24.11.2010 by Martin Kuppinger
These days I talked with one vendor about his news around capacity management. Capacity management is used as a term to describe products which are used for optimizing workloads in data centers and to make the best use of the resources within these data centers. Honestly, I didn’t do a deep dive into that specific area before, and maybe I’m green on advanced IT topics – but when vendors are promising capacity management, I’d expect that to be somewhat active. However, I’ve learned that it’s about reporting and analytics – even in association with terms like dynamic, continuous, proactive or whatever. I’ve checked several other offerings in the meantime and it appears to be common understanding amongst these vendors that management ends with some nice reports in the space of capacity management.
I would have used the terms capacity reporting or capacity analytics instead, but I know that vendor marketing tends to “beautify” their stories a little.
So what are my expectations on capacity management? The issue is obvious – it is complex to manage the workloads in the increasingly virtualized and complex data centers. And it is becoming even more complex when we have different “clouds”, private and public, where we might put these workloads. Thus we need to support that we can optimize this – a dynamic or continuous capacity management is key. However, I’d at least expect to have a little more than just the information that there is something to be optimized. To achieve a fully automated management for sure will be a long journey, requiring a strong and valid policy model to ensure that nothing goes wrong. It will also require a tight integration with Business Service Management to ensure that the specifics of business processes like high workloads at the end of the month/year are met. It will even require that financial aspects (costs of internal and external cloud resources) and governance aspects (which data and workloads are allowed to be placed where due to governance/compliance/security constraints?) are met. In the meantime, automatically created “jobs” for the virtualization, server, and application management tools to easily make the proposed changes reality would be a first step.
I’m looking forward to seeing when capacity management becomes reality. There is definitely a value in today’s solutions. But the value could be significantly bigger than it is.
20.04.2009 by Martin Kuppinger
Today Oracle announced that they will acquire Sun. That isn’t a real surprise to me. When the potential acquisition of Sun by IBM has been discussed some weeks ago, I’ve been asked about my view on that. From my perspective that would have been mainly a market share deal. And when big market share deals are discussed, Larry Ellison isn’t far away. Thus I’ve said at that point of time that Oracle might as well make a bid. The third company I had in mind was Cisco, but they have missed that opportunity (which would have improved their strategic positioning significantly).
Right now, Larry Ellison has made it again. And from his perspective, that makes sense. He acquires market share in the application infrastructure and IT infrastructure market, and he gains access to much more Java intellectual property. Despite some overlaps in the portfolio, Oracle benefits from that. They become the “Java company” and they have acquired several other interesting pieces of software. Regarding Solaris, the advantages aren’t that obvious. But at least Oracle has its own operating system right now which might become interesting for appliances and for other new types of solutions. The other way round, Solaris might benefit from other Oracle offerings as part of larger packages or enterprise license agreements – and given that Oracle right now is a hardware vendor as well, they might provide interesting bundles to their customers.
It is noteworthy that Oracle doesn’t talk much about the hardware business in the initial press release. But the sentence of “Oracle will be the only company that can engineer an integrated system – applications to disk – where all pieces fit together…” is an indicator of Oracle planning to keep the hardware business and not to sell it. And given the opportunities for selling larger projects, for the appliance market, and for future cloud offerings (based on its own hardware), there is some potential in that combination.
Specifically for IAM and GRC, there are some overlaps. But there are also specific strengths in both portfolios, with for example the very fast Sun Directory Server - and with the installed base of Sun. Anyhow, customers will have to carefully analyze the combined roadmaps of both companies. There are overlaps and that might lead to scenarios where customers have to migrate at some point of time in the future.
15.12.2008 by Martin Kuppinger
GRC (Governance, Risk Management, Compliance) is frequently reduced to IAM (Identity and Access Management) or, in best case, to a more business-centric layer on top of IAM infrastructures. In our research and publications around GRC we’ve pointed out that GRC platforms will have to go well beyond IAM – SIEM, BSM (with aspects like business continuity), and other areas will have to be covered.
If you ask the question the other way round, that becomes more obvious: What are the controls that business requires from IT?
That question is, from my perspective, the core question for the selection as well as the conception of any GRC platform. There are GRC aspects outside of IT but even these have to be managed in a consistent way, thus such a platform has to support them. Within these controls, risk controls are amongst the most important ones. I’ve recently blogged about the need for an integrated Risk Management. Risk controls cover many aspects, including the fulfillment of compliance regulations and business continuity.
The breadth of a GRC platform becomes visible if you take (still IT-driven) for example ISO 27001. ISO 27001 includes a huge number of controls, with many which are neither IAM-related nor can any IT system automatically provide the status information. Even more, to provide the current status for these controls, many different IT systems have to deliver – IAM, SIEM, and many more. GRC platforms will have to support any type of control. They will have to support the ability to report manually as well as automated. And they will have to support interfaces to many lower-level systems.
The controls, on the other hand, will have to be multi-layered, supporting at least a business view (“Are the core security requirements met?”) as well as an IT view (“Are we in compliance with all the controls described in ISO 27001?”). The business layer is sort of an abstraction of the IT view.
