The rationales behind the Oracle-Sun deal

28.04.2009 by Martin Kuppinger

The (planned) Oracle/Sun deal has gained a lot of attention. There has been a lot of discussion of the rationales behind it. But most of that discussion didn’t really touch on why Oracle will spend so much money on Sun. Have a look at the rationales:

The hardware?

Not really. Oracle has never done hardware business before. That is another type of business. For sure there are some advantages. It is a little easier for Oracle to offer appliances, but they could have done this with standard hardware and some flavour of Linux. For sure, for big shops that might become interesting – highly scalable hardware and the database or application server or a business system. But on the other hand, the overall margins will decrease for these deals. And the fact that it becomes cheaper for Oracle to equip its own cloud data centers in the future isn’t worth the risk of a hardware business.

The Solaris operating system?

Here as well – a few advantages but no real one. With hardware and a high-level server operating system, Oracle is more competitive with companies like IBM and Oracle, the (from a revenue perspective) real big guys in the industry. And Oracle might even bring some market share back to Solaris, by preferring that OS. But overall, there is not that much value in there. Solaris is fine for large cloud data centers, but it is overkill for many appliances. The overall value of obtaining an OS is thus somewhat limited for Oracle.

The IAM and GRC tools?

Even though we are experts in IAM and GRC – that wasn’t the reason behind it. On the contrary, that is one of the areas with a huge overlap and thus a lot of potential problems in defining a roadmap and migration paths for existing customers.

The cloud?

Again – not really. There are some advantages in having its own hardware and an operating system for high-scale cloud data centers. But Oracle would have been well able to manage the move towards the cloud without that. And if it were about the cloud, there probably would have been better choices than Sun.

The psychology?

Yes, to some degree. Oracle now really competes with IBM at every level. It has its own operating system. But that is not the real rationale behind the deal, even though that thought might have influenced the decision making.

The market share?

Which market share? Oracle is buying market share, no doubt. They have done this with acquisitions like PeopleSoft, they have done this especially when acquiring BEA. But there is a rationale behind that about which I will talk later.

The Java stack?

No. There are probably more risks than advantages. Improving the stack itself is an investment without direct return. That might improve the position of Oracle in the application server field. But the fact that Sun has “owned” Java and nevertheless hasn’t been the leader in the market of application infrastructures shows that this is not the main reason. Besides this, there might be sort of a trust issue in Oracle owning that stack – Sun has been more trusted in supporting open source than Oracle is. And other companies like IBM and SAP, which rely heavily on Java, might also be somewhat disappointed. Oracle is a much more heavyweight competitor for them than Sun has been.

And yes. Oracle will be able to drive some things forward in the stack. Think about an integration of JAAS (Java Authentication and Authorization Service) with Oracle’s concept of SOS (Service Oriented Security). By doing this, Oracle might gain some advantage for their “engines” which provide these services and some tighter integration than others can provide.

The application server?

Yes, to some degree. The market share of what Sun provides around application infrastructures (development tools and so on) is somewhat relevant but not the main reason. But overall there is the question whether Oracle really wants to maintain Glassfish, Fusion, and WebLogic. And for sure Oracle expands its grip on that market.

The expanded lead in application infrastructures?

Here you go. That is the real target of Oracle. That is why they have bought BEA, that is why they have been heavily investing in IAM and other areas of the IT market. For a long time, there have been the operating systems and the business applications as the instruments of power in the IT industry. That is changing, with the business processes and the supporting application infrastructure becoming the new instrument of power. That is the reason why companies like Oracle, SAP and IBM (based on Java) as well as Microsoft (based on the .NET Framework) are heavily competing for that market. The one who is in control of the business process platform has managed to achieve the vendor lock-in – the more specific features of the platform are used, the more lock-in.

That is, from my perspective, the real rationale behind that deal. From that perspective, it is not that much a market share deal but a market power deal. That is the reason why Oracle buys several elements of limited value for Oracle (not of limited value from an overall perspective, for sure!). That is the reason why Oracle again spends a lot of money and takes some risks. Java helps, the market share in the application server market helps. But they are not the key reasons for that decision.

Interestingly, most customers haven’t yet understood what is happening in the IT market from a strategic point of view. Otherwise, they wouldn’t leave platform decisions in the area of IT infrastructure to some developers and architects or, in the best case, the CIO, but would understand them as decisions with a long-term strategic impact on the entire organization.

The balancing act of changing the business model

27.04.2009 by Martin Kuppinger

Last week Microsoft announced that they will offer their own cloud computing services in nineteen different countries. The approach is “hosted by Microsoft, offered by partners”. That is an interesting approach and it is obviously the result of Microsoft’s thoughts about how to manage the balancing act between the existing business model and the upcoming cloud computing business.

On one hand, Microsoft relies on its partners who sell software licenses today. On the other hand, Microsoft has to provide offerings as cloud services. Until now, there have been some limited offerings, for example value-adding services for Exchange infrastructures or, in a specific market segment, the Office LiveMeeting product. With last week’s announcement, Microsoft provides core services like Exchange Online and SharePoint Online by themselves. The services aren’t sold directly by Microsoft but via 2.500+ specialized partners.

