28.10.2010 by Martin Kuppinger
When looking at all the discussions around the “cloud” I still miss some focus on the real essentials of a strategic (!) approach for using clouds. Clouds are, when looking at the currently common understanding of private, hybrid, and public clouds, in fact nothing else than IT environments which produce IT services. These services are provided at many different layers, like in the common (and pretty coarse-grained) segmentation into SaaS, PaaS, and IaaS. But: It is about the (efficient, scalable,…) production of standardized, reusable services.
Cloud Computing is about using these services. It is about procurement, management, orchestration, accounting, and so on. In other words: Cloud Computing is mainly about service management, in a standardized way. In a perfect world, all services of all products (internal and external) would be managed consistently. There could be one consistent accounting, ending up with something like an ERP for IT. However, the service management aspect of Cloud Computing appears not to be in the centre of most discussions around Cloud Computing. Many discussions are just about tactical comparisons and views of parts of Cloud Computing. Many discussions are around security. But about service management, the really strategic thing? The part which will fundamentally change the way we are doing IT?
For sure there is a lot of discussion around service management today. ITIL is a good example. However, that covers just a part of IT. We have to look at it from the highest layer (business and its requirements, described as real business services like “managing contracts of type … in compliance with regulations and…”) down to granular web services used in SOA architectures. Services are sort of everywhere. And the future of IT is about having two layers:
- Service production (In the Clouds)
- Service consumption (Cloud Computing)
That requires fundamental changes in IT organizations. The core competency is to become best in class in mapping business requirements to the required services, i.e. in doing the “cloud computing” part right. For the “production” part of IT, it is about becoming best in class in providing efficient services. But typical IT organizations will be split into two parts: Consumption/Orchestration/Management and so on – and production in the private cloud environment. Enabling this shift is the key issue for any organization today.
You might now argue “what about security?”. Pretty easy: Security is a part of this. Every service has a functional part and a “governance” part: Where is the service allowed to run due to compliance? What about encryption of transport and data? Who is allowed to access the service (or parts of it)? And so on… In other words: When you’ve solved the service management piece, you’ve automatically solved at least a large portion of the security piece. You might argue that there are some infrastructural aspects not covered by this (how to enforce what you need for service governance). But that could be understood as well as part of your service environment.
A lot of aspects around Clouds, Cloud Computing, Cloud and Services, Cloud Security and so on will be discussed at EIC 2011/Cloud 2011 in Munich, May 10th to 13th.
14.10.2010 by Martin Kuppinger
I’m somewhat reluctant regarding biometrics. There are some good reasons that biometrics are still a niche approach: The need for specialized hardware, the aversion of users to some biometric approaches like fingerprints, the discussion about potential security weaknesses for example around fingerprints, the intrusiveness to the user experience, and more…
However, there is one approach I find interesting: Keystroke Biometrics. The German vendor Psylock provides several solutions based on what they call keystroke biometrics. The user has to train the system a little. I had to enter 11 sentences, which took me less than 2 minutes. OK, I’m typing pretty fast, but it probably never will take more than 3-4 minutes to train the system. To authenticate, a sentence has to be entered. The system analyzes the way a user types in the sentence and compares it to the stored values. I’ve tried to change my way of typing a little (slower, with breaks,…) – and wasn’t identified. When I typed as usual, I was always identified successfully.
For sure there will be some more false negatives/false positives depending on the configuration. But overall, it is a simple approach. It is based on the rhythm of typing which appears to be unique. And: You don’t need special hardware, because every user has a keyboard. At least if you don’t use an iPad or another tablet. And even there you might use that technology because you can type with your fingers on the screen. However, that would mean having two identities – for the tablet and for a system with a real keyboard.
From my perspective, this approach is interesting to either add another factor to authentication or to use it for password resets instead of questions and other approaches. It is simple to use and to implement. From my perspective it is one of the most appealing approaches in biometrics, because it is easy to use, requires no additional hardware, and it is intuitive.
