Friday, October 31, 2008

BriefingsDirect Analysts Take Microsoft's Pulse: Will the Software Giant Peak in Next Few Years?

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 32, on the outlook for Microsoft in the face of the economic downturn and new directions in the IT market, recorded October 24, 2008.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition Podcast, Volume 32.

This periodic discussion and dissection of IT infrastructure-related news and events with a panel of industry analysts and guests comes to you with the help of our charter sponsor, Active Endpoints, maker of the ActiveVOS visual orchestration system.

I am your host and moderator Dana Gardner, principal analyst at Interarbor Solutions. Our topic this week, the week of October 20, 2008, is the IT elephant in the room ... Microsoft. The software titan held its Professional Developers Conference (PDC) on October 27 in Los Angeles. We’re expecting quite a bit of news from the event, and this also gives us a chance to examine the state of Microsoft and its place and role in the enterprise IT dominion.

We’re going to dig into Microsoft, its mission, how well it’s doing, and how well we’re expecting it to do over the next couple of years. We’re joined by this week's panel to help us dig through this.

I’d like to welcome first Jim Kobielus, senior analyst at Forrester Research. Hi, Jim.

Jim Kobielus: Hi, Dana. Hi, everybody.

Gardner: Tony Baer, senior analyst at Ovum. Hi, Tony.

Tony Baer: Hey, Dana, good to be here again.

Gardner: Dave Linthicum, independent consultant with the Linthicum Group. Dave will be joining in a little bit.

Next, Brad Shimmin, principal analyst at Current Analysis. Howdy, Brad.

Brad Shimmin: Hi, Dana, how are you?

Gardner: Great, thank you. Making his debut on our show, Mike Meehan, a senior analyst at Current Analysis as well, and former editor-in-chief at SearchSOA.com. Welcome, Mike.

Mike Meehan: Great to be here, Dana.

Gardner: And, last, Joe McKendrick, independent analyst and prolific blogger on SOA and business intelligence topics. Howdy, Joe?

Joe McKendrick: Pleasure to be here, Dana, thank you.

Gardner: Alright, let’s dig into the freshest news this week. Microsoft just yesterday announced its financial results for the quarter ending September 30. We saw 9 percent revenue growth, which includes 20 percent revenue growth for their business software, and overall 2 percent net income growth.

It’s not quite as robust as similar recent reports from IBM, Oracle, and HP. Indeed, the Business Unit at Microsoft did better than the Windows Operating System Unit, which has of course been its long-time cash cow.

I guess we’ll take this over to Tony. Tony, is there anything that we can read into Microsoft’s financial results that give us some indication of how well the company is doing?

Baer: Actually, I’ve been giving this some thought in terms of the results from some of the others lately -- for example, IBM and Oracle, mostly up, and SAP down.

My sense with Microsoft is that the Windows unit has been very much slowed down by the very slow uptake of Vista, and especially by the tendency of corporate customers, if and when they get new machines, to downgrade to Windows XP. So, that certainly has created something of a drag there.

The other part of this -- and this is actually one part which does surprise me a little bit -- is that Microsoft has been putting a lot more emphasis especially around business software, and specifically Oslo. You’ll see a lot of this in the sessions and announcements next week at PDC. It’s too early to impact the results, the financial results, but it's indicative of a general direction on Microsoft's part. It has become more of an enterprise computing player.

What does surprise me a little bit is that in a company of Microsoft’s size it would have that much material impact.

Gardner: What's a little surprising to me is that even with 9 percent revenue growth and 20 percent revenue in the Business Software Unit, which includes Office, that only translated into 2 percent income or earnings.

Is Microsoft at a disadvantage, compared to other enterprise vendors, because of its exposure to the consumer market, Web advertising market, and the cyclical nature of an operating system upgrade like Windows?

Baer: I’m not sure if it’s at a disadvantage with regard to the consumer market per se. I hate to use an extreme example like this, but take a look at some of the very toughest economic times that we’ve had. Let’s go back to the Depression, which of course we all remember from our childhood, or at least that we are all reincarnated now. During the ‘30s, when nobody had any money, people went out for cheap, real thrills. In that case, it was a trip down to the movie theater.

My sense is that, if you already have an Xbox 360, what's the big deal about getting another game? That’s a much cheaper thrill than going out and buying some more expensive piece of consumer electronics hardware.

I don't think that the exposure to the consumer side is such an issue. I think it's more a matter that certain parts of Microsoft’s business have matured and that some of the newer areas, which would be the enterprise side, and would also be say the Web-designer side, where they are going head-to-head with Adobe, are still much too early on the maturity curve to have a material impact.

Gardner: Alright, Mike Meehan, what do you think? Is Microsoft in a good, medium, or a bad position going into an economic downturn, given what we’re seeing and given their exposure across such a wide variety of different products and services?

Meehan: You’re generally never in a bad position when you’re diversified. That’s the one thing Microsoft has going for it. It has its hooks in a lot of different ponds.

I tend to think that they are better off in the consumer market than they are in the enterprise market. My view is that .NET has lost to Java, just as an enterprise technology. It’s a niche. It’s an avenue where Microsoft is going to have a presence.

People are going to use Visual Studio. They can build out Oslo and they can try to keep people in with as much service orientation as Microsoft can give you in their package, but they are not going to be on the same par as IBM, Oracle, or even SAP long term, in terms of being able to give you enterprise applications and application development tools.

They are a sidelight to that. Their business is more in the operating system and in the Xbox. Kids like playing games, and social computing, those game-oriented things, are going to be the areas where Microsoft is going to see its greatest profits down the road.

Gardner: So, you’re saying that Microsoft’s future is waning when it comes to its share of market, profits, and growth on the business side, and that its virtuous growth machine between the tension of their tools and its platform is not going to continue? It’s fighting against organizations like Google and Apple in the consumer space that is going to be Microsoft’s growth future?

Meehan: I think they are capped on the business side. There's only so much of that pie they are ever going to get right at this point.

Gardner: Anybody out there have a concurring view to that? It seems that the vast majority of Microsoft’s revenues and profits still come from the business sector.

Kobielus: I think that there’s some validity to the viewpoint that Microsoft's growth potential has capped on the business side, when you consider packaged applications, and software- and application-development tools, in the sense that the entire product niche of the service-oriented architecture (SOA) universe is rapidly maturing.

The vendors in this space -- the SOA vendors, the business-intelligence (BI) vendors, the master data management (MDM) vendors -- are going to realize revenue growth and profitability. Those who survive this economic downturn and thrive in the next uptick, will be those who very much focus on providing verticalized and customized applications on a consulting or professional services basis.

In that regard, Microsoft is a bit behind the eight ball. They don’t really have the strength on the consulting, professional services, and verticalization side, that an SAP, Oracle, or an IBM can bring to the table.

Microsoft, if they want to continue to grow in the whole platform and application space and in the whole SOA universe, needs to put a greater focus on consulting services.

Gardner: That's interesting. Now, here we have Microsoft, as I say the elephant in the room, the largest software company in the world, in many respects one of the most successful companies in the history of business, behind the eight ball. How could it be behind the eight ball, when it has $40 billion in cash in the bank, and an army of global developers and engineers? Yet, I think there's something to this.

Let’s drill down for a second. Gartner, the largest analyst and research firm came out with a Top 10 Strategic Technology Areas list for 2009. These are the 10 areas I think are going to be the most strategic for IT people.

Number 1, virtualization. I think it's safe to say that Microsoft is catching up on virtualization.

Number 2, cloud computing. We’ll soon get detail on Microsoft’s cloud computing, but they’re clearly behind the eight ball if you compare them to say Amazon or Google or Salesforce.com.

Number 3, servers beyond blades. Well, that’s a hardware story, and Microsoft isn’t in the hardware business.

Number 4, Web-oriented architecture, mashups, or the use of Web development, primarily for new applications. Microsoft’s in that, but that’s a problem, because there isn't always a tie-in to their platform. It’s really a Web- and browser-based business, which has been somewhat troublesome for Microsoft, given its software plus services focus.

Number 5, mashups. Same story there. Microsoft does have tools and approaches, but it doesn’t necessarily feed their cash cow of selling more operating systems or upgrades to operating systems.

Number 6, specialized systems. I’m not exactly sure what that means, but I don’t think Microsoft is so verticalized that this is going to be a growth area for them.

Number 7, social software and social networking. We haven’t seen Microsoft dominate here. In fact, they tried to buy their way into this with Yahoo and failed.

Number 8, unified communications. Microsoft has been big there. That’s a potential growth area for them.

Number 9, business intelligence, another big growth arena.

Then, Number 10 from Gartner’s list, Green IT. Green IT, of course, means consolidation, more highly utilized servers, not hundreds of Microsoft Exchange Servers running at 20 percent utilization. So, I would posit that Microsoft is behind the eight ball on Green IT as well.

Does anybody out there want to react to this issue of Microsoft in catch-up mode?

McKendrick: When did Bill Gates start Microsoft? What year was that?

Gardner: 1977.

McKendrick: It was actually 1975. That was the worst downturn in our generation, as far as the economy goes. He, and eventually Steve Ballmer, started the company going. What year was MS-DOS launched to licensing? When did that begin to catch on?

Baer: 1980, 1981.

McKendrick: Yeah, the other downturn, the other worst economic downturn in our generation. So in other words, in Microsoft’s history it seems they’ve had their crucial turning points, at times when the rest of the economy was in a funk.

Windows was in the early 1990s, another recessionary period.

I was speaking with Brian Loesgen from Neudesic a couple of weeks ago. It was in the midst of the first wave of financial panic in the economy. He put it this way. Microsoft has its own economy. No matter what happens to the economy at large, Microsoft has its own economy going, and just seems to get through all this.

What’s driven Microsoft from day one, and continues to do so, is that Microsoft is the software company for Joe the Plumber. That’s their constituency, not necessarily Joe the Developer. They cater to Joe the Developer, Joe the CIO, and Joe the Analyst certainly likes to check in on what they are doing. It's this whole idea of disruptive technology. They have always targeted the under-served and un-served parts of the marketplace and move up from there.

Gardner: So we have two narratives. We have Microsoft is too big to fail, has done well regardless of economics in the past, and is independent of larger economic trends because of its "Joe the Plumber" appeal. We also have this narrative of they are playing catch-up.

McKendrick: The base of Microsoft, these companies that are using Microsoft technology, don’t necessarily get virtualization or cloud computing. They just want a solution installed on their premises and want it to work.

Gardner: Dave Linthicum, are you out there now?

Dave Linthicum: Yeah, I am out there now. How are you doing Dana? I was actually crying over my 401(k) portfolio, so I got in late on the call.

Gardner: Well, I can see why that would choke you up. Now, what's your position on these dual narratives: Microsoft, too big to fail, has always done well in the past -- or Microsoft behind the eight ball on virtualization, cloud computing, and some of the other major growth areas of the next couple of years?

Linthicum: I think they are behind the eight ball. A lot of the strategy I’ve seen coming out of Microsoft over the last few years, especially as it relates to cloud computing, SOA, and virtualization, has been inherently flawed. They get into very proprietary things very quickly. It really comes down to how are they going to sell an additional million desktop operating systems.

Ultimately, they just don’t get where this whole area is going. If you think about Joe’s point, going back in history, not as far, but to the whole Internet trend, it turned out to be an explosion back in the middle ‘90s.

They missed the boat on that completely. They were off doing their own MSN network and working on that kind of stuff, and they really were catching up in the end. They had a pretty good offering and they took a large part of the market because they own the desktop and all those things going on.

Now, we’re heading into an area where they may not be as influential as they think they should be. They may be not only behind the eight ball, but lots of other organizations that are better at doing cloud computing, virtualization, and things like that, and have a good track record there, are going to end up owning a lot of the space.

Microsoft isn’t going to go away, but I think they’re going to find that their market has changed around them. The desktop isn't as significant as it once was. People aren’t going to want to upgrade Office every year. They’re not going to want to upgrade their desktop operating systems every year. Apple Macs are making big inroads into their market space, and it’s going to be a very tough fight for them. I think they’re going to be a lot smaller company in five years than they are today.

