By: Mark McGregor, Research Director, Bloor Research (Moved) Posted: 26th October 2011 Copyright Bloor Research © 2011

Earlier this year we saw the acquisition of Metastorm by OpenText, who then went on to acquire Global 360 as well. For many observers, whilst the opening moves being from OpenText may have been a surprise, the fact that vendors were looking at cross acquisitions certainly was not.

In some ways, BPM vendors may well have been positioning themselves for takeover when they launched into Case Management, for in doing so they will have raised their profile with ECM vendors and potentially made it clearer to them why they needed to beef up process within their portfolio.

The linkage between the two markets makes a lot of sense, and Case Management just proves it, especially in the financial and insurance sectors. These sectors have been highly document-focused with heavy regulation and, of course, the routing of and acting on of documents has been a key part of their many process initiatives over the years. It is likely that, in some part, the purchases will have been driven by the view that BPMS sales were beginning to hurt traditional ECM sales, at least in some vertical markets.

What may be most surprising is that, until this week, we had not seen any similar moves by other players in the ECM sector. EMC, Adobe and Xerox might have been expected to follow the lead of OpenText, but it seems for now they are either happy to let others lead, or are still trying to find a position that works for them.

So, this week, the unexpected announcement was that Lexmark was the first to follow OpenText, by acquiring Dutch BPMS vendor Pallas Athena. It is taking Pallas Athena into its standalone business unit, Perceptive Software.

With a reported price paid of $50m, this also marks one of the smaller number of BPMS acquisitions where the purchase price was publicly stated. Industry watchers will be sure to be looking at the Pallas Athena deal along with the Global 360 one in order to get stronger ideas on the value of remaining BPMS players.

Of course, while OpenText  may be credited with being the first in the current round, others would suggest that IBM actually started the trend with their acquisition of Filenet some years ago.

This latest acquisition is one of many over the past couple of years in the BPM space causing some to question the long-term survivability of BPM vendors. I think it is true that now people are starting to see what value others are putting on companies, further acquisitions are likely, but probably no more than one would expect in a relatively fragmented market.

What will be more interesting is to see which type of convergence will dominate, the taking of BPM into ECM, or the folding of BPM into applications by ERPM or CRM type vendors, or integration markets. The initial rounds of acquisition were certainly driven by Integration - witness the TIBCO acquisitions and the WebMethods acquisitions at the start.

In the short term don't be surprised to see another two or three BPM vendors joining up with or being acquired by others in the ECM sector. It does not make sense for those without a strong BPM story to remain on the sidelines much longer.

Whichever way you look at it, process is being increasingly seen as a key driver and the need to provide customers with easy ways to gain insight into, improve and create agile processes is a must.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 20th May 2010 Copyright Interarbor Solutions © 2010

The latest BriefingsDirect panel discussion centers on improving data-center productivity by leveraging all available sourcing options and moving to modernized applications and infrastructure.

IT leaders now face a set of complex choices, knowing that discretionary and capital IT spending remain tight, even as demand on their systems increases. Economists are now seeing the recession giving a way to growth, at least in several important sectors and regions. Chances are that demands on IT systems to meet this growing economic activity will occur before IT budgets appreciably go up.

So what to do? A panel of experts examines here how to gain new capacity from existing data centers through both modernization and savvy exploitation of all sourcing options. And—by outsourcing smartly, migrating applications strategically, and modernizing effectively—IT leaders can improve productivity while still under tightly managed costs.

One choice that may be the least attractive is to stand still as the recovery gets under way and demands on energy and application support outstrips labor, systems supply, and available electricity.

Learn more on managing for growth by examining three data-center transformation examples that uncover how effective applications and infrastructure modernization improves enterprise IT capacity outcomes. The panel also examines modernization in the context of outsourcing and hybrid sourcing, so that the capacity goals facing IT leaders can be more easily and affordably met, even in the midst of a fast-changing economy.

Please welcome the panel: Shawna Rudd, Product Marketing Manager for Data Center Services at HP; Larry Acklin, Product Marketing Manager for Applications Modernization Services at HP, and Doug Oathout, Vice President for Converged Infrastructure in HP’s Enterprise Services. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.

Here are some excerpts:

Oathout: When you look at the budgets still being tight, but business is starting to grow again, IT leaders really need to look strategically at how they're going to tackle their budget problems.

What they need to do is to start to think about how, and what, major projects they want to take on, so that they can improve their cash flow in the short-term while improving their business outcomes in the long-term.

In the past, companies have looked at outsourcing as a final step, versus an alternate step in IT. We're seeing more clients, especially in the tight economy that we have gone through, looking at a hybrid model.

There are multiple sourcing options, there are multiple modernization tasks as well as application culling that they could do to improve their cost structure. At HP we look at modernization of the software and we look at outsourcing options and cloud options as ways to improve the financial situation and to improve the long-term cost structures.

There is a model evolving, a hybrid model between outsourcing and in-sourcing of different types of applications in different types of infrastructure.

Acklin: If you look at your current spend and how you are spending your IT budgets today, most see a steady increase in expenses from year-by-year, but aren't seeing the increases in IT budgets. By doing nothing, that problem is just going to get worse and worse, until you're at a point where you're just running to keep the lights on. Or, you may not even be able to keep up.

We call that "the cost of doing nothing." That's the real challenge.

The number of changes that have been requested by the business continues to grow. You're putting bandages on your applications and infrastructure to keep them alive. Pretty soon, you're going to get to a point where you just can't stay ahead of that anymore. This is the cost of doing nothing.

If you don’t take action early enough, your business is going to have expectations of your IT and infrastructure that you can't meet. You're going to be directly impacting the ability for the company to grow. The longer you wait to get started on this journey to start freeing up and enabling the integration between your portfolio and your business the more difficult and challenging it's going to be for your business.

Rudd: Clients or companies have a wider variety of outsourcing mechanisms to choose from. They can choose to fully outsource or selectively out-task specific functions that should, in most cases, be able to provide them with substantial savings by looking at their operating expenses.

It's not going to get any cheaper to continue to do nothing. To support legacy infrastructure and applications, it's going to require more expensive resources. It's going to require more effort to maintain it.

The same applies for any non-virtualized or unconsolidated environment. It costs more to manage more boxes, more software, more network connections, more floor space, and also for more people to manage all of that.

The risk of managing these more heterogeneous, more complex environments is going to be greater—a greater risk of outages—and the expense to integrate everything and try to automate everything is going to be greater.

We help clients maintain their legacy environments and increase asset utilization, while undertaking those modernization and transformation efforts. From an outsourcing standpoint, the types of things that a client can outsource could vary, and the scope of that outsourcing agreement could vary—the delivery mechanism or model or whether we manage the environment at a client’s facility or within a leveraged facility.

Working with a service provider can help provide a lot of that insurance associated with the management of these environments—and help you mitigate a lot of that risk, as well as reduce your cost.

The risk to the client, to the client's business, should be better mitigated, because they're not having to coordinate with four or five different vendors, internal organizations, etc. They have one partner who can help them and can handle everything.

Oathout: As you look at service providers or outsourcers, there is a better menu of options out there for customers to choose from. That better menu allows you to compare and contrast yourself from a cost, service availability, and delivery standpoint, versus the providers in the marketplace.

IT managers have choices on where to source, but they also have choices on how to handle the capacity that fits within their four walls of the data center.

We see a lot of customers really looking at: How do I balance my needs with my cost and how do I balance what I can fit inside my four walls, and then use outsourcing or service providers to handle my peak workloads, some of my non-critical workloads, or even handle my disaster recovery for me?

So IT managers have choices on where to source, but they also have choices on how to handle the capacity that fits within their four walls of the data center.

... We can get a 10:1 consolidation ratio on servers. We can get a 5-6:1 consolidation ratio on storage platforms. Then, with virtual connectivity or virtual I/O, we can actually have a lot less networking gear associated with running those applications on the servers and the storage platform.

So, if we look at just standard applications, we have a way to migrate them very simply over to modern infrastructure, which then gives you a lower cost point to run those applications.

When you look at modernizing your applications and look at modernizing infrastructure, they have to match. If you have a plan, you don't have to buy extra capacity when you start. You can buy the right capacity then grow it, as you need it.

Acklin: Outsourcing can drive some initial savings, maybe up to 40 percent, depending on the scope of what you're looking at for a client. That's a significant improvement on its own.

Not every client sees that high of a saving, but many do. The next step, that migration step, where we’re also migrating over to a consolidated infrastructure, allows you to take immediate actions on some of your applications as well.

In that application space, you can move an application that may be costing you significant amounts of the dollars, whether it be license fees or due to a lack of skilled resources and so forth on a legacy platform. Migrating those or keeping the application intact, running on that new infrastructure, can save you significant dollars, in addition to the initial work you did as part of the outsourcing.

The nice thing, as you do these things in parallel, is that it's a phase journey that you are going through, where they all integrate. But, you don't have to. You can separate them. You can do them one without the other, but you can work on this whole holistic journey throughout.

The migration of those applications basically leaves those applications intact, but allows them to have a longer lifespan than you may typically would. ... We can still drive significant 40–50 percent saving, just through this migration phase of moving that application onto this new infrastructure environment and changing the way that those cost structures around software and so forth are allocated toward that. It frees up short-term gain that can turn around to be reinvested in the entire modernization journey that we're talking about.

As you continue that journey, you're starting to get your cost structures aligned and you're starting to get to a place where your infrastructure is now flexible and agile. You’ve got the capacity to expand. When you move into that modernized phase, you're really trying to change the structure of those applications, so that you can take advantage of the latest technology to run cloud computing and everything operating as a service.

... The idea of putting the outsourced, migrated, modernized phases together is that they're not sequential. You don't have to do one, then the other, and then the other. You can actually start these activities in parallel. So, you can start giving benefits back to the business immediately.

For example, while you're doing the outsourcing activities and getting that transition set up, you're starting to put together what your future architecture is going to look like for your future state. You have to plan how the business processes should be implemented within the application and the strategic value of each application that you currently have in your portfolio.

You're starting to build that road map of how you are going to get to the end state. And then Even as you continue through that cycle, you're constantly providing benefits back to both the business and IT at the same time.

Oathout: One example that we worked very closely was in services with our customer France Telecom. France Telecom transitioned 17 data centers to two green data centers. Their total cost of ownership (TCO) calculation said that they were going to save 22 million (US $29.6 million) over a three-year period.

They embarked on this journey by looking at how they were going to modernize their infrastructure and how they were going to set up their new architecture so that it was more flexible to support new mobile phone devices and customers as they came online. They looked at how to modernize their applications so they could take advantage of the new converged infrastructure, the new architectures, that are available to give them a better cost point, a better operational expense point.

France Telecom emphasized the migration. They migrated a number of applications to newer architectures and they also modernized their application base. They focused on the modernization and the migration as the key components for them in getting their cost reductions.

Rudd: The things we're talking about don't have to occur in this particular order. I know of other clients for whom we've saved around 20 percent by outsourcing their mainframe environments.

Then, after successfully completing the transition of those management responsibilities, we've been able to further reduce their cost by another 20 percent simply by identifying opportunities for code optimization. This was duplicate code that was able to be eliminated or dead code, or runtime inefficiency that enabled us to reduce the number of apps that they required to manage their business. They reduced the associated software cost, support cost, etc.

Then there were other clients for whom it made more sense for us to consider outsourcing after the completion of their modernization or migration activities. Maybe they already had modernization and migration efforts under way or they had some on the road map that were going to be completed fairly quickly. It made more sense to outsource as a final step of cost reduction, as opposed to an upfront step that would help generate some funding for those modernization efforts.

Acklin: We offer something that's called the Modernization Transformation Experience Workshop. It's basically a one-day activity workshop, a slide-free environment, where we bring you and take you through the whole journey that you'll go on.

We'll cover everything from how to figure out what you have, what you are planning, how to build the road map for getting into the future state, as well as all the different ways that will impact your business and enterprise along the way, whether you are talking technology infrastructure, architecture, applications, business processes, or even the change management of how it impact your people.

You come out understanding what you're getting yourself into and how it can really affect you as you go forward. But, that's not the only starting point. You can also jump into this modernization journey at any point in the space.

We can do a full assessment of your environment and figure out how your apps and your infrastructure are working for your business or, in most cases not working for your business. HP can help you figure out the right place for beginning that journey.

... Many of our clients we talk to, don’t know how they would pay for a journey like this. Actually, you have a lot of options right in front of you. There are good methods on how to cover this, how to put things together like these three-phase activities (outsource, migrate, and modernize), or how to go on these journeys that can still work for you even in tough financial times.

Listen to the podcast. Find it on iTunes/iPod. Read a full transcript or download a copy.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 14th May 2010 Copyright Interarbor Solutions © 2010

Increasingly, sellers of IT are finding it harder to win large software and hardware capital purchases contracts, which traditionally followed three- to seven-year obsolescence and refresh cycles. The shifts in technology and business models accelerated by the recession are forcing these vendors in particular to adopt more of a professional services revenue model.

Buyers of technology, on the other hand, are moving to IT shared services and software-as-a-service (SaaS) models to get off of the capital outlays roller coaster. They want smoother and more predictable operating and charging models, beginning with long-term professional services and outsourcing engagements.

Both the buyer and seller of services therefore need to focus on the implementation and integration of solutions, placing a complex burden on the services delivery personnel themselves, as well as those who managing the services providers.

We’re here to find out some new, best ways of managing and automating these intellectual resources that support the professional services lifecycle. We’ll see how recent research shows that more of a just-in-time (JIT) methodology is required to keep the skills in balance with myriad project requirements and obligations.

To learn more about resource utilization and management in the global services economy, we're joined by Lori Ellsworth, Vice President of Changepoint Solutions at Compuware, the sponsor of this podcast, and by Mark Sloan, Chief Operating Officer of RTM Consulting. The discussion is moderated by BriefingsDirect's Dana Gardner, principal analyst at Interarbor Solutions.

Here are some excerpts:

Ellsworth: The change and the focus on professional services is moving from something that was nice to have, to something that is necessary to have to be successful.

Software companies are a great example. Historically, companies in that sector may have done mostly product business and less service. Services are now necessary to deliver success, and the services business is a very healthy part of the software business and is contributing significantly to the bottom-line.

Now, organizations have to understand how to get a handle on the people they have working for them, how best utilize them, and how to make sure that your employees, those assets, are challenged and happy, but that you are delivering that service to provide value to your customers.

There needs to be more discipline, more information, and a better process for decision-making and forward planning, so that the organization can scale and scale in a financially successful way.

So, the stakes are higher, in terms of the discipline and the approach that we need to take to manage that professional services part of the business.

Sloan: At RTM Consulting, one of our core areas of focus is in this area of resource management. How can you get the right person in the right place at the right time and drive up utilization, but at the same time, make sure that you're delivering value to your end customers and leaving them satisfied and coming back for more?

When a software company shows up with its professional services arm, the client is expecting that each and every one of the people who show up is an expert in the software, the technology, and the implementation process. The days of people learning on the job and coming up to speed are long gone.

