Another IT in Transition Indicator: Software as a Service (SaaS)

October 29, 2007

Have you been following the morphing of ( Fascinating really. They were one of the first to really drive a mainstream and highly profitable Application as a Service (ASP) …why is this not AaaS…oh, never mind…I digress.

Well now is spreading their wings, including full page ads in WSJ talking about See more at

We are now seeing all kinds of things being (potentially) delivered “as a service.” Google is also heading this way, and even the traditional “install-based” ISVs are beginning to get SaaS-y. 🙂

Apple is way on board (perhaps in the lead for a platform vendor) with the very cool .Mac services.

And let’s not forget the very creative use of skills and capacity by Amazon with the Simple Storage Service (S3), Elastic Compute Cloud (EC2) and other Amazon Web Services (AWS).

All of these innovations are on the path to further “virtualize” our computing experience. The “grid” is quietly emerging…and it works well. Plus, it’s pretty darned reasonable from a pricing point of view.

It makes sense if you think about it. It’s well aligned to the shift to more powerful hardware platforms (dual, quad and the coming octal core machines). And very well suited to supporting OS agnosticity as virtual memory (VM) moves into mainstream.

So as to not miss the SaaS party, this week SignaCert announced SignaCert Verify. It’s a service designed to support IT controls on an ASP basis to “verify” (clever, ay?) that elements of our customers’ critical infrastructure can be independently validated, starting with the DMZ.

Wonder if we should label this Trust as a Service (TaaS)?

Software Services “on call” and “on demand” are here… they are coming fast and here to stay and clearly represent another element of IT in transition.

Check ‘em out….and let me know what you think.



Apple and Transitional IT (i.e. better user experience…)

October 24, 2007

Have you been following Apple’s technical roadmap these days? I know most of us track the new whiz-bang features and amazing marketing that comes out of that company.

You know I was counseled by some Apple folks recently and told “If we get you an audience with Steve Jobs, don’t say a word about Apple being in the “IT business”…and further that “Apple is a consumer products and content company and that technology is all about helping to deliver consumer experience…”  (We will get kicked out if I start talking about “IT”…)

Hmmmmm. Makes good sense. IT, technology and the services built upon them are the means to the end…not the end. The end is sexy and easy to use. The technology is largely transparent to the user experience.

Sort of like a well made German sports car…

As the subject of this blog is really observations of IT in transition, and because I am a closet geek anyway – I must dive a level down and make some technology observations.

I’ll start with a note from Steve Jobs last week. See a copy here:

Note his comment on code security and “integrity”:

“It will take until February to release an SDK because we’re trying to do two diametrically opposed things at once—provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task. Some claim that viruses and malware are not a problem on mobile phones—this is simply not true. There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target.”

Also last week Apple made the highly touted announcement of “Leopard” and the mind boggling list of new capabilities and features. See:

Well, one very capable analyst, Carl Howe, wrote an interesting article zeroing in on some common technological similarities between the challenges with these offerings. See:

The two items that Carl picked out and correlated (iPhone to Leopard) are really interesting and relevant to these blog pages. From the article:

Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

And Carl goes on to say:

“Those features jumped out at me because the very first Forrester report I wrote in 1996 was about desktop security and the threat of active content. In that report, I wrote that if you want a truly secure platform, you need both app signing and run-time validation to guarantee that you only run trusted code. I further noted that Windows would never become a truly secure platform without these features. The fact that these features are built into Leopard says that even as Macs gain in popularity, Apple has no intent of letting its OS or its iPhone become an easy security target. And these two features are worth the entire cost of upgrade and more to anyone worried about desktop and server security.”

Wow, did you note the “positive platform attestation” comments in his observations? He is saying (I believe) that the device itself is responsible for maintaining the boundaries of what code should be allowed to run on the platform. And that we can “secure a platform” by making sure the trusted code stays trusted, and deal with mobile code asserted to the platform by having some sense of “provenance” – i.e. “where did the code come from, who (which app) requested it, and is it safe to run.”

He finishes the article with “Nice work Apple…”

I concur – great stuff. Not sexy in its own right necessarily. But by building these features into both the architecture AND the third party infrastructure, intrinsic positive platform protection can be more effectively assured.

With this, the stuff just works better. It is more reliable. It is safer…and all leads to a better user experience, and (likely) lower support costs for Apple.

Happier customer, more security transparency based on positive code measurement (signing) and attestation (verification).

Wow. Smart.

Nice work Apple.

And nice work Carl for helping to sort this out.

(Have to run, heading to the Apple store)


HP and Business Information Optimization

October 10, 2007

Or is that Business Technology Optimization? Or perhaps Adaptive Infrastructure?

I found a recent HP press release worthy of a few comments.

There is a “Pony in this Pile” somewhere (so the old joke goes)…Take a read. Then read again. Then drop me a note and tell me what they said, would ya?

Seriously, HP is struggling to move from techno-speak (where we talk about our technology and how cool it is) to an expression of understanding REAL CUSTOMER ISSUES and then mapping their technology to that.

We (techies) all struggle with this. But have you noticed how much more effort we are all putting into it?

I applaud HP actually. Here is a really big company trying to invert their view from technology coolness to customer awareness and alignment.

A cornerstone of this strategy turn in the enterprise is the assimilation of newly acquired Opsware. This is a clear and unambiguous indicator of “IT in Transition.” I have noted in other writings and presentations that the $1.6B cash price tag for Opsware was a big play for HP. And with the release referenced above, you can see them begin to play this new asset into their broader portfolio.

I like the guys at Opsware. I like what they are doing. They have dug below the surface over the past few years to get really focused on solving real customer issues. Find the pain, articulate a clean solution, and you’ll find the budget.

But here is the issue: Much like the difficulty that the capable HP PR team had in articulating the message in a few clean crisp phrases, “Business Information Optimization” (BIO?) involves a “heavy deployment lift.” Much like SAP is a heavy implementation lift for manufacturing companies.

Implementing these methods, if you can afford the time and investment, can pay big dividends – in time. We may have the budget, but do we really have the time?

We are finding something different in this transitional IT market. Customers are really driven by the notion of quick gratification by implementing “light lift” methods, with “step function” and highly demonstrable benefits. To the extent we don’t have to “rip and replace” existing business methods, we make it easier for our customers to assimilate our value.

Parallel-implemented IT controls that enforce standard image builds are one method to provide high-value quickly without major disruption of our customers’ business process.

Our customers would likely just call this “a keen sense for the obvious…”


Credit Card Regulations and IT Controls

October 3, 2007

The Wall Street Journal ran an article yesterday, “Security-Software Industry’s Miniboom,” talking about data privacy and security spending. See:


The focus of the article is around the Payment Card Industry (PCI) and the so-called Data Security Standards (DSS). The credit card industry (primarily driven by Visa) has been steadily and systematically shifting more of the responsibilities and liabilities for credit card losses to merchants.

Now this actually makes good sense. Insiders have known for a long time that the losses due to fraud, privacy issues and increasing identity theft have been huge in absolute terms for many years. (“Huge” means single digit percentage losses multiplied by trillions of dollars moving through the system.)

The tension around this is simple really, and we should all care. On the one hand the credit card “brands” are encouraging us to continue to use our cards, and actively promote “don’t worry Mr. Consumer – if you have losses, we have your back.” That is the public position. Slowing down the flow of transactions due to consumer fear is not really a good option for them 🙂

But the brands have been quietly working hard to reduce losses in the system, as they have been picking up (from their perspective) more than their fair share of the consumer loss charges and blame.

So the focus goes to the transaction chain. The PCI regs, which are being ratcheted up and broadened, are really seeking to enforce better practices for all participants in the system. In December 2006, Visa announced the “compliance acceleration program” which potentially fines the largest banks and merchants for non-compliance, with fines beginning at $25,000 a month. The deadline for compliance came into force on September 30, 2007. The next tier of banks and merchants faces a similar situation effective December 31, 2007.

Simply put, Visa (and other brands) are not willing to pick up the tab for sloppy transaction controls by the credit supply chain. And we should ALL care because at the end of the day WE pay for the losses with higher fees and interest rates.

These are real data management best practices and security issues. We should make sure all of our “negative controls” are working. The firewalls should be in place, intrusion and anti-virus stuff should be set up correctly, etc.

For the most part, the “physical risk” of losses in the system is yesterday’s news. The bulk of the transactions are handled by the “big banks” and they are pretty darn good at all of this security stuff. And I don’t believe for a minute that we lose as many laptops and servers as the media reports.

The problem with all of this CISP/PCI DSS stuff is that it focuses largely on reactive and negative controls and has traditionally been based on “honor system” compliance with draconian implications if they “catch you.”

There is a better way for all parties. Wouldn’t it be better to deploy “positive” IT controls? (i.e. “I know that all of the software on my IT-based transaction systems is in compliance — and I can prove it over their usage lifetime.”)

All sides win with affirmative and positive IT controls based on software and standard image measurement/management.

With IT controls the brands can move away from the honor system and the web services used to connect and pass transactions can exchange positive platform “trust tokens,” assuring a new level of transparent compliance. The banks and merchants can produce higher levels of demonstrated compliance, with a lower cost to implement.
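
As an added illustration (not code from this blog or from SignaCert), the sketch below shows the positive-control idea described above: measure a system against a reference image, then issue a “trust token” that a relying party can check. The file names, host name, nonce values and the shared HMAC key are constructed assumptions; a real deployment would use an asymmetric or hardware-protected signing key rather than a shared secret.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: stand-in for a protected signing key


def measure(root):
    """Positive measurement: SHA-256 of every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(ref, seen):
    """Anything that differs from the reference image is a finding."""
    return {"modified": sorted(f for f in ref if f in seen and seen[f] != ref[f]),
            "missing": sorted(f for f in ref if f not in seen),
            "unexpected": sorted(f for f in seen if f not in ref)}


def issue_token(host, findings, nonce):
    """Trust token: compliance claim bound to the verifier's nonce, plus a MAC."""
    claim = {"host": host, "nonce": nonce, "findings": findings,
             "compliant": not any(findings.values())}
    body = json.dumps(claim, sort_keys=True).encode()
    return {"claim": claim, "tag": hmac.new(KEY, body, hashlib.sha256).hexdigest()}


def verify_token(token, nonce):
    """Relying party: accept only an authentic, fresh, compliant claim."""
    body = json.dumps(token["claim"], sort_keys=True).encode()
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(good, token["tag"])
            and token["claim"]["nonce"] == nonce and token["claim"]["compliant"])


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pos-app").write_bytes(b"approved build 1.0")  # constructed sample files
        (root / "pos.conf").write_bytes(b"mode=prod\n")
        ref = measure(root)
        clean = issue_token("pos-01", compare(ref, measure(root)), "n1")
        (root / "pos-app").write_bytes(b"altered build")
        (root / "helper").write_bytes(b"not in the standard image")
        drifted = issue_token("pos-01", compare(ref, measure(root)), "n2")
    return clean, drifted
```

The token for the unmodified image verifies; the token issued after the image drifts carries the findings and is rejected, as is any token replayed against a different nonce.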

And maybe then consumers will get some break on costs and interest rates. That, or the brands, banks and merchants will see their profits increase nicely….Okay, so I lapsed into cynical….I digress.

Parallel-process, check and balance IT controls to demonstrate affirmative system compliance is just common sense. And the IT world needs a bit more common sense from time to time.


Could this be a Techno-Tsunami?

October 1, 2007

Where does the time go? Here we are at October 1, 2007 and just look at where we are so far… The economy is all over the map (one article says “go long” and the next one says “short the market”). The credit ripples are still building, and we are going to test our economic resilience yet again. I continue to believe that we are mid-stride in one of the most disruptive periods of change that we have seen for many years.

Yes, the dot-com bust was “disruptive” in a negative sense – we saw the pendulum swing full out and bang the edges. We just plain got ahead of ourselves (which is a repeating pattern for those of us with enough gray hair).

But this cycle seems different. The new technologies and products really seem to be more fundamental and useful. The disruptive nature of change seems much more deeply rooted. And when viewed from the right “altitude” the innovation seems more holistic.

But with all of that, high-technology remains a fascinating study in innovation and change. Look at some of the big stories:

* Virtualization continues to roll on

* Apple continues its slow but steady progress

* Intel recovers its footing

* Google continues its relentless march

* Web “2.0” seems to have real teeth

* There is more cheap bandwidth everywhere

* AT&T is back (now at&t ;-))

Examining some of the above in depth . . .

Virtualization. Not only more discrete compute machines per physical platform, but even the “bigger” virtualization – the complete abstraction of the platform to the user. Where does my word processor actually live anymore? Maybe on this box…maybe streamed to me on demand as a service? And where do I keep my file storage and backup these days? May as well use that Amazon storage backend…it is cheaper and more versatile than buying it.

And wow, talk about consumer wizzies. Check out the new Apple product line across the board. Great graphics, cool form factors, transparent cross-compatibility, and basically Operating System agnostic for all practical purposes.

We have Dual Core (x2) Microprocessors quickly moving to Octal Core (x8) with multiple sockets per motherboard and tons of memory – continuing to drive compute density up and lowering cost.

Zoom up and look at the really big picture for a second. Technology is really beginning to achieve the promise we’ve all had for it. To make our lives easier, more productive – and face it – more fun.

But I continue to watch with interest as the transitory waves, and the inescapable realities roll through our industry. These are not just the lapping waves on the beach. The water is retreating from the shore at an increasing pace… It is likely to return soon with force.

Are we witnessing a technology tsunami before our eyes?

What does Microsoft look like as a company 10 years from now? Where is Google? Does Motorola even exist?

Nature has an intractable and cruel reality. Evolve and adapt or become extinct. Watch carefully for signs of adaption with your favorite companies and sectors. If you don’t see the spark of innovation, get out.

Now on to Q4…..