Gardner: Let’s take that notion to Mike Meehan. Is Microsoft going to be the same, smaller, or bigger in five years?

Meehan: I wouldn’t say smaller, only because they got maybe as large as they were going to get in the earlier part of this decade. Dave is absolutely right in that the one area that Microsoft never really conquered that it needed to conquer, given its strength in the desktop, is the handheld. If they are not going to be there with the handheld long-term, that’s a major growth area that they are going to miss out on. That’s where a lot of the business is going to shift to.

I don’t spend all my day on a handheld, but I live in Boston. I can ride the T and I can see a lot of people who do use handhelds. If you want to be there, if you want to be in the cloud services, that’s where a lot of people are going to be getting consumer cloud services from. It’s going to be right off those handhelds, and Microsoft is just not there.

On the SOA side, as I said before, Microsoft is just trying to be as service-oriented as they can for users who are trying to be not SOA-driven, but "As Service-Oriented As Possible."

In fact, make that an acronym, ASOAP. There are going to be a number of users who are not going to go fully into SOA, because they have an enterprise architecture. It’s too hard to do, too hard to maintain. They’re never going to quite figure that out. They are just going to try to be tactical and as service-oriented as possible. Microsoft will try to service them and hold that part of their business.

What’s the next big thing they’re going to do? Joe referred to Microsoft having come up with that in previous downturns. I don’t see where they have got that right yet, and so I think that leads to them being smaller long-term.

Baer: I think the biggest deficiency in this go-around, compared to the Internet about a dozen years ago, is that they don’t have a figure like Bill Gates to crystallize turning the company around.

That was an amazing case study back around 1995, where Microsoft was caught by surprise by the Internet. Gates basically convened a weekend-long retreat, or something like that. I’m not sure how long it was, but it was pretty short.

At that time, the company was small enough -- and I use the term “small” in a relative sense -- that the company could turn around. More importantly, in someone like Gates, they had someone with the type of vision that could crystallize everyone to start thinking on the same page. I don’t think they have that same kind of figure now.

Gardner: That's right. It was the first week of December, 1995 that Microsoft came out and announced that the Internet was a big deal, and within two years they were the top browser company in the world, and have remained there ever since. So they have demonstrated an ability to move quickly.

Let’s go to Brad Shimmin. Brad, you are going to go to PDC. If there’s any venue where Microsoft can talk to Joe the Plumber and Joe the Developer, and convince the world that its vision of the future is the right way to go, it’s at the PDC.

Do you think that Microsoft is going to have an opportunity to change this perception of it being behind the eight ball in any appreciable way at the PDC?

Shimmin: I do, and simply because they don’t have to. I think back to a number of points that have been made here that to be successful Microsoft doesn’t need to convince the world. It just needs to convince the people that attend the PDC. They have such an expansive and well-established channel, with all the little plumber-developers running around building software with their code, that just as 40 is the new 30, Microsoft is really kind of the new Apple, in a way.

They don’t need to be Oracle to succeed, they really need to have control over their environment and provide the best sort of tooling, management, deployment, and execution software that they can for those people who have signed on to the Microsoft bandwagon and are taking the ride with them.

That’s what it’s all about for them at these shows. In general, it’s the same way. They don’t need to be the next Oracle to remain successful on the business space.

As Mike said, they’re kind of capped out in many ways relative to the consumer market, but, gosh, they have shown that with things like SharePoint, for example, Microsoft is able to virally infest an organization successfully with their software without having to even lift a finger.

They’ll continue to do that, because they have this Visual Basic mentality. I hate to say it, but they have that mentality of “Let’s make it as simple as possible” for the people that are doing ASOAP, as Mike said, that don’t need to go all the way, but really just need to get the job done. I think they’ll be successful at that.

Kobielus: I just want to elaborate on what Brad said and then bring it back to the question of will Microsoft be larger, smaller, or the same size in five years time. I think they will be larger, and they will be larger for the simple reason that they do own the desktop, but the desktop is becoming less relevant.

But now, what’s new is that they do own the browser, in terms of predominant market share or installed base. They do own the spreadsheet. They do own the portal. As Brad indicated, SharePoint is everywhere.

One of the issues that many of our customers at Forrester have hit on -- CIO, CTO, that level -- is that SharePoint is everywhere. How do they manage SharePoint? It’s a fait accompli, and they have to somehow deal with it. It’s the de-facto standard portal for a large swath of the corporate world.

Microsoft, to a great degree, owns the mid-market database with SQL Server. So owning so many important components of the SOA stack, in terms of predominant market share, means that Microsoft has great clout to go in any number of directions.

One direction in which they’re clearly going in a very forceful way that brings all this together is in BI and online analytical processing (OLAP).

The announcements they made a few weeks ago at the BI conference show where Microsoft clearly is heading. They very much want to become and remain a predominant BI vendor in the long run.

What that means is a number of things. First and foremost, innovating at the desktop within SharePoint and in Excel to enable, in memory, deeply dimensional user-driven modeling to begin to dissolve the OLAP cube and enable users to begin to develop their own advanced analytics, build it out, and grow that knowledge base in a collaborative environment that’s very much hinged on SharePoint -- the collaborative features, version management, library check-in and check-out, and so forth.

In five years time, Microsoft will be one of the predominant BI players. It already is, but it will become more important as one of the main BI platforms out there.

I don’t imagine Microsoft would become as verticalized a BI player as say a SAS Institute, but Microsoft, as several other analysts on this call have mentioned, has a phenomenal partner ecosystem, and they are providing an evermore powerful platform for those vendors and professional sources and customers to build out those analytics. So, they will be bigger.

Gardner: Okay. So, Microsoft has its installed base. It has its devotees, people who are making their living based on its products. It’s a huge channel. You see in a number of key IT areas a deep advantage in terms of their installed base, but that begs the question of whether things remain fundamentally the same or whether we’re going through a period of transformation.

Let’s go back to Brad. Based on what you know about PDC announcements, how is Microsoft going to pull off both retaining its installed base strengths, and also ushering people into higher productivity and lower cost, which are going to become essential?

Many Microsoft products are not the lower cost alternatives in the market, particularly from an architectural standpoint. Does anything come out in your understanding of the PDC announcements that will help solidify its base, but also substantially reduce total cost?

Shimmin: I do. It’s kind of funny, because a lot of the stuff they are going to be announcing, or demoing I should say, at PDC, lean toward some of the things we have been dinging them on.

For example, they are making Windows Communication Foundation (WCF) and Windows Workflow Foundation (WWF) form the heart of their ASOAP model, if you will, but they have been very much geared toward the bitheads that are working in Visual Studio to develop them.

What they’re trying to do is move those more toward an Oslo perspective of compilation and composition, so they’re making them such that they have a much better workflow capability. You had to code it by hand, but they are just coding it in, which goes back to their entire approach with tooling in general. They try to take you as far as they can, so that you don’t have to make as many decisions or intellectual efforts to make your software work.

They’re doing the same thing not just with .NET but also with their Windows Server, which I found to be the most curious part of what they are doing at PDC.

They have had Windows Server sort of unofficially as their application container, but really it’s not. BizTalk has been their application container for everything SOA. They’re moving toward Oslo, with the Dublin release. They’re making it more of a first-rate citizen for hosting composite applications as a container.

Gardner: Oslo is their next generation development and deployment framework, which is highly focused on services and business-process level integration.

Shimmin: It is. It’s nice, because they are actually going to have a registry-repository. You literally just have to partner and use standards for anything like that with them now, but they are going to build their own on top of SQL Server, which I think is a smart move, by the way.

But they will have that, and the development tooling that’s going to be hooked indirectly to .NET and the Windows Server. They’re going to make BizTalk more of a B2B integration, yet making it more of an enterprise service bus (ESB), which is the last thing they would have ever told you they want a BizTalk to be. But, they’re going to make it more of that in the future and make Windows Server more of your traditional Java development, Java Shop, which would be your app server.

Gardner: So we have an ESB function set. We have a registry-repository function set. Microsoft is coming not on the leading edge of these technologies. They’re clearly five or seven years behind some other entrants in the marketplace. But, on the total cost perspective, I think what I am hearing from you is that if you go all Microsoft all the time, there are going to be efficiencies, productivity, and cost savings. Is that the mantra? Is that the vision?

Shimmin: That‘s exactly right, Dana. That’s what they’re banking on, and that’s why I think they are the next Apple, in a way, because they are downtrodden, compared to some of the other big guns we’re talking about with Oracle, SAP, and IBM inside the middleware space. But that doesn’t matter, because they have a loyal following, which, if you guys have ever attended these shows of theirs, you’d see that they are just as rabid as Mac fans in many ways.

They’re going to do their best job to make their lives as easy as possible, so that they remain loyal subjects. That’s a key to success. That’s how you succeed in keeping your customers.

Gardner: Dave Linthicum, Microsoft is continuing to make offers that their installed loyal base can’t refuse. But the total cost of ownership (TCO) equation comes in a little bit later. That is to say, if you have bought into the Microsoft-oriented architecture vision, and you’ve spent a lot of money with Microsoft in doing so, you will be able to do all of these things better in the future. What’s wrong with that vision?

Linthicum: Ultimately, people are looking for open solutions that are a lot more scalable than this stuff that Microsoft has to offer. The point that was just made, there are a bunch of huge Microsoft fans that will buy anything that they sell, that’s the way the shops are. But the number of companies that are doing that right now is shrinking.

People are looking for open, scalable, enterprise-ready solutions, they understand that Microsoft is going to own the desktop, at least for the time being, and they are going to keep them there. But, as far as their back office things and some of the things that Microsoft has put up as these huge enterprise class solutions, people are going to opt for other things right now.

It's just a buying pattern. It may be a perception issue or a technological issue. I think it’s a matter of openness or their insistence that everything be proprietary and come back to them.

I heard the previous comment that looking at all Microsoft all the time will provide the best bang for the buck. I think people are very suspicious of that.

If you look back in history, Microsoft Transaction Server (MTS) and all of these other things that Microsoft has built over time to get into enterprise-scale computing, haven’t worked very well. Either it was perceptions or openness. I reviewed MTS when I was at PC Magazine and I found it to be a pretty good product, but it just had no uptake into the market space.

I think their current efforts are going to run into the same issues. You’re not always going to have people who are going to buy it. It’s part of the bundles that they’re offering to the enterprise, the enterprise license agreements that they are selling in, but it's going to be a very hard path for them I think.

Gardner: Mike Meehan, virtualization is obviously a big topic these days. VMware came out with results that showed these things are selling like hot cakes. VMware itself is going to be under pressure in competitive offerings in the marketplace.

Is virtualization at the hardware level, infrastructure level, applications level, and then ultimately at the desktop level -- where we have virtual desktop infrastructure (VDI) -- a game changer in terms of Microsoft being able to pull this off? ... “If you do it all with us you have a better economic story.” How does virtualization change Microsoft’s strategy, if at all?

Meehan: I don't know that it does, in that you have to be so integrated with the company to take advantage of that, that I am not really sure that Microsoft is in the right position to do that.

For example, four years ago, Sun Microsystems started beating that drum that they were going to take these virtual environments, put it together with their software environments, and have this soup-to-nuts computing that was going to be five times more powerful and so much more efficient.

It just never happened on their end. It's hard to execute. It’s hard for Microsoft to align itself with what anybody else is doing. Whatever VMware is doing, I find it a little difficult to believe that Microsoft is willing to be the tail that’s wagged by any other dog.

To a certain extent, Microsoft will try to plug-in to that in its own way. What its own way is, and where exactly it plugs in though, are unknowns to Microsoft itself, and it’s going to want to own something in there. I don’t even know what it wants to own in terms of virtualization.

