IT in Transition

Last week SignaCert was named one of the “7 Virtual Management Companies to Watch” by Network World. Wow, that came a bit out of left field…

Yes, we have been doing a lot of work in this space (configuration and image management for virtualization) but we were surprised, and a bit humbled by the recognition.

We are also coming off of a big week in New York City where we spent some quality time with the tier one and two financial firms exploring where they are in their thinking about systems management and information security in the enterprise. It was very interesting really….there were several independently validated trends that emerged out of these great customer meetings.

1) Virtualization remains a bit of a curiosity today in most large enterprises. It was a bit uncanny to hear from several of them that they were “10% or less (much less) deployed in their current enterprise IT environments” and that they “expected to be” 40-60% deployed in the 2-4 year time frame.

2) Deployment of MS-Vista on the user endpoints (desktops, workstations, laptops) is going to be “delayed” by at least a year—maybe two. This is somewhat a function of the current financial environment in the Financial Services sector—but likely more a function of not having a compelling reason to switch, coupled with a resounding “we’re not ready.”

The other thing that came thru was common thread of “how do we take this time out and get our stuff together as we prepare for the next wave?”

What was clear is that standardized configuration and image management is a *precursor* to what our customers need to achieve NOW. That is – do more with less by:

1) Delivering more productive IT Business Process cycles with their existing infrastructure WHILE lowering costs and improving compliances.

2) Doing that while optimizing CapEx and lowering OpEx.

Sounds like IT measurement and automation to me. No choice. No more excuses.

Another very interesting normalized data point is that the traditional (read: already in house and validated as suppliers) need to do more to address these needs AND the only – underscore ONLY new vendors that will make the cut to supply in these times are ones that can address the More with Less demand. Period.

So connecting all of these dots……

Our prospects and customers must acquire tools and knowhow to make sure that what they build and deploy in their IT environments STAY deployed as intended through out the IT business process lifecycle.

And if we can’t understand and maintain our S/W builds NOW in our mostly monolithic (1 computer – 1 Operating System and Application Stack)—then how are we possibly going to do this in the Virtualized IT World that we all know is coming?

Thank you Network World for “getting it”… Software measurement and IT controls methods built on high resolution software stack management is not a luxury today… and increasingly crucial to manage the current and future enterprise IT.

IT in Transition turns the page…..

Wyatt.

Over the last few weeks Microsoft (MSFT) announced more details of their long awaited virtualization strategy (drum roll please) and their expanded partnership with Citrix/Xen (with an emphasis on servers) and simultaneously announced the acquisition of Calista.

When Citrix originally announced the acquisition of XenSource a few months ago we thought that is was apparent that MSFT had to be “in the know” as Citrix and MSFT have been in a love/hate relationship in within the enterprise markets for nearly 18 years.

The prior relationship was much to do with terminal services and “backracking” and streaming of applications to the end-point.  In many ways these uses are a pre-cursor to virtualization – an enterprise “Petri dish” to see what and how customers find value around alternate enterprise usage of platforms and software delivery. Now the next shoe is dropping.

With the success of VMware―both in terms of early enterprise acceptance and deployment AND the IPO (giving VMW a huge warchest)―Microsoft has been forced to move.  Some would see it as “late”, but the virtualization market is really very nascent.  The bulk of VMW revenue is made up of deal sizes $100k or less….(likely ASP’ing at <=$70k right now)….so the bulk of the $1B+ in revenue by VMW is still “pilot” and for development usage.  So we are very early stage.

But the shift is happening quickly and the full transition is inevitable in short order (Less than 5 years for leading sectors to cross over to more than 50% virtualized infrastructure.)

While it is clear that the Virtual Memory Manager (VMM) and Hypervisors (HV) are ultimately commodity delivery mechanisms for the stack and software in the Virtual Machine (VM) enablers, control of VMM and HV is important to the big guys until the other layers of the value-add opportunities develop and evolve.

The longer term question for the “little guys” (every one with less than $100b market cap) is “where are the defensible 3rd party value-add areas” as the paradigm shift fully reveals itself?  What “goes away” as the shift from the one-to-one (hardware to OS) monolithic platform yields to the one-to-many virtual platform.