The challenge today is for companies to get visibility into the type of work that’s coming down the pike, so that they can proactively train their internal resources and be prepared for that work, so that when they do show up, they are the experts.

We’ve actually taken the principles of JIT manufacturing and directed them to the professional services organization [via in new service definitions of JIT.]

Just as 30 years ago, any manufacturing company had big inventories of supplies, finished products, sitting in their warehouse. Ten or 15 years ago, the big services organizations were able to have excess resources on the bench, in the office, waiting for that next project to arrive.

What we’ve done is taken those same principles -- forecasting what the future scenarios look like, what the demands look like, and then translating that back into how many resources you are going to need, the types of resources, the skills those resources need to have.

You can, at that right moment, bring on a new employee, go to a third-party contractor to fulfill that demand, or give yourself enough advanced notice to cross-train your existing resources on new technologies, new products, so that they can work across your portfolio and not just focus on one particular area.

Getting to the solution

Ellsworth: There are four critical success factors, but also the building-block approach. In other words, you need to start with the fundamental. You need to understand your people and their skills and get that view of your business. Then, you can start to add levels of maturity, look at forecasting, look at different models for resource allocation, and bring in project management.

As organizations start to put the buildings blocks in place, and adopt the disciplines and build the processes that work in their business, [they can have trouble] scaling that.

You can make that work within a small team or across a couple of small teams, but ... you need visibility ... to scale that to your entire services organization, including management. [But] you can't scale and reinforce that discipline without automation.

The two really have to go together. One won’t be successful without the other in a large professional services organization. Automation brings the scale factor.

The ability to measure and monitoring is something that Mark also highlights as critical success factors. Again, you’ve got a large group of people with a lot of activity going on. There's lots of data, but you have to roll that up to the management level to make it valuable to help drive decisions in the business.

... Our focus has been on driving that view as a professional services organization, but importantly driving that view inside the context of the broader company.

It starts with those building blocks around who are your resources, what are their capabilities, and where are they being utilized. It brings you to the next level of maturity in terms of being able to look at forecasts and do some demand and capacity planning.

And then it goes even further from a resource perspective to that professional development side. Let's look at the gaps in the next six to nine months. Where can we identify resources and put them on a development plan to fill those gaps?

We're managing the day-to-day business of a professional services organization and going beyond that to deal with project management, engagement management, and right through to billing for a professional services organization and for technology companies that also have a strong product side of a business.

The paybacks can be, and are, significant. First and foremost, is really speed to revenue and cash flow.

The Changepoint solution has been active and working with customers in their professional services organization for many years, going back to the late 1990’s. We also deliver a project portfolio management capability to allow them to manage products and manage delivery of those product applications.

Sloan: The paybacks can be, and are, significant. First and foremost, is really speed to revenue and cash flow. Lori mentioned that doing this in a large services organization is critical and an enabling technology is required to make that happen.

I’d argue the same for small professional services organizations. Having the information that tools like Changepoint can put at your fingertips, you can quickly identify people in your organization that have the right skills, that off the top of your head you might not think of, and staff projects quickly with the appropriate resources, ultimately enabling you to get that revenue.

Billable utilization

Secondly, you start to see a significant lift in overall billable utilization. This is for the professional services organization. Again, by getting better visibility into the skills that different resources have, you realize you have many more people in the organization that can do work than you think of.

For more information on resource utilization, read RTM's whitepaper "The ROI of Resource Utilization -- Measuring and Capturing the Real Business Value of Your People."

Learn more about Compuware Changepoint.

Other research points to the fact that companies who do this development of staff and get projects started on time are significantly more likely to finish their projects on budget and on time and drive significantly positive customer satisfaction.

Companies that aren’t able to do this -- take an extra five, 10, or 15 days to fill some of the slots on a project -- tend to go over-budget, don’t get it done on time, and, as a result, have poor customer satisfaction. If you think about it, it's back to that mantra, "Do it right the first time." This process helps you do that.

Ellsworth: As you're adding discipline and increasing maturity, there is participation from the practitioner, if you can position the value to them in terms of increased opportunity or an ability for them to better manage their schedule and not be burnt out. They have access to different opportunities. It's very valuable and can help them actively participate in moving the business forward and not kind of fight against it.

A broader pool of resources comes there to help you respond to customers which just increases the need to understand who those resources are and what they can bring to the table to support these services.

Customers of mine, in Europe for example, are quoting that on a year-over-year basis, they are able to reduce non-productive time -- and therefore the cost of that non-productive time -- by 16 percent.

Other customers will articulate the value of this entire solution in terms of revenue increase, the focus of getting control over their resources, who they have and how they can most effectively deploy them. Another customer of mine in Europe talks about a 30 percent increase in revenue, linked directly to implementing some of these practices in getting that control over their resources.

Sloan: The same lessons apply to shared services organizations, such as internal, large IT departments managing multiple projects per year to deploy technology.

They can leverage the technology that Changepoint offers to keep track of the people, where they are deployed, what skills they have, what new projects are coming in, and achieve a similar increase in productive utilization of those resources. But to your point, in terms of creative organizations, this would apply to any organization that is focused on moving people with particular skill sets to a unique project.

When we architect a solution for clients, it’s a unique solution taking into account the various constraints and the environment of that client.

That includes engineering services organizations, creative agencies that are moving talent from one project to the next -- anyone who relies on definite skills and knowledge that aren’t just easily interchangeable. This helps forecast where you can get the biggest bang for the buck with those people.

In terms of getting started, when we typically work with clients, we come in and do a quick assess and architect phase where we’ll take a look at how resource management is being done today, compare that to the best practices that we’ve defined for JIT Resourcing, and identify areas where you are strong and areas where there is an opportunity for change and improvement. When we architect a solution for clients, it’s a unique solution taking into account the various constraints and the environment of that client.

JIT Resourcing is a defined approach. We have recognized that there are unique aspects to every business, and can tailor the solution to fit there.

By deploying these processes now, you can start to learn the continuous improvement that’s needed, but be enabled as more and more of your clients go to SaaS, but you’ve got to have to deploy people with the moment’s notice.

You're going to get much better at predicting and forecasting what your future needs are, enabling you to align your resources and capabilities accordingly. You want to achieve the benefits we talked about -- speed to revenue, speed to cash-flow, and zero idle resources.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Read a full transcript or download a copy. Sponsor: Compuware.

For more information on resource utilization, read RTM's whitepaper "The ROI of Resource Utilization -- Measuring and Capturing the Real Business Value of Your People."

Learn more about Compuware Changepoint.

You may also be interested in:

• Portfolio Management Techniques Help Rationalize IT Budgets in Tough Economy
  
  
• Transcript of BriefingsDirect Podcast on Developer Productivity
  
  
• Security Skills Offer Top Draw Across Still Challenging U.S. IT Jobs Outlook

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 13th May 2010 Copyright Interarbor Solutions © 2010

Gut-wrenching recessions have a way of changing things ... for people, families, and companies. They can also, perhaps like no other event, provoke change in large IT vendors like HP, IBM, TIBCO and Oracle.

Based on this week's HP announcements and last week's IBM Impact conference, these two of the very largest, full-service, global IT vendors are betting -- now that the recession has, at the least, bottomed out -- that the extent of change now upon us is more than just another business cycle come full circle.

Far more, these vendors see that the recession has provided a catalyst for a much larger shift in how IT is done and delivered. It's no coincidence that the interest in cloud computing and innovative IT sourcing options, for example, peaked when the recession was at its deepest.

The idea garnering wide attention in the darkest days was not just to save money by downsizing, but to also to start doing things very differently -- to truly innovate, to change the very economics of IT. But now that the worst is over, simply saving money via old IT methods, I'll wager, will prove a lot more expensive in real terms than rapidly investing in new ways of providing IT value as services.

That doesn't mean that some enterprise IT organizations won't try to go right back to business as usual. And some of the IT vendors, with their license auditors in tow, are counting on it.

It does mean that the enterprises that can actually change how they do and pay for IT in the post-recession economy may have an escalating advantage over those that do not.

Not the same old song and dance

HP this week announced the equivalent of a Swiss Army knife for IT transformation, with about as many blades and instruments as there are ways to attack the data center transformation gordian knot. The HP services, software, and sourcing offerings are designed to guide enterprises -- from the starting points of their choosing -- through a seismic transition from cost containment to IT innovation. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Last week, IBM boldly scooped up Cast Iron Systems, a cloud-to-IT integration engine maker, and further polished its view that the way to a smarter planet is via better business processes and a deep understanding of vertical industries, automation and how IT (with professional services) can bring them together. My colleague Tony Baer at Ovum delves into IBM's recasting of the definition of business applications and acceptance of the partly cloudy future.

TIBCO this week at its annual user conference delivered a dozen major announcements and stepped even more boldly into cloud models, too. TIBCO's "Enterprise 3.0" vision emphasizes the importance of real-time and massive scale processing, an integrated development-to-deployment to business process management capability, and now the option of building out an enterprise private cloud to public cloud synergy using partners like Amazon Web Services. TIBCO is also embedding BI capabilities deeply across the portfolio. [Disclosure: TIBCO is a past-sponsor of BriefingsDirect podcasts.]

Oracle, for its part, made good on its "software, hardware, complete" vision via a cameo (and somewhat buffoon-like) appearance by Chairman and CEO Larry Ellison in the debut of the movie Iron Man 2 last week. Perhaps we should expect a fist-sized "arc reactor" for database appliances in the near future? Yet Oracle is also recently drinking deeply from the cloud well, given some its recent speeches by executives as it digests the Sun Microsystems acquisition.

The point is that these vendors know something big is up in IT, beyond business as usual. We're seeing bold moves by them all, from acquisitions to restructuring to Hollywood-delivered group-think and not-so-subliminal brand imagery.

HP tackles the IT funding conundrum

HP is looking to actually help enterprises fund these transformative times. HP's economic rationale for moving to innovation now goes beyond the need for swift and verifiable ROI in IT investments. Additionally, HP is banking on the high and painful costs of not being able to move well in dynamic markets, of incurring costs from inertia, rather than from investing for advancement.

Most urgently, IT cannot miss out in supporting businesses as they face rapid growth and savvy competitors across global markets, says HP.

More succinctly, HP's message from this week's announcements comes as a warning that going back to the old IT ways, of sliding back to the economics of expensive waste as a proxy for brittle peak reliability, risks missing the lessons of the recession.

HP is therefore taking a three-pronged approach to making adoption of innovations the new mantra of IT. The first approach finds way to deliver self-funding projects. The second leverages modern architecture and methodologies so IT organizations can quickly and easily add new functionality, making change the constant. The third approach shows how to freeing up funds trapped in on-going IT operations based on older IT economics.

As enterprises are faced with transformation from old to more modern IT, many are caught in an inertia of avoidance -- frozen by the complexity and scale of the task, according to new research supported by HP. What's needed is incremental change that pays for itself along the way, but which remains aligned with the strategic transformation and direction.

The HP focus on self-funding projects, therefore, includes offering qualified clients a complimentary, hands-on HP Applications Modernization Transformation Experience session that illustrates IT modernization and its benefits. The goal: By retiring legacy applications and eliminating complexity in technology environments, organizations are able to self-fund their modernization journeys.

Cost of lost opportunity

“The phrase ‘time is money’ rings true here, as 99 percent of organizations say that innovation gridlock cost them in lost time,” said Thomas E. Hogan, executive vice president of sales, marketing and strategy for HP Enterprise Business, in a release. “By breaking the innovation gridlock, organizations can regain time to market and capitalize on new opportunities.” More at www.hp.com/go/breakthegridlock2010.

According to research conducted on behalf of HP by Coleman Parkes Research:

• Some 95 percent of business and technology executives said innovation gridlock resulted in lost opportunities for their organizations.

• And 91 percent felt that innovation gridlock cost their organizations in lost effort (from resources). More data is available at www.hp.com/go/HPEnterpriseResearch2010.

Together the promise of cloud, the constraints of the recession, and the quick-paced requirements of modern business agility have conspired to expose the weaknesses of plain old IT ... stack upon stack, brittle apps astride brittle apps, and rack by rack of under-utilized workloads alienated from their fit-for-purpose potential.

HP says the cost of doing nothing to transform IT is too great to ignore. IBM is transforming the very definition of business services and applications with plant-wide efficiencies in mind. TIBCO is refining software delivery that steps up to the cloud challenge. Oracle is enclosing its software in an optimized "iron" support infrastructure to improve performance to cost ratios dramatically.

All these vendors will still sell you the good old IT systems the good old ways. But they are also coming up with some big new tricks. Who will take them up on their hedge against a truly transformative IT future?

You may also be interested in:

• The Open Group's Cloud Work Group advocates understanding of cloud-use benefits for enterprises
  
  
• Mutual embrace of SOA and cloud computing builds into productivity waltz across the IT landscape
  
  
• ArchiMate gives business leaders and architects a common language to describe how the enterprise works

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 8th April 2010 Copyright Interarbor Solutions © 2010

There's a huge drive now for improved enterprise data center performance. Nearly all enterprises are involved nowadays with some level of data-center transformation, either in the planning stages or in outright build-out.

We're seeing many instances where numerous data centers are being consolidated into a powerful core few, as well as completely new, so-called green-field, data centers with modern design and facilities coming online. The heightened activity runs the gamut from retrofitting and designing new data centers to the building and occupying of them.

The latest definition of data center is focused on being what's called fit-for-purpose, of using best practices and assessments of existing assets and correctly projecting future requirements to get that data center just right -- productive, flexible, efficient and well-understood and managed.

Yet these are, by no means, trivial projects. They often involve a tremendous amount of planning and affect IT, facilities, and energy planners. The payoffs are potentially huge, as we'll see, from doing data center design properly -- but the risks are also quite high, if things don't come out as planned.

This podcast examines the lifecycle of data-center design and fulfillment by exploring a successful project at Valero Energy Corp. We're here with two executives from HP and an IT leader at Valero Energy to look at proper planning, data center design and project management.

Please join me in welcoming Cliff Moore, America’s PMO Lead for Critical Facilities Consulting at HP; John Bennett, Worldwide Director of Data Center Transformation Solutions at HP, and John Vann, Vice President of Technical Infrastructure and Operations at Valero Energy Corp. The discussion is moderated by BriefingsDirect's Dana Gardner, principal analyst at Interarbor Solutions.

Here are some excerpts:

Bennett: If you had spoken four years ago and dared to suggest that energy, power, cooling, facilities, and buildings were going to be a dominant topic with CIOs, you would have been laughed at. Yet, that's definitely the case today, and it goes back to the point about IT being modern and efficient.

Data-center transformation, as we've spoken about before, really is about not only significantly reducing cost to an organization -- not only helping them shift their spending away from management and maintenance and into business projects and priorities -- but also helping them address the rising cost of energy, the rising consumption of energy and the mandate to be green or sustainable.

Data-center transformation tries to take a step back, assess the data center strategy and the infrastructure strategy that's appropriate for a business, and then figure how to get from here to there. How do you go from where you are today to where you need to be?