Gardner: It seems it wants to own the hypervisor. It’s going to make the Hyper-V hypervisor part and parcel with other infrastructure, and, I would imagine, at a price that people can’t refuse. They’ll also continue to sell Windows licenses for all those virtualized instances of an operating system. That’s still Windows. That’s still good revenue.

Does anyone else have a sense of whether virtualization, as a general trend, knocks down Microsoft’s ability to do it all and well?

McKendrick: VMware announced that operating system, what’s it called, the VMware VDOS, do I have that correct?

Gardner: KVS. Is it their Hypervisor?

McKendrick: No, they are actually calling it an operating system.

Gardner: That's right, their cloud-based infrastructure operating system.

McKendrick: Exactly. That’s the direction organizations are going. Cloud computing, SOA, virtualization, all those things are going to be internal clouds, private clouds, maintained within enterprises.

When you think about an operating system, what is an operating system? That’s virtualization, right? An operating system virtualizes resources underneath, in the server, the hardware, and storage. Virtualized operating system, like VMware is talking about, is probably the next evolution of operating systems in general.

Gardner: That’s right. A disk operating system virtualizes the disk.

McKendrick: Right. That’s what an operating system is, virtualization. People don’t think about it that way.

Gardner: So, your point is that Microsoft is in the position to take its advantages and strengths and move that up yet another abstraction to this private-cloud infrastructure level.

McKendrick: I think so. Steve Ballmer kind of responded to the VMware announcement by saying that Microsoft has something cooking in that regard too, some kind of virtualized operating system. I don’t know if it will be separate from what Windows will be in the future. An operating system is a cloud management system, when you really get down to it, and it’s the next natural evolution for operating systems. That’s what Microsoft is good at.

Gardner: We’ve heard quite a bit on this cloud operating system from Red Hat, Citrix, VMware, IBM, and HP talked it up a little bit. No one’s really come out with a lot of detail, but clearly this seems to be of interest to some of the major vendors.

Let’s go back to Dave Linthicum. What is the nature of this operating system for the cloud, and does it have the same winner-take-all advantage for a vendor that the operating system on the desktop and departmental server had?

Linthicum: I think it does in virtualization. Once one vendor gets that right, people understand it, there are good standards around it, there are good use cases around it, and there’s a good business case around it, that particular vendor is going to own that space.

I’m not sure it’s going to be Microsoft. They’re very good about building operating systems, but in understanding my Vista crashes that are happening once a day, they are not that good.

Also, there are lots of guys out there who understand the virtualization space and the patterns for use there. The technology they’re going to use, the enabling standards, are going to be very different than what you are going to use on a desktop or even a small enterprise departmental kind of problem domain.

Ultimately, a large player is going to step into this game and get a large share of this marketplace pretty quickly, because the cost and ease of moving to that particular vendor is very low.

I can decide this morning that I want to use a particular virtualization vendor, sign up with them, and start putting my assets out in that world in a very short time, versus buying hardware and software I am installing in my own systems and other things that are going to be leveraged.

These virtualization operating systems that are enterprise bound or even in a gray area with the cloud are going to come from somebody else besides Microsoft. That’s just my own personal opinion, based on what they are doing.

Kobielus: I think that Microsoft stands a chance of becoming the predominant cloud OS vendor. Let me just define the level set of what I mean by that. At the heart of any cloud or virtualized cloud operating system is a virtualized database environment. Database virtualization is a real hot topic, and it means many things to many vendors and to many analysts.

Fundamentally, like any other virtualization approach, it simply involves abstracting the internal implementation from the external calling interface, using a variety of approaches.

It’s not all together yet, but Microsoft is coming along with a fairly interesting database virtualization story that will play out in releases over the next several years.

For one thing, of course, they bought DATAllegro a few months back, and now Microsoft is building a shared-nothing, massively parallel database, a data warehousing environment that can scale up to thousands of nodes potentially and many petabytes of data. It’s grid at its very heart. So, a grid environment is virtualization, a database virtualization on one level.

Also, Microsoft has a very interesting project going on that will probably see the light of day in terms of roll-out in the whole SQL Server vNext timeframe in 2011. It’s called Project Velocity, which is very much virtualizing data persistence across both disk-based and spindle-based storage, as well as in-memory cache across a distributed virtualized fabric.

There's also a bit of virtualization going on in the front end of their BI stack, in terms of using in-memory approaches more deeply in all the app, and so on.

Of course, Microsoft has got the whole SQL Server Data Services, software-as-a-service (SaaS) initiative ongoing, and they will continue to ramp that up in coming years. I see all this coming together as the heart of a database virtualization environment.

Then, one other thing you need to have for a fuller virtualized OS in this environment is something called in-database analytics, where you can run the compute-intensive algorithms right inside the database. You can take advantage of all the parallelization.

Microsoft doesn’t have a strong story there yet, but I think that in the next year or so, they will roll out a much more interesting story that tracks with what's going on elsewhere, like vendors in the data warehousing arena that have aligned themselves around this framework called MapReduce. A lot of that will come together in the Microsoft side over the next few years, and I think they will be a power in cloud OSs.

Gardner: So, I think what I am hearing from you is that virtualization, grid, and cloud can help Microsoft in its database and data services story, particularly up against someone like Oracle and IBM.

Kobielus: Yes, yes, yes.

Gardner: Okay. There's another difference here though with cloud and private cloud and that is that Joe the Plumber and Joe the Developer aren't going to be deciding the architecture for this cloud.

Also, moving toward the cloud infrastructure is a significant multimillion dollar decision process, involves creating new data centers, tens of millions of dollars in facilities, infrastructure, and manpower, and energy types of investments, things that will impact the company for five, 10, 15 years.

It seems to me that there's only going to be a handful, perhaps fewer than 25 true third-party cloud providers, and that the types of organizations where a private cloud makes sense are going to be the Global 2000, maybe down to the Global 500, who would be interested in investing and have the cost savings in scale that would make cloud computing make sense.

So, in a sense, this move toward private-cloud and public-cloud infrastructure really does not benefit Microsoft’s traditional market and channel distribution and penetration. We’re really talking about perhaps as few as 2,500 total customers across the world who would be buying this. Given that that’s the economic landscape, does this not impact Microsoft in terms of its ability, or even interest, in approaching this market?

Baer: A couple of things. I agree with you in terms of the private cloud. I don't think that's really a real winner of a market for Microsoft, because it will require the customer to put in significant capital investments from the top-down. The thing is, those types of customers have not traditionally been Microsoft’s strengths.

I had a couple of thoughts as this session has drifted. One, how does the cloud really impact Microsoft and its prospects, and will Microsoft be able to compete in a more open world?

I have a couple of answers to that. You still have a certain, very stubborn level of mid-size businesses that are Microsoft shops. You go to these PDC conferences, which unfortunately I won’t be at next week, and you see these armies of people, who have been loyal ever since Visual Basic 0.5. They have built a huge developer base, which is translated to an incredible base among small businesses.

So, on one hand, I don’t think that Microsoft is going to lose its grip on its Joe the Plumber small and mid-size business (SMB), enterprise business. On the other hand, in terms of the emergence of clouds, and forgetting about private clouds at the moment, on public clouds I’m not sure. Microsoft has a software-plus-services strategy, the idea of which is to make it as invisible as possible. That has a nice value proposition to its traditional market base.

On the other hand, when you start seeing the proliferation of these third-party clouds, which are coming at very much commodity prices -- the Amazons of the world, and so on -- I’m getting the sense that these public clouds are going to become so commoditized that there’s not going to be any single player that’s going to dominate.

I think that Microsoft will be able to retain a very loyal niche at SMB, but I don’t think when it gets to cloud that it’s going to dominate.

Shimmin: I just want to add to what Tony was saying. Yesterday, Amazon announced that EC2 is now running on Windows Server and Microsoft SQL Server.

Obviously, this is a public cloud, but in my mind, the fact that Microsoft has virtualization is a necessity for them to move forward. I don’t think it’s something they are going to be building a direct business on, like VMware. For them, it’s simply a necessity so that they can run on places like EC2.

The most important thing is, as Tony was just saying with Visual Basic, it all comes back to where you develop your application. Whatever you code in, the tool you’re using is going to dictate where you push that final application out. If it’s to your local server or to a cloud is irrelevant to you.

Whether you’re saving money going to a public cloud, for example, or you have your own investment internally doesn’t matter. The point is that Microsoft, to succeed, needs to have its application container. What I was saying is the Windows Server is a WebSphere Application Server in the cloud, and it seems like they are heading in that direction. So, I think they’re going to be able to ride this virtualization wave.

Gardner: Perhaps it will allow Joe the Developer to have it his way. That is to say, develop in what you like and what you know, target the Microsoft middleware functional set, as well as the containers that the tools are integrated to and aligned with, but perhaps host that up at a cloud.

Now, if Amazon is going to do it, and then Microsoft is going to probably want to do it too -- and they more than likely will -- it’s almost certain that Microsoft will have its own cloud. You use their tools, perhaps their tools are in the cloud as well. So platform is a service value for Microsoft.

That’s all well and good, and it certainly would cut total cost and demonstrate the value of doing it on Microsoft. However, their ability to charge for those services is going to be up against other commodity-level platform-as-a-service and cloud-services sets. Microsoft’s ability to take money from each of these accounts, each of these developers, each of these departments would be severely crippled under that circumstance.

It raises the question: In five years will Microsoft, on a revenue basis, be bigger, the same, or smaller?

Let's wrap up our discussion today by going around and asking that very question to each of our participants. Let's start with you Brad. Brad Shimmin, Microsoft five years from now, bigger, the same, smaller, revenue wise?

Shimmin: I think they will be smaller revenue wise, but they will be making more money from their infrastructure and their business applications than they were in the past.

Gardner: Good. Dave Linthicum, same question.

Linthicum: I already said they are going to be smaller. I think it's going to be turned kind of more into a cash-cow company. They’re going to have hooks into some of these new trends. Where they’re going to find their business model and the culture within the company is going to be the single most preventive factor for them expanding their revenue.

Gardner: So, you see it as a smaller revenue and a smaller profit.

Linthicum: Smaller revenue, smaller profit, and smaller impact on the marketplace.

Gardner: Michael Meehan?

Meehan: Just because I think the economy will grow over the next five years -- almost because it has to -- I’m going to say they are going to be bigger in revenue but they will have smaller impact on the marketplace.

Gardner: Tony Baer?

Baer: I agree with Mike. The economy will grow and, more importantly, world markets will grow, and they just will not be the single biggest frog in the pond.

Gardner: Jim Kobielus?

Kobielus: I think they will be bigger, and their growth will be in packaged applications, analytics, BI, and performance management.

Gardner: Joe McKendrick.

McKendrick: I agree with what Mike originally said. They will be bigger, because the whole pie will be a lot larger in the next few years. Let’s face it, many competitors that have taken on Microsoft have had their heads handed to them on a plate over the years. Don’t underestimate the folks in Redmond.

Gardner: Very good. I’ll throw my two cents in. I think their revenues will be smaller, but not appreciably so, but that their margins will continue to erode, and that’s going to force them to pick and choose businesses more carefully, and have to decide what they want to be when they grow up rather than try to be everything to everybody.

Well, thanks everyone. This has been a good and fun discussion about Microsoft and their PDC. I want to thank all of our guests for joining.

I also want to thank our charter sponsor for the BriefingsDirect Analyst Insights Edition Podcast Series, Active Endpoints, maker of the ActiveVOS Visual Orchestration System. I am your host and moderator Dana Gardner, principal analyst at Interarbor Solutions. You’ve been listening to Volume 32 of our series. Thanks and come back next time.


Transcript of BriefingsDirect podcast on the outlook for Microsoft. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Monday, October 27, 2008

Identity Governance Becomes Must-Do Item on Personnel Management and Security Checklist

Transcript of BriefingsDirect podcast on identity governance and best practices for IT systems access provisioning.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, a sponsored podcast discussion about a serious and potentially catastrophic set of issues for many companies. I’m going to be talking about security and risk aversion around personnel, applications, and IT systems. We’re looking at how companies can more properly manage identity information and access rules for the users of applications and systems. We will also develop an understanding of a new class of solutions to this growing problem.

