
Wednesday, October 06, 2010

Oracle finally acquires Passlogix

The big news in the Identity & Access Management (IAM) world today is Oracle's acquisition of Passlogix. In fact, I made the observation 2.5 years ago (when talking about IBM's acquisition of Encentuate) that the most logical suitor for Passlogix was indeed Oracle.

It was only a matter of time, but I'm surprised it's taken Oracle this long to officially add enterprise single sign-on (ESSO) to their suite. I use the word "officially" because Oracle's long-standing OEM agreement with Passlogix means customers are unlikely to see much change in the short term. It simply means Oracle will officially own the technology powering their ESSO product instead of having to "repaint" it red & white. You might also see quicker turnaround times in getting your queries answered and your support calls resolved, so I suppose that's a plus.

Congratulations to all the Passlogix gals and guys.

Thursday, October 23, 2008

Part 2 of my conversation with Amit Jasuja from Oracle

I mentioned yesterday that I spoke with Amit Jasuja, Oracle's Vice President of Development for their Identity Management Product Suite. This is the follow up post to part 1, which focused on Oracle Adaptive Access Manager (OAAM). In this post, I'll cover some of the other things we discussed.

It's probably a good idea to point out that we discussed some roadmap items and even though Amit didn't remind me that items on a roadmap are not guarantees that functionality will make it into the planned release, I'll do Oracle the favour of mentioning it on their behalf. I used to have to do this all the time so I'm aware of the drill :-)

Apart from discussing OAAM, I revisited some of the questions I asked Oracle President Charles Phillips when I met him earlier this year (because Charles didn't really answer them completely) and Amit obliged.

Essentially, part of the strategy for Oracle's overall software stack (particularly Fusion Middleware) is to have everything be "hot pluggable" with their Identity Management suite. But let me take a step back for a moment. Like many other large vendors out there, Oracle's been pushing an open strategy around Service-Oriented Architectures (SOA) and the fact that all their products will eventually support the ability to leverage (and underpin) an enterprise service bus (or whatever buzzword you feel like using). One of the main benefits in doing so is to allow for a vendor agnostic architecture where organisations aren't "locked in" to specific products (note that the industry is a long way from this being a reality despite all the hype). There are other benefits but that's a topic for another day.

The organisations arguably making the most noise around SOA are IBM and Oracle. But Oracle is making more noise (and it seems progress) around the notion of Enterprise Identity Services (Nishant Kaushik in particular seems to be spending lots of time on this) and Amit was quick to point out that the Identity Management group will be keeping with the strategy of openness while being mindful of having to show the value Oracle's products can provide over their competitors. In short, most of Oracle's software will eventually be built to support the use of SOA-like interfaces thus allowing for interoperability with competitive solutions (assuming the likes of IBM, CA, Sun and Novell build products that support the relevant standards for the relevant use cases). It will then be up to Oracle to convince organisations that even though they could use a competitor's product, Oracle's Identity and Access Management suite is the best option because of additional benefits. Amit mentioned some examples like certified support for the Identity Governance Framework (which I should point out was originally an Oracle initiative but has since been submitted to the Liberty Alliance to carry forward) and perhaps things like "quick start" initiatives with pre-built policies for use with Oracle software.

It's great to see Oracle's strategy is to make all their software "play nice together" while being open at the same time. In reality however, the sales teams will sell whatever combination of products that will fit into a customer's budget. If they have to drop products out of the solution proposal to bring it under budget, they will. It's just how the sales teams work, especially if their numbers aren't 100% tied in to Oracle Identity and Access Management software sales :-)

We also briefly touched on various pieces of the Identity and Access Management suite being "pre-baked" into other Oracle software products (e.g. there's a lot of work being done to embed Oracle Virtual Directory within other products) before moving on to exploring Oracle's relatively new Entitlements Server (OES), itself a prime candidate for being embedded within other products. I didn't want to focus on functionality because I already knew about it at a high level. I was more interested in where Oracle's headed with the product from a strategic standpoint.

The obvious direction is to have OES be the fine-grained authorisation engine for just about everything, but Oracle's software stack is HUGE. In other words, it's not an easy task (even if they go with the SOA approach) and I don't think it's going to happen very quickly. Knowing this, I shifted the focus purely to the Identity and Access Management products and their use of OES to externalise authorisation. The answer: yes, but not yet. I used Oracle Identity Manager (OIM) as an example and Amit told me that the plan is to allow for the externalisation of OIM authorisation policies to OES in the next release (e.g. delegated administration settings). He did note that OIM can already provision to OES out of the box (I would have been VERY surprised if that wasn't the case).

Finally, we moved on to speaking briefly about Governance, Risk and Compliance (GRC), that controversial "catch all" three letter acronym. I wanted to know Oracle's plans around identity-centric GRC. If you aren't familiar with the whole GRC thing, I've written about it in the past so have a quick read and then come back.

As it stands today, Oracle's GRC product is much more focused on the financial and enterprise governance (and compliance) aspects and is hooked into their Finance, ERP and CRM applications. In terms of Identity Management and compliance however, we tend to hear a lot more about identity and user account focused access controls, attestation and segregation of duties (SoD). The products in this area receiving the most press of late are SailPoint's IdentityIQ and Aveksa's Compliance Manager.

Oracle's GRC product doesn't actually compete in the identity-centric GRC area (at least not directly). But in light of Sun's very recent launch of its Identity Compliance Manager and Novell's entry into this space through their Access Governance Suite (which is actually Aveksa re-branded via an OEM agreement), I wanted to know if Oracle had any plans to expand their GRC offering to address identity-centric compliance.

Amit's answer was that Oracle does in fact have plans to do this and they are looking at expanding the capabilities of the existing GRC product instead of building a brand new one. This essentially means that the GRC product will get additional features and hooks into the Identity and Access Management suite and vice versa. This includes things like building on the existing attestation capabilities of OIM and supporting the ability to deal with SoD policies through mining existing user entitlements and also using preventative measures (like CA will have once they finish integrating the features of the recently acquired IDFocus product).

Despite Amit almost calling me a journalist on the call, I'm far from one. What I'm trying to say is that I didn't really take any notes. I just spoke to him about a topic I find very interesting and now I'm writing about it. Hence if any of you in the Oracle community (Nishant? Clayton? Mark? Anyone else?) want to confirm, deny, correct or add to any of this (or part 1) feel free to do so via the comments. If not, we'll all just take everything I've said as fact and hold product management to my claims :-)

Ultimately, talking about plans which make a lot of sense means very little other than to communicate intentions. The key will be how Oracle executes and how quickly they do it. Otherwise, they might as well be telling us they want to put a guy on Jupiter.

Wednesday, October 22, 2008

Part 1 of my conversation with Amit Jasuja from Oracle

For those that are unaware, Amit is Oracle's Vice President of Development for their Identity Management Product Suite.

I tried to catch him during his last visit to London but our schedules didn't allow for it. This time, it hasn't quite gone 100% to plan either as I'm not available on the day he's in London this week. So we had to make do with a chat on the phone today while he's in Prague for the Burton Group Catalyst Conference. And before anyone asks, yes Oracle PR set up the call. I'm not one to turn down interesting conversations about Identity Management.

Naturally the topic of conversation was related to all things Oracle, particularly their Identity Management products. Top of the list of topics was Oracle's release of the new version of their Adaptive Access Manager (OAAM) product. To his credit, Amit let me take the conversation wherever I wanted.

I did actually start by asking about OAAM, given how little I knew about it (never having seen it in action). This blog post details the part of our conversation that was focused on OAAM. We spoke about other things as well, which I will write about in a follow up post.

I'd only read about OAAM through articles, data sheets and whitepapers. Oracle's whitepapers are actually pretty good compared to the other large vendors as they give away quite a lot of information. Others tend to release short, crappy whitepapers that don't say a lot so you're forced to speak to their sales reps in person if you want to learn anything.

I didn't want to focus on the press release because to a person who doesn't know a great deal about a product (i.e. me), being told about new features is pretty useless. My aim was to understand OAAM a little better. So I started by asking how Oracle positions OAAM against Access Manager (OAM), and Entitlements Server (OES) (which they got via the BEA acquisition earlier this year).

Oracle sells their products much like other large vendors. They go with a solution approach and then figure out which products fit the specific customer requirements. Oracle does this by using an "Access Management Suite" umbrella, under which they slot OAM, OES, Oracle Identity Federation and to a certain extent their Enterprise Single Sign-On (ESSO) offering (which is actually Passlogix re-branded via the OEM agreement).

The other bits and pieces I just mentioned are as you would expect: OAM does web access management and coarse-grained access control (just like the other large vendors), OES does fine-grained access management and is very much focused on programmatic controls and SOA (with a big dose of XACML), Identity Federation does all the Federated Identity stuff (SAML, Liberty, WS-* etc.) and ESSO does desktop single sign-on.

OAAM on the other hand, is another animal altogether. None of the other large vendors have a product like it (I wrote about the Bharosa acquisition last year) and it does do a lot of useful things (assuming it works as prescribed). Amit mentioned that OAAM is typically implemented by organisations that are looking to address fraud or simply want more than prescriptive, static, coarse-grained access controls that the standard web access management products provide.

OAAM does this via behavioural analysis based on risk scoring. I don't know how sophisticated the policies can get but the key is that it does this in real time based on a multitude of factors including the meta-data around the user's persona, session details, contextual information and historical aspects of the user's known actions. For example, if a person typically puts through a trade once a week of a value around $1000 and they suddenly do multiple trades on a single day, each of a value greater than $5000 then this could raise a flag or even prevent the actions. There are obviously thresholds and a bunch of policies that need to be implemented to make this happen and I'm under no illusions that it's the easiest thing in the world to do.

Amit was also correct in pointing out that people have to be careful when implementing these policies because you can potentially get lots of false positives and will have to spend time tuning them. This is something I'm quite familiar with from my time spent in data security. Whenever there are a bunch of contextual factors in play, you will no doubt get false positives. If you don't manage it properly, you will get LOTS of false positives effectively rendering your solution useless.

The thing that surprised me was that it also takes into account the information you're dealing with, not just identity and session information. I'm talking about the business data, which allows for more data-centric policies (something that is sorely lacking in many access control environments). Of course, I'm a bit biased in this respect because thanks to my time in data security, I now think everything should be related back to data in some way instead of being based on static, reactive access controls. In other words, I think real-time security controls need to take identities, context and data into account. Again, Amit did warn against balancing the data-centric stuff against performance. The more in-line data you watch for, the slower OAAM is going to get.
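As an added illustration (not from the post and not Oracle's code), here is a toy risk-scoring engine in Python built around the trade scenario above: a user who trades around $1000 once a week suddenly puts through several trades above $5000 in a day. It scores each trade on historical, session-context and business-data factors, maps the score to allow / challenge / block, and also shows the tuning problem from the surrounding paragraphs, where a tighter threshold starts flagging a legitimate larger trade. The factor weights, thresholds, the "alice" history and the country code "XX" are all constructed assumptions.

```python
"""Toy behavioural risk-scoring engine in the style the post describes for OAAM.

Constructed example, not Oracle code: a user's trade history is the baseline,
and each new trade is scored against per-user (historical), per-session
(context) and per-transaction (business data) factors. Thresholds turn the
score into allow / challenge / block; the policy knobs are what gets tuned
when false positives pile up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Trade:
    user: str
    when: datetime
    value: float          # business data: the trade amount
    ip_country: str       # session context: where the request came from


@dataclass(frozen=True)
class RiskPolicy:
    # Factor weights (assumed values; a real deployment tunes these).
    high_value_score: int = 40      # trade far above the user's typical value
    burst_score: int = 30           # unusually many trades in one day
    new_country_score: int = 30     # session from a country never seen for this user
    # Per-factor thresholds.
    value_multiple: float = 3.0     # "far above" = more than N x the user's median trade
    daily_count_limit: int = 2      # more than this many trades per day is a burst
    # Score cut-offs for the decision.
    challenge_at: int = 30          # step-up authentication
    block_at: int = 60              # refuse the action


def score_trade(history, trade, policy):
    """Score one trade against the user's earlier trades. Returns (score, reasons)."""
    past = [t for t in history if t.user == trade.user and t.when < trade.when]
    if not past:
        return 0, ["no history: no baseline to compare against"]
    score, reasons = 0, []

    # Historical + business-data factor. The median is used so that a few
    # outliers already in the history do not drag the baseline up and hide later ones.
    typical = median(t.value for t in past)
    if trade.value > policy.value_multiple * typical:
        score += policy.high_value_score
        reasons.append(f"value {trade.value:.0f} > {policy.value_multiple:g}x typical {typical:.0f}")

    # Frequency factor: this trade plus earlier trades on the same calendar day.
    same_day = sum(1 for t in past if t.when.date() == trade.when.date()) + 1
    if same_day > policy.daily_count_limit:
        score += policy.burst_score
        reasons.append(f"{same_day} trades today > limit {policy.daily_count_limit}")

    # Session-context factor: a country never seen in this user's history.
    if trade.ip_country not in {t.ip_country for t in past}:
        score += policy.new_country_score
        reasons.append(f"first request from {trade.ip_country}")
    return score, reasons


def decide(score, policy):
    """Map a risk score to an access decision."""
    if score >= policy.block_at:
        return "block"
    if score >= policy.challenge_at:
        return "challenge"
    return "allow"


def evaluate(trades, policy):
    """Replay trades in time order; returns [(trade, score, decision, reasons), ...]."""
    ordered = sorted(trades, key=lambda t: t.when)
    results = []
    for i, trade in enumerate(ordered):
        score, reasons = score_trade(ordered[:i], trade, policy)
        results.append((trade, score, decide(score, policy), reasons))
    return results


# Constructed history: one ~$1000 trade a week from GB, then a burst of $6000+
# trades in one day (one from a country never used), then a legitimate $2500 trade.
START = datetime(2008, 8, 4, 10, 0)
SAMPLE_TRADES = [Trade("alice", START + timedelta(weeks=w), 1000 + 50 * (w % 3), "GB")
                 for w in range(8)]
BURST_DAY = START + timedelta(weeks=9)
SAMPLE_TRADES += [
    Trade("alice", BURST_DAY, 6000, "GB"),
    Trade("alice", BURST_DAY + timedelta(hours=1), 6500, "GB"),
    Trade("alice", BURST_DAY + timedelta(hours=2), 7000, "XX"),   # "XX": constructed code
    Trade("alice", BURST_DAY + timedelta(days=3), 2500, "GB"),    # legitimate larger trade
]


def decisions(policy=RiskPolicy()):
    """Decisions for SAMPLE_TRADES under a policy; compare policies to see the tuning effect."""
    return [d for _, _, d, _ in evaluate(SAMPLE_TRADES, policy)]


if __name__ == "__main__":
    for trade, score, decision, reasons in evaluate(SAMPLE_TRADES, RiskPolicy()):
        print(f"{trade.when:%Y-%m-%d %H:%M} {trade.value:>7.0f} {trade.ip_country} "
              f"score={score:<3} {decision:<9} {'; '.join(reasons)}")
```

With the default policy the weekly trades are allowed, the first two $6000+ trades get a step-up challenge, the third (burst plus unknown country) is blocked, and the later $2500 trade passes; lowering `value_multiple` to 2.0 turns that last trade into a false positive.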

OAAM does have more features than I've mentioned (including additional authentication mechanisms you won't find in stock standard web access management products) but I don't work for Oracle so I won't go through all of them. If you're really interested, go read the supporting materials.

I still think there's more that could be done to improve the product. They've only scratched the surface of sophistication that one could have in performing data-centric, identity and context aware controls based on real-time behavioural analysis. But it's a decent start towards making access control more pro-active instead of the traditional reactive measures we've had to implement in the past. Most importantly, it's something the other large vendors don't have (but would love to be able to whip out in a sales situation). So for now, Oracle can wave it around in the faces of the competition.

I should stress once again that I have yet to see it in action so I can't speak for its reliability, ease of implementation or that it does everything Oracle says it can do. But as the saying goes: "in the kingdom of the blind, the one-eyed-man is king" :-)

I'll write about the other things we spoke about in a follow up post.

Saturday, May 10, 2008

Roundtable with Oracle President Charles Phillips

I mentioned Oracle not so long ago and the fact that they are starting to reach out to the blogging community. They've now extended those efforts properly to the UK.

Last week, I was contacted by Oracle about my availability for a meeting today with Charles Phillips, Oracle's President who has been visiting customers around Europe this week. The theme of the meeting was to be Web 2.0 and linking this into Enterprise 2.0, specifically with regards to how Oracle is addressing these areas.

I initially thought it was an open event in a large auditorium full of people and assumed I would simply be in the audience - more or less the type we're used to when someone gives a keynote speech at a conference. I later found out that it was a small event that was being held in a meeting format where the attendees had to be invited. I was a little apprehensive at first because I'm not a writer/journalist by trade, but thought it would be interesting to meet the man in person, hear what he had to say and ask a question or 2 of my own.

It turned out to be a meeting around a table with a mixture of invited participants and a handful of Oracle attendees including Chief Marketing Officer Judith Sim and Charles Phillips of course. Oracle's rationale behind selecting the invitees was basically that we were all regular bloggers about a topic of interest (related to Oracle's business somehow) and based locally in or around the UK. Whether we were media types, analysts or consultants, it did not really matter.

The only real bit of news that came out of the meeting was that Oracle are taking the Enterprise 2.0 initiative forward by implementing an "Enterprise 2.0 sales force" to take their solutions to market and more importantly, to educate their customers.

The format was "open". Oracle stressed that they wanted it to be a discussion and they hoped to have many more in future. To his credit, Charles didn't preach to us. He simply gave a brief 2 minute introduction about why he wanted to speak to us, what he's been doing all week and then opened the floor to questions for discussion.

Charles started by saying that he understands PR as we know it is no longer working and he doesn't need it. If he wants to get at his customers, he can go directly to them very easily. He also mentioned that the purpose of his European visit was to get a feel for customer needs and how they were leveraging Oracle technology. Essentially, many are looking to simplify computing environments and of course Oracle are only too happy to help. He also noted that as a result of all the acquisitions they've made over the past few years, Oracle technology is now firmly embedded in many more organisations and is becoming a strategic platform (which means more CEO meetings as opposed to the past where they only got as far as the CIO).

I won't go through everyone's questions and Charles' answers because they weren't particularly focused or even related (I'll get to that later) and if I detail everything, this post will sound even more like the meeting minutes it is starting to resemble :-)

The topics that came up were:
  • Customer Relationship Management (CRM).
  • Supply Chain Management (SCM).
  • Cultural differences especially in the Asian region and how Oracle looks to handle this without "pushing technology down their throats".
  • Extending the Enterprise 2.0 initiatives and reaching out to the wider developer community. Judith Sim mentioned Oracle Mix as a good example of how they are currently doing it and will continue to use that avenue.
  • Salesforce CEO Marc Benioff's Web 3.0 announcement.
  • Convincing middle management about the value Enterprise 2.0 can offer.
  • Linking business processes and Enterprise 2.0 concepts.
  • Security/Identity 2.0 and Oracle's position on how it fits with Enterprise 2.0 (I asked him this in a rather long winded way).
In trying to help us understand how Oracle views Enterprise 2.0, Charles gave the following examples:
  • Finding the right expert internally within an organisation to help with something you are doing - Charles talked about how Oracle encourages their employees to tag themselves as being "experts" in certain areas. In addition to this, others get to vote on whether you are really an expert in the areas you claim. It's the whole notion of reputation...very Identity 2.0. I was tempted to ask him about where he thought reputation fit into their Identity strategy but thought it might have been too specific and targeted a question and not appropriate for the topic we were discussing at the time (collaboration).
  • Sharing of information between sales people within CRM systems - Teams of people typically share material informally through various methods including word of mouth or email. Oracle wants to move this informal information sharing into the CRM system to facilitate more collaborative interaction between the sales teams and help identify useful material using things such as tagging and voting so they can more easily find materials and not have to re-invent the wheel. Doing this also gives management more visibility with regards to what is working, what is useful and how to potentially improve things.
  • Expense approval processes - Currently, the typical process involves the approval step being left to the judgement of the individual. For example, if someone expenses a flight from New York to San Francisco, the approver will look at the cost and make a "best guess" as to whether it looks reasonable. Oracle's view of how this should evolve is to allow the approver real time and historical information to help them make a more informed decision instead of guessing.
The word collaboration came up quite a fair bit during the meeting. It is obvious Oracle sees the ability for people to collaborate efficiently, easily and in real time as being key to making Enterprise 2.0 successful.

As for my question, I started by taking note of Oracle's very fast growth to now being one of the leaders in the security space, particularly the Identity and Access Management arena through their flurry of acquisitions (Charles responded by saying "I'm glad you noticed"). I also noted that they announced their strategy for Service-Oriented Security (which I mentioned here) and how it clearly feeds into their Enterprise 2.0 strategy from a middleware perspective. My question was around how Oracle would move forward with the following things:
  1. Making sure that the whole security layer becomes more pervasive in their application and middleware portfolio.
  2. Using the Enterprise 2.0 initiative to help organisations realise a better and more complete enterprise security model especially around data privacy and governance without having to spend years implementing the so called "off the shelf" solutions.
  3. How they would look to drive their leadership position forward and become more active in the Identity and Security community with some of the Identity 2.0 initiatives, noting that he had mentioned the concept of reputation (which is a very new and misunderstood area in Digital Identity) when giving his example on collaboration and voting on whether someone was indeed an expert.
Charles sort of answered my question. He answered all 3 at once by saying he thinks they already have a great set of solutions and an "Identity stack" to allow for the whole pervasive notion and good integration with their other software products. In his opinion, Oracle just hasn't done enough evangelising. He thinks Oracle will help customers by bringing to market best practices and expertise they have internally and that a lot of this will be driven through education and the Enterprise 2.0 sales force (the "Enterprise 2.0 sales force + education" answer was prevalent in most of his answers to everyone's questions).

I followed up by asking if he thought a lot of the work would or needed to be done internally or whether there were more acquisitions on the horizon. I'm not sure if I said those words specifically, but that's what I meant. He reiterated that he thought they already had most of what they need and it was a matter of driving the initiatives forward with what they currently have.

His answers to my questions were a little bit generic and I could easily imagine other large Enterprise Identity and Access Management vendors like IBM, Sun or CA coming up with that answer. In fact, it was the type of answer I would have given in my IBM days when customers asked similar things (albeit in a different context to Enterprise 2.0). To be fair, I may have been too specific about Identity and he just didn't have the right product marketing people around him to answer my questions in more detail.

In my opinion, Oracle haven't quite worked out what to do with security in the context of Enterprise 2.0. They are clinging on to their notion of "Service-Oriented Security" for now as being their Enterprise 2.0 security layer. The initial focus looks to be on the whole notion of collaboration and Oracle WebCenter. For those of you familiar with the IBM world, think IBM Lotus Web 2.0. I don't know enough about each of the technologies to comment on which I think is better, but IBM and Oracle are going head to head yet again in trying to be the leader in this space.

Some of the other attendees have posted their reactions to the meeting. Here are the ones I've found (I'll add more as I find them so stay tuned):
  • Dennis Howlett's ZDNet blog entry (which made the ZDNet front page for a few hours) - He lists the questions he asked and was generally positive.
  • One of Dennis Howlett's twitter statuses during the meeting - I wonder if he included me in the "no idea about Enterprise 2.0 category". In the group's defence, we are all from different backgrounds and have different interests. Just because we didn't approach the whole Enterprise 2.0 thing from his angle doesn't mean we don't know anything about it. Sure there's still a lot of educating to be done because Enterprise 2.0 is still largely open to interpretation. We simply got a taste of what Oracle thinks it is. IBM probably has a different view, as will other vendors. Heck, the industry hasn't even agreed on what Web 2.0 means yet! So Dennis, give the group a break.
  • Matthew Aslett - Good overview of the collaboration technologies mentioned and how they fit in with the Enterprise 2.0 initiative.
  • Neil Ward-Dutton - Review of the meeting and some views on Oracle's "reaching out to bloggers" initiative.
  • Stuart Lauchlan - Review of the meeting concentrating on the Enterprise 2.0 related news.
The list of attendees suggests to me that Oracle wanted to get people from different backgrounds and interest groups so they could get a good spectrum of ideas and varied approaches. We certainly got varied opinions and questions. Unfortunately, the whole discussion lacked a little focus and everyone seemed to be trying to link their questions in with others to give everything some continuity and fluidity (which may also explain Dennis Howlett's opinion that we were all asking "v.soft questions"). It was difficult to get everyone in a room to REALLY sink their teeth into whatever the discussion happened to be because a specific question being addressed at any particular point in time may not have been an area everyone knew a lot about. Everyone had their own interests and agendas and it showed in the questions that were asked. The discussion was probably also a victim of the fact that Enterprise 2.0 is a new area and open to much interpretation. Perhaps some sort of very loosely defined structure or pre-meeting brief around Oracle's Enterprise 2.0 plans would have facilitated more thought and discussion because the attendees would be able to do a little bit of preparation. It's a tough one because it's a bit of a contradiction to put structure around what is meant to be an unstructured session.

I'm not trying to detract from the event. All things considered, it was a worthwhile activity and a very good first attempt here in the UK. Essentially, I think what Oracle were trying to achieve was a real world manifestation of what happens in the Blogosphere: real time open discussion based on varied opinions with a theme at the centre. It was a good effort from the Oracle PR team and I think everyone in attendance appreciated the gesture. One of the other attendees remarked to me that he was VERY surprised at being invited to such an event because Oracle in the past has been particularly formal about public relations. They are obviously doing a lot of work to change that perception and the more of these types of event they do, the better they will be for it. How very "Public Relations 2.0" of them (cringe if you want at that comment but I couldn't resist).

P.S. There are some photos of the meeting and in the single photo that I'm in where you can see my face (there were a few of the back of my head), I look like I'm asleep! I obviously wasn't otherwise I would have had a lot of trouble writing this post. They must have caught me in mid-blink! No, I'm not going to post it on here :-)

Tuesday, April 22, 2008

Oracle reaches out to the blogging community

Oh, and they made a rather significant announcement at the RSA Conference too. Both are tied together. Allow me to explain.

I was first contacted by a representative of Oracle's PR department about an invitation to attend an exclusive blogger luncheon with Oracle executives on April 10 in San Francisco around their impending RSA announcement. During the luncheon, Hasan Rizvi (Vice President of Identity Management and Security Products at Oracle) was to provide attendees with an exclusive preview of Oracle's keynote announcement at the RSA Conference.

My first thought was "Oooooooo, free lunch". Then it hit me. It was in San Francisco and I live in London. "D'oh". So I had to politely decline, despite being tempted to ask if Oracle would pay for my air ticket and accommodation.

That's not the end of the story though. They subsequently followed up by inviting me to an alternate event. A blogger exclusive call the morning of that same day (April 10) to be held by Amit Jasuja (Vice President of development for Oracle's Identity Management and Security products) with the caveat that information shared on the call was to be embargoed until noon PT that day. Those who read this blog regularly know that there's no risk of me talking about anything so soon after finding out about it because I just don't have the time nor the urgency to behave like a journalist...or Robert Scoble.

The announcement itself is not the main purpose of this post. I'm not a fan of regurgitating information that's available, so I'll just point you at what I've found so far (admittedly the links are very Oracle centric in terms of content, but most others out there have just been regurgitating the press release and not adding to it):
I will say a couple of things regarding the announcement (briefly). It didn't surprise me one bit. In fact, all it did was formalise what they've been evangelising and selling anyway. Oracle's been charging very aggressively into 2 particular areas over the past year or two. SOA, and security. Of course, they went out and bought most of their technologies. But there is no stronger indication that they believe in the SOA strategy than their acquisition of BEA Systems in January this year. Their security technologies have been built out very nicely through their acquisitions and it's also nice to see that they're starting to build out the emerging areas of fine grained authorisation (aka entitlement management), role management (through their acquisition of Bridgestream) and governance solutions. The suite is starting to round out nicely and they look to be running faster than their main competitors (IBM, Sun, CA) at the moment. Their marketing and PR departments are certainly earning their money.

Now I'll get to what I actually wanted to say. I applaud Oracle for reaching out to the blogging community because:
  • They've certainly understood the whole blogging thing for a lot longer than the other big vendors out there (just look at the large list of people working in key Oracle positions that actually blog about their technology).
  • They understand there's more than issuing a press release and hoping something happens that justifies the marketing costs.
  • They understand that it's about creating discussion and awareness. Multi-way discussions are much more interesting and have the added bonus that something well written and insightful can have a viral effect.
  • They know a lot of key decision makers read blogs.
  • An opinion written by a non-Oracle employee holds a lot more credibility (assuming the author is credible themselves) than something written by an internal Oracle person who has to "toe the line". And if something written turns out to be less than positive, that's fine too because Oracle's bloggers can respond to it in a very interactive and hopefully constructive manner that makes Oracle's products better in the long run (if product management listen).
  • Press releases are just boring and don't offer anything people couldn't otherwise find by looking on a company's website.
I agreed to attend the call fully aware of their agenda and am playing into Oracle's hands by talking about it. That's completely fine by me, because I'm just giving my honest opinion and they haven't influenced my comments in any way.

They did mention that this was the first time they had reached out formally to bloggers and they would like to continue doing so moving forward. Being the first time also meant that they didn't quite know how to conduct the call and generate some interactivity. Amit Jasuja basically gave a more detailed version of the press release and presented the rationale behind a lot of it. When it came time for questions, no one asked anything. I tried very hard to think of one, but I just couldn't. Not quite what they were hoping I'm guessing. They needed more stimulus material to get people's creative juices flowing. Also, it was an audio only call. Perhaps in future they could have some visual aspects. I'm not advocating slides, but at least that would be better than an audio only presentation. Hopefully they'll get better at these calls as they do more of them. But it was a nice first attempt at extending the olive branch to the community. They also followed up a few days after the call to see if I had any questions, which was a nice touch. In case you were wondering, I still had no questions :-)

The other large juggernauts of the software industry in the security space need to take note. Oracle's marketing is very good. If their products keep getting better and they keep rounding out their portfolio, they're going to be very tough to stop.

P.S. You may notice that the Oracle call I attended was almost 2 weeks ago. It's taken me this long to write about it because I've just moved apartments in London. What that means is that I've been very busy with the move and I don't have Internet connectivity in the new place yet. It's apparently going to take 3 weeks for my ISP to get my connection enabled again (even though I gave them advance warning and my new phone line was active for over a week prior to the move). When I asked why I had to pay for the 3 weeks of ABSOLUTELY NO SERVICE, they just said it wasn't their fault. I don't understand why ISPs in the UK are soooooooooooooooo bad at providing decent customer service. But that's another whole issue that I probably shouldn't get started on. I'm writing this from my hotel room in Prague (I have business meetings here over the next few days).

Saturday, March 15, 2008

I wonder if my ex-IBM colleagues will still speak to me

My thoughts regarding the IBM acquisition of Encentuate have been drawing quite a bit of traffic, so I guess it's a topic of interest this week.

Nishant Kaushik, Oracle's Architect for Identity Management Products gives his views on the whole thing including cheekily quoting me. I know it's all in good fun, so I'll respond in the same spirit...although I should ask if they've given him a new role as a member of the sales team? :-) Yes yes I know, the people in the product management/architecture team are evangelists by default, so they have a responsibility to help sell/evangelise their products.

He pinpoints my comments that the upgrade from IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO) 6.0 (the current version and OEM of Passlogix v-GO) to version 7.0 (the "blue-rinsed" version of Encentuate) is a "rip and replace". He suggests (tongue in cheek) that instead of going through the pain of upgrading to ITAM ESSO 7.0, customers should "upgrade" to Oracle's OEM version of Passlogix v-GO, the Oracle Enterprise Single Sign-On suite, because it'll be much easier moving forward and...
"could save many an enterprise many a headache."

While that's true in theory, customers could also go the direct route to Passlogix and just upgrade to the next version of v-GO. It's the same product with a different skin. I'm not saying I have a preference for Passlogix over Oracle. I'm just saying you have a choice.

Before you go rushing off and telling IBM where to shove their Encentuate product, the first question you need to ask yourself is, "do I have any other IBM Tivoli security products deployed?" In most cases, the answer will be "yes". If you do, the smart thing to do is to stay calm. Because if you have already invested in other IBM Tivoli security products, it's going to cost you a heck of a lot more to "upgrade" them to Oracle's versions. A "rip and replace" of your core Identity and/or Access Management infrastructure is going to be 1,000,000 times more painful than a "rip and replace" of your ESSO solution. If you only have ITAM ESSO, then maybe you can consider the "upgrade" to Oracle or Passlogix because you aren't as heavily invested in the IBM Tivoli technology. But I know IBM, and I know they will do their utmost to ensure they don't lose their valued customer base...especially over something like a strategic acquisition. I just hope IBM understands the position they have put their existing ITAM ESSO customers in by acquiring Encentuate and do everything possible to minimise the pain (IBM, please don't say "eliminate the pain" because that would just be lying, aka marketing).

Here's more food for thought, especially if ITAM ESSO is the only thing you have implemented from IBM Tivoli. If you "upgrade" from ITAM ESSO to Passlogix v-GO or Oracle's OEM version of v-GO, you will have to buy the product again. Your IBM licenses will not carry over, unless Passlogix and/or Oracle get very aggressive and agree to "upgrade" your deployment and waive the software costs (there's a thought for the sales management team in Oracle and Passlogix, assuming the latter feels like testing their already tenuous relationship with IBM) (UPDATE: Passlogix have responded to me via email in relation to their position. I have written a new blog entry addressing this). IBM will not charge you to upgrade to ITAM ESSO 7.0 if you already have 6.0 and your yearly support and maintenance haven't lapsed. That's just business as usual (assuming IBM haven't changed the policy since I left). The only costs you will likely have to incur, as I said before, are the services costs (and any internal, intangible costs to business productivity because of the need to upgrade). If IBM want to keep customers happy, they'll need to somehow subsidise these additional costs. Charging customers the usual fees will not go down well. Remember, Oracle and Passlogix are just waiting in the wings and would like nothing better than to "upgrade" your customer.

So those are the choices as I see them. As a customer, you are actually sitting in a position of power at the moment. You just have to wear the pain of the potential "rip and replace" from ITAM ESSO 6.0 to whatever you choose as the "upgrade". IBM will be nice to you because they want you to upgrade to version 7.0. Oracle and Passlogix (I shouldn't count Sun, BMC, RSA or any other company Passlogix has "gotten under the sheets with" out of the equation here) will want to displace IBM from your environment. Just work out what's best for your organisation in the longer term after careful consideration.

As for my ex-IBM colleagues, the last I checked they were still talking to me, taking my calls and answering my emails. In fact, I know some of them subscribe to this blog (hi guys!). But if any of their existing customers read my previous post (or even this one), they may be getting some irate phone calls asking what IBM is going to do to help them upgrade painlessly and possibly getting yelled at for selling them a product that is essentially about to be "decommissioned" by IBM.

Sorry guys. I'm just telling it like it is ;-)

Wednesday, October 24, 2007

Oracle integrates Bharosa

I spoke about having a to-blog list of things back in August. One of the things on that list was some thoughts on the Oracle acquisition of Bharosa. In light of Oracle announcing a few days ago that they had completed the integration, I thought now would be a good time to cross the item off my list.

First of all, the product name. It's now called Oracle Adaptive Access Manager (OAAM). They've kept to the boring naming convention that seems to be the norm in the Enterprise Identity and Access Management (IDM) industry (with an exception which I talked about here).

Oracle also acquired Bridgestream recently (I wrote about that here). As I've said previously, couple that with the Bharosa acquisition and this gives Oracle 2 products in their suite that the other major vendors do not have the capability to match.

I've spoken with many a customer who has commented on the fact that it would be great if web access management solutions provided some protection against fraudulent activity. This comment used to come up on a monthly basis, so it's something that the market has been asking for (which is exactly why Bharosa filled a need). The large vendor answer used to be "well, just hook the audit logs of the access management product to a security event management product and write in some rules for alerting". To be truthful, this answer was crap. Unfortunately, it was the only answer that could be given without being kicked out of the room.

With the Bharosa acquisition, Oracle filled this need and added much needed and very useful capability into their suite. Sure, OAAM gives Oracle additional features around authentication. But the most important thing is that it monitors and reacts to potentially risky or fraudulent behaviour in real time. For example, a user could have access to perform certain actions or access certain parts of a web application, but if they exhibit risky behaviour leading up to the sensitive transaction, they can either be challenged further or be denied access completely. This is extremely powerful and can be a preventative measure which stops fraud dead in its tracks instead of only allowing for follow up analysis after an incident, assuming someone even noticed in the first place. This is true dynamic authorisation based on behaviour rather than traditional "yes/no" authorisation decisions that are so prevalent in the access management technologies today.

There will of course be times where the technology gets it wrong and prevents legitimate users from doing things. This will no doubt cause some pain on the user's part and subsequently on the service provider's part (e.g. customer satisfaction issues). But this is a lot better than allowing fraudulent activity to occur and then telling the user about it after the fact. In the case of banks, the costs are usually absorbed (although they are not necessarily required to - they just do it to keep their customers happy). In other cases, the user has to wear the loss. Ask someone if they would rather be denied access as opposed to losing their money and 99% of the time, they'll pick the "deny access" option. Of course, there are trade offs. If they get denied too often, then they go somewhere else. It's a balance and this is where getting the rules and policies correct are critical. You want to be able to protect against fraudulent activity without getting in the way of business. This should be the mantra of all security departments. DO NOT get in the way of business while keeping things secure. The best security technologies are business enablers, NOT business inhibitors. It's how one gets the balance correct that will go a long way towards measuring the success of a security department and subsequently the IT department.
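To make the "dynamic authorisation based on behaviour" idea and the tuning trade-off concrete, here is an added example of a risk-scoring decision point. It is illustrative code written for this post, not OAAM or Bharosa code, and the rule names, weights, thresholds and session fields are all assumptions. The sample sessions are constructed. The point of the evaluate() function is the balance discussed above: the same rules with different thresholds stop the same fraud but put a different fraction of legitimate users through a challenge.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2007, 10, 24, 12, 0)  # fixed clock so the example is deterministic


@dataclass(frozen=True)
class Session:
    """Context gathered before a sensitive transaction (hypothetical field names)."""
    user: str
    device_id: str
    known_devices: frozenset
    country: str
    last_login_country: str
    last_login_at: datetime
    failed_logins_last_hour: int
    transaction_amount: float


# Each rule: (name, weight, predicate). Weights are illustrative, not a product's.
RULES = [
    ("new_device", 30, lambda s: s.device_id not in s.known_devices),
    ("impossible_travel", 40,
     lambda s: s.country != s.last_login_country
     and NOW - s.last_login_at < timedelta(hours=2)),
    ("credential_stuffing_velocity", 25, lambda s: s.failed_logins_last_hour >= 5),
    ("high_value_transaction", 20, lambda s: s.transaction_amount >= 10_000),
]


@dataclass(frozen=True)
class Policy:
    step_up_at: int = 30  # challenge (OTP, KBA, ...) at or above this score
    deny_at: int = 70     # refuse the transaction outright at or above this score


def score(session):
    """Sum the weights of every rule that fires; also return which ones fired."""
    fired = [(name, weight) for name, weight, pred in RULES if pred(session)]
    return sum(w for _, w in fired), [n for n, _ in fired]


def decide(session, policy=Policy()):
    """Map the risk score to ALLOW / STEP_UP / DENY instead of a flat yes/no."""
    total, reasons = score(session)
    if total >= policy.deny_at:
        return "DENY", total, reasons
    if total >= policy.step_up_at:
        return "STEP_UP", total, reasons
    return "ALLOW", total, reasons


def evaluate(policy, labelled):
    """Tuning check: (fraction of fraud challenged or denied,
    fraction of legitimate sessions given friction). labelled = [(session, is_fraud)]."""
    stopped = friction = fraud = legit = 0
    for session, is_fraud in labelled:
        outcome = decide(session, policy)[0]
        if is_fraud:
            fraud += 1
            stopped += outcome != "ALLOW"
        else:
            legit += 1
            friction += outcome != "ALLOW"
    return stopped / max(fraud, 1), friction / max(legit, 1)


# Constructed sessions for one user (assumed data, not real traffic).
KNOWN = frozenset({"dev-laptop-1"})
LEGIT = Session("jsmith", "dev-laptop-1", KNOWN, "GB", "GB",
                NOW - timedelta(days=1), 0, 120.0)
UNUSUAL = Session("jsmith", "dev-phone-9", KNOWN, "GB", "GB",
                  NOW - timedelta(days=1), 0, 15_000.0)
FRAUD = Session("jsmith", "dev-unknown", KNOWN, "RO", "GB",
                NOW - timedelta(minutes=40), 7, 9_500.0)
SAMPLE = [(LEGIT, False), (UNUSUAL, False), (FRAUD, True)]

if __name__ == "__main__":
    for s in (LEGIT, UNUSUAL, FRAUD):
        print(s.device_id, decide(s))
    print("default policy:", evaluate(Policy(), SAMPLE))
    print("looser policy: ", evaluate(Policy(step_up_at=60, deny_at=100), SAMPLE))
```

With the default thresholds the new-device, high-value session gets a step-up challenge, and the fraud session is denied. Raising the step-up threshold to 60 still catches the fraud session (it is challenged rather than denied) while the legitimate high-value session sails through; that is the kind of knob the policy owner has to turn with real data in front of them.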

What I'm about to say may sound familiar to those that read my Oracle and Bridgestream post.

Having OAAM gives Oracle an additional dimension to the way they can perform access controls and access management in their Identity and Access Management deployments. It also puts them ahead of their competition in terms of feature/function comparisons. So from a technical marketing standpoint, they are ahead and may win some deals this way. I mention this because it's only going to help if someone REALLY wants this type of functionality. It possibly also makes Oracle more favourable when analysts do their quadrants and charts.

But the main thing to keep in mind is that most software sales are not made based on feature/function comparisons. They are only useful in tenders (RFIs, RFTs, RFPs) to allow vendors to answer "yes" to more questions. Having something extra will generally not win a deal. NOT having something that is mandatory however, can lose a deal. That's all Oracle have done. Bought insurance against losing a bid. From a technical and IDM suite perspective however, it's a good move. It's also great to have the capabilities in place if you're implementing it in your environment. Whether it actually works as prescribed however, I don't know. I've never implemented Bharosa. Time will tell.

Friday, October 05, 2007

Oracle and Bridgestream

This news is about a month old, but in case you've been in a cave for the past month (like I have, well not a cave but I've been in China so that's close enough) and don't know, Oracle bought Bridgestream. Now that's 2 things they have on the competition. The Bharosa and Bridgestream acquisitions give them 2 things their major competitors (IBM, Sun, CA, BMC, Novell) don't have.

Role management is a bit of an ambiguous term. It means different things to different people. In the software world, this usually refers to some sort of role mining, automation and discovery. There are a few vendors out there doing this (Bridgestream was one, Eurekify is another) and they end up calling their offering role management because it helps automate the whole process of figuring out what the heck an organisation's roles should look like and who should be in these roles.

This all sounds good in theory, but role management in the form I've just described has not exactly taken off. It's one of those things that people keep saying they need to do. Except all they end up doing is sticking a bunch of roles they think will work into their provisioning systems and waiting to see what needs changing later on. Of course, by then it's too late and they have to re-do all the roles. As always, they pay an exorbitant amount of money to a consulting firm (I'm looking at you Accenture and Deloitte, and perhaps IBM too) to do the work.

It's also been a victim of priorities and security maturity levels in organisations. Most are not at the stage where they are ready to look at role mining and automation. Provisioning and access controls are usually the first things that get implemented, then some sort of audit, compliance and reporting capabilities are tagged on to feed off phase 1. Role management ends up being the nice to have...and by then there's no money, no time and no resources available. So we get into the near enough is good enough syndrome.

Yes I know proper role management helps with proper segregation of duties and also keeps auditors happy. But role management as a single discipline does not solve the whole issue. It needs to be used in conjunction with all the other Identity Management capabilities that typically get implemented. The role management/mining vendors have also suffered from being too low on the food chain and not being tied into a major vendor to be dragged along as part of the sale. It's also usually too difficult to integrate into whatever Identity Management software solution an organisation is implementing and becomes another moving part that is usually one of the first things to get thrown away...or at best pushed to phase 5. I've yet to see organisations get past phase 2 or 3 in the space of a few years. Phase 5 will show up...eventually.

And this is where Oracle have just placed themselves in the driver's seat. By buying Bridgestream, they've got another selling point over their competitors. And when organisations do indeed get to that phase 5 (or whatever), guess what...Oracle's going to ride in on their white horse and say they have a tightly integrated solution that has been tested and kicked around in production. I'm sure a few of their customers will want to be early adopters. Oracle will throw in a bunch of financial incentives to ensure that happens. It's the smart thing to do.

And when Oracle's doing this, whoever buys Eurekify (SAP, are you listening? You want to get into the Identity game and get ahead - it also makes perfect sense if you want to link it all nicely into R/3 and NetWeaver) will be left behind (although they'll still be ahead of the others that are just sitting there hoping sales will fall into their laps while their Identity Management technologies lag behind the competition).

And at some stage, someone's going to realise that just sucking in all your roles (and users) in from HR into your provisioning system only does half the job. Operational roles (stuff that is useful for day-to-day use) are not usually representative of what you find in HR. It helps to have an automated way to figure out what the operational roles really are. It's not going to be easy, and putting in a tool won't be a no brainer, but if it's integrated nicely into the provisioning system it certainly helps cut out a lot of the work...and takes business away from consulting firms that roll out whole teams of fresh graduates (who know nothing) to implement your enterprise security infrastructure for you. Scary isn't it. But we know that's what they do.
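Here is an added example of what the role mining described in the two passages above (the "figure out what the roles should look like" bit, and the "HR roles only do half the job" bit) actually does on data. This is illustrative code written for this post, not Bridgestream's or Eurekify's algorithm, and the users, departments and entitlement names are constructed. It builds top-down roles from HR departments, measures how many grants those explain, and then mines the leftovers bottom-up to surface operational roles HR knows nothing about.

```python
from collections import defaultdict

# Constructed sample (assumed, not from any real organisation): HR department per
# user, and the entitlements each user actually holds on the target systems.
DEPARTMENTS = {
    "alice": "Finance", "bob": "Finance", "carol": "Finance", "grace": "Finance",
    "dave": "Engineering", "erin": "Engineering", "frank": "Engineering",
}
ASSIGNMENTS = {
    "alice": {"ERP_LOGIN", "GL_VIEW", "GL_POST", "EMAIL"},
    "bob":   {"ERP_LOGIN", "GL_VIEW", "EMAIL"},
    "carol": {"ERP_LOGIN", "GL_VIEW", "GL_POST", "EMAIL"},
    "grace": {"ERP_LOGIN", "GL_VIEW", "EMAIL", "VPN"},
    "dave":  {"EMAIL", "VPN", "GIT_PUSH"},
    "erin":  {"EMAIL", "VPN", "GIT_PUSH", "PROD_DEPLOY"},
    "frank": {"EMAIL", "VPN", "GIT_PUSH"},
}


def hr_roles(assignments, departments):
    """Top-down: the entitlements every member of an HR department holds in common."""
    members = defaultdict(list)
    for user, dept in departments.items():
        members[dept].append(frozenset(assignments[user]))
    return {dept: frozenset.intersection(*sets) for dept, sets in members.items()}


def mine_roles(assignments, min_users=2):
    """Bottom-up: users with identical entitlement sets form one candidate role.
    Singletons are dropped; a 'role' with one member is just that person's access."""
    groups = defaultdict(list)
    for user, ents in assignments.items():
        if ents:
            groups[frozenset(ents)].append(user)
    return {ents: sorted(users) for ents, users in groups.items()
            if len(users) >= min_users}


def residual(assignments, departments, roles):
    """Grants left over once each user's HR department role is subtracted."""
    return {u: set(ents) - roles[departments[u]] for u, ents in assignments.items()}


def coverage(assignments, leftover):
    """Fraction of all grants explained by the roles that produced `leftover`."""
    total = sum(len(e) for e in assignments.values())
    unexplained = sum(len(e) for e in leftover.values())
    return (total - unexplained) / total


if __name__ == "__main__":
    roles = hr_roles(ASSIGNMENTS, DEPARTMENTS)
    left = residual(ASSIGNMENTS, DEPARTMENTS, roles)
    print("HR roles:", {d: sorted(r) for d, r in roles.items()})
    print("grants explained by HR roles: %.0f%%" % (100 * coverage(ASSIGNMENTS, left)))
    # What HR cannot tell you: the approver role shared by alice and carol.
    print("operational roles:", {tuple(sorted(e)): u for e, u in mine_roles(left).items()})
```

On this data the HR-derived roles explain 84% of grants; the mined leftover shows two Finance users who both hold GL_POST, which is the kind of operational (approver) role that never appears in the HR feed and that someone has to discover before it can be provisioned as a role rather than as ad hoc grants.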

The Bridgestream acquisition isn't a huge game breaker. It's just Oracle buying insurance for the future. They may get a few deals here and there because a customer happens to think the world of role management/mining. But it's a smart strategic move.

They're fleshing out their capabilities nicely in the game we know as Enterprise Identity Management. I don't know what the other vendors are doing. For their sake, I hope they're not sitting there in blissful ignorance thinking their market share will not get eaten up by Oracle.

Wednesday, July 04, 2007

Managed Identity Services are a hard sell

I came across an announcement today where Wipro and Oracle have apparently partnered to offer customers Managed Identity Services and found it a rather curious move to make on Oracle's part. The only question I have for them is...why?!

I can understand Wipro wanting to explore the opportunities in Identity Management (IDM) outsourcing (they're an Indian company and are trying to get into IDM with a vengeance so it seems a logical move on their part), but Oracle doesn't need something like this. Why? Because they'll fail. The market is not ready for outsourced IDM and may never be. Most are still busy trying to work out their internal processes. Even the companies that have IDM software solutions are still working the kinks out of their processes.

The concept of outsourcing IDM has been around for a while. Access360 (now IBM Tivoli Identity Manager) explored the concept by designing their Enrole product to support the potential that someone might want to outsource their IDM. This feature got quietly thrown out not long after IBM acquired Access360. The reason (I'm guessing) is because there wasn't enough market demand for such a feature.

Think about it. If you outsource your IDM, you're outsourcing the keys to your kingdom. It's akin to giving someone the keys to your front door and asking them to decide who to let in and what they can do in your house. Are they really going to understand that the vase you have on the coffee table is an antique from the Ming dynasty and should under no circumstances be touched and that no kid under the age of 13 should go within 2 metres of it? You really have to trust your outsourcing provider not to screw things up because your business operations rely on the IDM infrastructure being there and functioning properly. Imagine if all of a sudden no one could change passwords or the authentication and access control mechanisms weren't working? Business would just stop.

What about the security implications and risks? Taking the house analogy further, outsourcing your IDM is like giving someone your keys and an inventory of all the things in your house and everything about what can be done to those things. This inventory will also contain the details of every inhabitant within your house or that has a right to visit your house. The keys and this inventory with all this private, sensitive information is now sitting in someone else's place. Sure they tell you it's "locked in a safe"...one which you've never actually seen and have no actual control over who can get to this safe. What assurances do you have that they have the right security measures in place to protect this safe? Or that they have the adequate screening processes to ensure that people that can get into this safe are trustworthy and will not compromise your keys and inventory? These security risks should be enough for an organisation to say "thanks but no thanks."

But if for some insane reason these risks are not compelling enough to say no, let's explore the other issues...

Take into account the experiences most people have in outsourced IT environments and it's not a pretty picture. I've been in enough outsourced accounts to know (and not just ones managed by IBM) that customers tend to be bitter about the outsourcing provider and cannot wait until the day the contract re-negotiations are due so they can throw them out of the account. In fact, I know of a few ex-customers of mine back in Australia that have done just that (some are big financial institutions so the size of the contracts are going to make a dent in someone's ledger). You throw in giving an outsourcing provider the responsibility to manage your IDM processes and infrastructure and it gets a whole lot more complicated.

Outsourcing IT operations is just that. You let someone else worry about where to put those Unix servers and how to connect those cables. You just need to know that there is a server room full of Unix servers that are guaranteed to be up 99.9999999% of the time and they run your business applications which just need to keep running (yes I'm over-simplifying, but you get what I mean). When you outsource a critical function like IDM, you are outsourcing a whole bunch of business processes that are very specific to your organisation and throwing into the mix a whole bunch of IT management issues. Add to that the political and cultural issues prevalent in all IDM projects (most will say this is the hardest part) and you've got a heck of a problem.

Yes people outsource business processes, but they are usually very standard, mature business functions like Payroll or HR. These don't get thrown into the IT management mix. IDM is like taking HR functions, "one-of-a-kind" custom business processes, all your people and all your IT systems and throwing these together into a mixing bowl and hoping you get a nice cake out of it. It usually takes a few attempts before you can even get a simple sponge cake. The first few attempts usually result in some inedible mess of a cake that you give to the dog to eat while you go try again. Problem with IDM is that there is no dog. You have to eat it yourself while trying to figure out why you've got dog food.

All the variables make IDM outsourcing destined to fail (for now). There are too many moving parts. Business processes are too specific to your organisation (e.g. every bank has different processes for the same thing). You're kidding yourself if you think you can make it someone else's problem just by outsourcing it. IDM will never be someone else's problem. It is always your own problem because you're managing YOUR users using YOUR business processes.

Wipro may be on to something because there's definitely a business opportunity for those not put off by the security risks. Who wouldn't want to make their IDM problems someone else's? But until the whole market works on standards and the solutions are commoditised, IDM outsourcing is just too difficult and is destined for failure.

Until IDM can be defined end-to-end as a set of standardised services from IT all the way through to business processes, you can't outsource your IDM with any level of confidence that it'll all hang together. Standardisation is only beginning with things like XACML, SAML, SPML, OpenID etc. But you can't escape the fact that these are technology focused standards. Real life use cases are not about technology.

When the day comes where all the underlying standards to support an IDM SOA infrastructure are there (and we're still working out the whole picture here), then we can start to get somewhere. And even then it'll still be difficult to make IDM someone else's problem. Sure, someone can probably host the stuff for you, but the business process issues are still going to be yours and you'll still need the technologists around to facilitate everything. The day when you can comfortably outsource all your IDM functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity, access, security, audit and compliance related processes in an industry ratified and standardised fashion that can be sent straight to the IDM service and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.

Friday, March 16, 2007

Oracle Identity Architect sets the record straight himself

I made a post yesterday about Oracle's Identity Management product architect Nishant Kaushik's blog post relating to IBM Tivoli Identity Manager (ITIM) and its reconciliation behaviour, specifically around pattern matching during automatic adoption of accounts.

My point was that ITIM does indeed support pattern matching. Nishant had come to the incorrect conclusion based on a presentation given by IBM's Stuart McIrvine at this year's RSA Conference and mentioned in his post that ITIM does not support this while Oracle Identity Manager (OIM) does.

I went on to say that I posted a comment on Nishant's blog attempting to correct the misconception, but could not for the life of me find the comment until I searched for it using Google.

Today I have to give credit to Nishant for setting the record straight publicly in his latest post. He even quotes straight from my comments, including my not so subtle dig at IBM for sending someone without the deep product knowledge required to respond adequately to technical questions.

Good on you Nishant. There's one problem though...I still can't find those comments very easily!

UPDATE: Nishant's just updated his blog with this post where he mentions that he knows there are a few gremlins in the system. This includes my observation about comments not appearing against the relevant posts. In other words, he didn't do it on purpose. The software is just acting up. I assume he'll try to figure out what's going on and get it fixed eventually.

Thursday, March 15, 2007

Watch out for Oracle Systems Management

Oracle's just released a new version of their Oracle Enterprise Manager. Oracle President Charles Phillips said:
"We've been in the management business for awhile but I think we were more narrowly focused in the past," Phillips said. "We've probably undersold this product. It's been selling on its own on the back of other deals."

I've commented on this in the past but this looks to be the first deliberate public step towards stomping on the toes of IBM, CA, BMC and HP. Prior to this, they've been rather quiet about their systems management capabilities. The new release claims to cover management of SOA, identity management, change management, process orchestration, key performance indicators, patch management and Oracle's CRM application stack. This is in addition to prior capabilities in monitoring and managing their core middleware and database products.

I don't claim to be an expert on this Oracle product family but at face value, it looks like they mean business. Where they lose out to the incumbents (IBM, CA, BMC, HP) is in the area of network and infrastructure management and monitoring. Where they have a distinct advantage however, is in the area of their application management and monitoring capabilities - particularly with regards to their CRM stack. The fact they own the software means that they should be able to manage it better than anyone else. I say "should" because I've seen companies make hopeless attempts at trying to add value to their own software products and having their lunch eaten by smaller niche players who do a better job (of course, when this happens the large vendor usually just acquires the smaller player).

I doubt it'll take Oracle too much time to catch up with the others in the infrastructure and network space. Why? Because it's a mature market and the best practice solutions and processes are out there...as are the expertise. In other words, Oracle don't need to spend a lot of time figuring out how to do infrastructure and network management. They can either hire the right people or more likely just acquire the mature niche technologies out there. When this happens, the others better watch out because they are going to have their hands full with Oracle in the systems management space. Want evidence of Oracle's prior track record of executing successfully on something very similar? Just take a look at what they did with their Identity Management capabilities.

Setting the record straight on Oracle Identity Architect's blog

Those of you that read Oracle's Identity Management product architect Nishant Kaushik's blog may have recently read this post where he comments on the behaviour of IBM Tivoli Identity Manager's (ITIM) reconciliation function and contrasts it with Oracle Identity Manager (OIM).

Nishant had attended the RSA conference and sat in on a session titled "Delivering Security Integration with Compliance" by IBM's Stuart McIrvine. The following question was asked by an attendee:
"How do you figure out and correlate the account [say account 'jsmith2345'] with the identity [John Smith] it belongs to".

Apparently Stuart's answer was:
"It is based on matching of a common attribute tracked on both the account and the identity. This could be an employee id, a social security number or some other attribute that makes sense."

Nishant's critique on ITIM was that it should really support pattern recognition based matching like OIM does. I have news for readers...ITIM does. I'm not here to defend ITIM. Remember, I no longer work for IBM. I just happen to be in a position where I know ITIM inside out and felt the need to set the record straight.
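For readers who haven't run a reconciliation, here is an added example of the two matching styles under discussion: adoption on a common attribute (the employee id answer Stuart gave) and adoption on a pattern derived from the identity's name (the capability Nishant said ITIM lacks). This is illustrative code written for this post, not ITIM's or OIM's implementation; the identities, accounts and rule templates are constructed. The one practitioner detail it insists on is the edge case that makes pattern matching dangerous if you get it wrong: when a pattern fits more than one identity, the account is parked for manual adoption rather than auto-adopted to whichever identity happened to come first.

```python
import re

# Constructed identity feed (assumed data, e.g. from HR) and accounts pulled back
# from a target system during reconciliation. 'jsmith2345' is the account from
# the RSA question; two Smiths are included on purpose.
IDENTITIES = [
    {"uid": "1001", "first": "John", "last": "Smith", "employee_id": "E1001"},
    {"uid": "1002", "first": "Jane", "last": "Smith", "employee_id": "E1002"},
    {"uid": "1003", "first": "Amit", "last": "Jasuja", "employee_id": "E1003"},
]
ACCOUNTS = [
    {"name": "ajasuja", "employee_id": "E1003"},    # clean attribute match
    {"name": "janesmith", "employee_id": None},     # needs a name pattern
    {"name": "jsmith2345", "employee_id": None},    # pattern fits two identities
    {"name": "svc_backup", "employee_id": None},    # nobody's: an orphan
]


def attr_match(attr):
    """Rule: account and identity carry the same value for a common attribute."""
    return lambda acct, ident: (acct.get(attr) is not None
                                and acct.get(attr) == ident.get(attr))


def name_pattern(template):
    """Rule: account name matches a template built from the identity's name.
    {f} = first name, {fi} = first initial, {l} = last name; trailing digits allowed."""
    def rule(acct, ident):
        pattern = template.format(f=re.escape(ident["first"]),
                                  fi=re.escape(ident["first"][0]),
                                  l=re.escape(ident["last"])) + r"\d*"
        return re.fullmatch(pattern, acct["name"], re.IGNORECASE) is not None
    return rule


# Most specific rule first; a looser rule is only tried if a stricter one found nothing.
RULES = [
    ("employee_id", attr_match("employee_id")),
    ("first+last", name_pattern("{f}{l}")),
    ("initial+last", name_pattern("{fi}{l}")),
]


def reconcile(accounts, identities, rules=RULES):
    """Adopt each account to exactly one identity, or flag it for a human."""
    result = {"adopted": {}, "ambiguous": {}, "orphans": []}
    for acct in accounts:
        for rule_name, rule in rules:
            candidates = [i["uid"] for i in identities if rule(acct, i)]
            if len(candidates) == 1:
                result["adopted"][acct["name"]] = (candidates[0], rule_name)
                break
            if len(candidates) > 1:
                # Never auto-adopt on a tie: that is how one person's account
                # ends up owned (and de-provisioned) by someone else.
                result["ambiguous"][acct["name"]] = (sorted(candidates), rule_name)
                break
        else:
            result["orphans"].append(acct["name"])
    return result


if __name__ == "__main__":
    for bucket, entries in reconcile(ACCOUNTS, IDENTITIES).items():
        print(bucket, entries)
```

The rule order is deliberate: the attribute rule wins where the attribute is populated, the full-name pattern resolves janesmith unambiguously, and jsmith2345 stops at the initial-plus-surname rule as ambiguous between the two Smiths instead of being guessed. The orphan list is what you hand to the application owner.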

I actually did attempt to do this by commenting on Nishant's blog in response to his post about a month ago. I waited and wondered why it didn't appear. I was about to rant about how Oracle suppresses information that does not aid OIM's case until our good friend Google found my response here.

While this isn't exactly suppressing information, it is still not good enough in my opinion because it's almost impossible to find unless you're specifically looking for it like I was. My observation of Nishant's blog is that he seems to route all comments relating to his posts into his discussion forum. If you look at his posts, it looks like no one's commenting (the footers all say "comment[0]"). Not exactly useful because there's no easy way to track the comment thread from the original post. Heck, I can't even find a link to the discussion forum itself. Maybe I'm not looking hard enough.

I seriously doubt Nishant reads my blog so if anyone knows him please pass this message on. I'd email him, but I have a feeling it'll be ignored.

UPDATE: I received an email from Nishant shortly after publishing this post. The email was sent in reply to my comment on his blog which I mentioned above (looks like he gets an email every time someone posts a comment). So maybe he doesn't ignore emails...he just takes a very long time to answer them...or maybe you need to make a blog post which provides him with a compelling reason to act :-)

Saturday, February 24, 2007

IBM responds to Oracle with Mickey Mouse monitoring tool

Before I start, I should point out that just because I no longer work for IBM does not mean I dislike IBM. I still have a great respect for "Big Blue" and will continue to do so until they do something that radically changes my mind. I say that up front because I'm about to be somewhat critical of them. I've always had my criticisms of the company, but now I can raise them in a public forum (instead of privately discussing them with my colleagues) without fear of having management "give me a stern talking to"...now I just have to put up with comments from my former colleagues. But a little healthy discussion never hurt anyone.

I am referring to the new monitoring offering from IBM Tivoli, specifically around the Identity and Access Manager products. The monitoring offerings can be found here and here. I'll probably get a little grief about this from those of you I know from IBM. Hey, I'm entitled to my opinion, aren't I? Especially as I talked about Oracle's offering earlier this month.

Before I move on, I'll take a little detour and talk about IBM from a marketing standpoint. I used the term "respond" in the title to this post, but I'm not sure that's the case. I was simply referring to what the average person would perceive it as. As far as marketing and image is concerned, perception is the truth. Oracle made their announcement early in February. According to IBM's pages, the monitoring offerings were released mid to late January, which is before Oracle's announcement.

So it looks like it was being developed at the same time as Oracle, unless IBM have managed to trick those of us delving deeper into believing this is the case by listing the release dates in January. I don't know because even internally within IBM, there was no announcement to the greater community until my last week at IBM (week ending February 16)...and I worked for the field sales team whose job it is to sell the software and use announcements like this as "value add selling points". And herein lies the problem with IBM marketing when it comes to Identity and Access Management. If they do such a poor job of communicating this information internally (in a timely manner), how are they to do this effectively to the external audience? This lends itself to a belief I've had for as long as I've worked in this area.

The biggest barrier to sales and building a long term pipeline (even one that the sales people cannot see) and dare I say shortening the sales cycle (apologies for using all these sales "buzzwords") is that IBM is behind the eight ball when it comes to mind share in the Identity and Access Management arena. When it comes to enterprise identity, the press is filled with references to Oracle. When it comes to user centric identity, it's all Microsoft (and occasionally smaller niche players like Sxip and JanRain). Lately, even Symantec's getting into the act.

It never used to surprise me when people would look at me with bewilderment when I told them IBM was one of the leading vendors in this space. It still doesn't surprise me. IBM's PR and marketing machine does an extremely piss weak (i.e. very poor) job of talking up its Identity market leadership. It spends too much time harping on about Linux, Open Source, SOA and the services offerings from Global Business Services and Global Technology Services (at least I think that's what they're called now - they keep changing the names and re-organising the business units, and I have first hand experience that confirms how confusing it is even for employees). Even with these headline messages, they send out mixed signals!

Now that I've got that out of the way, back to the topic at hand. I'll be the first to admit that I don't know the deep technical details of what Oracle's offering actually does. I only know what I've read at a high level. At face value, it looks like Oracle's offering does more than IBM's. I won't outline the details because you can go read about it yourselves (unfortunately, the only link I can provide is this one to the announcement - Oracle's site is so crap that I couldn't find any specific information about their monitoring offering for identity management). I linked to IBM's offering earlier in this post but here are the links again if you don't want to scroll (here and here).

The monitoring offering from IBM tracks the following in Tivoli Identity Manager (TIM):
  • Server availability and server process activity
  • Memory usage characteristics: heap size before and after garbage collection, max heap size, garbage collection time
  • Workflow queue backlog
  • User page response times
  • Tablespace usage
  • Logged error messages
And the following in Tivoli Access Manager (TAM):
  • Server availability and server process activity
  • WebSEAL statistics
  • Junction statistics
  • Response times
  • Workload
Here's why I think these features are "Mickey Mouse" in nature. Most customers I know who have implemented TIM and/or TAM and want to monitor the identity infrastructure have had to implement it themselves (because as I have previously said, there was no actual solution provided by IBM for it). How did they do it? Shell scripts that take a day or so to write. Pretty trivial stuff because they just wanted to monitor infrastructure statistics like performance, server load, response times, table space usage etc. But hang on, that looks like what IBM's just provided as the monitoring offering! All IBM have done is hook it into the IBM Tivoli Monitoring product set via the Tivoli Universal Agent! If I were a customer, I'd still write my own and let my shell script feed the data into the relevant standard monitoring infrastructure within the organisation's environment.
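For anyone who hasn't written one of these, this is the shape of the "day or so" script the paragraph above is talking about, using the directory server underneath TIM and TAM as the data source (added example, not IBM's offering or anything from the original post). It takes the output of a base search against the directory's cn=monitor entry, turns the raw counters into a few numbers worth alerting on, checks them against thresholds, and emits plain "metric value timestamp" lines that most collectors will swallow. The LDIF below is constructed; the attribute names are the ones I recall TDS publishing under cn=monitor, so treat them as an assumption and check them against your own `ldapsearch -s base -b cn=monitor objectclass=*`. The thresholds are illustrative.

```python
import time

# Constructed sample output of `ldapsearch -s base -b cn=monitor objectclass=*`
# against a TDS instance. Attribute names are assumed (verify against your own
# server); the values are made up for this example.
SAMPLE_LDIF = """\
dn: cn=monitor
cn: monitor
version: IBM Tivoli Directory Server 6.0
currentconnections: 180
maxconnections: 200
totalconnections: 44512
opsinitiated: 903211
opscompleted: 903190
livethreads: 12
entriessent: 7712040
bytessent: 3955124421
"""

def parse_ldif_entry(text):
    """Parse one flat LDIF entry into {attr: value}; purely numeric values become int."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        attrs[name.strip().lower()] = int(value) if value.isdigit() else value
    return attrs

def derive_metrics(attrs):
    """Reduce raw counters to the handful of numbers an operator actually wants to see."""
    conns, limit = attrs["currentconnections"], attrs["maxconnections"]
    return {
        "connection_utilisation_pct": round(100.0 * conns / limit, 1),
        "ops_in_flight": attrs["opsinitiated"] - attrs["opscompleted"],
        "live_threads": attrs["livethreads"],
    }

# Illustrative thresholds; tune to your own environment.
THRESHOLDS = {"connection_utilisation_pct": 85.0, "ops_in_flight": 50}

def check_thresholds(metrics, thresholds=THRESHOLDS):
    """Return the names of metrics at or above their threshold (empty list means healthy)."""
    return [name for name, limit in thresholds.items() if metrics[name] >= limit]

def to_collector_lines(metrics, prefix="tds", now=None):
    """Emit 'metric value timestamp' lines, the plain-text form most collectors accept."""
    ts = int(now if now is not None else time.time())
    return [f"{prefix}.{name} {value} {ts}" for name, value in metrics.items()]

if __name__ == "__main__":
    m = derive_metrics(parse_ldif_entry(SAMPLE_LDIF))
    print("\n".join(to_collector_lines(m)))
    print("breaches:", check_thresholds(m))
```

In a real deployment the LDIF comes from a pipe rather than a string literal, and the emitted lines go to whatever the organisation already runs, which is exactly the point: the hard part is deciding what to measure, not plumbing it into the monitoring tool.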

Of course, IBM usually doesn't do things without a few good reasons. In this case, it is possibly for the following reasons:
  • They knew what Oracle was doing and didn't want to be seen as falling behind.
  • IBM customers have been calling out for a monitoring solution to deal with the IBM Identity Suite for over 2 years and they decided to finally address it (in a half hearted sort of way). In other words, the sales team can finally say "yes" without looking guilty when customers ask if there's a monitoring solution for the Tivoli Identity and Access Management suite.
  • It's a good way to up-sell customers who have the Tivoli Identity suite and get them to consider the Tivoli Monitoring suite.
Of course, that's not to say it doesn't have any real benefits. Problem is, I can only see 2:
  • Customers no longer have to write their own shell scripts to do this.
  • IBM services teams and IBM business partners no longer have to write scripts when they deploy the Tivoli Security products to deal with monitoring. Of course, any good services team will have already written the scripts and should just re-use as much of it as possible, so one could argue whether this is a benefit here. It's probably more beneficial for teams who are new at deploying the products.
As for the biggest barriers to adoption:
  • This is useless to me unless I have IBM Tivoli Monitoring.
  • I cannot modify the solution for my own needs...at least not easily.
  • Where is the monitoring offering for the underlying identity infrastructure? By that I mean the most important software support component used by TIM and TAM - IBM Tivoli Directory Server (TDS)! TDS is the LDAP component so one could argue that you could go find some open source alternative or find some LDAP monitoring solution out there. This defeats the whole purpose doesn't it? IBM's solution lets you monitor TIM and TAM for "infrastructure things" but doesn't actually let you monitor the core software components supporting the applications. So the answer is to use the new offering for TIM and TAM but go build your own or buy something else to monitor TDS? Sounds rather nonsensical to me. I may be over reacting here because monitoring an LDAP server is not difficult. It's common and pretty standard practice. TDS even has a section of the LDAP tree (the cn=monitor entry) that can be queried for monitoring stats. Problem here is that I've still got to somehow feed that into my monitoring solution. Back to writing scripts I guess! To illustrate this point, let me just point one thing out. TIM and TAM don't work without TDS. Enough said.
  • It only monitors trivial infrastructure metrics. There is nothing that will give me the business context I need, which is often the biggest reason to monitor the security and identity infrastructure.
Here are a few examples of what I mean when I say business context monitoring:
  • Repeated failed authentication attempts.
  • Tracking a user's session to alert of suspicious behaviour.
  • Alerting of requests for access to "sensitive" parts of the environment (systems or additional access to what a user already has).
  • Real time alerts of additional access privileges that do not meet defined security policies (an email to a person hoping they'll see it soon doesn't cut it I'm afraid).
The list is endless...and will be very different for each company, especially when dealing with business processes around auditing and compliance. Don't get me wrong. IBM Tivoli (and possibly even Oracle) has the products in place to address these needs. There just hasn't been a combined solution that solves these issues easily. There's too much services and customisation work involved and not enough "cookie cutter" approaches to make life easier for end users and services teams. And here is where both Oracle and IBM have not addressed a real need.
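To show the difference between infrastructure metrics and business context, here is an added example (mine, not IBM's or Oracle's, and not from the original post) that implements two of the bullets above as detection logic over a handful of constructed events: repeated failed authentication attempts within a short window, and an access grant into a group the organisation considers sensitive. The event format is deliberately generic; a real deployment would normalise WebSEAL or TIM audit records into this shape first. The users, addresses, group names, window and threshold are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real WebSEAL or TIM output), already normalised to
# "<iso timestamp> <event> <user> <detail>" where detail is a source address or a group.
SAMPLE_EVENTS = """\
2007-02-24T09:00:01 AUTH_FAIL jsmith 10.1.1.5
2007-02-24T09:00:04 AUTH_FAIL jsmith 10.1.1.5
2007-02-24T09:00:09 AUTH_FAIL jsmith 10.1.1.5
2007-02-24T09:00:12 AUTH_FAIL jsmith 10.1.1.5
2007-02-24T09:00:15 AUTH_FAIL jsmith 10.1.1.5
2007-02-24T09:00:20 AUTH_OK jsmith 10.1.1.5
2007-02-24T09:30:00 AUTH_FAIL ajones 10.1.1.9
2007-02-24T10:45:00 AUTH_FAIL ajones 10.1.1.9
2007-02-24T11:02:00 GRANT ajones PayrollAdmins
2007-02-24T11:05:00 GRANT bwong HelpDesk
"""

FAIL_THRESHOLD = 5                   # this many failures ...
FAIL_WINDOW = timedelta(minutes=1)   # ... within this window raises an alert
SENSITIVE_GROUPS = {"PayrollAdmins", "DomainAdmins"}   # illustrative policy

def parse_events(text):
    """Yield (timestamp, event, user, detail) tuples from the normalised text form."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, detail = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), event, user, detail

def detect(events):
    """Return alert strings for brute-force style failures and sensitive grants."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    for ts, event, user, detail in events:
        if event == "AUTH_FAIL":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) == FAIL_THRESHOLD:           # == so one burst alerts once, not on every extra failure
                alerts.append(f"{ts.isoformat()} repeated failures: {user} from {detail} "
                              f"({len(q)} in {FAIL_WINDOW})")
        elif event == "GRANT" and detail in SENSITIVE_GROUPS:
            alerts.append(f"{ts.isoformat()} sensitive access granted: {user} -> {detail}")
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The point of the sliding window is that ajones' two failures an hour apart are noise while jsmith's five in fourteen seconds are not; a heap-size graph will never tell you that, and neither will an email that arrives tomorrow morning.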

Thursday, February 08, 2007

Oracle a systems management vendor?

Oracle announced today the release of a management pack for their Identity Management suite. It's apparently a systems management and monitoring suite for Identity Management environments. It'll obviously work with (I didn't say work well, but it should at least plug into) the Oracle products, but an interesting tidbit is that it's supposed to work with other Identity Management infrastructure too. They could just mean LDAPs and Active Directory rather than the suites from other vendors. In fact, I'd be very surprised if it does work with other vendors' suites without having to do a lot of integration work...which begs the question why not just buy a monitoring/systems management solution from CA, IBM, BMC, HP or even the latest, hyped Open Source alternative in Hyperic if you're not using Oracle's Identity products? Maybe Oracle realise this but have a longer term strategy in mind. More on this later in this post.

That aside, it probably makes sense for an organisation using Oracle Identity Management (IdM) software to use it if "out of the box" monitoring of their IdM environment is desired. The biggest problem Oracle have? They are not a systems management vendor so they'll have a tough time selling into accounts where one of the previously mentioned system vendors' products is the incumbent. I do however, applaud them for this move. It's something customers have been crying out for for a while. No vendor I know of (IBM included) has done a particularly good job of working out how to monitor their Identity Management infrastructure both from a business perspective and a software infrastructure perspective. It's pretty much just been a services engagement that is not exactly easily repeatable because of the very nature of services. I get asked by customers all the time: "so how do you monitor this stuff". It was because of this fact that we made a high level attempt in the IBM redbook I co-authored to address the issue but it was prescriptive rather than a detailed "get your hands dirty" approach. You really need a systems management/monitoring expert to work with an Identity Management expert (in whatever products you happen to be working with) to work out the kinks and the details. With a software solution built exactly for this specific purpose, one could argue you cut that time in half.

The gauntlet has been thrown down by Oracle to the other vendors to address this issue. Identity Management infrastructure is fast becoming core to an organisation's infrastructure and figuring out a nice, easy way to perform systems management activities on this infrastructure is paramount to building out the whole story. It's not like we are all running around acting surprised that customers actually want an easy way to monitor the critical part of the environment they have just been sold and implemented. It's just a matter of prioritising this within the product roadmap and understanding that it's a very important aspect and will help sell the core solution and also serve as a way to cross sell the systems management solutions (and vice versa). Systems management vendors should view this as a way to leverage their strengths and provide a compelling story for customers to make a sizable investment in a vendor's brand of solutions.

Perhaps this is a preview of Oracle's strategy moving forward? Are they going to be buying a systems management company soon? Wouldn't surprise me the least bit. And when they do, watch out CA, IBM, BMC and HP. Could you imagine Oracle coming out saying they can monitor data, identity management, application servers and ERP systems out of the box? CA, BMC and HP had better get their act together or Oracle's going to come out and eat their lunches (even more so than Oracle already is). They'd potentially also have a leg up on IBM simply by rounding out the picture. Of course, IBM has all these pieces except the ERP software...and they've stated they do not want to get into the "applications" game. IBM however, is still well ahead of Oracle in the systems management game. For how long, I don't know. Maybe not much longer.

Oracle should just fork out the cash and buy BMC. Or if they're looking at the bigger picture and want to go head to head with IBM, then they should buy HP.

Note: I know how big HP are, so I'm not even sure if Oracle would have the cash to buy HP. Maybe a merger would be more realistic. Maybe someone should ask Larry Ellison at the next keynote speech he gives.

Update: Vince Padua correctly reminds me with his comment in response to this post that Oracle already took a step towards becoming a systems management vendor. They have their "Oracle Enterprise Manager" offering. Read his comment for a good summation of what it does and go to Oracle's site for more product info if you're interested.

Thursday, November 30, 2006

Oracle announces identity governance framework

Oracle announced a project around managing the proliferation of identity information across the enterprise. They called it...wait for it...the Identity Governance Framework (IGF). Hmmm, no points for creativity here. At least it's clear.

Apparently the goal is to hand this over to a standards body like OASIS or Eclipse eventually. It also has the support of the following vendors:
  • Ping Identity
  • Sun Microsystems
  • Securent
  • CA
  • Novell
There are 2 notable absentees: IBM and Microsoft. Maybe they're taking a "wait and see" approach. After all, this might go nowhere. Stranger things have happened before.

Update 8 Feb 2007: Oracle released this to the Liberty Alliance royalty free.