You have organizations that discover that the data centers they have aren't capable of meeting their future needs. ... All of a sudden, you discover that you're bursting at the themes. ... [You] have to support business growth by addressing both infrastructure strategies, but probably also by addressing facilities. That's where facilities really come into the equation and have become a top-of-mind issue for CIOs and IT executives around the world.

You'll need a strong business case, because you're going to have to justify it financially. You're going to have to justify it as an opportunity cost. You're going to have to justify in terms of the returns on investment (ROIs) expected in the business, if they make choices about how to manage and source funds as well.

Growth modeling

One of the things that's different today than even just 10 years ago is that the power and networking infrastructure available around the world is so phenomenal, there is no need to locate data centers close to corporate headquarters.

You may choose to do it, but you now have the option to locate data centers in places like Iceland, because you might be attracted to the natural heating of their environment. It's a good time [for data center transformation] from the viewpoint of land being cheap, but it might be a good time in terms of business capital.

Moore: The majority of the existing data centers out there today were built 10 to 15 years ago, when power requirements and densities were a lot lower.

People are simply running out of power in their data centers. The facilities today that were built 5, 10, or 15 years ago, just do not support the levels of density in power and cooling that clients are asking for going to the future, specifically for blades and higher levels of virtualization.

Some data centers we see out there use the equivalent of half of a nuclear power plant to run. It's very expensive.

It's also estimated that, at today's energy cost, the cost of running a server from an energy perspective is going to exceed the cost of actually buying the server. We're also finding that many customers have done no growth modeling whatsoever regarding their space, power, and cooling requirements for the next 5, 10, or 15 years -- and that's critical.

When a customer is looking to spend $20 million, $50 million, or sometimes well over a $100 million, on a new facility, you’ve got to make sure that it fits within the strategic plan for the business. That's exactly what boards of directors are looking for, before they will commit to spending that kind of money.

We’ve got to find out first off what they need -- what space, power, and cooling requirements. Then, based on the criticality of their systems and applications, we quickly determine what level of availability is required, as well.

This determines the Uptime Institute Tier Level for the facility. Then, we go about helping the client strategize on exactly what kinds of facilities will meet those needs, while also meeting the needs of the business that come down from the board. ... We help them collaboratively develop that strategy in the next 10 to 15 years for the data center future.

One of the things we do, as part of the strategic plan, is help the client determine the best locations for their data centers based on the efficiency in gathering free cooling, for instance, from the environment.

One of the things that the Valero is accomplishing is the lower energy costs, as a result of building their own data centers with a strategic view.

Vann: Valero is a Fortune 500 company in San Antonio, Texas and we're the largest independent refiner in the North America. We produce fuel and other products from 15 refineries and we have 10 ethanol plants.

We market products in 44 states with large distribution network. We're also into alternative fuel with renewables and one of the largest ethanol producers. We have a wind farm up in northern Texas, around Amarillo, that generates enough power to fuel our McKee refinery.

So what drove us to build? We started looking at building in 2005. Valero grew through acquisitions. Our data center, as Cliff and John have mentioned, was no different than others. We began to run into power,space, and cooling issues.

Even though we were doing a lot of virtualization, we still couldn't keep up with the growth. We looked at remodeling and also expanding, but the disruption and risk to the business was just too great. So, we decided it was best to begin to look for another location.

Our existing data center is on headquarters’ campus which is not the best place for the data center, because it's inside one of our office complexes. Therefore, we have water and other potentially disruptive issues close to the data center -- and it was just concerning considering where the data center is located.

[The existing facility] is about seven years old and had been remodeled once. You have to realize Valero was in a growth mode and acquiring refineries. We now have 15 refineries. We were consolidating quite a bit of equipment and applications back into San Antonio, and we just outgrew it.

We were having hard time keeping it redundant and keeping it cool. It was built with one foot of raised floor and, with all the mechanical inside the data center, we lost square footage.

We began to look for alternative places. We also were really fortunate in the timing of our data center review. HP was just beginning their build of the six big facilities that they ended up building or remodeling, and so we were able to get good HP internal expertise to help us as we were beginning our decision of design and building our data center.

The problem with collocation back in those days of 2006, 2007, and 2008, was that there was a premium for space.

So, we really were fortunate to have experts give us some advice and counsel. We did look at collocation. We also looked at other buildings, and we even looked at building another data center on our campus.

As we did our economics, it was just better for us to be able to build our own facility. We were able to find land northwest of San Antonio, where several data centers have been built. We began our own process of design and build for 20,000 square feet of raised floor and began our consolidation process.

Power and cooling are just becoming an enormous problem and most of this because virtualization blades and other technologies that you put in a data center just run a little hotter and they take up the extra power. It's pretty complex to be able to balance your data center with cooling and power, also UPS, generators, and things like that. It just becomes really complex. So, building a new data center really put us in the forefront.

We had a joint team of HP and the Valero Program Management Office. It went really well the way that was managed. We had design teams. We had people from networking architecture, networking strategy and server and storage, from both HP and Valero, and that went really well. Our construction went well. Fortunately, we didn’t have any bad weather or anything to slow us down; we were right on time and on budget.

Probably the most complex was the migration, and we had special migration plans. We got help from the migration team at HP. That was successful, but it took a lot of extra work.

Probably we'd put more project managers on managing the project, rather than using technical people to manage the project. Technical folks are really good at putting the technology in place, but they really struggle at putting good solid plans in place. But overall, I'd just say that migration is probably the most complex.

Bennett: Modernizing your infrastructure brings energy benefits in its own right, and it enhances the benefits of your virtualization and consolidation activities.

We certainly recommend that people take a look at doing these things. If you do some of these things, while you're doing the data center design and build, it can actually make your migration experience easier. You can host your new systems in the new data center and be moving software and processes, as opposed to having to stage and move servers and storage. It's a great opportunity.

It's a great chance to start off with a clean networking architecture, which also helps both with continuity and availability of services, as well as cost.

It can be a big step forward in terms of standardizing your IT environment, which is recommended by many industry analysts now in terms of preparing for automation or to reduce management and maintenance cost. You can go further and bring in application modernization and rationalization to take a hard look at your apps portfolio. So, you can really get these combined benefits and advantages that come from doing this.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Read a full transcript or download a copy. Sponsor: HP.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 12th February 2010 Copyright Quocirca © 2010

Terms like ‘unified communications’ (UC) look great on the marketing slides of product vendors, but what do they really mean to those who are, or ‘may be if it can be shown to be worthwhile’, prospective customers? Frankly, not a lot.

The soft and intangible vendor promises that accompany UC don’t always translate into the real benefits that most customers are actually looking for. After all, in many job roles ‘productivity’ is down to employee attitude and time management rather than the clever use of the latest communications tools. Such tools are not always what they seem once the shiny marketing veneer has been rubbed off. Whilst it is true that many communications technologies are converging through the sometimes grudging acceptance of common underlying standards, most vendors are still trying to add that extra bit of differentiation or ‘value add’ that makes their products unique, or, as some might term it, ‘proprietary’ and in some cases ‘incompatible’.

Is this a problem? Well, not for customers who believe a particular vendor’s products will fill all their current and near term needs, or that communications technology will not advance too quickly, or that they will not get overtaken by other changes to the business. That may be the case for a select few, but it’s pretty likely that whatever is implemented will have to fit in with other products, be upgraded or replaced from time to time; to do this there must be a fair amount of flexibility.

So, the first question that should be asked by potential customers of the amalgam of products that will be required to deliver unified communications is ‘what will it look like for us?’.

This is often a tricky question when tabled directly at a specific product vendor, as it is always difficult to demonstrate the fit of its products with others. For example some vendors focus on the desktop, others on IP phones and others in hosted services. It doesn’t matter whether these are all competitive or complementary, but a suitably equipped reseller or integration partner ought to be able to showcase multiple vendors’ products and offer an integrated UC solution.

This is all very well—if all that the customer needed to do was look at the technology—but to really understand the impact, they need to feel it and see it applied to the needs of their specific, and probably complex, environment.

This demands more from the channel partner than the ability to showcase, sell and support various vendors’ technology. They have to demonstrate the ability to integrate them, not only with a customer’s legacy communications tools, but also with that customer’s existing processes, people and working practices. In an ideal world part of the sales process would be to run a pilot where the customer makes a significant commitment with its own systems and people. But this is tough on resources and times are hard so more upfront justification is necessary.

Budding unified communications specialists could take a leaf out of the book of systems integrator and managed services company, Logicalis, which has taken a more direct approach. Logicalis has built a proof of concept staging environment that brings together technology from the major unified communications vendors and allows them to be connected in a variety of ways. The setup is distributed, making use of several locations and has the capacity for building a simplified model of a prospective client’s current communications and then demonstrate how different technologies could be applied to support UC. Diversity of product and technical knowledge helps, but by far the most important success factor will be how well Logicalis understands and models the communications processes of its customers—i.e. its “value add”.

Positive approaches have been adopted by others. Managed communications company Azzurri has recognised that customers look for PBXs and telephony from established telephony vendors and IT products from traditional IT vendors to get a best of breed fit, but Azzurri starts by asking ‘what type of users do you have?’ not ‘how many?’. Systems integrator 2e2 thinks beyond UC in isolation and looks at how communication enables and optimises business processes—2e2 would be disappointed if its customers saw UC as simply a phone system replacement.

Communication, ultimately, is between people, not devices. Joining up the gaps between media and modes of communication in the way that unified communications proponents promote is therefore only worthwhile if it makes a positive change to employee behaviour, streamlining processes, boosting productivity and reducing costs. But without a demonstration of specific impact, these are vague marketing statements.

Any company looking to invest in unified communications should seek out those channel partners—value added resellers, integrators or service providers—who can help with the details of integration—not between technologies, but between people.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 2nd September 2009 Copyright Interarbor Solutions © 2009

Welcome to a podcast discussion on the importance of business process management (BPM), especially for use across a variety of existing systems, in complex IT landscapes, and for building flexible business processes in dynamic environments.

The current economic climate has certainly highlighted how drastically businesses need to quickly adapt. Many organizations have had to adjust internally to new requirements and new budgets. They have also watched as their markets and supplier networks have shifted and become harder to predict.

To better understand how business processes can be developed and managed nimbly to help deal with such change, I recently moderated a panel of users, BPM providers, and analysts. Please join me in welcoming David A. Kelly, senior analyst at Upside Research; Joby O'Brien, vice president of development at BP Logix, and Jason Woodruff, project manager at TLT-Babcock.

Here are some excerpts:

Kelly: What's important is to be able to drive efficiency throughout an organization, and across all these business processes. With the economic challenges that organizations are facing, they've had to juggle suppliers, products, customers, ways to market, and ways to sell.

As they're doing that, they're looking at their existing business processes, trying to increase efficiencies, and they are trying to really make things more streamlined. ... Some organizations are even getting into cloud solutions and outside services that they need to integrate into their business processes. We've seen a real change in terms of how organizations are looking to manage these types of processes across applications, across data sources, across user populations.

... BPM solutions have been around for quite some time now, and a lot of organizations have really put them to good use. But, over the past three or four years, we've seen this progression of organizations that are using BPM from a task-oriented solution to one that they have migrated into this infrastructure solution. ... [But] now with the changes and pressures that organizations are facing in the economy and their business cycles, we see organizations look for much more direct, shorter-term payback and ways to optimize business processes.

O'Brien: It's difficult for an organization, especially right now, to look at something on a one-, two-, or three-year plan. A lot of the BPM infrastructure products and a lot of the larger, more traditional ways that BPM vendors approach this reflect that type of plan. What we're seeing is that companies are looking for a quicker way to see a return on their BPM investment. What that means really is getting an implementation done and into production faster.

When there are particular business needs that are critical to an organization or business, those are the ones they tend try to address first. They are looking for ways to provide a solution that can be deployed rapidly. ... They take the processes that are most critical, and that are being driven by the business users and their needs, and address those with a one-at-a-time approach as they go through the organization.

It's very different than a more traditional approach, where you put all of the different requirements out there and spend six months going through discovery, design, and the different approaches. So, it's very different, but provides a rapid deployment of highly customized implementations.

Woodruff: TLT-Babcock is a supplier of air handling and material handling equipment, primarily in the utility and industrial markets. So, we have our hands in a lot of markets and lot of places.

As a project manager, ... I realized a need for streamlining our process. Right now, we don't want to ride the wave, but we want to drive the wave. We want to be proactive and we want to be the best out there. In order to do that, we need to improve our processes and continuously monitor and change them as needed.

After quite a bit of investigation and looking at different products, we developed and used a matrix that, first and foremost, looked at functionality. We need to do what we need to do. That requires flexibility and ultimately usability, not only from the implementation stage, but the end user stage, and to do so in the most cost-effective manner. That's where we are today.

We looked at why document control was an issue and what we could do to improve it. Then, we started looking at our processes and internal functions and realized that we needed a way to not just streamline them. One, we needed a way to define them better. Two, we needed to make sure that they are consistent and repetitive, which is basically automation.

O'Brien: There's one thing that Jason said that we think is particularly important. He used one phrase that's key to Nimble BPM. He used the term "monitor and change," and that is really critical. That means that I have deployed and am moving forward, but have the ability, with BP Logix Workflow Director, to monitor how things are going—and then the ability to make changes based on the business requirements. This is really key to a Nimble BPM approach.

The approach of trying to get everybody to have a consensus, a six-month discovery, to go through all the different modeling, to put it down in stone, and then implement it works well in a lot of cases. But organizations that are trying to adapt very quickly and move into a more automated phase for the business processes need the ability to start quickly.

... The idea or the approach with the Nimble BPM is to allow folks like Jason—and those within IT—to be able to start quickly. They can put one together based on what the business users are indicating they need. They can then give them the tools and the ability to monitor things and make those changes, as they learn more.

In that approach, you can significantly compress that initial discovery phase. In a lot of the cases, you can actually turn that discovery phase into an automation phase, where, as part of that, you're going through the monitoring and the change, but you have already started at that point.

Woodruff: We saw this as an opportunity not just to implement a new product like Workflow Director, but to really reevaluate our processes and, in many cases, redefine them, sometimes gradually, other times quite drastically.

Our project cycle, from when we get an order to when our equipment is up and operating, can be two, three, sometimes four years. During that time there are many different processes from many different departments happening in parallel and serially as well. You name it -- it's all over the place. So, we started with that six-month discovery process, where we are trying to really get our hands around what do we do, why do we do it that way and what we should be doing.

As a result, we've defined some pretty complex business models and have begun developing. It’s been interesting that during that development of these longer-term, far-reaching implementations, the sort of spur-of-the-moment things have come up, been addressed, and been released, almost without realizing it.

A user will come and say they have a problem with this particular process. We can help. We'll sit down, find out what they need, create a form, model the workflow, and, within a couple of days, they're off and running. The feedback has been overwhelmingly positive.

Read a full transcript of the discussion. The full podcast is also available on iTunes.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 5th June 2009 Copyright Interarbor Solutions © 2009

Enterprises are seeking cloud computing efficiency benefits, subsequent lower total costs, and a highly valued ability to better deliver flexible services that support agile business processes.

Turns out so-called private clouds, or those cloud computing models that enterprises deploy and/or control on-premises, have a lot in common with longstanding mainframe computing models and techniques. Back to the future, you might say.