The goal is to work more toward identity governance, a step above simply giving access and privileges, and of getting pro-active in managing access across multiple dimensions in a business.

We use the word “governance” because it helps to develop an appreciation for the large-picture solution of properly provisioning users, giving them the right level of access privilege, and then being able to exercise lowering risk from the people, process, and systems perspective -- a comprehensive control and monitoring capability.

These issues and risks are reinforced these days by the sudden and unexpected financial pressure affecting many banks. There are dislocations, mergers, acquisitions, and most likely significant downsizing. There are a lot of bright people who have access to a lot of very sensitive systems. These are very powerful applications. If there were ever a need for identity governance, this would be it.

To help us better understand these issues and some of the newest solutions around identity governance, we are now joined by two executives from SailPoint Technologies. We’re talking with Mark McClain, the CEO and founder, and also Jackie Gilbert, the vice president of marketing and also a founder at SailPoint Technologies. Welcome to you both.

Mark McClain: Thank you, Dana.

Jackie Gilbert: Thanks, Dana.

Gardner: There was a time, and it doesn't seem that long ago, when folks would get themselves a directory and provision people on and off of IT systems through that. It was fairly straightforward. A limited number of people in IT managed this. But it seems that times have changed fairly rapidly. Mark, help me understand what's different now. Why do we need this more holistic governance approach to identity issues?

McClain: Sure, Dana. That's an accurate representation of where the market has evolved to, or it's continuing to evolve to. Some of this has been around for quite some time. It was probably initially referred to in many peoples' minds as a concept of user management, when we first went to distributed computing, and we had all these challenges of managing a whole bunch of identities on systems that were distributed around the enterprise, as opposed to a single well-maintained mainframe or something like that.

The advent of distributed systems, and, to some degree, the Internet drove us to seek how to secure the open enterprise. That was a challenge, as you said, of a lot of provisioning and de-provisioning of accounts, focused on operational efficiency, because it became a very costly solution in many organizations.

They understood that they had some security risk, but many times, their biggest concern was how much it was costing to manage, and also the very poor quality of service that, in many cases, was being offered to their users and partners. Someone would start with the company and not get everything they need to do their job for a few weeks, which is highly unproductive and quite costly.

But then I think if you look back over most of this decade, back to the turn of the century – it’s still funny to say that phrase – you see a series of issues with breaches. There’s been a series of issues with fraud or potential fraud, everything from Enron to things that happened with other companies where there are questionable practices, and then various clear issues of fraud or criminal activity.

And all of that together has brought about a new focus on privacy, financial oversight, and good governance, which is, in many cases, all related to the management of risk.

It comes down to how we get a good handle on who has access to what in our enterprises -- which critical data and applications are exposed to which people? The better we understand that, the better we can understand the actual potential risks we have in sharing that information or allowing it to go sometimes outside of our four walls.

In many ways, this focus on governance has been driven by those kinds of things. Now, in the current situation, as you just said, there is lots of churn in the financial markets and in the companies that make up those markets, where people are potentially moving inside of companies, changing jobs, lots of potential lay-offs happening.

That's when these issues of good governance, good controls over who has access to which critical information become very, very acute. That's because people are very sensitized to, "Hmm, if I get a disgruntled employee who may reach back and do something negative, do I have people who have been moved around quickly in a state of churn and now they have access to multiple things that they shouldn't?"

It's these segregation-of-duties challenges. There are lots of issues that we can continue to talk about, but I think it's a well-understood pain-point that's getting more intense all the time as we see kind of more churn and concerns in the markets.

Gilbert: To add to and build on what Mark just said, the other thing that is unique in the current phase we are in, which is all about oversight, audit, risk-management, is that it has created a need for more and more people from the business side of organizations to become involved with identity management – and that has real implications.

When you are just focused on automation and making processes more efficient, that stays within the realm of IT and can be very much a focus for IT tools and technical users. Now, you have executives, boards, and business managers, who are being asked to be accountable and to gauge the risk and the effectiveness of controls around identity.

Those people are being asked to use tools and approve, certify, and deem whether access privileges and the accounts the users hold are correct, and do not place businesses at risk. So, if you think about it, it has actually forced the marriage of business and IT all around this issue of identity governance.

Gardner: I suppose it's not that people are any better or worse than they used to be, but that these systems are extremely powerful. One person with access to some trading applications, for example, can suddenly lose $5 billion. Right?

McClain: Absolutely. As to your comment there about the nature of people, you'd hope that the fundamental moral fiber of the country hasn't declined. But having said that, there are a couple of interesting things that have changed.

One is that the world of hackers has evolved from seeing what they can get away with to prove their technical prowess, and has now really migrated to a fairly significant level of organized-crime involvement.

We've heard stories from companies of their employees being solicited by criminal elements to give up information. There were people getting phone calls saying, "Hey, would you be willing to sell access to your systems for some amount of money? Are you in credit trouble? Are you having financial difficulties?" People are soliciting employees to perform criminal behavior for money, which is a completely new element in the last 5 to 10 years, for sure.

Gilbert: A recent example of that was at Countrywide Financial. There was just some recent news this week about the arrest of a former employee who was actually selling Social Security numbers and mortgage information over a two-year period to the black market. This person admitted, I think, to receiving more than $70,000, by just selling this proprietary information. I think over 45,000 people were compromised that were Countrywide customers, and this isn't an isolated example.

There have been many cases of bank employees selling customer information to collection agencies. So I think what Mark was referring to is that there is actually more temptation and more opportunities to commit fraud now because there is a market for it.

Gardner: So, that means that we need to plug these holes and almost develop the ability to forecast vulnerabilities in advance – and that cuts across a chief security officer (CSO), the IT people, line-of-business people, and the human resources department. So who owns identity governance, if it, in fact, cuts across so many different aspects of a large enterprise?

McClain: It's a good question. I think that's one of the challenges that businesses are wrestling with today. As Jackie pointed out earlier, we saw, when we were focused on the identity provisioning challenges a number of years ago, then it was kind of the help desk and the security group, all within IT, that were wrestling with the problem. Now, you have those constituencies as well as two or three key others.

We now have the auditors, both internal and external, and/or the compliance people who want to have a say, or a seat at the table, to talk about how well we are managing these kinds of access privileges and what risks are involved, when they are not managed well.

You certainly have the business people paying attention now because you have senior management who are highly motivated to avoid being the next headline. They don't want their company showing up out there with Cox Communications, the IRS, Wachovia, and any number of companies like Dupont, which have hit the headlines in the last two or three years with some sort of significant breach related to access.

Business people are very tuned-in to the risk and the potential for fraud, or the potential for abuse – and they are motivated. Your ownership questions are good ones, Dana. This is such a rapidly evolving challenge, but all those people are certainly at the table.

There is a little bit of a hot potato now going on where IT and security groups are saying, "Hey, I am not going to sign up and own this problem entirely, because I don't have the business context to know exactly what does or doesn't represent risk. You business people have to define that for us."

Gardner: It's tough to be responsible for something that you don't have authority over.

McClain: Absolutely.

Gilbert: One of our customers at a financial institution, the vice president of IT, told me that he has become more savvy and is actually pushing back on the lines of business. He said that when the IT auditor comes in and shows a bunch of red ink, he says that his counterpart in the line of business needs to help own and resolve this issue because IT alone really doesn't have the knowledge that it takes to figure out where is the risk and how to mitigate the risk.

Gardner: As we've seen in other aspects of maturing business processes and IT, solutions often involve bringing enough information up to the right people, through management consoles, analysis, and good data. How do we give whoever becomes the owner of this problem, or perhaps those managing a federated approach to the problem, the tools, the visibility, and the comprehensive access that they need to the right information? What is our first step toward the solution here?

McClain: You partially answered your own question, because you used the word "visibility," which we think is one of the three core pillars of this emerging segment of identity governance. It starts first and foremost with visibility. As a business person or even as an IT or control audit person, I can't define and manage the risk in my organization, unless I understand the current state of the union.

So it really does start with answering the fundamental question that most companies wrestle with, which is "Who has access to what?" One of my customers has joked about the fact that on the day you start with the company, you have access to nothing, and on the day you leave, you have access to everything. Quite often, the only person who actually knows all of the access privileges I may have after 15 years at a company is me.

There have been multiple groups I have moved through, multiple help desks, and IT organizations that have been part of granting me access over the years. So, it's quite probable that, literally, only I understand all of the privileges I have as an employee -- and that's a problem.

This problem starts by helping customers understand the criticality of gaining visibility across critical applications and data for who has access to what. We have to be able to correlate and aggregate a lot of technical information. We have to figure out that "D Gardner" and "Dana G" and "Dana_Gardner" are, in fact, the same person, and then correlate all the privileges that you have into a single view, so I can at least start with visibility.

Gilbert: If you think about it, for most Fortune 1000 companies that is a very difficult thing to do – just based on the fact that they have tens of thousands of employees, and hundreds -- maybe even thousands -- of applications that span mainframes, UNIX, Windows, and custom and packaged applications. The more complex and varied the IT is – and the bigger the company is – the more frequent churn of people.

Some industries have 30-percent churn, with people coming in and out of the organization. All that makes this an extremely difficult problem, as Mark said, just getting proper visibility.

Gardner: Are we talking about this problem in a way that we are going to just grab all of this information, data and access information, and then put it all in one big, honking repository to manage it centrally?

Or are we talking about, "Let's leave the access privileges and controls where they are, but elevate the metadata and put that into some sort of a management framework that we can act on"?

McClain: We would say it is the latter. In other words, efforts to completely centralize all of the real-time access control, real-time authorization of who can get to what have almost always failed.

There were a number of projects years ago, where people were going to create one enterprise directory. What you find now is that a lot of the more modern applications do rely on a directory, and that directory has become more standardized and more carefully managed. We would say philosophically that this is really more like a business intelligence (BI) application.

In that sense, I want to leave the operational data in the transactional systems that it belongs to. Yet, I have to be able to pull out of that, aggregate it, and put it into a repository that can be searched and cross-referenced across all the information, so that I can get that visibility.

By the way, a highly related point here is, if I just aggregate and correlate all this information from all the underlying systems – like Jackie said, from the mainframes and directories and Windows and UNIX servers – just getting it in one place is only part of the problem. The other huge part of the problem is giving it the right business context.

That's because one of the dirty, dark secrets today is that governance and compliance have become harder, and auditors have been forcing more frequent and periodic review of the access information. Quarterly or annually, these managers and applications owners need to re-certify who has access to what.

Another dirty secret in the industry right now is that managers and applications owners must sign-off on these reports, but they don't understand them, because those reports are generated out of the IT systems and they are incomprehensible to the business people.

Knowing that Dana has access to "server FQ 93T," doesn't tell me much of anything about what Dana can do. If I can understand that that server actually is the front end to the accounts payable system, then now I know something about whether that's appropriate for Dana to have access to.

A second core pillar that we've spent a lot of time talking to our prospects and customers about is this concept of business context. Not only do they have to aggregate and correlate visibility across everything they do, I, as a customer, need to give it context so I can understand the business risks and the criticality of the information that you can access.

Gilbert: Part of the way that context is accomplished can be as simple as just providing business-friendly descriptors for entitlements. We also use the context of business roles, so that we can take a group of entitlements and assign them to a business role.

For example, a "database administrator in the Austin region" gets these types of privileges. By making that linkage and creating that higher level of abstraction around a role, we can ask people to approve whether "Joe" should be in that particular role. And they are much more likely to understand that than they are just looking at the low-level entitlements, and trying to make an intelligent decision about whether that is appropriate.

Gardner: I’m fairly clear that we have a distinct problem here, and that we are not going to solve it through a central forced march into a single approach or product. And, I understand that the identity governance solution has to be understood in the business context.

I guess what I am not clear about is how we actually go out and get this information, make it visible, get that single view of the employee, and then create the opportunity for execution and action against that information?

