IBM gets more end-pointy

To be specific, I should say IBM ISS. This time, they're getting in bed with with BigFix (the press release is here). Here's the first paragraph of the release:

"Today, IBM announced a first-of-a-kind endpoint security offering, IBM Proventia Endpoint Secure Control (ESC), that is designed to enable enterprises to escape from the constraints of vendor lock-in and to enhance endpoint security, compliance and operations at a lower cost. This new endpoint security offering is delivered by IBM Internet Security Systems (IBM ISS) leveraging IBM's depth in security experience and technology from BigFix, Inc. for endpoint security management."

It sounds like it's some sort of OEM agreement with BigFix to offer up security-focused, endpoint systems management. Essentially, it's to allow for organisations to manage all the bits and bobs of software that end up having to be deployed on endpoints (laptops, desktops etc.) and become a nightmare to manage over time. IBM harps on about "vendor lock-in" and stress that having ESC/BigFix in place makes it much easier to swap out software and replace it with new stuff (McAfee AV with Symantec's, for example). Sounds nice in theory and marketing slides. Not so simple in reality, even with a shiny new toy.

I won't get into the minefield relating to it being a good idea to have some sort of common security policy management or decision point across everything (which is what Symantec and McAfee are trying to do across their bag of toys) that this doesn't address, but I'm sure IBM are working on that. By the way IBM ISS, the boys at Tivoli might have some stuff that you could use? You should try talking to them...which brings me to my next point.

I can't help but notice that there's some level of overlap with what IBM Tivoli provides in the way of their systems management software, but this is IBM so it doesn't surprise me that the left hand doesn't seem to be talking to the right hand. It's business as usual and somewhere within IBM, a bunch of people in Tivoli are going to be wondering why IBM ISS keeps trying to compete with them. To be fair, the IBM Tivoli stuff isn't as endpoint-focused when it comes to security and isn't as security-focused when it comes to endpoints (this is confusing unless you know the Tivoli products - you IBM Tivoli people know what I'm talking about don't you). The press release does make a reference to Tivoli:

"The new tool will complement IBM Tivoli's operational desktop management offerings with robust endpoint operational security solutions, allowing customers the ability to address end point security. IBM Proventia ESC will also provide key endpoint security audit data to IBM Tivoli Security Information and Event Manager (TSIEM), further strengthening TSIEM's enterprise-wide compliance reporting capabilities."

But that statement sounds to me like it was thrown in to "keep Tivoli happy". TSIEM could get its endpoint security audit data from any other competitive endpoint source. It doesn't need ESC specifically! Of course, the marketing department will throw in comments like it'll be better integrated and have "out of the box connectors" but we know how true these things are. Unless development is managed by the same brand, this is extremely difficult to achieve in an adequate amount of time. My money's on the fact that the implementation partner is going to have to be the one that picks up the pieces if/when the integration at a client's site is required.

Strategically however, this move makes sense. If your memories go back to late 2007 (yeah I know that's quite some time ago), you may remember IBM ISS dipping its toe into data security by offering managed services using a combination of Verdasys, Fidelis and PGP software. I'm not sure they got very much traction out of that initiative, but this is a continuation of an increasing focus on the endpoint by IBM ISS, and they want to manage it all too:

"'The killer application in endpoint security is management,' said Dan Powers, vice president of business development at IBM Internet Security Systems."

I don't really agree that management is "the killer app" in the endpoint game, but it's certainly a key piece. The likes of Sophos, Symantec, McAfee, Checkpoint have all been progressively coming out with their own versions of "one agent to rule them all" and wrapping a management layer around it all. I suppose IBM ISS didn't want to get left behind because when it comes to data security, if you ignore the endpoint you've lost the game.

Novell joins Identity monitoring scrum

I mentioned IBM, CA and Oracle's forays into the monitoring of their Identity Management products here, here, here and here. Now Novell's adding to the scrum, but their focus is different from the other vendors mentioned above. In their announcement, Novell says that:

"Tight integration with Sentinel from Novell gives Identity Manager 3.5 the capability to provide critical feedback of system, network and application event activity within the context of an identity."

What this means is that Novell's definition of monitoring here is more along the lines of the business context monitoring I talk about in this post...which does not seem to be explicitly being addressed by IBM, CA or Oracle in their Identity monitoring offerings. I also mentioned in this post that each vendor has taken a different approach with their respective offerings. Novell looks to have taken yet another different approach to the others by focusing on compliance and identity based monitoring rather than infrastructure monitoring. If you combine all the focus areas of these 4 vendors, you have a pretty complete identity monitoring offering. Unfortunately, no single vendor has a satisfactory solution that covers all the important parts of monitoring their Identity Management suite.

To get a better understanding of what Novell seems to be doing with their monitoring integration between Sentinel and their Identity Manager, have a look at the solutions from SailPoint Technologies and IBM Consul. These focus very much on the identity centric compliance of enterprise systems. IBM only acquired Consul late last year so they're still "blue-rinsing" the products. Once that is done, they'll be placed into the Tivoli software portfolio and no doubt integrated with the IBM Tivoli Security products to give the business context identity centric functionality so sorely lacking at the moment in all the identity suites (although Novell looks to be addressing this now). Of course, once "blue-rinsed", IBM will claim that the Consul products integrate natively with the Identity Management portfolio. Perhaps this will be partially true, but I don't expect this to be 100% until the next release of the Consul products (probably renamed and properly released under the Tivoli banner by then).