New developments in mainframe automation and other technologies increasingly support the use of mainframes for delivering cloud-computing advantages—and help accelerate the ability to solve recession-era computing challenges around cost, power, energy use and reliability.

More evidence of the alignment between mainframes, mainframe automation and management, and cloud computing comes with the announcement that CA has purchased key assets of Cassatt Corp., maker of service level automation and service level agreement (SLA) management software.

I had the pleasure to recently learn more about how the mainframe is in many respects the cloud in a sponsored podcast interview with Chris O'Malley, executive vice president and general manager for CA's Mainframe Business Unit.

Here are some excerpts:

Gardner: What makes cloud so appealing and feasible right now?

O'Malley: Cloud as a concept is, in its most basic sense, virtualizing resources within the data center to gain that scale of efficiency and optimization. ... Physically there are many, many servers that support the ongoing operations of a business. CFOs and CEOs are starting to ask simple, but insightful, questions about why we need all these servers and to what degree these servers are being utilized.

When they get answers back and it's something like 15, 10, or 5 percent utilization, it begs for a solution to the problem to start bringing a scale of virtualization to optimize the overall data center to what has been done on the mainframe for years and years.

... It's about both the need from a business standpoint of trying to respond to reduced cost of computing and increased efficiency at a time when the technologies are becoming increasingly available to customers to manage distributed environments or open systems in a way similar to the mainframe.

Larger customers are using their mainframe in a highly virtualized way. They've been doing it for 30 years. It was the genesis of the platform. ... They try to get as much out of it as they possibly can. So, from its beginning, it was virtualized.

The viability of things like salesforce.com, CRM, and the need to coordinate that data with what for most customers is 80 percent of their mission-critical information residing on the mainframe is making people figure out how to fix those problems. It's making this cloud slowly, but pragmatically, come true and become a reality in helping to better support their businesses.

The distributed environment and the open-system environment, in terms of its genesis, was the reverse of what I described in the mainframe. The mainframe, at some point, I think in the early '90s, was considered to be too slow to evolve to meet the needs of business. You heard things like mounting backlog and that innovation wasn't coming to play.

In that frustration, departments wanted their server with their application to serve their needs. It created a significant base of islands, if you will, within the enterprise that led to these scenarios where people are running servers at 15, 10, or 5 percent utilization. That genesis has been the basic fiber of the way people think in most of these organizations.

This 15 or 10 percent utilization is what we consistently see, customer after customer after customer. ... You're seeing the pendulum come back. This is just getting too expensive, too complex, and too hard to keep up with business demands, which sounds a lot like what people's objections were about the mainframe 20 years ago. We're now seeing that maybe a centralized model is a better way to serve our needs.

Gardner: How does that relate to where the modern mainframe is?

O'Malley: The modern mainframe is effectively an on-demand engine. IBM has created now an infrastructure that, as your needs grow, turns on additional engines that are already housed in the box. With the z10, IBM has a platform that is effectively an in-house utility ... With the z10 and the ability to expand capacity on demand, it's very attractive for customers to handle these peaks, but not pay for it all year long.

... The mainframe has always been very good at resilience from a security standpoint. The attributes that make up that which is required for a mission-critical application are basically what make your brand. So, the mainframe has always been the home for those kinds of things. It will continue to be.

We're just making the economics better over time. The attributes that are professed or promised for the cloud on the distributed side are being realized today by many mainframe customers and are doing great work. It's not just a hope or a promise.

Gardner: There is some disconnect, though, cultural and even generational. A lot of the younger folks, brought up with the Web, think of cloud applications as being Web applications.

O'Malley: Despite all these good things that I've said about the mainframe, there are still some nagging issues. The people who tend to work on them tend to be the same ones who worked on them 30 years ago. The technology that wraps it hasn't been updated to the more intuitive interfaces that you're talking about.

CA is taking a lead in re-engineering our toolset to look more like a Mac than it does like a green screen. We have a brand new strategy called Mainframe 2.0, which we introduced at CA World last year. We're showing initial deliverables of that technology here in May.

... Our first technology within Mainframe 2.0, is called the Mainframe Software Manager. It's effectively InstallShield for the mainframe. We developed that with 20-somethings. In our Prague data center, we recruited 120 students out of school and they developed that in Java on a mainframe. ... We have 25-year-old people in Prague that have written lines of code that, within the next 12 months, we'll be running at the top 1,000 companies on the face of the earth. There aren't a lot of jobs in life that present you that kind of opportunity.

... The mainframe technologically can do a lot, if not everything you can do on the distributed side, especially with what z/Linux offers. But, we've got to take what is a trillion dollars of investment that runs in the legacy virtual operating system environment and bring that up to 2009 and beyond.

... An open system has its virtues and has its limits. We're raising the abstract to the point where, in a collective cloud, you're just going to use what's best and right for the nature of work you're doing without really even knowing whether this is a mainframe application -- either in z/OS, or z/Linux -- or it's Linux on the open system side or HP-UX. That's where things are going. At that point, the cloud becomes true in the promise where it's being touted at the moment.

To be very honest, it's very important that we bring a cool factor to the mainframe to make it a platform that's equally compelling to any other. When you do that, you create some interesting dynamics to getting the next generation excited about it.

Read a full transcript of the discussion. The full podcast is also available for download here.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 22nd April 2009 Copyright Quocirca © 2009

It is all too easy when faced with bad news about economies in recession to get depressed. Doom and gloom spreads like an oil slick, so it is no wonder that many advocate a positive attitude. This is fine, but has to go beyond the resurrection of the 30s war slogan "Keep calm and carry on" that has become a recent popular addition to T-shirts, mugs and the like. Times may be tough, but business and commerce will still need to go on, and those companies that survive and thrive tend to have a positive attitude that tries to exploit all assets at their disposal, and that includes technology.

IT can be seen as a drain on budgets, but a close relationship between IT and the rest of the business should lead to a better understanding of the business value contributed by IT and therefore its true worth. Recent Quocirca research has identified some habits and attributes that seem to be prevalent in organisations that consider themselves to be outpacing their competitors. Quocirca's research highlighted several ideas that any organisation could implement, leading to more effective IT function whether in lean times or otherwise:

• Develop cross business understanding with IT as a strategic focus. This means linking IT to the business, not as a one-off exercise just to pacify a boardroom directive or to produce a strategy document, but as a vibrant relationship. This relationship between the IT function and line of business needs constant attention to ensure all parties fully understand each other, with open flows of communication. Companies with a growth perspective have a more mature attitude to IT, viewing IT as strategic to the business and therefore a valuable investment, rather than a cost. As a result IT management is acutely aware of what other parts of the business think about their organisation's IT capabilities. Where there are problems with the internal perception of the IT function, growing companies are far more likely to have IT managers that try to address that perception.
• Adopt a measured, but open and enquiring, attitude to new technology. Innovation should be viewed optimistically, but not with rose-tinted glasses. Those taking a strategic approach to IT investment look for new technologies that will have a positive impact on the business and add value. Many in long standing organisations have become more cynical; some view adopting new technology as just extra work, and these might benefit from bringing in external specialists to take some of the load and explain how new ideas might fit. Those in young and maturing businesses still have a healthy interest in the technology, although this enthusiasm must be tempered to prevent them from investing in things simply because they are new and innovative without keeping an eye on business value.
• Exploit the skills of others. It is rarely efficient to try to have all necessary skills in-house, so identify 3rd parties you can trust, and use their expertise. The term ‘trusted advisor' is an overused cliché for someone trying to sell their own products, so identify those with specialist knowledge, good reputations and a business, rather than technology, oriented attitude. Working with 3rd parties who provide industry knowledge and understanding helps businesses grow faster and improve efficiency which should reduce overall costs. Budgets might be tight, but the best business-focused approach is to build relationships, rather than just finding cheap suppliers to dump everything on, and finding problems later.
• Focus on and fix the details in a well planned manner. When scope, timescales and budgets are set, it is for good reasons. Constant fire fighting and patching afterwards always costs more and is a sign of a failure to adequately plan ahead and manage the execution. Too many IT projects run over time and budget or fail to meet their intended scope. While budgets and time are precious resources, missing project scope will be noticed by business users, and does nothing to enhance the IT function's reputation. In difficult economic times the expectations for return on investment timescales shorten. Those companies with a positive growth mentality take a tight grip on the reins, mostly expecting a return on IT investment in six months.
• Measure IT against the bigger picture. Linking business performance to IT capability not only keeps everyone on their toes, but also ensures that well-run IT departments get the respect they really deserve. The value of this linkage does have to be measured. While there appears to be an internal belief that IT is having a positive impact in many areas of the business, fewer than half of all companies have any process at all for measuring the success of IT projects. Despite this, many are keen on looking at the linkage between IT capability and business performance, so it is important to identify project success criteria from the perspective of the business, rather than an internal IT view.

Overall these represent a shift in emphasis that goes hand in hand with a more positive attitude and a more balanced understanding of the challenges and value of IT. One way to start the process is to deepen the understanding by walking a mile or two in someone else's shoes. This could be done internally by rotating staff, in particular senior managers, between IT and line of business functions, over several months, to promote closer ties and an appreciation of the wider opportunities and challenges faced by the organisation. Also, external advisors can be brought in to provide a fresh perspective on jaded internal issues, and specialist help where specific expertise is required. Rather than outsourcing the solution as well as the problem, this could be used to coach and develop internal staff and not simply offloading the work to a third party.

Organisations need to be prudent and realistic about their objectives, but simply sitting still or just blindly cutting costs is not realistic. Those that outpace their competitors have a positive approach and use all available tools to improve their overall business effectiveness. IT is an integral business function and has a direct bearing on the eventual business outcomes—both good and bad. A well structured IT function, backed with robust project management and exhibiting a positive business-savvy attitude will deliver not only an effective return on IT investment, but also improved performance for the business.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 1st April 2009 Copyright Quocirca © 2009

One of the biggest problems for those mobile technology users who are no longer in the first flush of youth, is trying to read small lines of text or distinguish tiny graphical items on the screen. This wasn't too much of a problem when all that mobile phones displayed were monochrome phone numbers, and laptops weren't so widely used, but now the increasing use of mobile devices by users of all ages, and an increasingly rich set of media on display is making life tricky. It doesn't help that mobile phone screens are pretty limited in size to ensure the device fits in a pocket or handbag, and that smaller screen laptops—often with lower power consumption—are more in fashion.

Although an issue for the use of laptops, it is mobile phones, especially smartphones and networked PDAs, that cause the biggest problem. Even with suitable accessibility toolkits, and the ability to scale up text to larger font sizes, the problem persists, especially for those who don't wear glasses full time but still want to get maximum information and value from a quick glance at their mobile device. Pocket-able spectacles do not cut it, not for reasons to do with personal vanity, but because of the temporary and transient nature of glancing at a mobile screen. Taking glasses on and off in all the settings in which a mobile phone screen needs to be read is neither straightforward nor desirable.

However a solution is at hand from a mobile software company called BlurT. This innovative Californian-based start-up has worked out suitable visual acuity or sharpness algorithms to make details on the small mobile screen visible to those who would otherwise need some magnification. In essence, they use the individual's ophthalmic prescription and reverse it to fuzz the screen image in the opposite direction to the weakness in the viewer's eye. So the eye then sees it just fine. The technology has several patents pending around the globe and is being marketed under license using the trademark, "ReFuzz"™.

So far the technology is some way off large scale deployment, but there are a couple of significant 90 day trials which started at the end of January 2009 and are due to finish this week on the first of April. The trials have involved only two types of mobile devices, but a broad age range of mobile phone users, with differing eyesight correction needs. In addition to testing how well ReFuzz improves the legibility of the screen, the users are being surveyed about their mobile phone usage habits to see if the increase in ease of use is prompting them to use some facilities they haven't used before, or use some things more than they did previously.

In conversation with Loo Flirpa, BlurT's chief information officer, it became clear that ReFuzz can go further than simple magnification correction for reading glasses, and also perform minor astigmatism and other corrections, based on the viewer's prescription. Ultimately this may mean that many more mobile phone users of all ages will be able to participate in text based communications, such as SMS and mobile email, or access the internet on a small screen mobile phone without having to search for a pair of glasses.

At present, the prescription information has to be fed in on a per user, per device basis, but BlurT are working on a number of initiatives to make the technology easier to use and applicable on all the devices owned by any individual viewer. This they term SCaaS or Sight Correction as a Service, where the prescription information for each viewer is stored on a managed server in the cloud. This can then be securely downloaded to the mobile phone on demand and then the correction applied. This opens up the possibility of new revenue streams for mobile operators who are also sometimes straining to see how they will generate a higher ARPU (Average Revenue Per User).

Some have even suggested more bizarre uses for the technology, including for otherwise generally well sighted individuals, who are in some way suffering temporary visual impairment. One group in particular are those under the influence of drink, suffering blurred vision, and yet need to search for a taxi number to phone, or check bus or rail timetables. A simple application with one click per pint, spirit or glass of wine drunk could apply increasing levels of ReFuzz until the drunken user can see. Mobile operators could offer this as a one off pay-as-you-booze download, or perhaps more adventurous manufacturers could add it in hardware, with a breathalyser reader as a further option.

This technology is only at the start of its practical use, and there are many more ideas in sight. BlurT are considering how to get any device to recognise who has picked it up, automatically download their SCaaS prescription and then apply the correction on the fly. At the moment the ideas on the table include asking mobile device manufacturers to build-in fingerprint readers, or iris scanners, to ensure that almost as soon as the user looks at the mobile screen, it snaps into focus.

If they crack that, mobile phones really will become a sight for sore eyes. In the meantime, those building these devices and developing applications for them should remember that not everyone has perfect sight, the ability to jab at tiny buttons or clearly hear from tiny speakers, and should try to bear these factors in mind at the design stages.

By: Dana Gardner, Principal Analyst, Interarbor Solutions Posted: 18th March 2009 Copyright Interarbor Solutions © 2009

In this BriefingsDirect episode, recorded Feb. 13, 2009, our guests examine the essential topic of bringing human activity into alignment with standards-based IT supported business processes. We revisit the topic of BPEL4People, an OASIS specification.

The need to automate and extend complex processes is obvious. What's less obvious, is the need to join the physical world of people, their habits, needs, and perceptions with the artificial world of service-oriented architecture (SOA) and business process management (BPM).

This interaction or junction will become all the more important as cloud-based services become more common.

Our discussion, moderated by me, includes noted IT industry analysts and experts Michael Rowley, director of technology and strategy at Active Endpoints; Jim Kobielus, senior analyst at Forrester Research; and JP Morgenthal, independent analyst and IT consultant.

Here are some excerpts:

Rowley: [With BPEL4People] you can automate the way people work with their computers and interact with other people by pulling tasks off of a worklist and then having a central system, the BPM engine, keep track of who should do the next thing, look at the results of what they have done, and based on the data, send things for approval.

It basically captures the business process, the actual functioning of a business, in software in a way that you can change over time. It's flexible, but you can also track things, and that kind of thing is basic.