There are several lessons we should learn about GRC platforms:
- We should understand them as the overall interface for business control (thus being bi-directional) of IT
- We should position them in that way, looking at them from the business perspective and the questions business likes to get answered
- We should understand that this includes many different technologies, well beyond IAM (but with IAM and the “access control” part of it being highly important)
- We should work on standards which support the interaction with existing and new IT systems
It is still a long way from today’s different approaches in the field of GRC to such GRC platforms. But the outline for the future of these platforms is set – and it will be filled more and more. By the way: When we add the accounting capabilities to this picture, we end up with the “ERP for IT”…
16.10.2008 by Martin Kuppinger
Yesterday one of the vendors (not Novell), who was a little late in an analyst briefing call, said that he had to talk before to a journalist. He mentioned that this journalist was somewhat surprised by the large number of announcements in the Identity Management and GRC industry in these days. Novell is one of the vendors who should feel guilty – they are very active in providing news these days.
One of the recent announcements is about Novell’s Compliance Management Platform. The better term probably would have been GRC Management Platform because Novell doesn’t end with Compliance but focuses as well on other, more Governance- and Risk Management-related aspects. But at least they have understood that customers require a platform, not point solutions to address the GRC requirements (which, by the way, never ever have been more relevant than in these days).
Novell starts with a bundle that consists of several existing products like Novell Identity Manager, Novell Access Manager, and Novell Sentinel, their SIEM and auditing solution. But it goes beyond this, providing as well additional tools which provide best practices from Novell’s implementation projects and thus will support in implementation.
I assume that Novell will work on the integration, the current solution being just a starting point. At least the announcement proves that Novell has understood some important things: GRC is extremely relevant – and it requires platform approaches, not singular solutions.
The second announcement made by Novell is their acquisition of Managed Objects. That is particularly interesting to me because I have been watching Managed Objects for quite a while, as one of the really innovative vendors in the Service Management market. Managed Objects provides analysis, dashboard, and management functionalities to Novell’s systems management solutions. In other words: Novell is moving forward from a technical approach to a better support for IT management.
That is, by the way, common to both announcements: Novell is moving forward from being a very technical vendor to one that understands and supports the requirements of the IT management – with IT/Business alignment being at the centre.
It will take some time for Novell to go that path. But the recent announcements are at least interesting signals for a fundamental, but still evolutionary change at Novell.
06.08.2008 by Martin Kuppinger
My colleague Felix Gaehtgens recently has blogged about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with the blog of Tom Bishop which was published some weeks later and appears to be some indirect response to Felix.
It is obvious that many BMC customers are insecure about BMC’s strategy for IAM. There have been several changes, as well in BMC’s organization as in the way BMC is addressing this market. BMC has moved the development of the IAM functionality to India, where they are developing as well other major parts of their products. Some people from the IAM team – as well from the product as the sales/marketing side – in North America and EMEA have left BMC, including Jeff Bohren, one of the guys behind SPML. Even while BMC states that there are more people involved in IAM activities than before, there are still some open questions left.
13.06.2008 by Martin Kuppinger
These days I’ve read some entries in the Beteo blog, a blog provided by a Swiss software and consulting company which is somewhere in between SOA and BSM – or BTO, the term they tend to use due to some affinity to HP. The interesting thing is that Beteo not only claims but proves that Service Management principles and tools which are commonly used more in the IT Infrastructure Management can be applied to the field of Software Change Management as well. Beteo, a company I’ve been in contact with since they were founded (and I have been in contact even with their predecessor), uses this concept with success especially in SAP environments.
That leads to the obvious conclusion: There should be a much more common service understanding. There should be one BSM approach on the upper layer. BSM, as real business service management, should really address the business aspects like
- Defining services from a business point of view – like “manage a contract” including storage, access rights,…
- Mapping these business services to IT services
- Manage these services from a business perspective, e.g. accounting, controlling (do we need these services really?),…
The next layer is IT services, e.g. the more technical services IT provides to deliver a business service. These services can be managed with ITIL principles and – at least to some degree – with today’s so-called BSM tools.
Whether the mapping of IT services to the IT implementations of business processes is part of the IT service layer or the business service layer is a matter of definition. I tend to place the description of business process at the business service layer and the implementation of business processes in IT – and thus, the relationship of these processes with IT services – at the IT services layer.
Anyhow, there is a layer below for the different types of IT services. Today, BSM focuses mainly on IT infrastructure services and provides mainly an ITISM (IT Infrastructure Service Management) – and not an ITSM (IT Service Management) or a real BSM (Business Service Management).
Besides the IT Infrastructure Services we have IT Application Services. These services tend to be more granular, down to web services and so on.
But regardless of the service you talk about: Each service can be managed with the same principles – and ITIL (and ISO 20000) is a good point to start if you focus on the principles for managing services. You can define, implement, run, optimize any type of service. Whether you look on high level business services or on low level application services, the way you should handle services is, from a conceptual view, the same. The business aspects like service accounting and controlling can be applied as well on every level.
Given that, a unified view on services and their management would bring a lot of benefits to IT – the reuse of management software, improvements in that software when the experiences of infrastructure and software change management are combined and influence the tools, the capability for an overall auditing and accounting of services, a consistent authorization management for services, their management and their use.
But that would mean that the siloes at the vendor side (where software management is in most cases another division than infrastructure management) disappear as well as the siloes in today’s IT organizations are opened for more cooperation.
12.12.2007 by Martin Kuppinger
One of the IT market segments I’ve been observing for quite a long time is the System lifecycle management market, including software distribution, OS installation, inventory, patch management and some other technologies. There are few segments which are that crowded. If I count the vendors/brands which compete in the central European region I end up with something around 20 at least. Given this number of competitors it is obvious that not all of them will survive. There will be the big ones to survive – and there will be the smart ones.