The identity monitoring scrum is getting more crowded, but this is simply in reaction to what the market has been asking for in the past few years. It's about time the vendors started listening. What about Sun and BMC and HP? They're behind the 8 ball at this stage. To be fair, BMC has started to move in this direction with their announcement of having their systems management solutions line up with ITIL and COBIT, but these aren't identity centric. They are systems management and infrastructure centric.

Watch out for Oracle Systems Management

Oracle's just released a new version of their Oracle Enterprise Manager. Oracle President Charles Phillips said:

"We've been in the management business for awhile but I think we were more narrowly focused in the past," Phillips said. "We've probably undersold this product. It's been selling on its own on the back of other deals."

I've commented on this in the past but this looks to be the first deliberate public step towards stomping on the toes of IBM, CA, BMC and HP. Prior to this, they've been rather quiet about their systems management capabilities. The new release claims to cover management of SOA, identity management, change management, process orchestration, key performance indicators, patch management and Oracle's CRM application stack. This is in addition to prior capabilities in monitoring and managing their core middleware and database products.

I don't claim to be an expert on this Oracle product family but at face value, it looks like they mean business. Where they lose out to the incumbents (IBM, CA, BMC, HP) is in the area of network and infrastructure management and monitoring. Where they have a distinct advantage however, is in the area of their application management and monitoring capabilities - particularly with regards to their CRM stack. They fact they own the software means that they should be able to manage it better than anyone else. I say "should" because I've seen companies make hopeless attempts at trying to add value to their own software products and having their lunch eaten by smaller niche players who do a better job (of course, when this happens the large vendor usually just acquires the smaller player).

I doubt it'll take Oracle too much time to catch up with the others in the infrastructure and network space. Why? Because it's a mature market and the best practice solutions and processes are out there...as are the expertise. In other words, Oracle don't need to spend a lot of time figuring out how to do infrastructure and network management. They can either hire the right people or more likely just acquire the mature niche technologies out there. When this happens, the others better watch out because they are going to have their hands full with Oracle in the systems management space. Want evidence of Oracle's prior track record of executing successfully on something very similar? Just take a look at what they did with their Identity Management capabilities.

Oracle a systems management vendor?

Oracle announced today the release of a management pack for their Identity Management suite. It's apparently a systems management and monitoring suite for Identity Management environments. It'll obviously work with (I didn't say work well, but it should at least plug into) the Oracle products, but an interesting tidbit is that it's supposed to work with other Identity Management infrastructure too. They could just mean LDAPs and Active Directory rather than the suites from other vendors. In fact, I'd be very surprised if it does work with other vendors' suites without having to do a lot of integration work...which begs the question why not just buy a monitoring/systems management solution from CA, IBM, BMC, HP or even the latest, hyped Open Source alternative in Hyperic if you're not using Oracle's Identity products? Maybe Oracle realise this but have a longer term strategy in mind. More on this later in this post.

That aside, it probably makes sense for an organisation using Oracle Identity Management (IdM) software to use it if "out of the box" monitoring of their IdM environment is desired. The biggest problem Oracle have? They are not a systems management vendor so they'll have a tough time selling into accounts where one of the previously mentioned system vendors' products is the incumbent. I do however, applaud them for this move. It's something customers have been crying out for awhile. No vendor I know of (IBM included) has done a particularly good job of working out how to monitor their Identity Management infrastructure both from a business perspective and a software infrastructure perspective. It's pretty much just been a services engagement that is not exactly easily repeatable because of the very nature of services. I get asked by customers all the time: "so how do you monitor this stuff". It was because of this fact that we made a high level attempt in the IBM redbook I co-authored to address the issue but it was prescriptive rather than a detailed "get your hands dirty" approach. You really need a systems management/monitoring expert to work with an Identity Management expert (in whatever products you happen to be working with) to work out the kinks and the details. With a software solution built exactly for this specific purpose, one could argue you cut that time in half.

The gauntlet has been thrown down by Oracle to the other vendors to address this issue. Identity Management infrastructure is fast becoming core to an organisation's infrastructure and figuring out a nice, easy way to perform systems management activities on this infrastructure is paramount to building out the whole story. It's not like we are all running around acting surprised that customers actually want an easy way to monitor the critical part of the environment they have just been sold and implemented. It's just a matter of prioritising this within the product roadmap and understanding that it's a very important aspect and will help sell the core solution and also serve as a way to cross sell the systems management solutions (and vice versa). Systems management vendors should view this as a way to leverage their strengths and provide a compelling story for customers to make a sizable investment in a vendor's brand of solutions.

Perhaps this is a preview of Oracle's strategy moving forward? Are they going to be buying a systems management company soon? Wouldn't surprise me the least bit. And when they do, watch out CA, IBM, BMC and HP. Could you imagine Oracle coming out saying they can monitor data, identity management, application servers and ERP systems out of the box? CA, BMC and HP had better get their act together or Oracle's going to come out and eat their lunches (even more so that Oracle already is). They'd potentially also have a leg up on IBM simply by rounding out the picture. Of course, IBM has all these pieces except the ERP software...and they've stated they do not want to get into the "applications" game. IBM however, is still well ahead of Oracle in the systems management game. For how long, I don't know. Maybe not much longer.

Oracle should just fork out the cash and buy BMC. Or if they're looking at the bigger picture and want to go head to head with IBM, then they should buy HP.

Note: I know how big HP are, so I'm not even sure if Oracle would have the cash to buy HP. Maybe a merger would be more realistic. Maybe someone should ask Larry Ellison at the next keynote speech he gives.

Update: Vince Padua correctly reminds me with his comment in response to this post that Oracle already took a step towards becoming a systems management vendor. They have their "Oracle Enterprise Manager" offering. Read his comment for a good summation of what it does and go the Oracle's site for more product info if you're interested.