Gilbert: As Mark said, it's pretty analogous to BI and even data warehousing or data mining, if you will. Our approach is to take a very lightweight, read-only access to the data. We pull entitlement data and account data from applications and servers throughout the enterprise and we aggregate that into what is basically an entitlement warehouse.

We physically create a common data view of users and their entitlements. What that gives you is not only the visibility in one, single place, but it gives you the business context to better understand it. And it allows us to do some automation of controls and policy enforcement, and some risk assessment. It's amazing the value you can derive, once you get the data all in one place and normalized, so that you can apply all kinds of rules and logic to it.

For example, we can much more easily send and route that information around to the people who need to approve access or review it on a quarterly basis. And, it's all in one place. They’re not getting a single spreadsheet per application. They’re getting it all centralized per employee or per application, however they want to see it.

We can also scan that data, looking for policy violations. A good example of that would be what we call "toxic combinations," such as “you can't have an employee who both has the ability to set up a vendor and pay a vendor.” Those are two different access privileges that together indicate a high potential for fraud. So by combining all the entitlement data into one single database, you can much more easily scan for and detect potential policy violations and also the potential for risk to the business.

Gardner: I suppose carrying on with that analogy about BI, that the same information, those same rules, can be used by a number of different constituencies in the organization, whether it's provisioning, personnel, security, or compliance. It all seems to have a common reach, but a differentiation in terms of how people can then use it.

McClain: Yes, I think that's right. The idea is that once you have defined business roles, once you have defined access policies, these segregated duties, and "toxic" combinations, that's useful information, whether you are doing annual or quarterly re-certification processes, but also when you are taking on a new employee or adding a new partner or something.

You want to be able to refer to those kinds of systems that data of who has access to what and which are the appropriate policies, what are the appropriate combinations to avoid. So that if I’m going to provision someone, for instance, to a new system, or give them new entitlements, I can check it against that same repository of information on the users and the policies that I care about. I can make sure I’m not creating any problems at the time that I grant access.

Gardner: You can use this identity governance, of course, for prevention and insight. But, it also sounds like it would be very powerful, if we were doing a merger and acquisition (M&A), or if I were forced, tough as it may be, to fire everybody and then re-hire them under a different ownership or structure. Trying to do something like that without this sort of comprehensive information set would be really onerous.

Have you had any customers or use-case scenarios where people have used these ID governance systems to that degree, and what sort of paybacks have they seen?

Gilbert: That's a really good point. In fact, M&A activity is a use-case that we have seen with our customers.

A typical example would be that one bank has just bought another bank, and there is going to be a gradual process of integrating the new bank into the larger bank. During that time, we want to manage the population of users in a very shared way, so that a certain set of people will maintain access to just the old bank and then others will get merged access to the combination of the two banks.

Then, for people who potentially are being laid off or replaced as part of the M&A, we are going to manage them with potential risks in mind. So, we are going to limit their access and we may want to monitor their activity.

We actually provide a tool to segment user populations and then manage them differently in terms of the kind of controls and monitoring that we would allow the company to provide around that M&A acquisition activity.

Gardner: When it comes to implementing something like this, and I believe your product is called SailPoint IdentityIQ 3.0, is this strictly a product approach, or is this professional services and consulting or some level of competency or skill-sets within the organization's combination? I suppose the question is how much of this is actually accomplished by the product, and to what degree is the user company's skill sets required?

McClain: We would love to say you drop it in and it works, but it's not quite that simple. Many times, this is a fairly substantial project, although the ability to get to value quickly is something we've demonstrated with a number of our companies. We work with them to scope an appropriate size project, some limited number of applications or users – to show how the technology can significantly help them with these processes of certification or managing roles or better risk management.

But, quite often there is a very fairly significant consulting part of the conversation, because ultimately this is an opportunity to bring these constituencies to the table, sometimes for the first time. The auditors, the application people, and the IT security people sit down and say, "What do we want to accomplish here? How can we best provide good governance, meet our compliance requirements, and manage our risks appropriately?"

So, there is often a very beneficial set of conversations that come out of that. Then, of course, the challenge of our tool, of our software, is to capture those policies, capture those things in the product.

We have definitely seen very significant payback conversations because of the amount of manual effort and money being spent on these projects, particularly the Sarbanes-Oxley related certification projects, where not only can we save the companies a great deal of money – either in "soft" dollars internally or "hard" dollars being served with consultants.

But frankly, one of the things we hear consistently is that SailPoint IdentityIQ 3.0 is a big frustration reducer for the business.

This is a very significant source of pain and frustration in the business community today. Even if it's not purely a financial justification that we are able to give the customer, sometimes their eyes light up with, "Oh, wow, if I could give this to my users (the line of business or the auditors), they would be so much happier doing what they are doing today." So quite often there is a very significant emotional payback, I'll call it, as well as a financial payback in this kind of a solution.

Gardner: Often, risk reduction and security management is a large undertaking that requires organizational and cultural shifts, and that can involve such things as the Information Technology Infrastructure Library (ITIL), and how to re-engineer your processes within IT department itself. Granted that these are complicated and large undertakings, let's just drill down on the product itself, what does the SailPoint IdentityIQ product do in terms of "picks and shovels" that these other practitioners can put to use?

Gilbert: We've touched on a few of these points before, but a big area we contribute to is in automating some of the types of controls that would be defined by a framework like ITIL, control objectives for information and related technology (COBIT), or some of the frameworks that attempt to say, "Here's a common set of good practices that we've captured, and many of these really involve best practices and business processes for improving security controls."

SailPoint’s automated workflow replaces the manual paper-based quarterly review of access. It provides you with a much more effective set of controls that are predictable, but customizable.

We have one customer who was doing quarterly reviews. They would spend most of the quarter compiling the data, reviewing it, and then manually reconciling it. Then, they would have one or two weeks of a break before they would start the process over again.

So, as Mark said, one of the things that really helps is that we are coming in and replacing something that is painful, onerous, and not very reliable, where people have low confidence. We are replacing that with a set of controls that is much more in line with the sort of recommendations you would see coming out of an ITIL or a COBIT, in terms of how you align controls to reduce risk and how you perform these kinds of activities in a way that is reliable and predictable.


Gardner: Examples often help, but I don’t suppose there are a lot of people jumping up and down saying, "I'm really a high-risk over here!" So, there are not too many companies that you can trot out and say, "Well, we took them from 90 percent risk to 20 percent risk.” But are there any examples of how this has worked, and perhaps some of the paybacks, both business terms and even IT terms of how people have benefited?

Gilbert: A couple of examples come to mind. One of our customers, again a financial services company, went through the first quarterly certification process across dozens of Sarbanes-Oxley relevant applications. In that very first round of review, they detected that, on average, 20 percent of the entitlements for their users were inappropriate and needed to be revoked.

That’s the kind of benefit of oversight you're getting right out of the gate. Once you have the ability to see the data and see it with the right context, you are much more productive at spotting what needs to be taken away and what is inappropriate.

IT audits uncover many of these problems. Another customer was written up by their auditors because they concluded – just based on a sampling – that the access data for the corporation was, on average, only 70 percent accurate, meaning that 30 percent of it was erroneous or incorrect.

These are cases that are easy to quantify, and you're giving this immediate benefit of data clean-up and removing inappropriate access. We call it entitlement creep, that's our expression for it over time. People transfer, they change jobs, they need temporary access to some system for a project – and it never gets removed.

Part of what you are getting right out of the gate is the ability to say, "Hey, Joe doesn't really need this. He's not even in the accounts-payable department anymore," but he still has all the system access.

Gardner: Have there been any unintended positive consequences from using this? That's to say, for people who have put identity governance in place did they get what they were expecting, but also more? Were there other ancillary payoffs that people have enjoyed?

McClain: That’s an interesting question. I certainly think this idea of happier users is one. IT is so consistently under-appreciated, under-loved, under-paid. When they can provide a tool to the business user that makes the job simpler, faster, easier, especially for something like these audit processes or certification, re-certification processes, that no one looks forward to, I think that's always a win for the IT staff in particular.

I have made something you have to do easier and quicker and less painful. That's quantifiable, but under the given consequence of an improved relationship between IT, security groups, and the users. Also, the relation between internal audit and many of these groups has become fairly combative. You talk to people that have been around IT for years now, and they say, "Look, it's not like we are buddy-buddy with our auditors, but we all were sort of working together, trying to make sure that the company was being well-governed."

We have a few cases that became very combative, with a lot of anger. One person said, "Oh, you mean the ‘A word’" about the group of auditors that they were talking to. What we are finding is that this helps them get back to, "Look, aren't we all trying to accomplish an objective here of better risk management, better governance?"

One of the things that our customers have told us is that they are so focused on just getting through the audit to check the compliance box, people have lost sight of why we were doing this stuff in the first place. Ultimately we're trying to mitigate and manage risk. We’re trying to provide good repeatable processes and good governance, so the right people have the access they need to do their job correctly, and only the access that they need to do their job correctly.

So often, we've gotten away from that. It's become just, "I have to get through this process to check the box, to meet the audit by this date." It's become a must-do that has lost sight of its original objective, in many cases.

Gilbert: You mentioned the culture issue earlier. To be honest with you, we find a lot of people that may be talking about risk management, but inside most IT departments, it is really hard to understand how to put that into action.

Because we give them the ability to begin aggregating the data, doing certifications and revoking and solving policy violations, they can automatically accumulate risk data, allowing them to profile their users by risk. I think people are looking for ways to put a risk-based approach into action. What does that mean to me as an IT practitioner? I think there is a desire to get to that, but there is really a struggle on how to quantify risk, and put risk management into practice.

Gardner: As we’re wrapping up, it's interesting to look at the future. This is a fast-moving space. When we look to identity governance, say two or three years from now, is this a case of the role growing? Is there a larger payback or a productivity benefit, or are we just going to make what we've got in terms of the problem set work better? What does the future hold?

McClain: The one that we've debated around here, that I think might be useful, as there is this acronym that's fairly prevalent out there, GRC (governance, risk management, and compliance). Oracle has a GRC suite, IBM has a GRC suite, SAP has a GRC suite. And we've joked about the fact that if you were to look at that from a chronological standpoint, it should have been CRG instead of GRC. Meaning a lot of the focus for the last few years has been on compliance. How do I either reduce the cost and complexity of it? How do I meet the audits more quickly and effectively, and just this huge focus on getting to the audits and all that stuff.

People would tell you that they have compliance relatively under control now. They are generally passing their audits. They generally are not having big material deficiencies, but they sure would like to take cost out of the process and get away from so much manual work, to more automation.

This risk management, the R of CRG, seems to be emerging now, as we've talked a lot today. I think senior management is sitting on their perch in the CxO suite. "So, we've spent all this money on security, we're supposedly compliant, why do we still have these breaches?"

Most big companies are still experiencing breaches, most of which don't hit the press, but some do. So, I think they are starting to ask the fundamental question of, "So we are compliant, but we still have risk. We're not managing well. What are we going to do to get better about that?"

Governance, which is I think the focus of our talk today, is in some ways, an umbrella over all that this incorporates and then hopefully moves to just good sound, repeatable, business management of identity and access. How do I place policies? How do I provide a risk matrix, as Jackie was just talking about, that enables me to understand, measure, manage risk?

I think really we are seeing the shift from the C, kind of through the R of GRC. People are just sort of half a foot in the water, half a tail in the water, on the risk management side of it. And, to your point, what does this look like three years from now? I'd like to think a lot of companies are using some risk matrix to address these issues.

They hopefully have compliance well under control. They can pass their audits. They can generate the reports in a timely automated fashion, and they're moving to more sophisticated governance or clarity around the business policies and how those affect the underlying IT systems. So I think it's kind of that progression from the C to R to G, flipping the acronym upside down.

Gardner: Well, great. I have certainly learned quite a bit, and have much better appreciation for why identity governance needs to happen. I have certainly been in cases in my jobs where I've gone from one department or unit to another and I had accessed all those other applications.