What happens to traditional IT security in this brave new world?  Where can we hang our respective 3rd party hats as the elephants trample the old ground in search of new and fertile new areas?

It is in these questions that the “positive” security and systems management model really begins to stand out.  Knowing that VM instantiations are ASSEMBLED FROM trusted code by validating them against a platform and vendor agnostic, high-quality “white list” resource becomes critical.

Also knowing WHAT CODE IS LOADED WHERE AND FOR HOW LONG becomes an enabling capability, regardless of which VMM and HV is used to create the VM software stacks.

Also, compliance and software licensing become even more important, but can be easily handled with trusted code and stack measure/validate methods.  Being able to “attest” the stack to an external “white list” reference built from a rich supply of high-quality software reference measurements becomes a highly-defensible and long-term way of adding value to the new virtual compute paradigm.

Interestingly for those that get the jump on this, this represents a huge, content-based, recurring revenue model that the first-party players will have a difficult time displacing (because they don’t have ready access to software measurements from other vendors and due to the “trusted third party” implications).

Will we really trust Microsoft to validate Microsoft?

So let’s just view this as another card in an unfolding game of mammoth proportions and implications.

Stay tuned.  This is going a lot of fun to watch, and to participate in.

I have blogged in the past on the increasing momentum of virtualization as a major IT in Transition indicator. Over the past couple of weeks there have been some additional indicators.

First Oracle laid out more details of their virtualization strategy. See: http://www.oracle.com/technologies/virtualization/index.html?SC=NA05070217C0.GCM.8710.100.Oracle+virtualization.br

And Sun CEO Jonathan Schwartz talked about Sun’s work in the VM space:
http://www.sun.com/datacenter/consolidation/virtualization/

For details, I would check out the videos set that Sun EVP John Fowler had produced. While of course it’s “Sun skewed,” it is a very good overview of the technical details of Sun’s strategy. See the videos linked from here.

So as not to get lost in the shuffle, Dell announced their partnership with Sun at the same event, as well as having their own individual set of announcements. The Sun/Dell announcement is really directed at Dell’s adoption of Solaris as yet another supported operating system.

Likely a good move for both companies, although time and execution will reveal the true value. For Sun, extending the “ubiquity” of Solaris is an important tenant. And for Dell I would guess this falls under the “Simplify IT” banner as Sun has done some really good work to create an enterprise OS, especially in the area of virtualization options up, down and across the stack. Here is an article about the “Love Fest…”:

http://www.internetnews.com/ent-news/article.php/3711201

I will finish today with this thought…

How in the heck is all of this virtualization stuff going to shake out?

We KNOW it is a key technology for the future of IT. We KNOW every platform supplier and large ISV is wrestling with the strategic issues of how, when, and can I make money with it (or at least not kill my current cash cow). And we KNOW customers want and need the benefits.

Just to give you a sense of the emerging confusion (which only increased over the last few weeks). See:

http://www.eweek.com/article2/0,1895,2216435,00.asp?kc=EWKNLNAVFEA1

So I have to admit to being “virtually” confused. This IT transition will be one of the most interesting of all. A real page turner. Stay tuned for more.

Wyatt.

An anniversary of sorts has come and gone recently…did you catch it? Google turned 10 years old. Just think, in less than three years the company will be a teenager. More remarkably perhaps it surpassed one billion dollars in annual revenue…and with more than 13,000 employees – at this stage. Wow.

The big news over the weekend was the upcoming Google phone, which was announced on Monday as “Android platform.” And so as to not create a slow news day, they also announced some of their initial strategy in Social Networking, called OpenSocial.

Did you notice the timing and common messaging around these seemingly unrelated (at first glance) events? Let’s scratch a bit deeper.

> Both announcements talked about an “open platform”
> Both discussed the power to “connect and collaborate”
> Both are seeking “disruption” of a business model

No news in that except extending the model, right?

