Why cloud services will sell despite slowdowns in outsourcing and MSS growth

05.11.2009 by Martin Kuppinger

Within the last few months, I’ve read several news about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don’t believe, for several reasons:

  1. There are different numbers regarding the status and grwoth of the MSS and outsourcing market. Some are much positiver than others – and it is no surprise that the negative ones are cited most (even the IT press more and more acts in the yellow press way…).
  2. In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to first drop external services before they fire employees – that affects MSS.
  3. Outsourcing is sort of a “big beast” which is diffcult to tame. It takes a long preparation, it is inflexible. Overall, it needs to adopt to become more flexibile and easier to use. Cloud Computing with its granularity of services is an approach to address the shortcomings of outsourcing.
  4. A feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of contol frequently is insufficient – thus it is about implementation and delivery of MSS, not the overall concept.

Two reasons why the Cloud (in my understanding of an approach for a flexible use of IT services with the ability to switch between and choose the best provider, internal or external – e.g. much more about service than about external things from the Internet) will be successful shortly explained:

  1. If you think about a matrix like shown below with two axis, Outsourcing is just sort of the specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around “community clouds”, in the centre of this. That potential for industry clouds, community clouds, and point solutions isn’t unveiled yet. Thus, there is much more in the cloud than is discussed today.
  2. The cloud is not new. It didn’t just appear at the sky but grew over years. SaaS is out there for a while, service management as well. Not even to talk about outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards an strategic approach on how to best provide IT services (external vs. internal). We’re at sort of the “break-even”, to use an analogy.
Cloud Matrix

Cloud Matrix

By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.

I appreciate your feedback on that! And see you at EIC 2010 and Cloud 10, both to be held in Munich, May 4th to 7th, 2010.


Identity as a Service

21.01.2009 by Martin Kuppinger

Some days ago, I had a very interesting discussion with John de Santis and some of his colleagues from TriCipher, one of the vendors which provide IaaS (Identity as a Service) solutions, in that case particularly with their MyOneLogin service. That discussion is one in a row of others I had with several of the other vendors in the IaaS space like Multifactor Authentication, Arcot Systems, or Ping Identity, to mention just a few.

On the other hand, my colleague Jörg Resch (currently very active in organizing the European Identity Conference 2009, where we will have, amongst many other topics around thought leadership and best practice for IAM and GRC, definitely much content about IaaS) some weeks ago asked me about my opinion about approaches like Facebook Connect and related standards (Google Friend Connect, Myspace Data Availability) and, as a result, my overall opinion about IaaS. First of all, the positive things with all these initiatives is that they address the lock-in issues in todays social networks, which I’ve discussed more than a year ago in this blog (by the way a discussion we’ve started at our European Identity Conference 2007).

So where is the link between these two discussions? It is all about the way we can and should deal with identities in the future. In business as well as privately. First of all, identity is core to any of these initiatives like cloud computing and SaaS or Enterprise 2.0 or Web 2.0 – even while many people haven’t understood the impact of identity yet. How will you ever fulfill compliance requirements in an IT infrastructure which consists of multiple SaaS services provided by different companies as well as some still existing internal IT services? How is allowed to do what in that environment? Just think about SoD controls across multiple SaaS services… How do we control the way our employees act in the Internet, still representing our company? What about consistency and reliability there? How about the integration of Web 2.0 services into the enterprise, for corporate use – that what sometimes is called Enterprise 2.0 (I use this term here even while most of the 2.0-terms are just ridiculous)?

It is interesting to observe that there are some initiatives and products trying to address at least some of the problems. Vendors start providing strong authentication as a service, sometimes focused on authenticating to SaaS. Social networks start to open up, even while there is a lack of standards. Information cards might become virtual corporate business cards.

Thus, we have some standards (like OpenID, Information Cards and the underlying federation standards, XACML,…), some IaaS services (mainly for authentication and federation and some provisioning), and some proprietary approaches for exchanging information from social networks. Many areas like policy management and auditing aren’t covered yet. And in the area of social networks, there should be one standard, which might make use of Information Cards instead of some vendor implementations. From my perspective, we are still at the very beginning of the IaaS market. We will need to create more standards and implement more use cases. There is a lot of room for vendors and service providers.

From a corporate perspective, we will observe approaches where companies fully rely on IaaS, putting everything into the cloud. There will be companies which use just some cloud services, like federation or strong authentication. And there will be companies which still mainly rely on their own IAM and GRC infrastructure, with the need to integrate that with cloud services they use.

Today, you can’t fully rely on IaaS but enhance your IAM and GRC infrastructure with some very interesting solutions to become more flexible in your move to cloud computing. But you definitely should analyze which opportunities IaaS provides – and how to do IAM and GRC for cloud computing, Enterprise 2.0, Web 2.0 and all these other initiatives.

Not to forget: I’d like to once again ask for your participation in our current surveys. Thanks!


SaaS – unmanageable, but (still) successful

21.05.2008 by Martin Kuppinger

SaaS is becoming more and more popular, especially in the US. In Europe the growth is much slower, but that is no surprise – Europe is usually some 12 to 36 months behind the US in adopting new technologies.

But there is one thing to be considered regarding SaaS – most of the SaaS offerings are more or less unmanageable. The interfaces for identity management, event management and logging and other necessary functionalities are missing. Defined APIs for controlling and integrating the SaaS applications into the existing own IT infrastructure are missing in most cases – or they are so weak that they aren’t useful.

Even more, it is virtually impossible to get the own data back in an useful format. SaaS vendors seem to consider that every information which someone stores in their SaaS application is their data – but it is the data of the SaaS customer. This is some form of aggressive lock-in.

How weak the APIs of SaaS providers are today is visible when you look at approaches like myOneLogin (which is very interesting) – only three of roundabout 60 supported SaaS applications support federation. And virtually none supports an efficient approach for provisioning users from your own directories to the SaaS application. Or have you ever asked your SaaS provider about SPML (Service Provisioning Markup Language) support? The answer probably has been something like “SPML what???”.

The missing support for standards or at least a comprehensive set of APIs for accessing, integrating and managing SaaS is, from my perspective, the biggest risk for SaaS. At some point of time the customers will ask for these features. The vendors which still believe that the world ends at their own perimeter and who claim that every data which someone enters into their SaaS application belongs to them will be shaken out of the market.  For good reason.


Posted in SaaS | Comments Off

The quest for the grail: Identity Providers in the cloud

06.05.2008 by Martin Kuppinger

These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question whether Google is the best choice to trust on that leads to another question: There is no established identity provider in the so called “cloud” [By the way: Has the term “cloud” been chosen because everything out there is a bit “cloudy” in the sense of “fuzzy”?].

Read the rest of this entry »


© 2015 Martin Kuppinger, KuppingerCole