06.10.2010 by Martin Kuppinger
Oracle has announced that they are acquiring Passlogix. That is no real surprise to me. Oracle has been the last large OEM partner of Passlogix for their E-SSO (Enterprise Single Sign-On) solution. Others like IBM had decided on their own solutions in the past. Passlogix had some success in direct sales, but being a niche vendor they probably had to decide between an exit strategy or significant investments to expand their own portfolio.
From an Oracle perspective, the acquisition definitely makes sense. Oracle mentions “tighter integration” as the opportunity behind that deal. And that exactly is what the deal is about. E-SSO currently is in a transition phase, from a very focused and specialized solution towards an integrated element within authentication and authorization concepts. Versatility, i.e. the capability to flexibly support different authentication methods in sort of a plug-and-play approach, combined with step-up authentication and other concepts, is just one example of new trends in the SSO market. Integrating E-SSO and Web Access Management as well as Identity Federation is another. And the potential of bringing together Oracle’s Adaptive Authentication Manager, i.e. risk-/context-based authentication, with E-SSO (e.g. E-SSO based on risk and context) is obvious as well.
With the acquisition, Oracle opens the door for new, integrated approaches beyond classical, pure-play SSO. That fits into what IBM has done when acquiring E-SSO technology or Novell with buying a source code license from ActivIdentity – all players want to better integrate E-SSO with other solutions and all want to have the flexibility in their product strategy they never can have with an OEM product. What can be done with integrated approaches has been demonstrated by Evidian for quite a while – one consolidated access management.
Thus it will be interesting to observe where Oracle starts to deliver on the idea of integrating E-SSO with other technologies. Even while I overall rate integrating E-SSO positively, there is one aspect which should be kept in mind: A strength of the pure-play E-SSO solutions is that they aren’t intrusive with respect to the existing IT infrastructure. Thus they are very easy to deploy and provide a quick win potential. This advantage shouldn’t be given away.
06.10.2010 by Martin Kuppinger
These days I’ve talked with Red Hat about their Cloud strategy. It was an interesting and, in some areas, somewhat surprising conversation. It is not that surprising that Red Hat doesn’t focus on becoming an IaaS (Infrastructure as a Service) provider themselves, i.e. directly competing with Amazon EC2, Microsoft Azure and other environments isn’t on their agenda at this point in time. Red Hat focuses on providing the technology some of these providers (not Microsoft, for sure) require – but not mainly the very big ones, but all the others like Telcos, large MSPs (Managed Service Providers), and so on.
One of the Red Hat claims is that they provide a pretty complete stack, beyond IaaS up to the PaaS (Platform as a Service) level, based on JBoss. Thus, they offer everything from virtualization up to the application infrastructure as a complete, integrated solution. In addition, Red Hat focuses on providing management tools for this complete stack to enable providers to easily create and manage their environments.
However, even that isn’t a big surprise. Red Hat is well positioned in that area, but others are trying to do the same. VMware and the VMforce platform is just one example, Microsoft Azure is another one. The really interesting point, from my position, has been the clear commitment of Red Hat to support different hypervisors, beyond their KVM. That includes VMware ESX as well as Microsoft Hyper-V. Red Hat (correctly) states that the reality of virtualization at MSPs as well as in end-user organizations is heterogeneous – and might become even more heterogeneous, with KVM (or Microsoft) expanding their market shares. Thus an offering has to support different hypervisors – I couldn’t agree more. Red Hat even states that application infrastructures like .NET have to be supported. True as well.
With this approach, Red Hat provides an interesting approach not only to MSPs but as well to end-user organizations which are migrating their data centers to “private clouds”. Supporting heterogeneous environments, beyond the virtualization, is mandatory there. Red Hat at least has a valid strategy there. They have to do some homework around the management capabilities, moving forward to higher-level service management – but that’s the case for all other vendors in that space as well. Overall, it looks like Red Hat has really understood business – it is not about good or bad, it is about supporting the real world infrastructures of customers, which are heterogeneous.