Likely the Google phone will mark (perhaps) the imminent shift from proprietary wireless networks to IP-based public networks. Apple did a fine job of straddling this with the iPhone (yes, I got one ;-)). As you know the voice traffic on an iPhone goes out over the AT&T network, while the data uses a “most convenient available” method of EDGE data networks and WiFi.

So let’s connect the dots shall we? Apple has their rev 0.9 iPhone out with the 1.0 (or even 2.0) in the labs and scheduled for release in less than a year (general market belief). Google is revving up their marketing machine, complete with the following quote:

“Today’s announcement is more ambitious than any single ‘Google Phone’ that the press has been speculating about over the past few weeks. Our vision is that the powerful platform we’re unveiling will power thousands of different phone models.” —Eric Schmidt, Google Chairman/CEO, Android Press Release 11/5/07

WiMax is also increasing its global footprint by the minute. And more and more connectivity is free, or really “loss leader” might be the fair way to look at it. But loss leader to what? The model that Google has been (not so quietly) working on for the last 10 years: The ubiquity of INFORMATION – not just the movement of data…hmmmm.

After all, connecting people and providing a service is really the goal at the end of the day isn’t it. Making our lives more “productive, fun, and efficient” (that’s what the marketing fine print says anyway). Something about Web 2.0, right?

So why not loss leader Social Networking as a part of this as well? (No, Steve Ballmer, you can’t cancel payment on that big check MSFT wrote to Facebook). Since we have no real model (outside of the fringe “viral market for commercial purposes” aspect) for Social Networking, we may as well make it “free,” right?

So if you are trying to figure out which stocks to short, and which ones hold….don’t ask me.

And if are wondering about what this has to do with IT in Transition….everything.

Mostly it just affirms what we already know….we are just a transport layer for things to come. Back to work now to translate that notion into long-term differentiated market value.

Think about it — this company didn’t even exist 10 years ago! Now many of us – including some of the tech giants I’m sure – have our Google Alerts set to Google, and watch every bit of news from the “plex.” Talk about disruptive!

Here are a couple of other blogs on this issue:

David Berlind at ZDNet
Ben Worthen of WSJ
Rob Beschizza of Wired

Wyatt.

Have you been following the morphing of Salesforce.com (SF.com)? Fascinating really. They were one of the first to really drive a mainstream and highly profitable Application as a Service (ASP) …why is this not AaaS…oh, never mind…I digress.

Well now SF.com is spreading their wings, including full page ads in WSJ talking about Force.com. See more at http://www.salesforce.com/platform.

We are now seeing all kinds of things being (potentially) delivered “as a service.” Google is also heading this way, and even the traditional “install-based” ISV’s are beginning to get SaaS-y.

Apple is way on board (perhaps in the lead for a platform vendor) with the very cool .Mac services.

And let’s not forget the very creative use of skills and capacity by Amazon with the Simple Storage Solutions (S3), Elastic Computing Cloud (EC2) and other Amazon Web Services (AWS).

All of these innovations are on the path to further “virtualize” our computing experience. The “grid” is quietly emerging…and it works well. Plus, it’s pretty darned reasonable from a pricing point of view.

It makes sense if you think about it. It’s well aligned to the shift to more powerful hardware platforms (dual, quad and the coming octal core machines). And very well suited to supporting OS agnosticity as virtual memory (VM) moves into mainstream.

So as to not miss the SaaS party, this week SignaCert announced SignaCert Verify. It’s a service designed to support IT controls on an ASP basis to “verify” (clever, ay?) that elements of our customers critical infrastructure can be independently validated, starting with the DMZ.

Wonder if we should label this Trust as a Service (TaaS)?

Software Services “on call” and “on demand” are here… they are coming fast and here to stay and clearly represent another element of IT in transition.

Check ‘em out….and let me know what you think.

Wyatt.

Have you been following Apple’s technical roadmap these days? I know most of us track the new whiz-bang features and amazing marketing that comes out of that company.

You know I was counseled by some Apple folks recently and told “If we get you an audience with Steve Jobs, don’t say a word about Apple being in the “IT business”…and further that “Apple is a consumer products and content company and that technology is all about helping to deliver consumer experience…”  (We will get kicked out if I start talking about “IT”…)

Hmmmmm. Makes good sense. IT, technology and the services built upon them are the means to the end…not the end. The end is sexy and easy to use. The technology is largely transparent to the user experience.