Microsoft has also announced that this is just the beginning of their “Software and Services” strategy, thus other solutions will be added. Given that the pretty prominent URL (or or similar URLs) is used it becomes clear that this type of business shall provide a significant part of the future revenue stream of Microsoft.

Even with this business model which focuses on sharing revenues between Microsoft and the partners, there is still some potential conflict with partners. The price tag defined by Microsoft is sort of the upper border for Hosted Exchange and Hosted SharePoint Services. Thus, some of the existing hosting partners of Microsoft will have to change their price tags. Microsoft now is the one who controls the price tag. Partners might add services, for sure.

But many partners will have to rethink their business model. On one hand, participating in a constant revenue stream is interesting. On the other hand, the more parts of the environment are delivered from the cloud, the less project revenues will occur. That is a risk for partners.

From a Microsoft perspective, the model looks more interesting. Microsoft has the biggest network of resellers for cloud services in the market, Microsoft can compete with other cloud vendors and Microsoft adds a service-based revenue model to its existing license-based models.

It will be interesting to observe how that model affects the existing partnerships as well as the entire cloud market. Despite some scepticism I think that the chosen model is the best solution for the balancing act Microsoft has to perform. And I’m also convinced that it will allow Microsoft to take a significant share of that particular area of the cloud market. It might again prove that Microsoft is pretty well able to adapt to changes – like they have done multiple times before.

By the way: Don’t miss Cloud ’09 and EIC 2009!

Liberty Alliance moves to Kantara

20.04.2009 by Martin Kuppinger

Today, Liberty Alliance will move to a new organization named Kantara. That is based on the analysis that security, privacy, and minimal disclosure of end users’ personal information are becoming more and more important. In this area, several initiatives are on their way. The idea of Kantara now is to build an umbrella organization for the entire identity industry and to streamline different initiatives. Liberty Alliance will become a part of that bigger effort.

The interesting question will be: Will Kantara become a big umbrella or a small one? There are several interesting initiatives within the Liberty Alliance today, but there are many initiatives outside of that. There are OASIS standardizations like SPML and SAML, there is the Information Card Foundation (ICF), there are many other activities on different levels up to industry specific standardizations.

Thus it might appear that Kantara becomes more sort of a Liberty Alliance relaunch – if they don’t succeed in integrating at least most of the other relevant initiatives. Let’s wait and see…

Sun and Oracle – I would have won my bet

20.04.2009 by Martin Kuppinger

Today Oracle announced that they will acquire Sun. That isn’t a real surprise to me. When the potential acquisition of Sun by IBM was discussed some weeks ago, I was asked about my view on that. From my perspective that would have been mainly a market share deal. And when big market share deals are discussed, Larry Ellison isn’t far away. Thus I said at that point in time that Oracle might as well make a bid. The third company I had in mind was Cisco, but they have missed that opportunity (which would have improved their strategic positioning significantly).

Right now, Larry Ellison has done it again. And from his perspective, that makes sense. He acquires market share in the application infrastructure and IT infrastructure market, and he gains access to much more Java intellectual property. Despite some overlaps in the portfolio, Oracle benefits from that. They become the “Java company” and they have acquired several other interesting pieces of software. Regarding Solaris, the advantages aren’t that obvious. But at least Oracle has its own operating system right now, which might become interesting for appliances and for other new types of solutions. The other way round, Solaris might benefit from other Oracle offerings as part of larger packages or enterprise license agreements – and given that Oracle right now is a hardware vendor as well, they might provide interesting bundles to their customers.

It is noteworthy that Oracle doesn’t talk much about the hardware business in the initial press release. But the sentence “Oracle will be the only company that can engineer an integrated system – applications to disk – where all pieces fit together…” is an indicator of Oracle planning to keep the hardware business and not to sell it. And given the opportunities for selling larger projects, for the appliance market, and for future cloud offerings (based on its own hardware), there is some potential in that combination.

Specifically for IAM and GRC, there are some overlaps. But there are also specific strengths in both portfolios, with for example the very fast Sun Directory Server – and with the installed base of Sun. Anyhow, customers will have to carefully analyze the combined roadmaps of both companies. There are overlaps and that might lead to scenarios where customers have to migrate at some point in the future.

Identity Management and the Cloud

14.04.2009 by Martin Kuppinger

Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But as in many other cases, there is first of all a vision, then a buzzword, then some basic technology – and then people start to think about things like reliability and security. The same is true of Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated.

That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. is just one example, some of the online conferencing providers have also been in the market for years now. But only a few of them support at least basic standards like SAML (Security Assertion Markup Language) for Identity Federation. And many still lack support for such standards, not to mention more advanced approaches like Information Cards or XACML.

Beyond the fact of missing support for existing standards, there is the issue of missing standards. There are virtually no standards for GRC, for example for auditing and alerting (and SNMP isn’t the solution for the cloud). Even XACML is more sort of a technical standard, which needs a lot of additional work to really support the authorization management issues in the cloud.

