and SharePoint Online by themselves. The services aren’t sold directly by Microsoft but via 2.500+ specialized partners.
Microsoft has as well announced that this is just the beginning of their “Software and Services” strategy, thus other solutions will be added. Given that the pretty prominent URL www.microsoft.com/online (or www.microsoft.de/online or similar URLs) is used it becomes clear that this type of business shall provide a significant part of the future revenue stream of Microsoft.
Even with this business model which focuses on sharing revenues between Microsoft and the partners, there is still some potential conflict with partners. The price tag defined by Microsoft is sort of the upper border for Hosted Exchange and Hosted SharePoint Services. Thus, some of the existing hosting partners of Microsoft will have to change their price tags. Microsoft now is the one who controls the price tag. Partners might add services, for sure.
But many partners will have to rethink their business model. On one hand, participating in a constant revenue stream is interesting. On the other hand, the more parts of the environment are delivered from the cloud, the less project revenues will occur. That is a risk for partners.
From a Microsoft perspective, the model looks more interesting. Microsoft has the biggest network of resellers for cloud services in the market, Microsoft can compete with other cloud vendors and Microsoft adds a service-based revenue model to its existing license-based models.
It will be interesting to observe how that model affects the existing partnerships as well as the entire cloud market. Despite some scepticism I think that the chosen model is the best solution for the balancing act Microsoft has to do. And I’m as well convinced that it will allow Microsoft to take a significant share of that particular area of the cloud market. It might again prove that Microsoft is pretty well able to adapt to changes – like they have done multiple times before.
By the way: Don’t miss Cloud ‘09 and EIC 2009!
20.04.2009 by Martin Kuppinger
Today, Liberty Alliance will move to a new organization named Kantara. That is based on the analysis that security, privacy, and minimal disclosure of end users’ personal information are becoming more and more important. In this area, several initiatives are on their way. The idea of Kantara now is to build an umbrella organization for the entire identity industry and to streamline different initiatives. Liberty Alliance will become a part of that bigger effort.
The interesting question will be: Will Kantara become a big umbrella or a small one? There are several interesting initiatives within the Liberty Alliance today, but there are many initiatives outside of that. There are OASIS standardizations like SPML and SAML, there is the Information Card Foundation (ICF), there are many other activities on different levels up to industry specific standardizations.
Thus it might appear that Kantara becomes more sort of a Liberty Alliance relaunch – if they don’t succeed in integrating at least most of the other relevant initiatives. Let’s wait and see…
20.04.2009 by Martin Kuppinger
Today Oracle announced that they will acquire Sun. That isn’t a real surprise to me. When the potential acquisition of Sun by IBM was discussed some weeks ago, I was asked about my view on that. From my perspective that would have been mainly a market share deal. And when big market share deals are discussed, Larry Ellison isn’t far away. Thus I said at that point in time that Oracle might as well make a bid. The third company I had in mind was Cisco, but they have missed that opportunity (which would have improved their strategic positioning significantly).
Right now, Larry Ellison has made it again. And from his perspective, that makes sense. He acquires market share in the application infrastructure and IT infrastructure market, and he gains access to much more Java intellectual property. Despite some overlaps in the portfolio, Oracle benefits from that. They become the “Java company” and they have acquired several other interesting pieces of software. Regarding Solaris, the advantages aren’t that obvious. But at least Oracle has an own operating system right now which might become interesting for appliances and for other new types of solutions. The other way round, Solaris might benefit from other Oracle offerings as part of larger packages or enterprise license agreements – and given that Oracle right now is a hardware vendor as well, they might provide interesting bundles to their customers.
It is noteworthy that Oracle doesn’t talk much about the hardware business in the initial press release. But the sentence of “Oracle will be the only company that can engineer an integrated system – applications to disk – where all pieces fit together…” is an indicator of Oracle planning to keep the hardware business and not to sell it. And given the opportunities for selling larger projects, for the appliance market, and for future cloud offerings (based on own hardware), there is some potential in that combination.
Specifically for IAM and GRC, there are some overlaps. But there are also specific strengths in both portfolios, with for example the very fast Sun Directory Server - and with the installed base of Sun. Anyhow, customers will have to carefully analyze the combined roadmaps of both companies. There are overlaps and that might lead to scenarios where customers have to migrate at some point of time in the future.
14.04.2009 by Martin Kuppinger
Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But as in many other cases, there is first of all a vision, then a buzzword, then some basic technology – and then people start to think about things like reliability and security. The same is true with Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated.
That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. Salesforce.com is just one example, some of the online conferencing providers are as well in the market for years now. But only few of them support at least basic standards like SAML (Security Assertion Markup Language) for Identity Federation. And many still lack the support for such standards, not to talk about more advanced approaches like Information Cards or XACML.
Beyond the fact of missing support for existing standards, there is the issue of missing standards. There are virtually no standards for GRC, for example for auditing and alerting (and SNMP isn’t the solution for the cloud). Even XACML is more sort of a technical standard, which needs a lot of additional work to really support the authorization management issues in the cloud.
There are some additional offerings for example for Single Sign-On to the cloud, there are some identity providers for the very lightweight OpenID and even less for Information Cards, and there are few offerings for Identity Provisioning from the cloud, e.g. managed services for Identity Management. Some of the more interesting vendors in the market are, amongst others, companies like Fischer (Provisioning), Ping Identity (Federation), TriCipher (Authentication), Arcot Systems (Authentication), Multifactor Authentication (again Authentication), and Fun Communications (Information Cards). But the number of offerings is still relatively small.
On the other hand it is obvious that IAM and GRC will become a very fast growing segment of the IT market, for ISVs as well as for Identity Providers. And it will be as well an interesting opportunity for consultants supporting all the other providers in the cloud in enabling their applications for the IAM and GRC requirements of their customers.
To become successful as a provider in the cloud, the “externalization” of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can’t afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today.
The entire industry, i.e. cloud providers as well as customers and IAM/GRC vendors, has to work together on this. Feel free to send me your ideas and proposals on this – we’re currently preparing a launch of a standards initiative on some IAM/GRC issues and that might be the next one.
More on IAM and GRC for the Cloud at the European Identity Conference 2009 (Munich, May 5th to 8th).