Sort of like a well made German sports car…

As the subject of this blog is really observations of IT in transition, and because I am a closet geek anyway – I must dive a level down and make some technology observations.

I’ll start with a note from Steve Jobs last week. See a copy here: http://blog.zingwat.com/?p=164

Note his comment on code security and “integrity”:

“It will take until February to release an SDK because we’re trying to do two diametrically opposed things at once—provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task. Some claim that viruses and malware are not a problem on mobile phones—this is simply not true. There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target.”

Also last week Apple made the highly touted announcement of “Leopard” and the mind boggling list of new capabilities and features. See: http://www.apple.com/macosx/features/300.html

Well, one very capable analyst, Carl Howe, wrote an interesting article zeroing in on some common technological similarities between the challenges with these offerings. See:

http://seekingalpha.com/article/50315-apple-s-impressive-platform-security-for-iphone-leopard-development

The two items that Carl picked out and correlated (iPhone to Leopard) are really interesting and relevant to these blog pages. From the article:

Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

And Carl goes on to say:

“Those features jumped out at me because the very first Forrester report I wrote in 1996 was about desktop security and the threat of active content. In that report, I wrote that if you want a truly secure platform, you need both app signing and run-time validation to guarantee that you only run trusted code. I further noted that Windows would never become a truly secure platform without these features. The fact that these features are built into Leopard says that even as Macs gain in popularity, Apple has no intent of letting its OS or its iPhone become an easy security target. And these two features are worth the entire cost of upgrade and more to anyone worried about desktop and server security.”

Wow, did you note the “positive platform attestation” comments in his observations? He is saying (I believe) that the device itself is responsible for maintaining the boundaries of what code should be allowed to run on the platform. And that we can “secure a platform” by making sure the trusted code stays trusted, and deal with mobile code asserted to the platform by having some sense of “provenance” – i.e. “where did the code come from, who (which app) requested it, and is it safe to run.”

He finishes the article with “Nice work Apple…”

I concur – great stuff. Not sexy in its own right necessarily. But by building these features into both the architecture AND the third party infrastructure, intrinsic positive platform protection can be more effectively assured.

With this, the stuff just works better. It is more reliable. It is safer…and all leads to a better user experience, and (likely) lower support costs for Apple.

Happier customer, more security transparency based on positive code measurement (signing) and attestation (verification).

Wow. Smart.

Nice work Apple.

And nice work Carl for helping to sort this out.

(Have to run, heading to the Apple store)

Wyatt.

Or is that Business Technology Optimization? Or perhaps Adaptive Infrastructure?

I found a recent HP press release worthy of a few comments.
http://www.hp.com/hpinfo/newsroom/press/2007/070926xa.html

There is a “Pony in this Pile” somewhere (so the old joke goes)…Take a read. Then read again. Then drop me a note and tell me what they said, would ya?

Seriously HP is struggling to move from techno-speak (where we talk about our technology and how cool it is) and move to an expression of understanding REAL CUSTOMER ISSUES and then mapping their technology to that.

We (techies) all struggle with this. But have you noticed how much more effort we are all putting into it?

I applaud HP actually. Here is a really big company trying to invert their view from technology coolness to customer awareness and alignment.

A cornerstone of this strategy turn in the enterprise is the assimilation of newly acquired Opsware. This is a clear and unambiguous indicator of “IT in Transition.” I have noted in other writings and presentations that the $1.6B cash price tag for Opsware was a big play for HP. And with the release referenced above, you can see them begin to play this new asset into their broader portfolio.

I like the guys at Opsware. I like what they are doing. They have dug below the surface over the past few years to get really focused on solving real customer issues. Find the pain, articulate a clean solution, and you’ll find the budget.

But here is the issue: Much like the difficulty that the capable HP PR team had in articulating the message in a few clean crisp phrases, “Business Information Optimization” (BIO?) involves a “heavy deployment lift.” Much like SAP is a heavy implementation lift for manufacturing companies.