... One of the hardest questions is what you standardize and how you divvy up the standards. One thing that has slowed down this whole vision of automating business process is the adoption of standards. ... The reason [BPM] isn't at that level of adoption yet is because the standards are new and just being developed. People have to be quite comfortable that, if they're going to invest in a technology that's running their organization, this is not just some proprietary technology.

The big insight behind BPEL4People is that there's a different standard for WS-Human Task. It's basically keeping track of the worklist aspect of a business process versus the control flow that you get in the BPEL4People side of the standard. So, there's BPEL4People as one standard and the WS-Human Task as another closely related standard.

By having this dichotomy you can have your worklist system completely standards based, but not necessarily tied to your workflow system or BPM engine. We've had customers actually use that. We've had at least one customer that's decided to implement their own human task worklist system, rather than using the one that comes out of the box, and know that what they have created is standards compliant.

All of the companies involved—Oracle, IBM, SAP, Microsoft, and TIBCO, as well as Active Endpoints—seem to be very interested in this. One interesting one is Microsoft. They are also putting in some special effort here.

One value of a BPM engine is that you should be able to have a software system, where the overall control flow, what's happening, how the business is being run can be at the very least read by a nontechnical user. They can see that and say, "You know, we're going through too many steps here. We really can skip this step. When the amount of money being dealt with is less than $500, we should take this shortcut."

That's something that at least can be described by a lay person, and it should be conveyed with very little effort to a technical person who will get it or who will make the change to get it so that the shortcut happens.

Koblielus: It's critically important that the leading BPM and workflow vendors get on board with this standard. ... This is critically important for SOA, where SOA applications for human workflows are at the very core of the application.

... BPEL4People, by providing an interoperability framework for worklisting capabilities of human workflow systems, offers the promise of allowing organizations to help users have a single view of all of their tasks and all the workflows in which they are participating. That will be a huge productivity gain for the average information worker, if that ever comes to pass.

... One thing that users are challenged with all the time in business is the fact that they are participating in so many workflows, so many business processes. They have to multi-task, and they have to have multiple worklists and to-do lists that they are checking all the time. It's just a bear to keep up with.

Morgenthal: Humans interact with humans, humans interact with machines, and data is changing everywhere. How do we keep everything on track, how do we keep everything coordinated, when you have a whole bunch of ad-hoc processes hitting this standardized process? That requires some unique features. It requires the ability to aggregate different content types together into a single place.

One key term that has been applied here industry wide I found only in the government. They call this "suspense tracking." That's a way of saying that something leaves the process and goes into "ad hoc land." We don't know what happens in there, but we control when it leaves and we control when it comes back.

I've actually extended this concept quite a bit and I am working on getting some papers and reports written around something I am terming "business activity coordination," which is a way to control what's in the black hole.

So, you have these ongoing ad hoc processes that occur in business everyday and are difficult to automate. I've been analyzing solutions to this, and business activity coordination is that overlap, the Venn diagram, if you will, of process-centric and collaborative actions. For a human to contribute back and for a machine to recognize that the dataset has changed, move forward, and take the appropriate actions from a process-centric standpoint, after a collaborative activity is taking place is possible today, but is very difficult.

One thing I'm looking at is how SharePoint, more specifically Windows SharePoint Services, acts as a solid foundation that allows humans and machines to interact nicely. It comes with a core portal that allows humans to visualize and change the data, but the behavioral connections to actually notify workflows that it's time to go to the next step, based on those human activities, are really critical functions. I don't see them widely available through today's workflow and BPM tools. In fact, those tools fall short, because of their inability to recognize these datasets.

... I don't necessarily agree with the statement earlier that we need to have tight control of this. A lot of this can be managed by the users themselves, using common tools. ... Neither WS-Human Task nor BPEL4People addresses how I control what's happening inside the black hole.

Rowley: Actually it does. The WS-Human Task does talk about how do you control what's in the black hole—what happens to a task and what kind of things can happen to a task while its being handled by a user. One of the things about Microsoft involvement in the standards committee is that they have been sharing a lot with us about SharePoint and we have been discussing it. This is all public. The nice thing about OASIS is that everything we do is in public, along with the meeting notes.

The Microsoft people are giving us demonstration of SharePoint, and we can envision as an industry, as a bunch of vendors, a possibility of interoperability with a BPEL4People business process engine like the ActiveVOS server. Maybe somebody doesn't want to use our worklist system and wants to use SharePoint, and some future version of SharePoint will have an implementation of WS-Human Task, or possibly somebody else will do an implementation of WS-Human Task.

Until you get the standard, that vision that JP mentioned about having somebody use SharePoint and having some BPM engine be able to coordinate it, isn't possible. We need these standards to accomplish that.

A workflow system or a business process is essentially an event-based system. Complex Event Processing (CEP) is real-time business intelligence. You put those two together and you discover that the events that are in your business process are inherently valuable events.

You need to be able to discover over a wide variety of business processes, a wide variety of documents, or wide variety of sources, and be able to look for averages, aggregations and sums, and the joining over these various things to discover a situation where you need to automatically kickoff new work. New work is a task or a business process.

What you don't want to have is for somebody to have to go in and monitor or discover by hand that something needs to be reacted to. If you have something like what we have with ActiveVOS, which is a CEP engine embedded with your BPM, then the events that are naturally business relevant, that are in your BPM, can be fed into your CEP, and then you can have intelligent reaction to everyday business.

... Tying event processing to social networks makes sense, because what you need to have when you're in a social network is visibility, visibility into what's going on in the business and what's going on with other people. BPM is all about providing visibility. ... If humans are involved in discovering something, looking something up, or watching something, I think of it more as either monitoring or reporting, but that's just a terminology. Either way, events and visibility are really critical.

Read a full transcript of the discussion. The full podcast is also available for download here.

By: Simon Holloway, Practice Leader - Process Management & RFID, Bloor Research Posted: 5th August 2008 Copyright Bloor Research © 2008

At the beginning of July 2008, I met with Neil Thomson, CTO, Martin Redington, Director of Product Marketing and Ian Crombie, Principal Consultant of Microgen to be briefed on the company's BPMS product Aptitude.

Who are Microgen? Microgen was originally founded in 1974 and has been publically listed on the London stock exchange since 1983. During the last few years they have made a number of acquisitions, one of which was the company that originally developed Aptitude. The company currently has some 300 employees with its headquarters in Fleet, Hampshire, UK. The group has four major operating divisions: Asset and Wealth Management; Banking; Commercial, Public and Utilities; and Billing and Database Management, with offices in the following global locations:

• In the UK: London and Welwyn Garden City
• In Europe: Wroclaw (Poland) and Guernsey
• In America: New York and Grand Cayman
• In Africa: Cape Town.

There are over 120 employees within Microgen's development team, with approximately 45 developers that focus on the Microgen Aptitude product. The development team amounts to one-third of total company employees. Microgen has development teams based both in Microgen's development centre in Wroclaw, Poland, in the Fleet Headquarters office in the UK and their Channel Island operation.

Technology partners include SAP, Microsoft and Reuters. Strategy partners include Bearing Point, LogicaCMG and SAP.

Bloor was informed that the turnover for the last financial year was £33m and they had some 1500 customers. Aptitude is the key product of the company, and their own solutions are built upon this. Thomson explained that the company's value proposition was to sell to the business with IT their software and consultancy with some domain knowledge.

So what about Aptitude? Aptitude was developed as a horizontal BPMS product that would provide a common environment in which both business and IT users could collaborate to build and manage applications. This is achieved through a single integrated environment that is used for Business Process Management, Business Rules, Integration, Web Forms and Services Orchestration, using one common language, interface and data model. Microgen use Aptitude to develop their vertical solutions for Asset and Wealth management, Energy and Utilities, Gaming, Transportation and mainstream Financial Services.

Redington explained that Microgen see their USP in the BPMS market that they are offering BPM with rules. Their sales targets were organisations with mission critical applications where millions of transactions per day where the norm, with the requirements where transaction failure back out is key and all the parts in the process are tightly coupled. Aptitude works on an event driven approach; this allows components to respond to changes in status of the events.

Another unique capability is that Aptitude includes Transaction Process Management (TPM) with transaction control, flow management and a throughput capability of over 5,000 transactions/second for extreme transaction processing (XTP). This means that Aptitude provides support both for Straight Through Processing as well Batch Processing.

The other interesting factors Bloor were told include:

• There is no mandatory persistent storage required to run Aptitude. It operates in memory.
• Aptitude supports the collaboration support between business users and IT. Microgen envisages that business users will set the rules, whilst IT will tune the rules and configure the environment for run time efficiency.
• There is no intermediate stage between graphically modelling the business process and the executable version of the process. Movement from the development project folder to execution folder generates pcode from the diagram and the configuration file.
• Aptitude supports 3 stages for deployment—development, UAC for testing and production.
• Any Business Process or Rule can be published as a web service.
• Currently the forms designer supports ASP.Net forms, but Bloor were informed that in the next release Aptitude would support Java as well.

The development environment—Aptitude Studio—has a Microsoft Visual Studio look and feel. It provides support for remote server access. The check-out capability works as for Visual Studio in that follow-on users of a booked out object have read-only access.

Aptitude client is written in C# and is agnostic in terms of application server. Aptitude Server is written in C++ and can run on either Windows or Unix. The internal DBMS is Berkley DB, which now owned by Oracle.

The current version is 2.5 and this release went on general release recently. The new features include better support for simulation and maintenance, ability to do what-if scenarios for the data design process, and support for test data generation.

Microgen Aptitude is an interesting BPMS product. It does conform to all the norms, but has a very successful track record in the financial sector and Energy trading. Redington explained to Bloor that they were in the process of developing a solution for a European Rail Infrastructure company to provide a better way to price rail journeys.

Bloor views Microgen Aptitude as a product that has some real benefits for the support of high transaction throughput processes. The approach to generate pcode from a graphic model is of particular note.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 12th December 2007 Copyright Sageza Group, Inc. © 2007

Trend Micro Incorporated has announced a definitive agreement to acquire Provilla, Inc., a provider of fingerprint-based intelligent endpoint solutions for data leak prevention (DLP) in organizations. Under the agreement, Provilla will operate as a subsidiary of Trend Micro's U.S. affiliate. Provilla's data leak prevention personnel and technology and products will enhance the Trend Micro portfolio of easily deployed and managed multi-layered content-security solutions for business customers. Provilla's LeakProof product suite combines patented DataDNA fingerprinting technology with intelligent agents to help enterprises protect their intellectual property and confidential information and maintain regulatory compliance. The technology lets organizations know the exact locations of sensitive data for active and effective control. Provilla products also educate and sensitize end users to corporate policies and regulatory requirements. Trend Micro will continue to offer Provilla's stand-alone products for the near term as well as gradually integrate Provilla's capabilities into its own enterprise, small, and mid-size business solutions. Provilla products are deployed in North America, China, Taiwan, Europe, and Japan.

This is the second recent acquisition in the DLP space, coming on the heels of RSA's acquisition of Tablus. As antivirus technology continues to spiral into the world of commodities and attacks become more targeted, sophisticated users are likely to look for more comprehensive solutions from the same vendor. End-user organizations are really concerned about the results, not necessarily the methods. Perhaps in time these same users will demand software as a service with service level agreements in place to incent vendors to perform.

Now that RSA and Trend have made their move, what can be expected from McAfee and Symantec? While it would be convenient to jump on the industry rumor-mill bandwagon and posit that Symantec will buy Vontu, we actually believe otherwise. Symantec is at a serious inflection point. Too much time has passed for the company to plead SYMC/VRTS integration issues, and the recent financial report combined with what appears to be a serious problem in bookings means to us that Symantec perhaps ought to be more concerned with correcting the product and support issues that have likely negatively impacted bookings in the enterprise space. Indeed, we believe that the term "content protection" should include safeguarding one's own content as well protecting the IT infrastructure from malware, phishing, spam, etc. Absorbing new companies and their products has never been Big Yellow's strong suit, although it's our understanding that much of the Altiris marketing management has succeeded in supplanting survivors of the Veritas acquisition. It remains to be seen whether McAfee will follow a me-too approach and buy one of the remaining DLP vendors.

What does this all mean to the end-user community? In March we profiled Provilla's agreement with BigFix and concluded by stating our belief that "combining detection, prevention, and remediation is a best practice for end-user organizations. However, this recommendation implies that end users have already gone through the exercises of classifying their information and establishing policies to safeguard each level of classification. This approach is necessary for good governance which reduces operational risk and demonstrates compliance as a by product of planning ahead and employing technology to enforce policies." We stick by our guns and reiterate that technology is only one leg of the security triangle. Data loss prevention can only occur after organizations go through the data classification exercise and synergize their People and processes along with appropriate technology. Addressing only technology would be like passing out ice tongs on the Titanic.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 3rd December 2007 Copyright Sageza Group, Inc. © 2007

Citrix Systems has announced SmartAuditor, a new feature of Citrix Presentation Server that helps enterprise customers monitor, record and play back specific application sessions as part of their ongoing risk management and regulatory compliance measures. By incorporating user activity auditing as a core property of a company's existing application delivery infrastructure, SmartAuditor allows customers to demonstrate that employees are meeting established guidelines for information access, transaction integrity and intellectual property protection. Using SmartAuditor, customers can set policies to record specific application sessions based on a user's role, the application being accessed, or the sensitivity of the application transaction. SmartAuditor captures screen activity from a user's computer and stores it in a small, digitally-signed, time-stamped video file that can later be analyzed and logged. SmartAuditor records only relevant user sessions, as differentiated from add-on auditing solutions, which often have large storage requirements and can be unwieldy to analyze during an audit.

Many organizations are employing Citrix Presentation Server because it centralizes Windows applications and runs them from the datacenter rather than on outlying PCs. This model inherently provides better control, and can reduce overall IT expenses employing the thin client architecture. The tighter control engendered in centralization offers many advantages in highly regulated environments and where there is a need to protect sensitive information. Organizations that store personal information about their customers, especially credit card information, are learning the hard way that it is incumbent on them to maintain very high levels of security around this data or risk data breaches and running afoul of disclosure laws found in many states.

A, perhaps unintended, benefit of the monitor, record, and play back capability may be its use in electronic discovery and subsequent presentation to judges and juries who determine the facts in a litigation. Electronically stored information is at the heart of most complex civil litigations. The "trier of fact" (either judge or jury) is often subjected to a barrage of complex evidence, and an exhibit that demonstrates exactly what happened in a particular transaction is more likely to hold the attention of the judge or jury and therefore get the information across more effectively than mere reports. The blurring of work and personal times combined with rising energy costs and debilitating commutes will, in our view, also contribute to accelerated adoption of thin client architecture over the next several years and it appears likely that Citrix will reap many of these benefits.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 8th November 2007 Copyright Sageza Group, Inc. © 2007

SAP AG has announced the immediate availability of new GRC web services that enable the seamless integration of identity management software solutions with SAP GRC Access Control. Based on open standards and built on the SAP NetWeaver platform, these new web services open up the full capabilities of SAP GRC Access Control, allowing identity management software vendors to tightly integrate their respective solutions, providing customers with a single set of tools to manage user identities, enforce corporate security policies and ensure compliance with regulatory mandates.

