24.09.2009 by Martin Kuppinger
It has been pretty quíet around the VIP (VeriSign Identity Protection) solution. I have played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn’t see much of VIP (and didn’t hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it “triple-sec” given that three different factors are used – the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile.
VeriSign VIP Accessfor Mobile is in fact an OTP (one time password) generator which runs on mobile phones. Overall, a strong authentication can be achieved that way for TriCipher’s MyOneLogin service which is the tool used. MyOneLogin is a cloud-based SSO solution for other (external) cloud or SaaS services which uses SAML to provide authentication information to Google Apps Premier.
The VIP support is offered for free for Google Apps Premier customers – as long as they use the strong authentication only for Google Apps Premier. If they’s like to extend this to other apps, it’s not free anymore. Anyhow, this is at least an interesting solution for companies who rely on these cloud services and require an relatively easy strong authentication solution. For sure you’d have to accept that you need your mobile phone in addition but the alternative would be to rely on some soft-token approach or to carry another token or device to support strong authentication.
Besides the fact, that the “for free” doesn’t last long in practice, given that most customers probably will secure other apps as well, the biggest question from my perspective is whether a cloud-SSO for cloud only (more or less) is the solution of choice. Customers which further rely heavily on internal (and non-web) applications might benefit more from a traditional E-SSO approach supporting internal as well as external applications of any type. However, integration of these tools with applications like Google Apps typically relies on traditional exchange of username/password in the background instead of the more advanced SAML approach provided for example by MyOneLogin. With other words: There are other options, but at least the TriCipher/VeriSign offering is an interesting approach worth to have a look at.
To learn more about what’s going on in the “cloud”: Attend the Kuppinger Cole Cloud 09 conference, December 2nd-4th, Munich.
18.09.2009 by Martin Kuppinger
During the last months I had a number of conversations with vendors about the licensing and business models for their cloud offerings. And frequently the conclusion was that the models aren’t really adequate for the cloud. Some might work today and for some period of time, but they are not likely to be successful on the longer term.
One ob the obvious shortcomings are accounting periods which are too long and thus don’t provide the required flexibility which is a key advantage of cloud services. Contracts which run at least 12 months or accounting periods which look at the peak use within a calendar month are not what we need for the cloud. Over time, customers will expect the ability to switch their provider quickly and to pay-per-use. For sure there are services where customers aren’t that likely to move ever or on short-term (salesforce.com, SAP BusinessByDesign). But I’ve seen that model as well at the platform and infrastructure level.
But pay-per-use models can be critical as well. If there are either too many elements in or elements which can’t be predicted, these models don’t provide the advantage of reliable cost models which are as well a key advantage that cloud services can and should provide. That is the same like with ISPs in the past – there will be a logical move to flatrate models. Noone likes to become bankrupt because he is too successful.
The reason for these sometimes inadequate business models are obvious:
- Many vendors in the cloud are experienced with classical, license-based business models and have no experience and sometimes little understanding of new cloud business models. They are insecure and have to learn.
- Customers currently frequently accept these business models – but that will change.
However it is very interesting to observe the change in these business models over time. In the cloud, business models are always under stress test. The impact of actions of other vendors is strong. For example, Microsoft in fact has defined an maximum price tag for hosted Exchange services with their own offering. Providers which want to earn more will have to very clearly show the added value to their customers.
That will not automatically lead to a situation in which the cheapest provider wins. But for sure cloud service providers will have to react on what others are doing. Thus, flexible business models and an efficient production of cloud services are mandatory. Vendors who are not able to pick up the pace of these changes in business models are likely to disappear from the market.