Implementing these methods, if you can afford the time and investment, can pay big dividends – in time. We may have the budget, but do we really have the time?

We are finding something different in this transitional IT market. Customers are really driven by the notion of quick gratification by implanting “light lift” methods, with “step function” and highly demonstrable benefits. To the extent we don’t have to “rip and replace” existing business methods, we make it easier for our customer to assimilate our value.

Parallel-implemented IT controls that enforce standard image builds are one method to provide high-value quickly without major disruption of our customers’ business process.

Our customers would likely just call this “a keen sense for the obvious…”

Wyatt.

The Wall Street Journal ran an article yesterday, “Security-Software Industry’s Miniboom,” talking about data privacy and security spending. See:

View article here.

The focus of the article is around the Payment Card Industry (PCI) and the so called Data Security Standards (DSS). The credit card industry (primarily driven by Visa) has been steadily and systematically shifting more of the responsibilities and liabilities for credit card losses to merchants.

Now this actually makes good sense. Insiders have known for a long time that the losses due to fraud, privacy issues and increasing identity theft have been huge, in absolute terms for many years. (“Huge” means single digit percentage losses multiplied by trillions of dollars moving through the system).

The tension around this is simple really, and we should all care. On the one hand the credit card “brands” are encouraging us to continue to use our cards, and actively promote “don’t worry Mr. Consumer – if you have losses, we have your back.” That is the public position. Slowing down the flow of transactions due to consumer fear is not really a good option for them J

But the brands have been quietly working hard to reduce losses in the system, as they have been picking up (from their perspective) more than their fair share of the consumer loss charges and blame.

So the focus goes to the transaction chain. The PCI regs, which are being ratcheted up and broadened, are really seeking to enforce better practices for all participants in the system. In December 2006, Visa announced the “compliance acceleration program” which potentially fines the largest banks and merchants for non-compliance with fines beginning at $25,000 a month. The deadline for compliance came into force on September 30, 2007. The next tier of bank and merchants face a similar situation effective December 31, 2007.

Simply put, Visa (and other brands) are simply not willing to pick up the tab for sloppy transactions controls by the credit supply chain. And we should ALL care because at the end of the day WE pay for the losses with higher fees and interest rates.

These are real data management best practices and security issues. We should make sure all of our “negative controls” are working. The firewalls should be in place, intrusion and anti-virus stuff should be set up correctly, etc.

For the most part, the “physical risk” of losses in the system is yesterday’s news. The bulk of the transactions are handled by the “big banks” and they are pretty darn good at all of this security stuff. And I don’t believe for a minute that we lose as many laptops and servers as the media reports.

The problem with all of this CISP/PCI DSS stuff is that it focuses largely on reactive and negative controls and has traditionally been based on “honor system” compliance with draconian implications if they “catch you.”

There is a better way for all parties. Wouldn’t it be better to deploy “positive” IT controls? (i.e. “I know that all of the software on my IT-based transaction systems are in compliance — and I can prove it over their usage lifetime.”

All sides win with affirmative and positive IT controls based on software and standard image measurement/management.

With IT controls the brands can move away from the honor system and the web services used to connect and pass transactions can exchange positive platform “trust tokens,” assuring a new level of transparent compliance. The banks and merchants can produce higher levels of demonstrated compliance, with a lower cost to implement.

And maybe then consumers will get some break on costs and interest rates. That, or the brands, banks and merchants will see their profits increase nicely….Okay, so I lapsed into cynical….I digress.

Parallel-process, check and balance IT controls to demonstrate affirmative system compliance is just common sense. And the IT world needs a bit more common sense from time to time.

Wyatt.

Where does the time go? Here we are at October 1, 2007 and just look at where we are so far… The economy is all over the map (one article says “go long” and the next one says “short the market”). The credit ripples are still building, and we are going to test our economic resilience yet again. I continue to believe that we are mid-stride in one of the most disruptive periods of change that we have seen for many years.

Yes, the dot-com bust was “disruptive” in a negative sense – we saw the pendulum swing full out and bang the edges. We just plain got ahead of ourselves (which is a repeating pattern for those of us with enough gray hair).