McClain: Fortunately you are a high-ethics guy and you didn't view it.

Gardner: Yes, right, I didn’t do anything bad about it but I could see where that's certainly a risk.

McClain: Exactly.

Gardner: Okay, we are talking about identity governance and risk, and how to come to more of a solutions focus around this. We've enjoyed the talk. It’s a sponsored podcast today with Mark McClain, CEO and founder, and Jackie Gilbert, vice president of marketing and founder, at SailPoint Technologies. I want to thank you both.

McClain: Thank you, Dana.

Gilbert: Thank you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time for more in-depth discussions about enterprise software and strategies. Thanks, and bye for now.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Transcript of BriefingsDirect podcast on identity governance and best practices for IT systems access provisioning. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Friday, October 17, 2008

BriefingsDirect Analysts Discuss IT Winners and Losers in Era of Global Economic Recession

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 31, on the outlook for IT in the face of the economic downturn, recorded October 10, 2008.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsors: Active Endpoints, Hewlett-Packard.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition podcast, Volume 31. This periodic discussion and dissection of IT infrastructure related news events with a panel of industry analysts and guests comes to you with the help of our charter sponsor, Active Endpoints, makers of the ActiveVOS visual orchestration system.

I’m your host and moderator Dana Gardner, principal analyst at Interarbor Solutions, and our panel this week consists of Jim Kobielus, senior analyst of Forrester Research. Welcome, Jim.

Jim Kobielus: Hi, Dana. Hi, everybody.

Gardner: Tony Baer, senior analyst at Ovum. Welcome back, Tony.

Tony Baer: Hey, Dana, good to be here again.

Gardner: And, Dave Linthicum, independent consultant with the Linthicum Group. Is that the correct designation these days, Dave?

Dave Linthicum: That's right. Thanks guys, good to be back.

Gardner: Very good. We’re going to talk primarily today about the burning issue of the moment, and hopefully not for the next 10 years, and that's the financial situation of fairly well-defined panic. We’re not sure why, but there’s certainly a panic at this point in the global markets, and bailouts and other attempts by governments around the world not necessarily helping, so far. We’re coming to you on October 10, 2008.

Hopefully, when you hear this in the next few weeks, things won't seem quite as dire, but we are going to take a pulse of whether this is panic or whether this is a prelude. We’re certainly not going to look at this through the full lens of the economy. We’re not economists, and people will probably think we don't know what we are talking about, but we wouldn't be alone in that category right now.

So, we will focus it on what we do know a little about, and that is the IT sector, the software business, how this will affect IT vendors, users and enterprises.

First, we've heard a couple of different takes on this whole situation. IBM just came out with some fairly encouraging results, 2 percent real top-line growth and 20 percent bottom-line growth. So IBM says, “Not so bad,” HP had similar results and Oracle as well. They’re saying that we’re seeing some bumps in the road, but certainly not a meltdown. On the other hand, companies like SAP and Dell are saying that they’re really feeling it.

For my first question, I want to take this out to Tony Baer. Is this going to be something that drops the tide on all boats in IT? If not, who are the winners and losers likely to be?

Baer: Well, I think the winners are those who are likely to be more diversified into services, services that can help companies harvest more of what they already have. I was actually doing a mental comparison before we got on the call between, for example, IBM and SAP. In other words, why has IBM reported positive results and SAP hasn't. On first blush, they are both global companies, they both have incredible penetration into the Global 2000.

So, part of it is fairly hard to explain; you have to drill down a little bit deeper into SAP’s acquisition of Business Objects, a two-product company. With maybe some exceptions on the Business Objects side, it’s not so much new sales, but essentially maintenance and upgrades to new versions. In a tightening economy, putting in a new version of SAP or NetWeaver is probably a discretionary expense.

Just look at IBM, which, besides the fact that it's much more diversified, has services. The fact is that in an economic situation like this, especially where there are a lot of known unknowns, having a services business is a good way of helping clients to discover new economies. And it's also potentially a much more flexible arrangement than having to put in an upgrade of a new version of SAP software.

Gardner: What I think I hear you saying is that companies that are in the services business, and that have primarily revenue through subscription, might fare better than those who are in a product cycle, where licensing and actual product upgrade, in addition to their maintenance, might be in a situation where people will postpone those upgrades.

Baer: Absolutely!

Gardner: Where does that put Microsoft?

Baer: Good question, because they are in a transition. I just had a fairly detailed briefing with them yesterday on their Software Plus Services strategy and that's clearly where they want to go, and they do have some impressive early wins. But it's obviously still not the majority of their business. In the short-term, I think it's going to hurt their business, because clearly take-up of Vista has pretty well flagged, especially on the corporate side.

Obviously they are trying to cultivate the Software Plus Services side, but that business is still very much early in its cycle. In the long run, it will be a good strategy for Microsoft, but they are so early along that it accounts for a pretty slow proportion of their revenue. In the short-term, Microsoft is more vulnerable.

Gardner: I was at a Red Hat conference earlier this week. Their model is built very much on subscription and support, not on licensing the software. They give it away essentially. They felt pretty confident too that this wasn't going to be a cliff for them. So, I guess that further substantiates our trend.

Jim Kobielus, how do you see this shaping up for IT vendors? Is there going to be a dichotomy between those who have a recurring revenue model around subscriptions, versus those who have a little bit more reliance on software licensing?

Kobielus: By the way, full disclosure, I have a degree in economics from way long ago and I am not going to even try to be dangerous. . . .

Gardner: Well, you might as well, because they don't see what's going on either, right?

Linthicum: There’s an instant CNN gig out there for you, dude.

Gardner: By the way Jim, you are pretty dangerous, so go right ahead.

Kobielus: Okay, I do see in any economic downturn in the things that get cut from corporate budgets, for example, large capital expenditure (CAPEX) projects. That's going to hurt a number of IT vendors in particular niches, for example the hardware vendors, and where it's a discretionary software upgrade purchase. Those are going to feel the crunch.

Ongoing maintenance of existing systems, existing solutions that will relatively weather the storm. In other words, just to keep on keeping on.

So, the business model that open-source companies like Red Hat have established, and likewise, very mature software vendors like SAP and also Business Objects in the business intelligence (BI) space, they will do relatively okay because a large percentage of their revenue is from maintenance and support.

Those who will get hurt are those vendors who rely on new-product sales, especially new product sales that are very much hardware-centric. And where that comes in now ties in with my core focus areas, BI and data warehousing. We see in the data warehousing arena more of a focus on appliances, the hardware-software bundles that are pre-configured and so forth.

So, all the vendors in the data-warehousing space, pretty much all of them have re-geared their entire go-to-market strategy around hardware optimization of their own with turnkey solutions.

How will this economic crunch shake out the data warehousing appliance industry, really the data warehousing market? In any downturn, users, large corporate IT, look to rationalize and streamline their vendor commitments. In other words, they consolidate to a few very large, very strategic vendors. So, the big guys will get bigger and the small, pure-play data-warehousing appliance vendors will be acquired or will vanish.

Gardner: Is that the flight-to-quality kind of effect, do you think?

Kobielus: “Flight-to-quality,” explain that, Dana?

Gardner: Well, you are not sure about where vendors might be and you might want to have one throat to choke, a bit more opportunity to deal with them, and that they can bargain with you because they want your long-term business. They are in a more powerful position and so quality, not unnecessarily the buy side but on the sell side, makes some sense.

Kobielus: Okay, yes, it's very much the phenomenon. They are the dynamic in play here. I think that the larger data-warehousing vendors will do relatively okay, especially those who are well-established and have a substantial amount of maintenance and support revenue themselves. I’m talking about the likes of Teradata and Oracle and IBM and a few others.

But, right now, with the data warehousing and BI vendors, every time I talk to them, I ask them, “Okay, a substantial proportion of your business is in the financial services vertical. How are you feeling? Are you seeing any softness in demand for your solutions?” And pretty much uniformly, they say, “Well, so far so good. We’re not really seeing a huge cut back in orders, or even any substantial delays in placement of orders that were expected,” but everybody is sort of bracing for the worst.

Gardner: Alright, so what I heard from you is that there is certainly a benefit of subscription, but there are also certain niches within IT that are specialized and that are hot right now, like BI and warehousing, that adds such a competitive advantage that they are probably going to continue to invest there.

Let’s look at this not necessarily just through the selling but on the buy side, those people who are in IT shops. Let's go to Dave Linthicum. You have been in the situation of specifying and buying. About 70-80 percent of these budgets are already locked into maintenance, not a lot of discretionary spending. What kind of pressure do you think they are going to feel?

Linthicum: They are going to feel a lot of pressure with anything that can be cut in the short-term. It's really going to be more that there is so much stress in there, instead of just definite cutting, just tactical pulling of expenses. They are looking to morph the way in which they consume IT. I just did a survey yesterday. I basically talked about the economic downturn and their plans to implement strategic technology into their enterprise. And everybody came back with, it's going to increase in interest but decrease in cost.

In other words, people are going to move into more efficient technologies. They are going to look at a little bit more at cloud computing and other ways to save money and start moving aggressively in those directions.

I think IT and some of the IT leadership were just waiting for an excuse to drive in this unfamiliar, risky area. If their budgets are sliced, they still have the responsibility for doing very intense IT business processing, and they are looking for new innovative ways to do that. That's inclusive of cloud computing and services-oriented architecture (SOA).

I don’t know if you looked at the SOA market just in terms of services, but it seems to be exploding right now. I’m not sure about the adoption of technology and the selling of technology. That may be an after effect, after all of these SOAs start taking more strategic positions within these enterprises. It's definitely a game changer right now. I’m not sure if it's positive or negative, but it's changing the game.

Gardner: When we look at how these organizations, these enterprises will move to, as you say risky, unproven, or just innovative new ways. What aspects of IT do you think they are going to be more willing to offload to a cloud first? Clearly, there is going to be too much risk in some areas and acceptable risk in others. Where do you think we are first going to start to see business activities and IT functional sets and applications offloaded -- just because it's so much cheaper to do it that way?

Linthicum: I think it's initially going to be the office-automation technologies, moving to more of the lighter-weight processes, and then moving to more of the heavy-weight processes.

Gardner: Can you be more specific on an application-by-application basis?

Linthicum: Yeah. Instead of having a huge Microsoft infrastructure just for e-mail and calendar-sharing in groupware, and those sorts of things, moving to things that are in the cloud. This is obviously Google, but there is also a ton of other guys that are offering some pretty good technology -- information-sharing using similar infrastructure. They’ll start outsourcing that, versus maintaining all these data centers that are just dealing with e-mail and communication between people within the company.

Gardner: Sure, there are plenty of hosted Exchange too. Even if you don’t want to move from Microsoft, you can go off-premises.

Linthicum: You can go off-premises with lots of stuff and the cost is always cheaper, and also it allows you to upgrade and innovate into new technological areas you haven’t driven before.

Next, would be tactical, software-as-a-service (SaaS) applications. Take some of the HR processing, which is driven by some kind of in-house system in the data center, and outsource that to the dozen or so SaaS vendors who are offering HR processing. That's kind of a light-weight business process.

Then, the next generation is even more risky, and I don’t see a ton of guys doing that initially. It involves some of the core business processes, and getting into an SOA kind of an initiative. Re-automating those, but also outsourcing a tremendous number that haven’t been done before for the primary reason of cost saving.

Gardner: I think I’m hearing from Dave here that not only we are now going to make baby steps towards significant innovation, but the economic pressure that's going to come down on CIOs and IT departments forces them more towards that transformational level of change. So, that could include a lot more SOA, a lot more virtualization, internal on-premises cloud infrastructures, and so on.

Jim or Tony, how do you feel about the possibility that more economic pressure is actually a catalyst towards transformation rather than iterative change?

Kobielus: You mentioned my name first so I’ll respond first and I’ll be brief, so Mr. Tony can go right after me. I see definitely the economic downturn is going to expand the footprint, as it were, for the cloud in data warehousing, where data warehouses are becoming ever larger in the hundreds of terabytes and now into the petabyte.

