Showing posts with label novell. Show all posts

Friday, October 03, 2008

IBM tries to rain on Novell and HP's parade

The cynic in me is crying out for this blog post, so here I go.

It's not that I enjoy pointing out my ex-employer's boneheaded moves, but...ok so I do just a little bit.

IBM issued a press release today harping on about:
"migration services and competitive migration pricing for abandoned HP Identity Center security software customers aimed at helping them benefit from IBM's broad capabilities for securing and efficiently running IT for their business."
For those that don't remember, HP got out of the Identity Management software business earlier this year and left their existing customers with a bit of a problem. Then along came Novell on their horse offering to ease the pain in partnership with HP.

From what I can gather by reading the Novell and HP partnership press release, existing customers get equivalent Novell Identity Management software for free (until the middle of 2009) and some migration tools jointly developed by HP and Novell. There is no mention of free services however, so I assume there's some cost there.

I didn't see the word "free" anywhere within IBM's announcement. So my question is, are they going to guarantee that the combined software and services costs are going to be less than Novell's? If not then what the heck is the point of offering to "Bail Out HP Security Software Customers" (part of the press release's headline)?

Oh, it gets better:
"In response to HP's discontinued identity management products, IBM offers competitive migration pricing for software and migration services through IBM Internet Security Systems (ISS)..."
Notice the problem? IBM ISS specialise in network security! Talk about picking the wrong business unit to offer up as the service provider. It would have made a bit more sense if they had said IBM Security and Privacy Services (which was the division I worked for before doing my IBM Tivoli thing) or IBM Software Group Services (who used to try to bill me out to customers because I knew stuff, even though I worked for the IBM Tivoli technical sales team - management usually said no by the way, except for a few times I had to run customer training sessions because they supposedly "asked for me by name"). Both these business units have had years more experience deploying the Tivoli Security suite of products. They also have a heck of a lot more people that have the necessary skills to do the work.

Here are a few speculative reasons why they might have made this announcement:
  1. To piss Novell off a little bit and also hopefully catch all the existing HP customers that don't like Novell for some reason. Of course, there's nothing stopping customers from going to Oracle, CA or Sun. I dare say they'd willingly give existing HP customers "competitive pricing", which by the way means nothing because it's not quantifiable.
  2. A boneheaded IBM ISS executive was trying to figure out how to increase ISS revenue and decided on this particular tactic.
  3. A boneheaded IBM executive was trying to figure out how to increase IBM revenue and decided on this particular tactic. The executive then thought that since it was security related, they would use the ISS business unit to deliver the solution because "hey, we acquired them 2 years ago as one of the world leaders in providing security solutions right?"
I wonder if the other consulting and services business units within IBM knew about this before the press release. My guess is not, but all you IBMers out there can correct me if I'm wrong. And if I'm right, there's going to be a few IBMers walking around today asking the same question and wondering why IBM has once again decided to compete with themselves.

This ISS rant assumes one thing of course, and that is that they actually find customers who want to switch from HP's Identity products to IBM Tivoli at a potentially higher monetary cost. I've already said I don't really see the financial value (I won't argue all the other bits because I'm trained to argue IBM Tivoli business value in my sleep).

In short, all of you working for ISS can just go about your business as if none of this ever happened. Well, all except the sales people who I'm sure will be told that they now have a new "innovative offering" to be peddling.

In other news buried within the same press release (I don't know why IBM keeps mashing multiple bits of news into the same press release), they announced:
"IBM Tivoli Security Policy Manager -- Brand new IBM software that provides customers the ability to develop centralized security policy management for managing application entitlements driven by compliance, data security and intellectual property protection. The adoption of SOA and Web 2.0 technologies poses unique security policy management challenges for managing user entitlements -- the loose coupling of services and mash-up applications across a business creates multiple policy management points, each of which may require its own administration. The IT reality to manage these policies and entitlements in an environment full of different vendors' technology is manual, error-prone and creates costly islands of security administration. Tivoli Security Policy Manager, available by end of 2008, provides standards-based, centralized application entitlement and SOA security policy management capabilities to help users strengthen access to new applications and services and improve policy compliance and operational governance."

Are you back from your eyes glazing over yet? Let me cut to the chase for you: the long marketing blurb basically means IBM Tivoli are releasing their Entitlement Management product later this year. I've seen it in action but am not at liberty to say anything at this stage thanks to the NDA. That said, it's probably not fair for me to be commenting anyway because I've only seen the Beta version, not the fully-fledged "we've tested the crap out of it and made it all nice and pretty" version. Well, maybe not the "nice and pretty" bit. If you've seen IBM software interfaces, they are rarely "nice and pretty". But I'm biased because I use a Macbook Pro as my personal computer :-)

If you work for IBM ISS, feel free to send any hate mail my way...

Wednesday, January 16, 2008

Novell does data security

Sort of.

Novell announced yesterday the availability of ZENworks Endpoint Security Management with expanded encryption functionality. All this means is that they can now do encryption of folders and devices (USB storage devices, DVDs). It doesn't get very granular and it's not data centric.

