31.01.2010 by Martin Kuppinger
In Germany, there is these days (again) a discussion about whether the German state should buy data about tax fraud. Someone in Switzerland is offering illegally obtained data about German citizens who have moved undeclared earnings to bank accounts in Switzerland without paying taxes on them. Some months ago, Germany bought such data about bank accounts in Liechtenstein in order to identify and penalize tax fraud.
That leads to some highly interesting questions, and there is a political debate about whether to do it or not. It is obviously illegal to buy stolen goods knowing that they have been stolen, and data is certainly among such goods. It is highly questionable whether prosecutions based on such data are legal. I doubt it, and I'd expect the German Federal Constitutional Court to take this up once the first lawsuits about it are brought before it. Thus it might end up with penalties for this tax fraud not being permissible, because they are based on invalid evidence, or on evidence derived from invalid evidence: the data only provides a list of accounts as a foundation for follow-up queries, with which the prosecutors request the account details from the Swiss banks. It might also turn out that several of these accounts aren't about fraud at all, and that such mass queries based on too little evidence are illegal as well. And buying stolen goods (in case you know, or have to assume, that they were stolen) is a punishable offence. Thus the people deciding to do this are definitely acting against the law and might be penalized themselves. That will be up to the courts to decide.
28.01.2010 by Martin Kuppinger
There is constant pressure not only on IT but on all areas of organizations to reduce costs. However, that frequently ends up in higher risks and potentially higher costs caused by these risks. The problem is: most organizations, especially controlling and management, think much more about cost than about risk. But cost savings (which are not negative per se) without a risk view are a risk themselves – somewhat of a tautology, I know…
That is why risk management should be a standard and central element of management, for the business as well as for IT.
25.01.2010 by Martin Kuppinger
Last week there was the news that the Federal Employment Office of Germany will demand the return of excessive payments from potentially more than a million so-called "Hartz 4" recipients. What appears to be of political and social relevance is interesting for IT as well, because it is about the negative impact of archaic software architecture.
Let's start with the background. Hartz 4 stands for both social welfare aid and unemployment aid, named after Peter Hartz, a former Volkswagen board member and advisor to the German government on how to change and optimize these aids and insurances. There is a significant number of Hartz 4 recipients, many of them families or single parents. Starting January 1st, 2010, the child allowance was increased by 20 € per child and month. However, child allowance is charged against Hartz 4, thus Hartz 4 recipients with children shouldn't benefit from that increase – not that social, isn't it?
Now the problem: many recipients have received the 20 € increase (or x times 20 €, depending on the number of children) anyway, and now that shall be reclaimed. The Federal Employment Office explained this with the short period of time between the decision on the increase of the child allowance and its due date. However, there were some weeks in between. Regardless of whether the money will be reclaimed or not (there are interesting legal discussions about that), this, together with the other explanations given, clearly shows that there is an IT issue behind it.
That issue is software in which such a change was obviously too complex to perform in time, in a planned, structured manner. Looking at topics like "Software Architecture", "GRC", and "Externalization of Security", that is pretty interesting, especially from the GRC view on software architecture. Obviously, a change of a business policy couldn't be transferred to the software in time. That is a typical GRC issue: business policies which lead to a complex change process in IT, because code has to be adapted to these changes. That leads to issues like time-to-market or, as in this case, has a significant social impact. From a GRC perspective, that is a governance issue IT management has to deal with. It is also a software architecture issue, because such problems occur only due to a non-policy-aware software architecture and due to hard-coding things which shouldn't be hard-coded: the amount of a benefit and how another benefit is charged against it are business policy, not code. Think about policy-controlled software with defined request/approval workflows for such fundamental changes, where a policy change is a new policy version that takes effect on its due date once it has been approved. That isn't hard to architect; it should just be good practice. It would lead to applications which are acceptable from a GRC point of view (with GRC being much more than security…). It would be secure. And most presumably such software would rely on policies, and thus on externalization, for security as well, especially for access controls.
There is little reason to assume that the Federal Employment Office has software in place that meets these fundamentals of good software architecture. The really bad thing, besides all the unnecessary costs associated with such archaic software, is the negative social impact.
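To make the architectural point concrete, here is an added example (my own illustration, not the Federal Employment Office's software; all rates, dates, user names and roles are constructed) of a benefit calculation with the rates hard-coded, beside one that reads them from a versioned policy store with effective dates and an approval step that is itself an externalized access-control decision:

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RuleVersion:
    """One version of an externalized business rule: parameters, the date it takes
    effect, and who approved it (None = proposed, not yet in force)."""
    effective_from: date
    params: Dict[str, float]
    approved_by: Optional[str] = None


class PolicyStore:
    """Versioned rule repository. A rate change is a new RuleVersion plus an
    approval, not a code change and a release. Who may approve is itself an
    externalized access-control decision the calculation code never sees."""

    def __init__(self, roles: Dict[str, str]) -> None:
        self._versions: Dict[str, List[RuleVersion]] = {}
        self._roles = roles  # user -> role; constructed stand-in for an IAM lookup

    def propose(self, rule: str, version: RuleVersion) -> None:
        self._versions.setdefault(rule, []).append(version)

    def approve(self, rule: str, effective_from: date, user: str) -> None:
        if self._roles.get(user) != "policy_officer":
            raise PermissionError(f"{user} may not approve policy changes")
        versions = self._versions[rule]
        for i, v in enumerate(versions):
            if v.effective_from == effective_from and v.approved_by is None:
                versions[i] = replace(v, approved_by=user)  # frozen: new instance
                return
        raise LookupError(f"no pending version of {rule} effective {effective_from}")

    def active(self, rule: str, on: date) -> RuleVersion:
        """Latest approved version in force on `on`. Unapproved versions are
        invisible, so a half-finished change cannot leak into a payment run."""
        approved = [v for v in self._versions.get(rule, [])
                    if v.approved_by is not None and v.effective_from <= on]
        if not approved:
            raise LookupError(f"no approved version of {rule} in force on {on}")
        return max(approved, key=lambda v: v.effective_from)


def net_benefit_hardcoded(base: float, children: int) -> float:
    """The 'before': rates baked into code, so each change is a release."""
    child_rate = 250.0       # constructed value, not a real rate
    child_allowance = 150.0  # constructed; the allowance charged against the benefit
    return base + children * (child_rate - child_allowance)


def net_benefit(store: PolicyStore, base: float, children: int,
                pay_date: date) -> Tuple[float, date]:
    """The 'after': rates looked up for the payment date. Also returns the effective
    date of the allowance version used, so every payment is traceable to its rule."""
    child_rate = store.active("child_rate", pay_date).params["amount"]
    allowance = store.active("child_allowance", pay_date)
    return base + children * (child_rate - allowance.params["amount"]), allowance.effective_from


def build_store() -> PolicyStore:
    """Constructed scenario: allowance +20 per child decided for 1 Jan 2010."""
    store = PolicyStore(roles={"alice": "policy_officer", "bob": "clerk"})
    store.propose("child_rate", RuleVersion(date(2009, 1, 1), {"amount": 250.0}, "alice"))
    store.propose("child_allowance", RuleVersion(date(2009, 1, 1), {"amount": 150.0}, "alice"))
    store.propose("child_allowance", RuleVersion(date(2010, 1, 1), {"amount": 170.0}))  # pending
    return store


def run_scenario() -> Dict[str, object]:
    """Walks through the change for a household with base 359 and two children."""
    store, out = build_store(), {}
    out["dec_2009"] = net_benefit(store, 359.0, 2, date(2009, 12, 1))
    out["jan_2010_unapproved"] = net_benefit(store, 359.0, 2, date(2010, 1, 1))
    try:
        store.approve("child_allowance", date(2010, 1, 1), "bob")
        out["clerk_could_approve"] = True
    except PermissionError:
        out["clerk_could_approve"] = False
    store.approve("child_allowance", date(2010, 1, 1), "alice")
    out["jan_2010_approved"] = net_benefit(store, 359.0, 2, date(2010, 1, 1))
    return out
```

With the hard-coded version, the only way to apply the increase on time is a code change that has to be built, tested and rolled out before the due date. With the policy store, the business side proposes the new version together with its due date, an entitled approver signs it off, and the calculation picks it up on the day it takes effect; until the approval, the January payment visibly still carries the 2009 version's effective date, which is exactly the trace one would want when such payments have to be reclaimed later.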
13.01.2010 by Martin Kuppinger
For some of you, the acquisition of Burton by Gartner might have been the deal of the year. I (for sure, acting in the same market) will not comment on this. But for me, it hasn't been the deal of the year, even in these first two weeks of it. Much more important is the acquisition of Archer by RSA. RSA Security, an EMC subsidiary for several years now, has bought one of the leading GRC vendors. In fact it was EMC which acquired Archer, but within EMC it sits with RSA Security.
Archer is one of the major players in the Enterprise GRC market – I recently discussed the various segments of the GRC market. With the acquisition of Archer, RSA – until now a provider of very specialized components in the SIEM, DLP, and other security-related markets – tries to close the gap between the high-level view of Archer (being mainly an Enterprise GRC provider with some level of CCM) and the detailed, system-level information its own tools deliver. That definitely makes sense. And it fits well into EMC's and RSA's strategy for cloud security. Thus, by integrating the tools of RSA (and other EMC companies), which provide information for automated controls, with the high-level view of Archer, its drill-down features, its manual control capabilities and its overall policy and control management, EMC (with RSA and Archer) might well be able to make a big step forward towards an integrated GRC offering.
However, this shouldn't be limited to security-related IT controls but should cover all types of IT controls, including service management, access governance, and others. Standards like COBIT show how many different controls are relevant. And, from the high-level perspective (the Archer view), it should even go beyond IT controls and IT GRC. Thus the acquisition of Archer shouldn't be understood as the final step but as the first one. Integrating what EMC and partners are offering is the logical next step – but to fully deliver on the idea of an integrated GRC, EMC might have to add some other technologies (like access governance and, especially with focus on the cloud, service management).
Anyhow: The acquisition makes sense, no doubt about that. And I’m convinced that it hasn’t been the last one in the GRC market for this year.
22.12.2009 by Martin Kuppinger
I've blogged several times about PAM (Privileged Account/Access Management) in the last few months, stating that I expect more integration of PAM with existing IAM applications (here, here, here, and here). Now IBM is moving forward on this with its PIM offering. It's interesting to observe what IBM is doing these days. There hadn't been much news from IBM for a pretty long time. But this year IBM has increased its speed significantly. The release of TIM 5.1 with many significant improvements, its approaches around risk and compliance with tight integration into TIM as well as other IBM products, and some other news prove that IBM is back on track and should be rated amongst the leading vendors in the broader IAM space again – with some interesting visions and strategies, becoming a trendsetter in some areas.
Amongst them is its PIM approach. IBM isn't new to that market. Its TAMOS (Tivoli Access Manager for Operating Systems) product has been out for many years. But right now, IBM is building a solution which is tightly integrated with TIM and TAM E-SSO (Tivoli Access Manager Enterprise Single Sign-On). Shared IDs can be provisioned by TIM, and TIM also manages pools of shared IDs. TAM E-SSO checks shared IDs out of and back into these pools when accessing applications, which means that each use of a shared ID can be tied to the person who checked it out. Thus IBM drives the tight integration of provisioning, E-SSO, and PAM, which definitely makes sense. However, the integration is currently within the IBM world of IAM apps, not beyond. Anyhow, this is an interesting approach, and IBM is currently leading this trend.
The solution is currently delivered as an IBM Global Strategic Solution, i.e. by IBM Global Services to selected customers, thus at a first stage on the way to general availability. But for existing IBM customers (TIM, TAM E-SSO) it is definitely worth talking with IBM about it.
An interesting question in this context is whether this will affect the overall PAM market. First of all, it confirms what I've described earlier in my blog: there will be a convergence of PAM with provisioning and other IAM solutions. And with more vendors providing such integrations (some already provide some integration or are working on it), customers are likely to pick the "integrated PAM". However, there is no doubt that at this point in time the PAM specialists in most cases have more feature-rich offerings, which might complement even these integrated PAM approaches, or replace them in case specific features are required. Thus there will be a "stand-alone" PAM market for the foreseeable future. On the other hand, I expect more acquisitions of PAM specialists to happen, given that the larger vendors might want to speed up the development of their integrated PAM offerings by acquiring a product and integrating it. Another point to mention: IBM's approach shows that PAM is moving out of a niche towards a mainstream IAM market segment.
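The mechanism described above, a pool of shared IDs that an SSO component checks out and back in, is worth seeing in code. The following is an added illustration of my own, not IBM's code (TIM and TAM E-SSO internals are not shown, and the entitlement check is reduced to a flag); target, account and user names and all timestamps are constructed. The invariants it enforces are the ones that make shared IDs acceptable from an audit point of view: one holder per shared ID at a time, time-limited leases, and a record from which any activity on the shared account can be attributed to a person:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Lease:
    """Exclusive, time-limited assignment of one shared ID to one named person."""
    shared_id: str
    user: str
    issued: datetime
    expires: datetime
    ended: Optional[datetime] = None  # set on check-in or expiry

    def covers(self, at: datetime) -> bool:
        end = self.ended if self.ended is not None else self.expires
        return self.issued <= at < end


class SharedIdPool:
    """Pool of shared accounts for one target. A shared ID is held by at most one
    person at a time, and every hand-over is recorded, so activity on the shared
    ID can be traced back to the person who held it."""

    def __init__(self, target: str, accounts: List[str],
                 ttl: timedelta = timedelta(minutes=30)) -> None:
        self.target, self.accounts, self.ttl = target, list(accounts), ttl
        self._active: Dict[str, Lease] = {}  # shared_id -> current lease
        self.history: List[Lease] = []
        self.audit: List[str] = []

    def checkout(self, user: str, entitled: bool, now: datetime) -> Lease:
        """Hand a free shared ID to `user`. `entitled` stands in for the
        provisioning system's entitlement check (a plain flag in this example)."""
        if not entitled:
            self._log(now, f"DENY {user} on {self.target}")
            raise PermissionError(f"{user} is not entitled to shared IDs on {self.target}")
        self._expire(now)
        for lease in self._active.values():
            if lease.user == user:
                return lease  # one lease per person per pool
        free = [a for a in self.accounts if a not in self._active]
        if not free:
            raise RuntimeError(f"no free shared ID on {self.target}")
        lease = Lease(free[0], user, now, now + self.ttl)
        self._active[lease.shared_id] = lease
        self.history.append(lease)
        self._log(now, f"CHECKOUT {lease.shared_id} -> {user}")
        return lease

    def checkin(self, lease: Lease, now: datetime) -> None:
        if self._active.get(lease.shared_id) is not lease:
            raise ValueError("lease is not the current holder of that shared ID")
        lease.ended = now
        del self._active[lease.shared_id]
        self._log(now, f"CHECKIN {lease.shared_id} <- {lease.user}")
        # A real vault would rotate the shared ID's password here, so that a
        # credential the previous holder may have seen is worthless afterwards.

    def attribution(self, shared_id: str, at: datetime) -> Optional[str]:
        """Who held `shared_id` at time `at`? The audit question behind PAM."""
        for lease in self.history:
            if lease.shared_id == shared_id and lease.covers(at):
                return lease.user
        return None

    def _expire(self, now: datetime) -> None:
        for sid, lease in list(self._active.items()):
            if lease.expires <= now:
                lease.ended = lease.expires
                del self._active[sid]
                self._log(now, f"EXPIRE {sid} <- {lease.user}")

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {event}")


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: two shared IDs, four people, one expiry."""
    t0 = datetime(2009, 12, 22, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    pool = SharedIdPool("erp-prod", ["svc_erp_1", "svc_erp_2"])
    out: Dict[str, object] = {}
    try:
        pool.checkout("eve", False, m(0))
        out["unentitled_got_id"] = True
    except PermissionError:
        out["unentitled_got_id"] = False
    l1, l2 = pool.checkout("martin", True, m(0)), pool.checkout("anna", True, m(1))
    out["first_two"] = (l1.shared_id, l2.shared_id)
    out["same_lease_on_repeat"] = pool.checkout("martin", True, m(2)) is l1
    try:
        pool.checkout("carl", True, m(3))
        out["third_got_id"] = True
    except RuntimeError:
        out["third_got_id"] = False
    pool.checkin(l1, m(10))
    out["reissued"] = pool.checkout("carl", True, m(11)).shared_id
    out["who_at_5"] = pool.attribution("svc_erp_1", m(5))
    out["who_between"] = pool.attribution("svc_erp_1", m(10) + timedelta(seconds=30))
    out["who_at_12"] = pool.attribution("svc_erp_1", m(12))
    out["after_expiry"] = pool.checkout("dave", True, m(60)).shared_id  # both leases expired
    out["audit"] = list(pool.audit)
    return out
```

The two things an integrated PAM has to get right are visible here: the entitlement decision comes from outside the pool (in IBM's case from provisioning), and the pool never answers "who was svc_erp_1" with a guess, only with the lease that covered the time in question, or with nothing. Without lease expiry, a forgotten check-out would block a shared ID forever and, worse, silently attribute later activity to the wrong person.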
For now, it is left to me to wish you all a MERRY CHRISTMAS and a HAPPY NEW YEAR!
And don’t miss EIC 2010 and Cloud 2010 next year! Hope to see you there and to discuss some of my thoughts with you in person.
09.12.2009 by Martin Kuppinger
A few weeks ago, the "Simple Cloud API" was announced. The company behind it is Zend Technologies, which calls itself "The PHP Company". More important is the fact that Microsoft and IBM are amongst the supporters of the Simple Cloud API. That means that there is significant momentum behind this approach from the very beginning.
One could argue that this is just another standard or API besides the many approaches we've seen recently. However, the Simple Cloud API is somewhat unique for some reasons:
- It is focused on PHP. You may like PHP or not, but it is an important language for web development.
- It is currently focused on the infrastructure layer, with (at the beginning) support for file services, document services, and simple queueing. That might change over time, but it complements the mainly management-oriented standard approaches which dominate the emerging cloud standards.
- It is usable. It is not an XML-based protocol but really an API which interfaces with existing services, ready to use from the beginning. However, it is under development, so some things might change.
The approach of the Simple Cloud API is simple: a PHP API and adapters to existing services, including those of Amazon EC2 and Windows Azure. Application code is written against the common API, and the adapter translates to the provider-specific service, so switching providers doesn't require rewriting the application.
Thus the Simple Cloud API is not only simple but close to ready-to-use (close to, because it still is under development). But it is definitely worth a look.
02.12.2009 by Martin Kuppinger
I had several interesting discussions with some vendors about the future of some market segments in the IAM market. And when I look at these markets (and many other IT markets, including the emerging cloud market), one thing becomes obvious: established vendors tend to act as sort of lemmings. What do I mean by that? There is an idea that appears to be successful for one vendor. Then other vendors tend to follow without really analyzing whether this is really the best approach. They frequently claim that their customers are requesting that type of solution. But their customers are frequently just looking at the different solutions which are available at that point and picking the features which are available. Once they have the tool in production, they might ask for additional features. But customers don't tend to invent the products they might need for being successful in the next years.
This customer focus (most product management is focused on customers only, with some competitive analysis) is important – no doubt about that. But there are some threats:
- It is hard to create a USP when being sort of a follower to the market. OK – larger vendors might rely on their sales strength, but that doesn't always work.
- Building products and product architectures for what is common might lead into dead ends. Changing that, either by acquisitions and their integration or by re-architecting products, is expensive.
Overall I strongly recommend that vendors add the look beyond the current state and the obvious next steps. Some of the more innovative features might require significant changes to the product, thus development has to start early. Besides: adding this view to your roadmap neither hinders you in developing mainly for the features which are requested today by customers, nor is it really expensive – a few days of workshops with thought leaders and the creative people within the vendor will probably lead to a big step forward.
But until now, there are more lemmings than other species. Or, to use another comparison from a management book I read years ago ("Dolphin strategies", I can't remember the author – sorry): there are more sharks than dolphins. The author divided business people into three categories:
- Sharks: aggressive, trying to make their own way with elbows out.
- Carps: doing their job at the minimum level, nothing else.
- Dolphins: jumping out of the water, trying to discover new horizons (and, by the way, very willing to kill other people's holy cows – I liked that…).
And dolphins are what is needed to discover new horizons, with some carps making things real and the sharks selling it. But lemmings seem to avoid dolphins, for some reason.
26.11.2009 by Martin Kuppinger
German vendor Beta Systems, one of the well-established vendors in the core IAM market, i.e. provisioning (notably, they provide other solutions as well), has recently unveiled the new version of its provisioning product, now called SAM Enterprise Identity Manager, in contrast to its former name SAM Jupiter. The name highlights that this product is part of a specific market segment, the identity provisioning products, most of which are named "Identity Manager". It also shows that Beta Systems understands this release as a really major release.
And, in fact, it is. Amongst the broad set of new features, there are two really important ones:
- Beta Systems has finally managed to merge the two releases of its product. Until now, there has been a host-based and a Windows/UNIX-based version. The new version runs on all platforms and has, in addition, broader platform support for databases and other infrastructure components as well. Thus maintenance and development are now easier for Beta Systems. And, furthermore, customers can now pick their platform of choice much more easily.
- Beta Systems has added multi-tenancy capabilities, being amongst the first provisioning vendors to do that. That is not only interesting to (external and internal) service providers but also to large organizations in industries with strong compliance regulations which, for example, have to enforce separate segments of IT administration for different parts of the organization – as is sometimes the case in banks.
I especially like the multi-tenancy approach, because that will become a mandatory feature in provisioning tools over time.
19.11.2009 by Martin Kuppinger
One issue when dealing with GRC (Governance, Risk Management, Compliance) is that there is no single person who is responsible for it within organizations. And there is a simple reason for that: there are far too many GRCs out there. Vendors provide completely different offerings using the same acronym. That's not new, but in the case of GRC, this raises even more uncertainty than usual in the IT industry.
From my perspective, the solutions might be segmented into four layers:
- The so-called "Enterprise GRC", which would better be named "Business GRC" or something similar, because the other technologies are also about the "enterprise", but sometimes more focused on IT. Vendors in that space are, amongst others, companies like OpenPages, Bwise, and Mega. The focus is on business risks and business controls, a high-level view, and frequently mainly on manual controls.
- The layer which is best described by the term "Continuous Controls Monitoring" (CCM), which is about looking at specific IT systems and issues from a business perspective: order processes, delivery status, and such things. Typically there is a mix of automated and manual controls, and some systems focus more on specific enterprise applications (billing, …), whilst others focus more on the consistency of the entire process. Vendors here are, amongst others, companies like SAP (Process Control, Risk Control) and Oracle, mainly for their own environments, and ones like Approva.
- The layer which I'd call "specific/specialized GRCs", amongst which IAM-GRC solutions (sometimes called "access governance") and SIEM solutions are the most popular ones, even though I'd add several service management tools as well, as long as they focus on service fulfillment and the service management process itself. These tools provide much more depth on specific controls, typically only a small subset of all IT controls. IAM-GRC, for example, focuses on roughly 4 of the 210 COBIT controls, the ones around identity and access. However, the level of automation is significantly higher, and the controls are much more specific. In each of the segments here we have a lot of vendors.
- System-level tools around operations management, system-level auditing, integration of system-level logs, and the like – tools which really do a deep dive into, for example, the access controls of file servers and shares.
With a big picture like that, it becomes obvious that there are several elements within a GRC strategy. Business and IT have to work closely together to define what is needed in which area, how these tools interact, and how they have to be integrated. With this view, the need for a single person responsible for GRC diminishes. There are at least two, one at the business and one at the IT level. And there are even more for the different "operational" tools at the lower levels.
If companies have defined their big picture, it is easier for them to identify which tools they need to implement it. And it is easier for vendors to identify the persons to speak with.
More important from my analyst perspective is the first aspect: companies which don't have a clearly defined strategy on GRC will most likely end up with a mix of non-integrated tools, not always providing the required features. Thus: a GRC roadmap and a GRC architectural blueprint are mandatory.
More about the system-level aspects can be heard (for those who read this soon) at our webinar today. A replay will be available soon.
Even more information about this topic, and especially the IAM-GRC aspects (access governance), will be available at the Kuppinger Cole Virtual Conference on this topic, December 8th to 9th. Registration for that conference is free.
05.11.2009 by Martin Kuppinger
Within the last few months, I've read several news items about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don't believe so, for several reasons:
- There are different numbers regarding the status and growth of the MSS and outsourcing market. Some are much more positive than others – and it is no surprise that the negative ones are cited most (even the IT press more and more acts the yellow press way…).
- In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to drop external services first, before they fire employees – that affects MSS.
- Outsourcing is sort of a "big beast" which is difficult to tame. It takes long preparation, and it is inflexible. Overall, it needs to adapt to become more flexible and easier to use. Cloud computing, with its granularity of services, is an approach to address the shortcomings of outsourcing.
- Feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of control frequently are insufficient – thus it is about the implementation and delivery of MSS, not the overall concept.
Two reasons why the cloud (in my understanding: an approach for the flexible use of IT services with the ability to switch between providers and choose the best one, internal or external – i.e. much more about services than about external things from the Internet) will be successful, shortly explained:
- If you think about a matrix like the one shown below, with two axes, outsourcing is just sort of a specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around "community clouds", in the centre of this matrix. The potential for industry clouds, community clouds, and point solutions isn't unveiled yet. Thus there is much more in the cloud than is discussed today.
- The cloud is not new. It didn't just appear in the sky but grew over years. SaaS has been out there for a while, service management as well, not to mention outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards a strategic approach on how to best provide IT services (external vs. internal). We're at sort of the "break-even", to use an analogy.
[Figure: Cloud Matrix]
By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.
I appreciate your feedback on that! And see you at EIC 2010 and Cloud 10, both to be held in Munich, May 4th to 7th, 2010.
[Cloud Matrix figure axes: Services; Subscription]