There are some additional offerings for example for Single Sign-On to the cloud, there are some identity providers for the very lightweight OpenID and even less for Information Cards, and there are few offerings for Identity Provisioning from the cloud, e.g. managed services for Identity Management. Some of the more interesting vendors in the market are, amongst others, companies like Fischer (Provisioning), Ping Identity (Federation), TriCipher (Authentication), Arcot Systems (Authentication), Multifactor Authentication (again Authentication), and Fun Communications (Information Cards). But the number of offerings is still relatively small.

On the other hand it is obvious that IAM and GRC will become a very fast growing segment of the IT market, for ISVs as well as for Identity Providers. And it will also be an interesting opportunity for consultants supporting all the other providers in the cloud in enabling their applications for the IAM and GRC requirements of their customers.

To become successful as a provider in the cloud, the “externalization” of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can’t afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today.

The entire industry, e.g. cloud providers as well as customers and IAM/GRC vendors have to work together on this. Feel free to send me your ideas and proposals on this – we’re currently preparing a launch of a standards initiative on some IAM/GRC issues and that might be the next one.

More on IAM and GRC for the Cloud at the European Identity Conference 2009 (Munich, May 5th to 8th).

The Open Cloud Manifesto

08.04.2009 by Martin Kuppinger

On March 30th, several vendors, including IBM, Sun, and Cisco, announced an “open cloud manifesto” which pleads for open standards in the cloud. The “open cloud” shall allow choice and flexibility of cloud platforms and cloud providers. A main target is the easy portability of applications. But, if you read that manifesto, you’ll find the typical sentences about “openness”, “avoiding vendor lock-in”, “the need for standards”, and so on.

One of the most interesting things about the short and pretty lightweight (to avoid the harsh term “meaningless”) “manifesto” is which vendors are missing from the list of supporters:

Microsoft,, Amazon, Google

In other words: Several big ones don’t participate in that initiative yet. And most of them have established cloud platforms.

That doesn’t mean that the noble intention of the initiators of the Open Cloud Manifesto (which isn’t that noble given that all of them hope to earn money from the cloud) doesn’t make sense. Yes, we need standards. Yes, we need portability of applications between cloud platforms. But some nice words don’t solve anything.

What we really need are standardizations. For the application packaging, for cloud governance, for cloud management and monitoring, and so on… In some areas we might reuse existing standards like SAML for identity federation, in other areas standards are still missing. Thus, instead of talking about a “cloudy” target of an open cloud world, there should be precise actions. And these should take place in the existing standard bodies like OASIS, W3C, and so on.

Standards are important – not only to the cloud. At the European Identity Conference, May 5th to 8th in Munich, there will be an OASIS pre-conference workshop – and there will be a lot of discussion around the Identity and Governance standards which are required for IAM and GRC, for internal services as well as for the cloud. Cloud Governance won’t work without such standards.

The German ePA project – yes we can

06.04.2009 by Martin Kuppinger

OK, everyone has used that claim “yes we can” by now. But it fits pretty well to the German project ePA (Elektronischer Personalausweis) which is one amongst several projects in different European countries for a new type of personal identification card. It’s not an ePassport but a personal identification card – you have to have the latter in Germany, you can obtain the first if you require it for international travel.

In contrast to some other countries like the USA and the United Kingdom, a personal ID card is mandatory in Germany. Currently it is an “old-school” type of printed document. The ePA will replace this with an electronic ID card which will be issued by the German state – using the same deployment mechanism with the so-called “Meldeämter”, e.g. registration offices (local offices run by cities where every address change and so on has to be registered). Thus there is a personal identification included when requesting and deploying the ID card.

For a long time I have been a little sceptical regarding German eGovernment initiatives. Many of them didn’t convince me, either due to their obvious lack of identity management (like in the area of tax declarations with the ridiculous ELSTER project) or because there was far too much ideology in them (Linux vs. Microsoft). But the ePA proves that Germany is able to really run a leading-edge project not only in the manufacturing industry, but in eGovernment as well.

The ePA supports different use cases, from identification at border controls, by the police, and in other situations up to several public use cases. The interesting point is that these use cases will then be supported by strong authentication, based on the ePA and readers for that ID card. It will be possible, to give an example, to provide age verification – while enforcing the concept of “minimal disclosure”. For example, the answer might be “yes” when asking for age verification above 18 years instead of supplying the full birth date. The ePA will also provide the capability to store the qualified electronic signature which can be used to sign contracts and official documents in private as well as governmental use.

All these features are implemented in a well-thought-out way, based on distributed stores on the ID card. And they are backed by valid business models both for providers of digital certificates (qualified electronic signature) and for relying parties, e.g. service providers which plan to support the ePA as a means for strong authentication, age verification, or other purposes.

For sure there are still some open questions: What about foreigners (there will be interoperability, there will be other solutions)? How long will it take to reach critical mass (the old ID card has a validity of ten years, thus replacement will take some time)? How about integration with concepts like Information Cards (some companies are working on that)? But despite open questions, the concept of the ePA is a promising one which might support eGovernment concepts as well as strong authentication for private use cases. I expect that we’ll see a lot of interesting use cases and applications around ePA soon – and some things you might learn as well at our European Identity Conference 2009 in Munich.

© 2015 Martin Kuppinger, KuppingerCole