SAP, together with leading identity management software providers including IBM and Sun Microsystems, is responding to the challenges faced by CFOs and CIOs in proving to auditors that they are effectively controlling their financial and IT-related risks by combining automated, end-to-end compliance controls with the full range of identity management functionality. Integration efforts by IBM and Sun are already well underway to link IBM Tivoli Identity Manager and Sun Java System Identity Manager with SAP GRC Access Control, bringing together critical compliance capabilities—including segregation of duties enforcement, risk analysis and remediation, compliant user provisioning, role management, audit and reporting—with key identity management functionality, such as user provisioning, authorization and authentication, password management and directory services.

SAP is also using its new web services to integrate its SAP NetWeaver Identity Management component, created following SAP's acquisition of identity management software provider MaXware earlier this year, with SAP GRC Access Control to provide an end-to-end solution for compliant provisioning across heterogeneous IT environments. The provision of open interfaces to link SAP products with those of third-party software providers continues SAP's open partner strategy and preserves its customers' freedom to build and deploy solutions that best fit their needs, using both SAP and non-SAP components. The new Web services from SAP are available immediately as part of SAP GRC Access Control.

This announcement appears to signal an agreement for "peaceful coexistence" among several large and powerful software vendors. We applaud the notion of tight integration of identity management with applications as a logical and progressive step in transparency of identity validation prior to application execution. It is also interesting to note that Governance, Risk and Compliance can be thought of as a hub connecting the various outlying applications. As such, the GRC application itself becomes highly sensitive for its information content and as a potential target of electronic discovery in litigation.

Customers already employing GRC products from SAP and who have, or are considering, IDM products from IBM and Sun should benefit from this announcement. The "détente" effect of these alliances is also significant and we believe it is indicative of the competition and segmentation that end-user organizations can expect from large vendors in the future.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 29th October 2007 Copyright Sageza Group, Inc. © 2007

FireEye, Inc. has announced an integrated anti-botnet solution that couples the global FireEye Botwall Network with its FireEye Botwall appliances. The FireEye anti-botnet solution is built from the ground up to combat the stealthy, targeted malware unleashed via remotely controlled and compromised PCs, also known as bots.

The FireEye Botwall Network, which provides unprecedented intelligence on botnet command and control (C&C) as well as detection and analysis of propagation activities, gives organizations a complete view of the botnet threat landscape. FireEye provides anti-botnet protection with the FireEye Botwall 4000 appliance and the FireEye Botwall Network service, a globally deployed botnet discovery and analysis service offering which provides subscribers with the most current botnet intelligence to complement on-premise anti-botnet security appliances. It catalogs and disseminates botnet characteristics derived from malware analyses that are conducted by interconnected networks of FireEye Botwall appliances selectively deployed at service providers around the world.

Enterprise customers using FireEye Botwall appliances can subscribe to the FireEye Botwall Network to gain visibility into botnet C&C structures and locations, propagation tactics and malicious activities. The service delivers pre-emptive protection with global awareness and local network analysis to precisely identify, understand and stop emerging botnet and malware threats. The FireEye Botwall 4000 Series is a next-generation, locally deployed security appliance that protects customers by derailing a bot infiltration attack from preventing the initial breach and downloading the first bot command payload as well as blocking active communications to known malicious botnet servers.

The FireEye Botwall appliances employ three classes of anti-botnet technologies: discovery, on-premise botnet propagation analysis coupled with global botnet C&C data; control, whereby customers can extinguish botnet propagation activities and unauthorized communications; and audit, by which botwall appliance analyses, reports, and alerts ensure IT management stays ahead of botnet infiltration attacks. The patent-pending FireEye Analysis and Control Technology (FACT) engine analyzes network traffic for botnet malware and botnet C&C server communications within virtual victim machines. This technique surpasses the limitations and inaccuracies of traditional signatures or network behavioral heuristics to protect customers from botnet penetration and exploitation.

Bots have proven themselves to be a major threat in today's environment, and will continue to be a significant threat in the next several years because perpetrators have had an easy time of setting up botnets and, more importantly, have been able to devise a well orchestrated way of monetizing their crimes by renting out these networks to others with nefarious intentions. The trends of financially motivated attacks and more focused targeting by cyber criminals are also sure to continue.

We are pleased by the FireEye combination of intelligence as an accompaniment to the appliance because of the evolving and dynamic nature of the bot threat. By offering alternative means to control and mitigate the botnet threat, FireEye is targeting what we believe is a key threat vector and may be able to help high-profile target organizations such as financial institutions, government entities, energy companies and pharmaceutical organizations to reduce their vulnerability to this threat.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 5th October 2007 Copyright Sageza Group, Inc. © 2007

Sun Microsystems has announced new software to provide a more secure and manageable virtual desktop environment. Sun Virtual Desktop Infrastructure Software 1.0, installed on the Solaris OS, helps enable organizations to move applications and operating systems off personal computers, consolidate them in the datacenter, and present them to end users on a wide array of devices through high-performance display protocols.

Sun VDI Software offers a highly-secure platform for accessing virtualized Microsoft Windows desktop environments from a wide variety of client devices. When Sun VDI Software is coupled with VMware Infrastructure software, desktops can be consolidated onto servers in the datacenter, with each user enjoying a dedicated virtual machine that is isolated from other users and customized to individual needs.

Utilizing Sun Fire x64 systems and VMware ESX Server, multiple desktop environments can be hosted on a single server, to allow users to access their desktop environments from traditional clients such as Windows and Mac OS X computers, as well as thin clients. Each virtual desktop functions as though it were running directly on the user's computer, but critical data is kept in the datacenter where it can be more easily managed by IT and is less susceptible to loss or theft. Sun VDI software helps enable IT managers to set up new users, workgroups, or departments in minutes, controlling and managing desktops and updates centrally, reducing costs normally associated with a traditional distributed desktop model. Through this approach, users can seamlessly shift a desktop session between any supported device.

Planned for availability in early 2008 as a component of Sun Virtual Desktop Solutions, the initial release of this VDI connector will support VMware Infrastructure deployments, with future versions planned to support other popular virtualization solutions. Sun VDI Software will be available in October 2007, priced at $149 per user, and will support Solaris and Linux.

The virtual desktop is bound to accelerate in popularity as more organizations move to a point where they have to make a decision about migration to the Windows Vista environment. While this decision may be in the offing, the window for making significant technology decisions has a way of accelerating. There also appears to be a subtle, yet clear, movement of leading edge technology users to Mac laptops and over time the population of Macs at high-tech and security-sensitive companies in particular is likely to increase.

Globalization trends and concerns about proprietary applications are additional factors inducing organizations to centralize their applications off local PCs. We believe that Sun is correctly reading the technology work pattern tealeaves and that fortune for this class of infrastructure is bright.

By: Dr Peter Dzwig, Partner, Concertant Posted: 30th August 2007 Copyright Concertant © 2007

Late August is generally the doldrums of the annual news cycle. Unusual then to find a newcomer to the market making new announcements that may turn out to be of great importance to the micro-processor industry. Whatever the reasoning, Tilera chose the tail end of this month to announce its TILE64 family of sixty-four element multi-core processors.

If it was a market splash that they wanted to make then it has worked well for them – the current Google count is 1,040,000 entries. For the TILE64 alone it is well over half a million.

Derived from work done at MIT by Founder and CTO Anant Agarwal and others at MIT, the TILE64 is very firmly targeted at the embedded systems market. It makes some interesting strides forward in terms of the management and manipulation of data on a complex chip. The architecture owes debts to systolic arrays, switched and MIMD architectures going back at least to the 1970s. The executive team, too, has a long pedigree in processor technology which shows in many of the design decisions, as we shall see.

The basic element of the TILE64 is the tile, of which there are 64 interconnected copies, arranged in a 2-D grid. A tile consists of a three-way VLIW (Very Long Instruction Word) processor with associated two-level hierarchical cache and a switch (i.e. processor + memory + switch = tile). The five-way switch is the centrepiece of the chip’s structure. Each tile is connected to five networks. Two are under hardware management for data movement to and from tiles and to memory. The other three networks are for applications use to enable cores to communicate among themselves and with I/O devices.

Data movement within multi-core chips increases at least as fast as the number of cores and in many applications grows more rapidly. Management of the flow(s) of data around the chip becomes critical in realising – or not – the potential performance of the multiple cores. Inter-device communication is sufficiently important that several companies are focussing their attention on the delivery of optical interconnects on-chip for the high-density processors including Luxtera, Primarion and Intel.

On the TILE64, each processor can see the all the other processors’ caches, so that opportunities for data movement abound. Multi-way switches represent one of several strategies for marshalling data in such complex systems and the five networks (as they are referred to by Tilera) of the TILE64 are configured so as to separate requirements for data movement. Tilera don’t present independent data as to the efficacy of their strategy in practice, although the company’s publicity makes reference to “a number of patented innovations that enhance the performance and flexibility of the [network]”.

The chip also integrates a number of interfaces including XAUI, gigabit Ethernet, UARTs, Flexible I/O and four DDR2 Controllers.

The complexity of the management of data influences the choice of processor design philosophy, which is the same choice as Intel made with their experimental 80-core processor – that has still to see commercial light of day. VLIW processors execute operations in parallel based on a schedule determined by the compiler. Since the order of execution (including which operations can execute simultaneously) is handled by the compiler, the processor can save on scheduling hardware. VLIW-based CPUs offer increased computational power over superscalar CPUs at the cost of greater compiler complexity and can be built using larger feature sizes (90nm for the TILE64), lower power consumption (170–300 mW/core) and lower clock speeds (600MHz–1Ghz in the present case).

Only a relatively few years ago VLIW was deemed inefficient, but increases in device density has meant that many of its “perceived” inefficiencies have been reduced and VLIW has consequently grown in popularity. The use of VLIW simplifies the physical architecture at the expense of a more complex, and sophisticated compiler. This has the advantage of greater ease in fabrication and the ability to save device count.

Interestingly, each tile can support a kernel, or run under control of a supervisor system and as a result (using their “Hardwall” technology) can provide kernel-level protection. This technology enables the array to be partitioned to support different operating systems and/or different/or multiple instances of the same applications.

VLIW has obtained a very substantial following in the embedded market with a number of companies offering embedded VLIW products. These include Fujitsu, STMicroelectronics and NXP (formerly Philips). None however are anywhere near as sophisticated as Tilera’s offerings.

Tilera appears to be offering an appropriate and well thought out set of software tools to go with the new architecture, advocating a “Gentle Slope Programming” approach. Using Tilera’s ISO-standard C compiler and Linux to start development, the user can exploit data parallelism by using a set of libraries to enable multiple-tile use. The final stage is the use of debugging tools to optimise, debug and profile code. There is also an Eclipse-based IDE. The compiler itself derives from SGI’s MIPSpro, designed to support parallel programming. Since we have not yet had access to the tools, nor benchmarked them against specific metrics, we are unable to comment further on the tools.

So, Tilera has a sophisticated product with a seemingly appropriate set of tools. Is it just another start-up? As far as can be told from the publicly available information Tilera is targeting its products at a very appropriate and important embedded markets: next generation networking products, spam detection, deep-level intrusion detection and similar applications. Tilera claim that a dozen customers including 3Com, GobackTV, and Codian are taking product. The first commercial products using the TILE64 are expected to appear next year.

Where does this place Tilera? This new family of processors ticks most of the boxes for an efficient embedded true multi-core processor. The TILE64 is an interesting and possibly important piece of hardware. Clearly the company are generating a lot of interest, including important commercial interest, and they have both product and adoption a substantial time before Intel is likely to even demonstrate its eighty-processor beast. Whether this will translate into longer-term market advantage is at this stage difficult to say. Could Tilera be the next big thing? We shall have to watch the market over the next few years.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 24th August 2007 Copyright Sageza Group, Inc. © 2007

IBM announced recently it has entered into an agreement to acquire Princeton Softech Inc., a privately held company based in Princeton, New Jersey, that provides data archiving, test data management, data privacy and data classification and discovery software. Financial details were not disclosed.

This acquisition furthers IBM's cross-company Information on Demand business initiative, enabling customers to address their escalating information management challenges and improve database performance by segregating historical data from current data and storing it securely and cost-effectively. Princeton Softech's test data management solutions also help customers protect data privacy and contain costs by creating test databases where sensitive data can be masked and protected. Princeton Softech has approximately 240 employees and more than 2,200 client companies. IBM plans to integrate Princeton Softech's product offerings into IBM's Software Group as part of its Information Management Software division. The addition of Princeton Softech's technology will expand IBM's capabilities in the area of Enterprise Data Governance, in particular boosting IBM's ability to offer clients integrated data classification, archiving, and test data management and data privacy solutions across heterogeneous application and database environments. IBM's strategy is focused on providing customers with the data they need when they need it in order to quickly respond to market needs, rapidly identify new business opportunities, efficiently ensure data governance, and improve business results. The acquisition is subject to regulatory approvals and is anticipated to close later in 2007.

Many organizations are finding that storage management is now, or will soon represent, greater than 50% of their annual IT budget. Companies grappling with government mandates and business demands are striving to capture and integrate information in a more seamless, realtime fashion across their enterprises. IBM's Information on Demand approach combines industry-specific expertise with advanced software, open standards and storage technology—integrated via a services oriented architecture—to manage, secure and deliver information as a service to solve business challenges.

Large organizations are constantly wrestling with the critical issues associated with increased amounts of electronically stored information. On one hand organizations rightly want to minimize their expenses associated with this storage, and on the other they recognize that scrimping on technology in this area may come back to bite them with governance, compliance and litigation exposure and expense. The notion of integrating data classification, archiving and data privacy is particularly sound because the concept recognizes that all of these key elements belong together.

However, the elephant in the living room behind this announcement is Professional Services. Organizations are loathe to attack the issues of data classification on their own, and some fail to realize that this mighty chore is the heart of any data privacy, data protection and governance effort. While we do not track figures on the split of product versus services revenue in large deals, and some pundits have stated that the services piece is often as much as 90% of the total project, we know that the services piece serves as the glue to put the whole thing together. Through this announcement IBM has recognized not only the pieces of the puzzle, but can help their clients put those pieces together by offering the services needed to effectively meld them together along with creating or adjusting the policies and procedures required to keep the organization operating smoothly. The combination of data classification, archiving and data privacy products and services should help IBM's clients to employ effective governance to include protecting personally private data and valuable intellectual property.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 20th August 2007 Copyright Sageza Group, Inc. © 2007

RSA, the security division of EMC, announced recently its intent to acquire Tablus Inc., a provider of data loss prevention solutions based in San Mateo, California. Tablus is privately-held; further details of the transaction are not being disclosed.

The Tablus solution will add data discovery and classification, monitoring, and data loss prevention capabilities to RSA's data security portfolio, helping enable the company to better meet the market's need for information-centric security by finding and identifying sensitive data; preventing that data from leaking outside the organization; and simplifying the management of data security through policy-driven controls.