I’m seeing an upsurge in the number of start-ups and data warehousing vendors that now have cloud based offerings. For example Vertica and Oracle now support databases that can run in the Amazon EC2. There are other vendors, like 1010data, that are very much pure plays in the fact that they only operate in the cloud and they are very highly scalable, share nothing, and parallel process.

There are, of course, SaaS-based offerings on a subscription basis. In other words, where there is a capital expenditure crunch or a budget crunch, and users can’t afford to pay the millions of dollars to bring one of these petabyte-scale data warehouses in house, they are going to go outside to the likes of a 1010data or using Amazon EC2 to aggregate, persist these huge datasets.

They can do very complex analyses and also run a greater degree of their data mining and predictive analytics algorithms in that very cloud. It just saves them money, and it's not a huge capital expenditure. It's a pay-as-you-go kind of thing. I think that's going to be the trend and those vendors who are already out there could be the major beneficiaries of this current economic crunch.

Gardner: So, that might mean if you are going to go to market, you want to have a cloud avenue for your go-to-market activities in addition to on-premises, or even say an open-source support model, right?

Kobielus: Yes, for sure.

Gardner: Tony, what's your take on the possibility of harsh economic times as actually a catalyst towards the increased transformation?

Baer: Well, I am going to pair a couple of words that would otherwise seem like an oxymoron, which is tactical transformation. In times like these, obviously you have changing economic conditions, changing in a very unpredictable manner. On the other hand, the financial crunch and the credit crunch is going to restrict the amount of resources you have at your disposal. So, you’re basically going to look very opportunistically. You are going to look at, let's say, the low-hanging fruit that will give you the greatest gain in savings or a way to respond to the market in a more agile manner.

That will be very much in the way that Dave and Jim mentioned, which is that you will be taking advantage of specific services in the cloud. You won’t necessarily do a global top down or enterprise-architectural SOA transformation, if you haven't done SOA already. But, opportunistically, if you are trying to take advantage of some of these cloud-based services to start doing mining on a more massive scale, at the same time trying to lower your risk, it will require certain applications or data source that you may have. You may need to conduct a transformation, where you will implement more flexible architectures, data SOA architecture.

But you will do it opportunistically in these tactical areas, where you can take advantage of services in the cloud that give you the advantages of the transformation to solve the problem you need to deal with, and at the same time, minimizing your risk.

Gardner: So, they are going to be looking for innovation without a big CAPEX, and if they can do that at the same time they are shutting down their own high-cost, high-labor applications in data centers that will be particularly attractive.

Baer: Or put it another way, “Capital, what capital?”

Gardner: Remember, not all companies are like banks. They have cash on hand, or they have ability to raise capital in a variety of different ways, rather than just going to a bank. So, we don't need to lump all these different types of enterprises into just the financial crisis problem.

Baer: Agreed. It's not to say that capital is totally shut-off, but the fact is that it's going to be rationed and a lot more carefully. I was just reading the advice that all these VCs are reading, and what they are saying is that if you have capital, find ways of stretching it.

Gardner: Save more cash, hold your cash basically. Speaking of verticals, let's look at this now through the lens of verticals, which verticals will do well and which will not.

My first take on this is that the government vertical is actually going to explode and might even start going down this road towards transformation in a much more significant way. Now, we can't read the tea leaves entirely on the economy, but politically we do start to see quite a momentum around the Democratic ticket and potentially a substantial majority for Democrats in Congress. They have put down platforms that include significant investments in such things as energy, healthcare, and of course they are going to need to transform how the government and the financial sector work together to calm the markets down.

On the other hand, some verticals that don't look good include retail and manufacturing. The auto industry is getting whacked. So, as IT spending is sliced and diced according to vertical, do we get a net-net up, down, or flat, when we look across verticals? I want to take a look at that. Dave Linthicum.

Linthicum: Yeah, it’s great living in Washington DC, let me tell you, because I think no matter where this thing goes, there is going to be full employment. The housing prices have actually crept up.

I think that you’re absolutely right. People are going to look to government to solve some of these issues and bureaucratic changes are going to be built here in different divisions, and people are going to have oversight of the financial industry.

If the Democratic administration comes in, there is going to be more civilian spending, and there is going to be probably a little shift from the spending in the Department of Defense on the military side.

So, this area is going to be explosive yet again, based on some things that are occurring and based on the government taking power in particular industries that they think they can be helpful in taking power. You can argue whether that's a good thing or a bad thing, but you are definitely going to see a lot of job shifts as things shift to that vertical.

The retail space is going to suffer tremendously. They already have very narrow razor-thin margins. I think we are going to see a lot of the larger retailers suffer and perhaps go away. I think healthcare is going to remain fairly static, and I think some of their costs may be reduced. As they start moving into more of a socialized medicine, if the Democrats take it there, there are going to be some big shifts there.

Believe it or not, even though you are moving into a healthcare-for-everyone kind of an environment, you are going to see that actually cost probably will go up, as a bureaucracy is put in place to maintain and administer that.

Finance is obviously going to be killed for a long time, especially the banking industry. That's going to be an area that isn't going to recover very quickly from what's going on right now, but I think that manufacturing ultimately will recover and we are going to see some good growth in the year 2009-2010.

Gardner: Why do you see manufacturing as doing okay?

Linthicum: Because, the need for products worldwide is down right now, because people don't have the capital or access to the credit to make that happen. However, they are going to continue to have to replace airplanes, factory equipment, those sorts of things. It's just going to be a pent-up demand, and I think that's going to basically get unleashed in 2009-2010.

You’re going to see the large durable goods, large manufacturing kind of systems. People are going to just spend money on that area and that's going to be a worldwide driven thing. It's not going to be just driven from the United States.

Gardner: Great. Jim Kobielus, you mentioned earlier that you saw financial organizations buying data warehousing services and solutions as sort of still growing, if not at the same rate. I'd like to have your take on the financial sector alone. Sure, there’s lots of turmoil, lots of contraction, but that doesn't necessarily mean you can shut off your IT systems. Mergers and acquisitions, consolidation sometimes can have a short-to-medium increase in IT requirement.

Kobielus: Right, and one of the things, Dana, that occurred to me is that the financial vertical and the government vertical are becoming overlapped. There is a degree of nationalization already that's taking place. The government is taking back Fannie Mae and Freddie Mac. I think they have taken over AIG, but all around the world, you hear governments, especially in Europe saying, “Hey, we need to re-nationalize or, to some degree, exert tighter control over the financial vertical.” I think this is everywhere in the world.

What we’re already seeing is that the government vertical, as they have indicated, will continue to grow, because it's going to exercise much greater oversight and equity positions within the financial vertical. I think the early part of this decade is a prelude to what we’re going to see in even greater abundance in the next 10 years.

After the whole Enron fiasco, with Sarbanes-Oxley and so forth, we saw the growth of this market and this technology called governance, risk management, and compliance (GRC) to exert tighter control over the financials of private enterprise, and bring greater transparency.

I think we are going to see now, the government exert ever tighter GRC reins over the financial sector, to a degree unprecedented, because we now have government actually owning or controlling a number of the key firms in that space. So, the whole GRC sector is in an embryonic stage. There are a number of vendors like SAP and Oracle who have taken sort of a leading-edge position in that area. That will expand greatly, and we are going to see more of these risk dashboards and controls being implemented in the context of BI and the data warehousing investments that enterprises have already made.

In terms of the horizontals, the GRC sector will come into its own, and it will be primarily the driver. There will be the financials, and then it will be around the world. All governments will enforce the use of this kind of technology.

Gardner: Right, and at a higher abstraction, that really means governance, and as much as internal governance it's perhaps governance from the extended enterprise sense, where there is going to be governance that crosses organizational boundaries. That's not going to be done with folks holding clipboards. That's going to be largely automated.

It’s going to have to be enforced through policies and rules and governance engines, it sounds an awful lot like SOA, but we are not going to apply the infrastructure we have developed for SOA. Just like services, we can apply it across a multitude of different business processes and activities in order to satisfy what you are talking about.

Baer: This reminds me of something I heard from Microsoft this week. I was in Seattle at their BI conference, and they were talking about how Microsoft internally is using their own BI tools and stack. They described a number of roles -- like marketing, sales, and finance -- and how they use BI. Then, I asked the person, “Okay, your CEO, Steve Ballmer, obviously uses BI, but does he have a risk dashboard or a compliance dashboard or tools?”

Clearly, Microsoft is under a number of legal and regulatory mandates, compliance and so forth, and the people from Microsoft couldn’t answer that question immediately. They weren't really quite sure what's on Steve's dashboard.

In three years time, every CEO in the world will have a GRC dashboard that tells them on any given day the hoops they need to jump through to satisfy the regulators, I think that's coming fairly soon.

Gardner: Not just regulators, but the market doesn’t want to be caught unaware, as we apparently have been with this meltdown. In the future, they are going to want to know not just what they have to do to comply, but what the unknown risks are in terms of how the markets themselves are behaving.

Let's go to Tony Baer. Tony, what's your take on the opportunity for governance infrastructure to move beyond SOA, and is the new environment for business a growth area for SOA governance infrastructure?

Baer: Yeah, big time. I was talking before about these opportunistic areas. In the case of governance, I don't know if I would call it “opportunistic,” but it is an area in which you do not have an option as to whether you comply or not. Therefore, the only economic way to provide all the information and to do all the audits without having to rip apart all of your existing back-end infrastructure is through a services layer on top of all that.

Maybe I can come up with a cheap buzzword here, a buzz-line or a tag-line, such as “Son of SOX,” for what's going to become a changing regulatory environment. You’ll need a governance layer that can contend with changes in this moving target.

Obviously, the only feasible way, from an architectural standpoint, to deal with that is do a flexible architecture, and that's essentially what a SOA is.

I very much agree with Dave and with Jim in terms of what are likely to be the growth sectors, but there are a couple of extra points I want to plug in there. This ties in with this question. The financial industry itself will not be a growth sector over the next few years, it will be very much a consolidating sector, but guess what, as you consolidate, you need to invest in consolidation.

Imagine all these huge mergers going on. Wells Fargo just finally got the agreement to acquire Wachovia, but of course there will be some litigation from Citibank. Also, Bank of America acquired Merrill and there’s the whole reorganization of Wall Street, from investment banks into banking institutions.

The fact is, there is going to be a lot of transformation going on, and it's not transformation to support a growing business. It's transformation to support a changing business. There will be a lot of investment there, in addition to whatever investment will be necessary to deal with the new governance risks in compliance requirements.

Another area -- and I wanted to slip this in because it's nothing intuitive -- but if you look back at past history during economic downturns, and I hate to use the 'D' word but back in the depression, and I hope we are not heading into one, what area boomed during that era? Hollywood, the film industry. People were going out to the movies for cheap thrills.

In today's environment, the equivalent of that is, if you already have an Xbox 360 out there, you are going to be buying more games. Those are cheap thrills. It's going to be cheaper than going out and buying a new HDTV or going out to Six Flags.

Gardner: That's interesting. We haven't talked about one sector, and that is the Entertainment/Web 2.0/Internet. We’ve seen some downturn in advertising, including Internet advertising, but is there an opportunity for buying a $3 movie and downloading it, a $2 song, a $3 game? How might our Internet/Media/Entertainment economy fare and will it be sliced and diced between those who depend on advertising and those who are not?

Baer: Very much so. The only downward pressure on this would be downward pressure on households to cut expenses and, if they consider that broadband is a discretionary expense, that would be the ceiling there. My sense though is that today to participate in the modern economy, broadband is becoming a necessity.

Gardner: Yeah, it's a utility. It’s like water, electricity. It's one of the last things that will go, right?

Gardner: My mother is 93, and I finally got her to get broadband. So we won’t give it up.