But this cycle seems different. The new technologies and products really seem to be more fundamental and useful. The disruptive nature of change seems much more deeply rooted. And when viewed from the right “altitude” the innovation seems more holistic.

But with all of that, high-technology remains a fascinating study in innovation and change. Look at some of the big stories:

* Virtualization continues to roll on

* Apple continues its slow but steady progress

* Intel recovers its footing

* Google continues its relentless march

* Web “2.0” seems to have real teeth

* There is more cheap bandwidth everywhere

* AT&T is back (now at&t ;-))

Examining some of the above in depth . . .

Virtualization. Not only more discrete compute machines per physical platform, but even the “bigger” virtualization – the complete abstraction of the platform to the user. Where does my word processer actually live anymore? Maybe on this box…maybe streamed to me on demand as a service? And where do I keep my file storage and backup these days? May as well use that Amazon storage backend…it is cheaper and more versatile than buying it.

And wow, talk about consumer wizzies. Check out the new Apple product line across the board. Great graphics, cool form factors, transparent cross-compatibility, and basically Operating System agnostic for all practical purposes.

We have Dual Core (x2) Microprocessors quickly moving to Octal Core (x with multiple sockets per motherboard and tons of memory – continuing to drive compute density up and lowering cost.

Zoom up and look at the really big picture for a second. Technology is really beginning to achieve the promise we’ve all had for it. To make our lives easier, more productive – and face it – more fun.

But I continue to watch with interest as the transitory waves, and the inescapable realities roll through our industry. These are not just the lapping waves on the beach. The water is retreating from the shore at an increasing pace… It is likely to return soon with force.

Are we witnessing a technology tsunami before our eyes?

What does Microsoft look like as a company 10 years from now? Where is Google? Does Motorola even exist?

Nature has an intractable and cruel reality. Evolve and adapt or become extinct. Watch carefully for signs of adaption with your favorite companies and sectors. If you don’t see the spark of innovation, get out.

Now on to Q4…..

Wyatt.

I picked up an interesting link to an article yesterday, so I thought I’d share. It’s about white listing . . .The article is written by Peter Nowak of CBC News and interviews Michael Murphy of Symantec Canada on his observations of a philosophical change in the anti-virus market.

Article: Internet security moving toward “white list”

Nowak says in the article:

“Under the current system, a security firm discovers a new threat, adds it to its black-list database and updates its customers’ anti-virus software to combat the problem. A “white list” would instead compile every known legitimate software program, including applications such as Microsoft Word and Adobe Acrobat, and add new ones as they are developed. Every program not on the list would simply not be allowed to function on a computer.”

“This is the future of security technology,” Murphy said at a presentation of the company’s twice-yearly security report on Friday. The trick is to develop a “global seal of approval.”

Not that this is a really big surprise. There have been several articles and announcements in recent weeks and months that relate to the emergence of the “positive model” – or what some companies refer to as “security by inclusion.”

This is all really common sense stuff when you think about it right? The “black list” challenge continues to be highly elusive; after all, it IS an infinite problem. Not that black list will go away anytime soon. Our customers will continue to pursue the “defense in depth” strategy.

On the other hand, IT controls and measurement systems based on “white list” or manifests of authorized code sets can easily be managed in a highly finite way using SignaCert. Also, positive system affirmation really provides much more customer value at the end of the day. In addition to the “keep the bad stuff out” benefit of black list, we can fold in the “verify the good stuff is still as intended” and “make sure that the originally and intended code is still present on the platform” benefits.

So the value of IT measurement and controls go way beyond pure security. Implemented correctly it is FULL configuration verification (image manifest AND software measurements) and code validation with source of ownership information (software provenance and pedigree)….all grounded to a common trust reference within our customers domain.

It is interesting to consider: This is how most other industries made their “automation” transitions. Think aerospace, telecom, auto and others. More on that later.

So net-net - we agree…this IS the future of security.

And likely the key to more comprehensive and proactive systems management methods.

So, the pendulum continues to swing even faster. Stay tuned.

Wyatt.