Data discovery and classification is a critical first step toward securing data in most organizations, as IT departments grapple with an explosion of digital information to store, manage, and protect. This challenge is complicated by the fact that sensitive data exists in three different forms (database records; messages, such as email; and loose files) and in three different contexts (at-rest on datacenter storage; in-motion through the network; or in-use on laptops, mobile devices, and portable storage). Comprehensive data discovery and classification must directly address this complexity. To that end, RSA will combine Tablus products with the EMC Infoscape intelligent information management solution to create a common platform that is engineered to enable organizations to discover, classify and take policy-based action on all of their data. Specifically, Tablus's expertise in quickly and accurately locating and protecting valuable intellectual property, sensitive personal information, and security-related content will be combined with Infoscape's solutions for managing data according to specific governance requirements regarding retention and archiving, as well as preparation for litigation support through e-discovery.

An understanding of the information landscape gives organizations the ability to establish and enforce data security policy and prevent data loss. This enforcement can take many forms, from data erasure, bulk encryption and digital rights management to simple movement and quarantine. These various enforcement mechanisms need to be applied at different points in the IT system: at the point of storage, at the point of creation or at other times in the network. In recognition of this reality, RSA plans to integrate the Tablus offering with its existing data control assets in the fields of encryption, key management, and information rights management, and partner openly with industry leaders to enable policy-driven enforcement of data security where it makes the most sense.

The ability to establish, enforce and audit data security policy is central to this vision. Specifically, enabling policy-driven data security controls throughout the infrastructure that are fully and mutually interoperable would address not only the data security problem, but also the associated cost of operation. Together with RSA's data security assets, EMC Infoscape and strategic partners, the core technology and intellectual property of Tablus will allow organizations to build robust policy around sensitive data, and distribute the enforcement of that policy as needed when that data is copied, moved or accessed.

Very few vendors have appreciated the interaction across data classification, document life cycle management, archiving, storage optimization, data loss prevention, privacy, auditing and security. All these entities must work in concert to help the organization accomplish its business goals, safeguard its sensitive information and intellectual property, optimize its governance, and reduce its legal vulnerability and expenses. By combining the information rights management capabilities embodied in the Tablus product line into the security division it's clear to us that EMC recognizes the totality of the electronically stored information universe.

RSA's acquisition signals a new stage in the evolution of the data loss prevention market place. Up to this point the DLP space has been the province of smaller firms each trying to eke out a small piece of a nascent but growing market. IBM's Princeton Software was a signal by IBM of its intentions and now that we have seen EMC make its move, we expect to see others like Symantec follow suit, perhaps stimulating a minor scramble to acquire respectable technology early in the market's development. The key to success in the market, however, is not necessarily technology, but services and linkages to the various service providers in the litigation support market and the SIs who serve the large end users. It remains to be seen if hardware-oriented firms like EMC and its RSA division are able to bridge the gap for their customers.

By: Tony Lock, Programme Director, Freeform Dynamics Posted: 31st July 2007 Copyright Freeform Dynamics © 2007

A couple of weeks ago I attended a roundtable, organised to highlight that the RSA Conference Europe event would this autumn settle in London for the first time. Over the course of ninety minutes the panel, unsurprisingly composed of sponsors of the event, discussed many issues. Even though the bulk of the panellists came from a diversity of vendors (RSA, Oracle, Microsoft and SafeBoot) on many issues there was often near universal agreement. But there were also one or two questions on which differences of opinion were visible, especially the matter of "divulgence".

Matters started off with a fair degree of unanimity as panellists discussed the many pressures now acting on holders of data. Whilst all of the usual suspects are obvious and clearly understood, it was interesting to note that without any hesitation everyone present considered that protecting brand values and ensuring brand integrity in the eyes of customers and the public at large have now risen to become one of the primary drivers behind many security initiatives. Even when not declared to be a primary security motivator it is clear that brand protection in the online world is always a matter of concern, and increasingly a cause of security related investments.

Equally interesting was, when I raised the fact that "security solution" technologies on their own cannot secure anything, no one disagreed at all. This was a good job: we have many sources of research insight that clearly illustrate that education in the secure use of all systems, but especially of mobile solutions, is an essential element of any security strategy. There are (too) many instances of people using systems inappropriately and of unsuitable procedures being adopted around systems leading to information leakage. To resolve this, there is a clear need for education to be formalised even around the simple to use systems that are commonly deployed to support core business functions.

Whilst the above topics generated some interesting discussion, they did not result in noticeably different opinions amongst the panellists. But one conversation did prove that there is still room for disagreement. The contentious question is, when to tell customers, partners and perhaps the world at large that something has gone wrong or that systems have been compromised and information has been exposed?

As ever increasing quantities of information is held on IT systems and as both individuals and organisations find themselves "sharing" progressively more valuable data, legislators in many countries are considering under what circumstances data holders should have to let their customers know of security breaches that may compromise the information they hold. In a few countries or states (notably, in the US) it has already become required to inform customers if information held on them may have been exposed; elsewhere, examples such as the theft of a laptop form a Nationwide Building Society employee indicate how some organisations are choosing to disclose security breaches.

One panellist held the view that the CEO and managers of a business should decide, perhaps after consulting with any appropriate regulatory bodies, when, or even if, they should notify of information leakage or deliberate data theft. I, along with most of the rest of the panel felt that whilst this might be the ideal line to adopt it is plainly not going to work unless the CEO has objective, nay absolutely impecccable, judgement and can act in an entirely disinterested fashion. Given the fantastic pressure on CEOs to not only deliver the financial goods but also, as discussed earlier, to protect the integrity of their brand it would be almost impossible to expect them to disclose practically any breach of systems or inappropriate exposure of data that had not already reached the public domain.

To my mind, disclosure legislation will become inevitable in most areas of business. It then behoves us to react reasonably. After all, in nearly all matters of daily life and business we seldom expect everything to always function perfectly. If every organisation can expect things to go wrong, it is up to the organisation to ensure that they have done everything they can to protect their systems, to recognise when they have been breached or data has leaked and to then react swiftly and fittingly to put things right. Part of this means notifying those affected as to the nature of the potential loss, what they should do to minimise exposure and what is happening to prevent future issues arising. While this may not be a perfect solution, we're living in an imperfect world.

By: Rob Bamforth, Principal Analyst, Quocirca Posted: 27th July 2007 Copyright Quocirca © 2007

A former university lecturer used to say, "any problem can be beaten to death with pound notes". Many network managers looking at the impact of voice over IP on their networks might be thinking along similar lines, but is more bandwidth the answer to the performance and quality issues they are currently, or soon to be, suffering?

It really depends what you're trying to measure. We all often fall into the trap of making important what we've measured, rather than measuring what's important, and networks management tools measure the things that computers, routers and other network components see—packets, loss and throughput. That's great for many ‘bit-shunting’ applications, but not so good for those that have a critical interactive impact on the end user, especially those based around the human senses of sound and sight.

The quality of voice and video is dependent on many more things than the network connection. In particular the final arbiter is the quality when the information hits the eye and ear. We know from recent Quocirca research into collaboration that the quality of visual and audio information is a major factor in the effective use of conferencing systems.

There are many areas that impact quality, and the old IT expression of GIGO (Garbage In, Garbage Out) can be applied when choosing microphones and cameras. Likewise, at the receiving end, the qualities of screens, speakers and headsets play critical roles in making communication clearer, crisper and easier for the receiver. However these are fixed issues that depend on balancing spend levels with fidelity—choose poor quality and you get what you pay for, choose good quality and it will consistently deliver.

But only if the network does its bit. And this is where the problem lies, and it will become increasingly apparent as more and more applications propel their bits through a myriad of networks and connections. Especially those applications that depend on how they look, sound and feel to the user.

The problem is that those responsible for the network are often measuring the wrong things. It seems to be performing fine, within tolerances and meeting SLAs, but the users aren't happy. The network is being measured, but not the applications that run over it.

With some applications, it's relatively easy to measure response times—round trips for key presses, time to update a screen, time to retrieve search results—and understand their impact on users. Indeed it's also possible to fool user perceptions of speed, for example the web browsers rendering text while waiting for the slower images to download. Or as Apple cleverly did with its earlier windowing system, using classic animation techniques like motion lines and blurring to make it appear that windows were popping up faster than they actually were.

The problem with interactive voice and video is that while some gaps and glitches can be masked, they can quickly become irritating and a drain on concentration, individual efficiency and ultimately overall value of the communication. With more voice and video heading down the converged IP pipe, simply throwing more bandwidth at the quality issue, or trying to dodge it by saying, "well the network's working fine", will not be acceptable.

That would be bad enough, but many organisations are looking for digital media investments to deliver better quality that their original analogue systems. Higher fidelity phone calls from the Pretty Awesome New Stuff (PANS) than delivered by the Plain Old Telephone System (POTS), and higher definition video instead of the decades old analogue TV standards. That's the real progress the digital revolution surely promised?

More and higher fidelity network traffic will need to be measured at the application level. Ask those who use the applications, find a way to understand their expectations, and a way to measure performance and quality in the way they appreciate, rather than in the obscure technicalities of the network. It might not be on the IT network management dashboard today, but the commercial considerations of quality of communication in a business world dependent on global reach, but increasingly environmentally penalised by global travel, will soon put it on there

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 23rd July 2007 Copyright Sageza Group, Inc. © 2007

Google Inc. announced last week that it has signed a definitive agreement to acquire Postini, a vendor of on-demand communications security and compliance solutions serving more than 35,000 businesses and 10 million users worldwide.

Postini's services, which include message security, archiving, encryption, and policy enforcement, can be used to protect a company's email, instant messaging and other Web-based communications. Under the terms of the agreement, Google will acquire Postini as a wholly-owned subsidiary for $625 million in cash, subject to working capital and other adjustments. The agreement is expected to close by the end of the third quarter 2007.

Hosted services, like Google Apps and Postini solutions, provide organizations with communications tools without the expense and hassle of traditional on-premise solutions. Google Apps, which includes Gmail, Calendar, Talk, Docs & Spreadsheets, and Personal Start Page, has been adopted by more than 100,000 businesses already. Postini solutions include Email Security, IM Security, Web Security, Message Archiving, Message Encryption, and Policy-enforced TLS. Google will continue to support Postini customers and invest in Postini products. The Google Enterprise group makes popular Google technology available to businesses of all sizes, from small, two-person startups to some of the largest companies in the world. Google Enterprise products help businesses find, see, and share information through products such as Google Search Appliance, Google Mini, Google Earth, Google Maps, and the Google Apps suite of hosted applications.

It would be quite tempting to jump to the simplistic conclusion that Google's acquisition of Postini was motivated by its desire to break out of the consumer mold and become a more attractive technology option for businesses. A strong argument could be postulated that Google felt it needed to beef up the security aspects of its mail services and that this move was made to assuage businesses' concerns about security and assurance. It could also be stated that by embedding Postini capabilities into Google applications the company has ensured a higher level of security and compliance for its customers because of the built in nature of the security and the end user's inability to circumvent these security measures. Both of these arguments would be good ones. However, we believe there is much more to the move.

It appears that Google correctly understands the fundamental shifts that are slowly evolving in the enterprise and government markets. Both these sets of large end users of IT want to implement security as a part of their infrastructure, but more importantly they recognize that end users want to be increasingly untethered and less concerned about the "form" of IT and more concerned about its utility.

The wave of software-as-a-service will build until it reaches tsunami proportions. Users are now bouncing between desktops, laptops, and PDAs/Smartphones. They don't have brand loyalty to a particular software or hardware company and want to be able to connect and function when it's convenient regardless of where they are or what end-point device is at hand. Many governments, in particular, are looking for a way to reduce their Microsoft bill. Some, such as Japan, have looked at Open Source as a way to accomplish this, but this solution hasn't gone far enough.

Consequently we congratulate Google on correctly moving to where technology is going rather than where it has been. We believe Google will continue to develop and/or acquire pieces that will help develop the virtual, secure workplace and that the Postini acquisition was only a first step on what promises to be a journey worthy of Harry Potter himself.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 9th July 2007 Copyright Sageza Group, Inc. © 2007

Oracle announced recently that it has added eight new members and more than doubled the size of its Identity Management Ecosystem. Joining existing partners such as Authenex, F5 Networks, Giesecke & Devrient, Identity Engines, and Lenel Systems International are strong authentication providers Arcot, Imageware, and TriCipher; converged physical access control provider Quantum Secure; network access control providers Juniper Networks and ForeScout; privileged accounts management partner Cyber-Ark; and a secure, federated identity partner Pay By Touch.

These new participating ISVs are working with Oracle to provide value-added integrations to Oracle Identity Management thereby delivering solutions that extend beyond traditional access and identity management infrastructures. Launched last year, the Oracle Extended Identity Management Ecosystem and Reference Architecture delivers integrations that make it easier for organizations to unify siloed security technologies into a comprehensive, standards-based identity management framework. Unifying these technologies with Oracle Identity Management enables customers to create a common security policy framework that spans heterogeneous systems and applications, lowers costs, and improves overall enterprise security. The expansion of the ecosystem is indicative of a commitment by Oracle to the identity management market and is likely predicated on its view of the continued demand for comprehensive identity and access management systems.

The information security market plays like a team sport. Players in the market tend to group into three classes: large powerful vendors; small new-technology vendors, and a group we call the "Goldilocks" vendors. This last group is the smallest of the three and consists of security vendors that have grown to a critical mass with revenues in excess of $100 million. We believe that the Oracle IDM is designed to attract a bevy of smaller companies who want to "draft" on Oracle much like racing car drivers increase their advantage in a race by drafting vehicles in front of them. With respect to the group named above, we believe that Juniper is the "one thing that doesn't belong" (to quote Sesame Street).

Technologically it makes great sense for Oracle to open its ecosystem to any and all comers. In that way customers can choose between Oracle and something, or Oracle and something else. This arrangement also allows the smaller vendors to leverage Oracle's penetration and to focus some of their precious developmental activity on building the interfaces needed to optimize performance with Oracle software. Where the rubber meets the road, however, is in lead generation and deal control. While we applaud the kumbaya nature of the ecosystem, we're adopting a wait-and-see attitude as to how this relationship affects the top line of players besides Oracle.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 2nd July 2007 Copyright Sageza Group, Inc. © 2007

Websense, Inc. has unveiled Websense Content Protection Suite v6, the industry's first security software that integrates information leak prevention capabilities with Web categorization and filtering.

This combination of content and destination awareness allows automated enforcement, allowing organizations to take advantage of emerging online business productivity applications such as Web 2.0 sites, with some assurance that security and usage policies, as well as predetermined business processes, are enforced and sensitive data is protected. Websense Content Protection Suite v6 combines content and context awareness leveraging Web intelligence through integration with Websense's URL database and ThreatSeeker malicious content classification technology, as well as new context-based data recognition capabilities that increase detection accuracy and enable organizations to create and enforce powerful, user-specific data sharing policies.