From looking around at their product info, it looks to be just a bunch of "on/off" switches. e.g. you can use this USB device, but not this one. Or if you put something on this USB device or in this location, it must be encrypted. That doesn't give a lot of context...and we know that with security, context is everything (almost). And getting the policies right and linked to context is an art form in itself. This is darned near impossible without granularity.

What happens if I just want to put an innocuous picture on my USB device? If it's disabled by Novell, I can't do it. Or if I can, it's probably encrypted...which means it's not very useful to me if I take it off-site. I know, there's probably some sort of password protection capability which lets me unlock the file and decrypt it. But that's exactly my point. If the data is not sensitive, I don't want to have to go through the hassle.

Their solution is not granular enough to be useful. It'll get killed in the device control market because they'll lose the feature/function battle. It also won't register in the data security market until they get a heck of a lot more granular and let people write policies that can be data centric. Oh, and don't get me started on other potential leakage points. What are you actually trying to do by encrypting data? You're trying to secure it in case it ever gets out right? What happens if I email it? Game over as far as Novell is concerned...incidentally, it's also game over if you just focus your data security initiatives on device control. You're "sticking a finger in the dam" and hoping it doesn't leak somewhere else.

Novell do have one thing right though. They know that they need to help organisations control the endpoint. They will also no doubt tie this all back into their Identity and Access solutions (if not yet, then soon). I'm sure their professional services people are developing such an offering as we speak. A data security solution that is tied into identity is very appealing and ticks so many boxes (especially those regulatory and compliance ones) it's an easy sell. Implementing something that will work as specified is a heck of a lot more difficult though. First you have to get an adequate set of products together, and Novell can't provide that all by themselves.

There's a missing link in this space at the moment. Mainly because no one's worked out this whole data security thing yet. There's not even a commonly used term (we can't figure out if it's data security, data leakage prevention, information leakage protection/prevention or something else). The term is not important. What we're REALLY talking about is information security. Analysts and marketing people just want to be able to break this stuff up so they can sell more things (products, services, whitepapers, consulting etc.). What we eventually want to get to is an identity driven data security infrastructure that knows what people are doing and can control the movement of all information in a corporate environment, whether structured (e.g. databases and applications) or unstructured (file systems, other storage media) and is all tied into context sensitive security policies. When you simplify it, access controls are really just about limiting or allowing access to information/data based on what you are allowed to do to it. The ability to audit and report on everything is just to keep auditors happy and for the odd incident here and there where forensic analysis may be required. That's it. It's not a complicated concept.

No, there isn't an integrated solution that does this yet. For now, you have to buy the pieces and try to plug them all together. Novell's made little baby steps, but it'll only look good on the marketing slides...for now.

Saturday, March 24, 2007

Novell joins Identity monitoring scrum

I mentioned IBM, CA and Oracle's forays into the monitoring of their Identity Management products here, here, here and here. Now Novell's adding to the scrum, but their focus is different from the other vendors mentioned above. In their announcement, Novell says that:
"Tight integration with Sentinel from Novell gives Identity Manager 3.5 the capability to provide critical feedback of system, network and application event activity within the context of an identity."

What this means is that Novell's definition of monitoring here is more along the lines of the business context monitoring I talk about in this post...which does not seem to be explicitly addressed by IBM, CA or Oracle in their Identity monitoring offerings. I also mentioned in this post that each vendor has taken a different approach with their respective offerings. Novell looks to have taken yet another different approach to the others by focusing on compliance and identity based monitoring rather than infrastructure monitoring. If you combine all the focus areas of these 4 vendors, you have a pretty complete identity monitoring offering. Unfortunately, no single vendor has a satisfactory solution that covers all the important parts of monitoring their Identity Management suite.

To get a better understanding of what Novell seems to be doing with their monitoring integration between Sentinel and their Identity Manager, have a look at the solutions from SailPoint Technologies and IBM Consul. These focus very much on the identity centric compliance of enterprise systems. IBM only acquired Consul late last year so they're still "blue-rinsing" the products. Once that is done, they'll be placed into the Tivoli software portfolio and no doubt integrated with the IBM Tivoli Security products to give the business context identity centric functionality so sorely lacking at the moment in all the identity suites (although Novell looks to be addressing this now). Of course, once "blue-rinsed", IBM will claim that the Consul products integrate natively with the Identity Management portfolio. Perhaps this will be partially true, but I don't expect this to be 100% until the next release of the Consul products (probably renamed and properly released under the Tivoli banner by then).

The identity monitoring scrum is getting more crowded, but this is simply in reaction to what the market has been asking for in the past few years. It's about time the vendors started listening. What about Sun and BMC and HP? They're behind the 8 ball at this stage. To be fair, BMC has started to move in this direction with their announcement of having their systems management solutions line up with ITIL and COBIT, but these aren't identity centric. They are systems management and infrastructure centric.