Kobielus: I have to jump in here and be dangerous one more time. I have another degree in Journalism and I was primarily a student of the mass media. If you look at the depression of the 1930s, historians and people who lived through the period talk about, what kept them company, in the dust bowl or wherever when they didn't have a job. It was the radio, which had been introduced in the previous decade.

Now, if gosh forbid, we have something similar coming up in the teens of this decade, what is the new radio? It's the Web. And so, who are the new entertainers? Well, actually in many ways it will be each other. I mean, through the whole Web 2.0 user-generated content paradigm. If you think about it, that's cheap entertainment, because it's generated for free and there is an unlimited supply of it available over some pipe that you've got coming into your home.

Gardner: I'd like to point out that this podcast is coming to you completely free. Continue.

Kobielus: And we are free to say what we want on this podcast.

Gardner: Does anybody else have some thoughts out there on the impact on Internet and startups? What's the impact with startups? We have seen this slide deck from Sequoia Capital saying “batten down the hatches, no discretionary spending, hoard your cash.” Is this the VCs overreacting, because it's their pool of money that's at stake, or are there actually opportunities beyond what they are saying in these dire predictions?

Linthicum: There are huge opportunities out there. If you saw my column I did in SOA World Magazine, I think this is a great time to do a startup.

Number one, VCs be damned at this point. You don't need their money at all, just some angel investors to invest in some very minute infrastructure. With cloud computing out there and the number of things you can do from a marketing, application developer's, and outsourcing perspective, you can basically get a technology company up and running -- and profitable -- probably for the least real cost we've seen in years. It's a great time for people who are innovative, able, and resourceful to get out there and start technology companies.

There are two types of companies out there right now. There seemed to be the big behemoths that are very slow and cumbersome and strategically challenged, even though they are making a lot of money and grabbing a large share of the market. Then, there are the old maids and basically a lot of small startups that just haven't been able to get acquired to do their exits.

Now is a great time for small innovative new startups to get out there and help create new spaces, such as Web 2.0, and I think there are a number of SOA problems that need solving as well. I'd love to see some startups get out there and take those problems on.

Gardner: So, unintended consequence of the VCs contracting might be laying off a bunch of engineers and entrepreneurs. They'll go out there and say, “Okay, what am I going to do, sit in my garage and cry or am I going to look for platform-as-a-service (PaaS) providers and cloud providers that will allow me to develop a whole new set of applications on the cheap that I could put on my credit card. Then, I only pay for infrastructure as I need it and as I can create a business model?”

Linthicum: Yeah, one of the things I would love to see come out of this whole mess that we are in right now is some of the Sarbanes-Oxley stuff contracting a bit. Quite frankly, a lot of the startups out there are unable to do any kind of exit other than acquisitions. You have no chance to take anything public. It's economically not viable for you to do so, because of the cost of maintaining the regulations around the whole publicly traded company opportunity.

I would love to see the government reopen that market a bit and make it much easier for startups that are profitable, that have a good track record and good technology to get access to the public marketplaces. Right now, they have to keep going back to the venture capital community. In many instances, those guys are strategically challenged. They are not focused on a particular industry, they are basically just focused on investment. That's going to be difficult going forward.

Gardner: So in the ‘30s, we had the Works Progress Administration (WPA), which got people out there with shovels -- and my grandfather was one of them -- moving stuff around in the city in order to create works. Perhaps with an Internet Public Assistance Program, we can let the government be the seed and even steer them towards solutions of the government’s needs.

Now, the government wants to hire investment bankers to solve the problem that investment bankers created, but perhaps there is an opportunity for technologists to be brought in to solve some of these problems too.

Linthicum: Absolutely. What if a couple of the billions of dollars we are pumping back into the banks just went off to assist organizations and start-up companies around the technology space. I think there would be a huge boom in the area, and it would create jobs and be profitable fairly quickly.

I think some of them would probably go away, but overall, I think that it would have a positive effect on the economy. If you think about 1999, we were doing so well, because of the innovations around the Internet technology and other things that were booming. I think we are able to do that again, but we are just putting so many regulations, so much bureaucracy out there, that it makes it very difficult for the upstarts to get going.

Gardner: One little subset on this media discussion would be the press. Jim Kobielus, press has been under a tremendous amount of pressure lately. How are folks like Sam Zell going to fare on their traditional media, as advertising dries up, going to the Internet, seeing appreciable advertising business uptake there. It seems to me they are in the dead-end situation.

Kobielus: There is an ongoing crunch in the whole media sector that continues to ripple and ripple. It forces people out of being full-time journalists. So, it's not a happy thing. There was a Doonesbury cartoon recently in which Rick Redfern had been forcibly retired from the Washington Post. He was told, “Go and be a blogger!” He said, “Yeah, I will be one of a trillion bloggers out there.” “Well, you have a special differentiation. You are ex-Washington Post.”

Everybody is going to be from the journalism space, and even publishers are going to be “ex-journalists.” They have to find some next stage in their career, and I think a lot of smart people are going to become, as Dave indicates, entrepreneurs, but who will be self-funded from whatever remaining savings they have. It's not going to be a happy thing until the credit crunch eases.

Gardner: We only have a few more minutes. Let's look at some other potentially unintended consequences of all this.

If technology company stocks plummet some more, we might see some interesting things there. Somebody floated the idea that Sun Microsystems might just take its cash and buy itself out when its stock is trading at $5 -- and that was a stock that had a reverse four-way split. So it's down like a buck and change from what it was a few years ago.

Also RIM, still a strong company, a potential for a takeover, is looking back to the buy side. What sort of interesting unintended consequences might we see among the vendors? Any thoughts?

Kobielus: I have no thoughts. Guys?

Linthicum: Just from your first point, I think you’re going to see some guys who are going to buy themselves off from the market for now, and I can't blame them.

If I were CEO of a publicly traded company, and my stock price was below my market capital, with cash in the bank -- where some of them are -- I’d get off the market quick, because it's a good deal.

Gardner: Absolutely.

Kobielus: I think we've talked in a previous podcast about the upsurge of private investing, of companies going private. I think the difference this time will be that if companies are going to go private, they are going to have to basically bootstrap it. They are not going to be able to get a Silver Lake or anybody like that in the short-term.

Gardner: So a takeaway might be, if you can ride this out for two or three years, there is a buying opportunity, even buying yourself.

Kobielus: Right, if you get cheap enough. The other dividend of all that is once you go private, of course, you don't have to worry about all the GRC.

Gardner: One other subject that we haven't talked about is the analysis business. Is this an opportunity for people that need to know more about what's going on, and are folks like us going to be okay? Any thoughts?

Baer: Folks like us. Yeah. I think everybody is becoming an analyst. There is a whole blogosphere. Everybody in the blogosphere, to some degree, is an analyst. So, we’re going to be okay in the sense that we can still do analysis to our hearts' delight for free, if we so choose.

In terms of making a living on it, I think more-and-more analysts need to be half analyst, half consultant, doing projects for those who will pay us to actually show up and attend to only their needs and help them out with projects and also to make sense of what's going on in the space.

In any good time or bad time, analysts are essentially like reporters or journalists. We not only are in the industry, but we are in a sense above the industry, surveying what's going on and reporting to everybody else what we can see in terms of broad patterns and trends.

So I think there is a greater requirement on analysts to come in and offer reassurances or to tell people, “Okay, this strategy that you have been taking is not going to pan out. You better jump ship and try something different.”

Gardner: So changes are growth engines.

Kobielus: Yeah, and from that standpoint, it basically supplements the fact that there is going to be a decline in the journalist population, essentially a migration towards the extremes, which is on one hand journalism -- and this is not a development I’m very happy to see -- is that, as the financial base and the business model for journalism businesses is evaporating at this point, you are seeing more-and-more citizen journalists taking up more of the load. People are reading more blogs. They are not buying newspapers.

On the other end, it will create an appetite, and it will create a demand for people who are above the level of citizen blogger to say, “I have some professional credentials, and I can provide you some value-added analysis on your positions, so that you can essentially improve the competitiveness of your business.”

Gardner: Traditional and trade media will contract, which opens up a vacuum that can be filled by the expert-blogger function.

Kobielus: Right, expert blogger, but also the fact is that you get what you pay for. If you are a business and you are trying to improve your chance of surviving the market, you are going to work with key experts, key thought leaders out there, and you will pay for that.

It's not to say this is an infinite market for analysts. The business model for analyst firms is going through some stresses. Especially when you take a look at blogging. A lot of analyst firms have really not adapted to the blogosphere very well, or the more rapid flow of information.

So, even though I think there will continue to be a need for analysis and for paid analysis, the analyst industry or the analyst-firm industry needs to adapt to the new world of faster, more instantaneous communications.

Gardner: Well, great. We've had a well-rounded discussion about the situation. We found some bright spots and some counter-cyclical possible growth areas within this sad situation we find ourselves in. But, as we exit I want to go around the panel and on a 1-to-10 scale, with 10 being flush, financial nirvana, and 1 being a dead-pool bankruptcy, where on a scale of 1 to 10 at a median level will the software business be in a year from now? Let's start with you, Jim Kobielus.

Kobielus: I give it 5, straight down in the middle. I am trying not to lean towards either the manic or the depressive ends of the spectrum here. I think that some will do quite well and some will not. It's just a matter of taking a deep breath and recognizing that the economy goes through cycles, and the economy occasionally goes through panics -- the banking panics of the early 1900s and the late 1800s. We are sort of in the middle of one right now, which is an interesting phenomenon. I say interesting in the old Chinese sense of may you live through interesting times.

This has been a harsh decade. We started off with a tech-crunch and we are going to end with a tech-crunch, and a financial crunch, and it's going to take some time to sort it through, so just breathe easy.

Gardner: Tony Baer, 1 to 10, software industry.

Baer: Well, I'll give it 4, only because there are different headwinds on this go around. On the positive side, as Dave was mentioning before, the fact is that the barriers to entry are so much lower. So, if you can take advantage of the cloud, you can start in your own garage, and essentially marshal resources for very little cost. Basically, if you can sustain yourself and live close to the ground for the next two or three years, you and many others who are taking advantage of platform-as-a-service will have a whole new generation of solutions that will be ready for the next uptake.

Gardner: Dave Linthicum.

Linthicum: I am going to say 7.5. There are huge opportunities for the innovative and resourceful few out there in the market space. I think that technology shift, moving to higher regulations, you’ve got this “mother of all Sarbanes-Oxley” coming. Everybody is going to need folks in there to re-architect and re-automate and re-cast these businesses.

Then I think there is going to be some upside in the future. Every cloud has a silver lining and those who are smart out there can certainly find the silver linings in this cloud. I think IT is going to stumble a bit, but a lot more innovation is going to come into play, and people are going to use the cost-reduction capabilities, become a little bit more modernized and innovative in moving to cloud computing and SOA. All that stuff is going to accelerate tremendously in the next couple of years.

Gardner: I am going to go with 6.5. I agree that this is a transformation period, not just a contraction. I think this is going to necessitate a lot of the things that people have been working towards, but accelerate that, and force them to cut bait on the old stuff that doesn't work and adopt the new stuff that does. So, I’m fairly bullish on IT, but with a lot of spottiness. There are going to be some pockets of certain failure and the ability in people to move among and between those is what's going to become essential.

I want to thank our panel for a very interesting discussion about the IT sector in this economic maelstrom.

We have been talking with Jim Kobielus, senior analyst of Forrester Research. Thanks, Jim.

Kobielus: Thank you. It was great!

Gardner: Tony Baer, senior analyst at Ovum. Thank you, sir.

Baer: Hey, thanks, Dana!

Gardner: Dave Linthicum, independent consultant with Linthicum Group. Thank you.

Linthicum: Thank you!

Gardner: I also want to thank our sponsor, the charter sponsor for the BriefingsDirect Analyst Insights Edition is Active Endpoints, makers of the ActiveVOS visual orchestration system. I am Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.

Sponsors: Active Endpoints, Hewlett-Packard.

Transcript of BriefingsDirect podcast on the outlook for IT in the face of the economic downturn. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.