New capabilities in Websense Content Protection Suite v6 include Context Awareness and Control, which enables organizations to set policies allowing employees or groups of employees to use productivity tools securely. For example, an organization could allow an employee or group of employees to access their personal Web-based email accounts, but restrict them from sending sensitive corporate information through those accounts. Enhanced content awareness with PreciseID Natural Language Processing allows the detection of virtually any type of content while increasing the performance, efficiency, and flexibility of information detection. Advanced security protection through a combination of Websense's ThreatSeeker and information leak prevention technologies adds layers of context, along with advanced risk mitigation capabilities, and is designed to protect information from a growing number of information-stealing, targeted attacks.

Management and deployment enhancements include a unique graphical interface to manage large-scale, multi-site and distributed component implementations. This feature and the industry's first multi-platform "soft appliance" option promise flexibility and ease in deploying and managing enterprise implementations for both customers and the channel partners who support them. An important attribute of the new version is the new higher level of granularity and the ability to delegate incident response to the policy owner, which should facilitate timely response by the proper department.

Data leak protection, or its more politically correct synonym data loss protection (both acronymed as DLP), and their alter ego content filtering, are making the news. Sageza predicted that data privacy issues would outweigh SOX concerns by IT users in 2007 and we are pleased to say "we told you so." Organizations are becoming much more sophisticated in their approach to protecting sensitive data such as non-public personal information and intellectual property such as trade secrets. The very nature of today's business is to embrace communication with key stakeholders such as customers, suppliers, and contractors. This openness can put sensitive data in peril.

We believe that organizations must adopt a holistic approach to DLP. This means securing all avenues of approach and egress whether they are physical or virtual. Products such as this new version by Websense that offer simultaneous protection on multiple avenues appear to offer the most promise for end-user organizations because they make for stronger defenses, and centralized reporting yields better management control. Organizations must recognize, however, that sensitive data protection requires more than the latest technology. Policies and information classification schemes are the foundations for any successful data protection program.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 25th June 2007 Copyright Sageza Group, Inc. © 2007

Securent, Inc. has announced that it is first in the industry to deliver an entitlement management solution supporting Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0, enabling organizations to deploy SharePoint while meeting security and compliance requirements.

Securent's newly released standards-based Entitlement Management Solution (EMS) enables organizations to consistently manage, enforce, and audit access control policies to any SharePoint resource, including documents or document libraries, lists, search queries, and Web parts. With Securent's out-of-the-box solution for MOSS 2007, security is logically separated from site content and can be configured and audited by local and remote administrators. Enterprise, department, and individual SharePoint sites and applications now have the delegated fine-grained authorization and centralized visibility that are required to meet enterprises' security, compliance, and risk management mandates.

Companies are challenged today with balancing access to collaboration tools such as SharePoint with the need to safeguard confidential information and ensure compliance with internal policies as well as regulatory requirements. SharePoint's native security model, based on the pre-establishment of static permissions applied to individuals or groups, is optimized for personal sites, not enterprise deployments. When SharePoint is deployed broadly, enterprises suffer from a number of security and compliance shortfalls, which include difficulty in enforcing enterprise-wide policies, especially policies based on dynamic or resource attributes. Costs can be quite high for manually mapping users or groups to permissions and enforcing access control policies consistently between SharePoint and the rest of the enterprise IT and application infrastructure.

Securent offers fine-grained policies that can be centrally administered and appropriately delegated to individual site owners, and applied consistently to distributed SharePoint sites. Securent's EMS agents integrate with SharePoint for minimal impact to new or existing deployments, and audits use on-demand review functionality and realtime SharePoint user and administrator reports. Securent EMS offers organizations the ability to secure sensitive applications and data with an XACML standard-based solution to create, enforce, review, and audit fine-grained access policies across heterogeneous application and IT environments distributed throughout the enterprise, all with centralized management and visibility. The result is a more scalable and cost-effective alternative to custom coding of fine-grained access controls into applications.

Many organizations are looking for ways and means to ensure that applications, especially those dealing with sensitive information. are being used appropriately and that individuals are not exceeding their authority when performing operations within the applications. Organizations are also striving to simplify their policies with regard to the information and document lifecycles and, in some cases, prepare for potential litigation and optimize their responses to the production of electronically stored information. Application security has been a subject of news and research. However, most of the attention is focused on the development of secure applications and not necessarily the potential for abuse of applications and their data by authorized users. Application entitlement management, as controlled by Securent's EMS offering, appears to be a step in the right direction. We believe that for maximum effectiveness any technology must be accompanied by complementary policies and procedures. No technology has shown itself to be a silver bullet in addressing security issues. However, diligently employed, technology such as that offered by Securent may address areas that have not be adequately addressed in the past.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 20th June 2007 Copyright Sageza Group, Inc. © 2007

Microsoft Corp. announced recently that Microsoft Office SharePoint Server 2007 has received U.S. Department of Defense 5015.2 certification. Endorsed by the National Archives and Records Administration, the 5015.2 standard, on which the DoD certification is based, serves as the benchmark for government and corporate organizations that manage records and documents. The current version of DoD 5015.2-STD, signed April 25, 2007, defines the basic requirements based on operational, legislative, and legal needs that must be met by records management application products acquired by the Department of Defense (DoD) and its Components. It defines requirements for managing classified records and includes requirements to support the Freedom of Information Act, Privacy Act, and interoperability.

Microsoft utilized the SharePoint platform in meeting the DoD 5015.2 criteria, integrating Exchange Server 2007 and extending SharePoint Server 2007's records management capabilities with an add-on pack that will be available free to customers later this year. With respect to records management and compliance, Office SharePoint Server 2007 offers information management and retention enabling organizations to control the way content is managed to enforce compliance with corporate, legal, or governmental policies. To define information management policies for their sites, organizations can use the predefined policy features such as auditing, bar codes, and expiration individually or in combination, or they can develop custom information management policies. The Records Center site template is designed to help organizations implement their records management and retention programs. This site template extends standard Office SharePoint Server 2007 features with additional records management capabilities including vault abilities that help ensure the integrity of records stored within the Records Center, records routing, information management policy enforcement, and the ability to add records that are subject to litigation or investigations to a hold list. Information Rights Management allows organizations to limit the actions that users can take on files that have been downloaded, and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files so they cannot take actions such as printing copies of the files or copying text from them.

We believe that this announcement is noteworthy because it seems to confirm our belief that SharePoint is likely to emerge as a very strategic product for Microsoft in the enterprise market—more strategic than it would seem at the moment—and that Microsoft recognizes the leverage generated by conformance with government standards. We believe that SharePoint is Microsoft's way of attempting to seize the center ground, and not the battlefield occupied by SQL against Oracle, nor the operating system battle, but a way to be at the eye of the storm: the ultimate repository of all information regardless of format.

The U.S. government is among the largest buyers of information technology in the world. It also influences a great deal of other activity directly and indirectly. If Microsoft succeeds at leveraging SharePoint as the standard repository within the DoD, then it is in a commanding position to become the standard for the rest of the Federal government, state governments, and perhaps suppliers/contractors to the public sector overall. In a recent seminar we heard one major high technology company proclaim that SharePoint will become its "official" storage platform. That firm cited compliance and e-discovery issues as one motivation; however, any CIO that can claim his architecture is based on government-approved standards will find themselves a leg up on the competition. Overall, we believe this announcement puts the market on notice that Microsoft has recognized the importance of government certification and that SharePoint will be a keystone in its long term strategy.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 31st May 2007 Copyright Sageza Group, Inc. © 2007

RSA, the security division of EMC, this week announced the advancement of its information management platform for compliance and security, the RSA enVision solution. The new capabilities of the RSA enVision platform are built to help provide an information management platform for compliance and security data that can comprehensively and cost-effectively map and transform the raw data into actionable intelligence. Integration with EMC's networked storage systems helps to position the RSA enVision platform to cost-effectively help organizations maximize the value of this type of business information.

RSA's strategy helps provide for the management of security compliance event log data over the complete security information lifecycle. It is designed to encompass integrations with a broad range of leading storage offerings. As engineered, this allows customers to define log retention policies on the RSA enVision platform that are automatically executed through EMC's storage solution portfolio, enabling complete collection-to-retirement management for all security information. RSA enVision offers enhanced availability collection server configurations that operate in hot-standby active/passive mode to effectively eliminate the risk of collection interruption. If a server failure occurs during the collection process, the hot-standby component is designed to detect the problem and automatically takes over.

In addition, RSA enVision is integrated with networked storage systems from EMC, providing customers an additional tiered storage choice. These high-availability network-attached and direct-attached storage models come preconfigured and prepackaged for simpler, faster deployment to help customers lower their overall storage and management costs.

The new release of RSA enVision platform also adds three major features: Vulnerability and Asset Management Integration to add vulnerability and asset intelligence and significantly reduce false positive alerts, enabling efficient focus on real threats; Watchlist Alerting and Reporting to create or import watchlists for enhanced efficiency of security operations and automatic real-time alerts based on watchlists to flag policy violations as they occur, enabling real-time compliance; and Task Triage and Ticketing System Integration to simplify operations by providing a complete incident response system for improved accuracy and faster resolution of investigations. Integration with an organization's enterprise incident management system further enhances operational efficiency.

RSA and its parent EMC recognize that they have to synergize their intellectual property and make life easier for their clients. To their credit, the organizations also recognize that they have to telegraph their plan to customers, investors, and other stakeholders and demonstrate that they are executing to the plan. The fact that log retention policies can be specified in an RSA product and executed on EMC's products is a great step forward. It demonstrates that they are walking the walk, not just talking the talk. We also believe that the addition of vulnerability and asset management intelligence can be a real time-saver for end-user organizations that are attempting to track vulnerabilities manually and a logical extension beyond RSA's core authentication world.

Overall we view this as a very positive development from RSA and EMC. We believe it demonstrates the company's intention to adhere to the Product Security Policy (PSP) outlined in January 2007 in its paper entitled Secure DNA: Enabling Security in EMC Products. The PSP is a company-wide, top-down program designed to imbue a sense of security "DNA" into EMC products. The key principles behind PSP are: information security is a core element of information protection, a foundation for information security is a secure information infrastructure, and information security should be built-in, not bolted-on. These principles are central to PSP and EMC's planned common security program.

Sageza believes that this kind of base architecture combined with integration and interaction between RSA and EMC products is in tune with market demands and that RSA and EMC will likely see increased customer confidence as they continue to execute on their roadmap.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 18th May 2007 Copyright Sageza Group, Inc. © 2007

NextLabs Inc., a privately-held developer of policy-based automated information control solutions, together with IBM, have announced the availability of eGRC for Information Export Control through collaboration with SAP AG. The information export control solution from IBM and NextLabs extends the export compliance capability of the SAP GRC Global Trade Services application. In addition, the solution manages the handling and export of technical information that is subject to International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), or other federal regulations.

Aerospace and Defense, high tech, and industrial firms face complex challenges complying with ITAR and EAR export regulations, which impose large fines and penalties for inappropriate disclosure of export-controlled information. Unfortunately, regardless of the dire consequences, there are no clear guidelines or standards. Mobile workforces, the Internet, and the global supply chain further compound the problem because transfer of information can occur in a variety of ways including the hard-to-track verbal transfers.

eGRC for Information Export Control integrates with TivoliIdentity Manager from IBM, SAP GRC Global Trade Services, and Compliant Enterprise from NextLabs. The solution safeguards information within the enterprise, supports compliance with export regulations, and limits access to controlled information to authorized users. The solution combines best-in-class software with best-practice recommendations and implementation accelerators for maximum customer value. IBM Global Business Services will implement the solution and provide the design, architecture, policy, and data discovery services. The eGRC for Information Export Control solution is designed to address export control requirements dealing with the handling and protection of technical data.

The solution consists of three major components: identity management, information access and handling control, and export license management. eGRC for Information Export Control addresses technical data export requirements by enabling project teams to quickly: define authorized users, identify controlled technical data, control technical data use according to defined business policies, control export of technical data corresponding with approved licenses and defined business policies, and provide a full audit trail detailing technical data-flow history to satisfy regulatory compliance requirements.

We find this solution particularly intriguing. It's not often that we see two industry stalwarts such as IBM and SAP mentioned in the same release from a third vendor. Clearly the solution is aimed at providing government regulators with a subtle assurance that its users are employing the highest order of due diligence in tracking and managing the sensitive data which comes under the purview of these regulations. As with many legal dictates, the regulations are generally silent on technical guidance so it's up to users and vendors to determine what constitutes due diligence and ultimately best practices. Relying on highly respected vendors is certainly an ingredient in the due diligence mix. In this case, the solution actively enforces export controls by interpreting environmental variables, business context, and context of use dynamically for appropriate document handling and disclosure. The technology becomes the enforcement mechanism by implementing the processes stated in corporate policies.

Sageza believes that subject-matter expert vendors such as NextLabs stake out a very defensible niche in their enterprise customers, and take advantage of some market protection through the support of larger, more generic providers of hardware, software, and services such as IBM and SAP. As more regulations are enforced via the federal courts, we expect to see more such specialized solutions as cost-effective ways to ensure compliance and proper management as well as reduce the cost of dealing with the Federal Rules of Civil Procedure changes dealing with electronic information.

By: Lawrence Dietz, Research Director, Sageza Group, Inc. Posted: 14th May 2007 Copyright Sageza Group, Inc. © 2007

AT&T Inc. has announced the availability of AT&T Web Security, a network-based security service that provides advanced Web content and instant-messaging filtering. Available to companies in the United States and around the world, AT&T Web Security is the newest addition to AT&T's enterprise security portfolio, which is focused on providing companies with security services "in the cloud" to help remove the dependency on hardware and software while supporting a "defense in depth" architecture with security features built into different network layers and supporting processes. AT&T Web Security provides companies with network-based capabilities to perform Web-content filtering and screening for malware and spyware, and IM filtering for malware, without dedicated hardware or software requirements. AT&T Web Security is designed to monitor all unencrypted Web traffic, including HTTP requests, and replies to HTTP requests and IM traffic. It can operate independently or become fully integrated with AT&T's other managed security solutions.

AT&T Web Security features include monitoring and reporting of Web traffic at the network level where customers may choose to monitor individual end-users, which would require that the customer install software on the user's PC. Other features include a Web-based portal for administration and reporting, including customized browser alert capabilities and automated reports, near-real-time scanning of requested Web sites and files to ensure that even trusted locations and files are monitored, and IM-filtering capabilities with storage. AT&T delivers a suite of Security and Business Continuity Services to help assess vulnerabilities, help protect infrastructure, detect attacks, respond to suspicious activities and events, and design enterprise networking environments for nonstop operations.

While the notion of web security as a managed service may not be new, AT&T has always been a force in the market place. Sageza believes that managed security services have been less popular than they deserve. Organizations that don't regard information security as a core part of their business should be especially attracted to services that will deal with functions that would otherwise distract the company and perhaps employ scarce resources. It's interesting to note that if organizations want to monitor particular end users then software (likely an agent) would have to be installed on those target machines. We regard this as a limitation. However, the Web portal for administration and reporting and the ability to monitor and filter IM are countervailing strong points.

Over time we believe managed security services will evolve from much of today's product-bound security functionality. Detecting malicious code and preventing it from harming the IT infrastructure are especially good functions to be addressed. It appears to us that Managed Security Services will ultimately look like software as a service (SaaS) in other sectors of the IT marketplace.