Showing posts with label wainewright. Show all posts
Showing posts with label wainewright. Show all posts

Wednesday, July 15, 2009

Panda's SaaS-Based PC Security Manages Client Risks, Adds Efficiency for SMBs and Providers

Transcript of a BriefingsDirect podcast on security as a service and cloud-based anti-virus protection and business models.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and

Download the transcript. Learn more. Sponsor: Panda Security.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on automating and improving how PC security can be delivered as a service. We'll discuss how the use of cloud-based anti-virus and security protection services are on the rise, and how small to medium-size businesses (SMB) can find great value in the software-as-a-service (SaaS) approach to manage PC support.

We'll also examine how the use of Internet-delivered security provides a strong business opportunity for resellers and channel providers to the businesses trying to protect all of their PCs, regardless of location.

Recent announcements by Panda Security for cloud-based PC anti-virus tools, as well as a Managed Office Protection solution, highlight how "security as a service" is growing in importance and efficiency.

Here to help us better understand how cloud-delivered security tools can improve how PCs are protected across the spectrum of end users, businesses, resellers, and managed-service providers, we're joined by Phil Wainewright, independent analyst, director of Procullux Ventures, and a ZDNet SaaS blogger. Welcome back to the show, Phil.

Phil Wainewright: It's great to be here, Dana.

Gardner: We're also joined by Josu Franco, director of the Business Customer Unit at Panda Security. Welcome to the show, Josu.

Josu Franco: Hello, Dana. Nice to be here.

Gardner: Let's start, Josu, with looking at the big picture. The general state of PC security, the SaaS model, and the dire economy are, for many organizations, conspiring to make a cloud-based solution more appropriate, perhaps now more than ever. Tell us why a cloud-based solution approach to PC security is a timely approach to this problem.

Franco: There are two basic problems that we're trying to solve here, problems which have increased lately. One is the level of cyber crime. There are lots and lots of new attacks coming out every day. We're seeing more and more malware come into our labs. On any given day, we're seeing approximately 30,000 new malware samples that we didn't know about the day before. That's one of the problems.

The second problem that we're trying to solve for companies is the complexity of managing the security. You have systems with more mobility. You have vectors for attack -- in other words, ways in which a system can be infected. If you combine that with the usage of more and more devices in the networks, that combination makes it very difficult for administrators to really be on top of the security mechanisms they need to watch.

In order to address the first problem, the levels of cyber crime, we believe that the best approach that we, as an industry, need to take is an approach that is sustainable over time. We need to be able to address these rising levels of malware in the future. We found the best approach is to move processing power into the cloud. In other words, we need to be able to process more and more malware automatically in our labs. That's the part of cloud computing that we're doing.

In order to address the second problem, we believe that the best approach for most companies is via management solutions that are easier to administer, more convenient, and less costly for the administrators and for the companies.

Centralized approach

Gardner: Now, Phil, we've seen this approach of moving out toward the Web for services -- the more centralized approach to a single instance of an application, the ability to manage complexity better through a centralized cloud-based approach across other applications. It seems like a natural evolution to have PC security now move to a SaaS model. Does that make sense from your observations?

Wainewright: It certainly does. To be honest, I've never really understood why people wanted to tackle Web-based malware in an on-premise model, because it just doesn't make any sense at all.

The attacks are coming from the Web. The intelligence about the attacks obviously needs to be centralized in the Web. It needs to be gathering information about what's happening to clients and to instances all around the Web, and across the globe these days. To have some kind of batch process, whereby your malware protection on your PC is something that gets updated every week or even everyday, is just not fast enough, because the malware attacks are going to take advantage of those times when your protection is not up-to-date.

Really making sure that the protection is up-to-date with the latest intelligence and is able to react quickly to new threats as they appear means that you've go to have that managed in the center, and the central management has got to be able to update the PCs and other devices around the edge, as soon as they've got new information.

Gardner: So, the architectural approach of moving more back to the cloud, where it probably belongs, at least certainly from an architectural and a timeliness or a real-time reaction perspective, makes great sense. But, in doing this, we're also offloading a tremendous burden from the client in terms of these large agents, tremendous demand on the processing of this client, the need to move large files around, drag on the networks, labor for moving around the organization, and physically getting to these machines. It seems almost blatantly obvious that we need to change this model. Do you agree, Josu?

Franco: I do. One point that I want to make, though, is that when we refer to SaaS, we use the term to refer to the management console of the security solutions. So, SaaS for us is an interface for the administrator, it’s an interface obviously based on the Web.

When we refer to cloud computing, it refers to our capacity to process larger and larger volumes of malware automatically, so that our users are going to be better protected. Ideally, cloud computing and SaaS should be going together, but that's going to take a little bit of time, although, in our case at least, all of our solutions align into those two concepts. We've been moving towards that. The latest announcements that we've made about this product for consumers go certainly into that direction.

I just want to make clear that SaaS for me is one thing. Cloud computing is a different thing. They need to work together, but as a concept we should not confuse the terms.

Wainewright: That's very important, Dana. One of the key things that people misunderstand about notions of cloud computing and SaaS is this idea that everything gets sucked up into the network and you don't do anything on the client anymore.

That's actually a rather primitive way of looking at the SaaS and cloud spectrum, because the client itself is part of the cloud. It's a device that interacts with other peers in the Web environment, and it's got processing power and local resources that you need to take advantage of.

The key thing is striking the right balance between what you do on the client and what you do in the cloud, and also being cognizant of where people are at in terms of their overall installed infrastructure and what works best in terms of what they've got at the moment and what their roadmap is for future migration.

Separating SaaS and cloud

Gardner: I see. So, we do need to separate SaaS and cloud. We need to recognize that this is a balance and not necessarily an all-or-nothing approach -- neither all-cloud nor all-client. This seems to fit particularly well into the demands of an SMB, a distributed business, or perhaps even a multi-level marketing (MLM) company, where there are people working at home, on the road, in remote offices, and it's very difficult for the administrators or the managed providers or resellers to get at these machines. Moving more of that balance towards the cloud is our architectural goal.

Let's move to the actual technical solution here. Josu, you described some new products. Clearly, there's still an agent involved, coming down to the PC. I wonder if you could describe some of the two big announcements you've had, one around this consumer security cloud service, and then the second around your Managed Office Protection solution.

Franco: The announcement that we've made about the Cloud Antivirus, is a very important announcement for us, because we've been working on this for a couple of years now, and this involves rebuilding the endpoint agent from scratch.

We saw the opportunity, or, I would say, the necessity of building a much lighter agent, much faster than previous agents, and, very importantly, an agent that is able to leverage the cloud computing capacity that we have, which we call "Collective Intelligence," to process malware automatically.

As I said before, this aligns with our technology vision, which is basically these three ideas: cloud computing or collective intelligence, as we call it, regarding the capacity to process

We believe that the more intelligence that we can pack into the agent, the better, but always respecting the needs of consumers -- that is to be very fast, to be very light, to be very transparent to them.

malware; SaaS as the approach that we want to take for managing our security solutions; and third, nano-architecture as the new endpoint architecture, in which we want to base all of our endpoint based solutions.

So, Cloud Antivirus is a very tiny, very fast agent that sits on the endpoint and is going to protect you by some level of local intelligence. I want to stress the fact that we don't see the agents disappearing anytime soon to protect the endpoints. We believe that the more intelligence that we can pack into the agent, the better, but always respecting the needs of consumers -- that is to be very fast, to be very light, to be very transparent to them.

This works by connecting with our infrastructure and asking for file determinations, when the local agent doesn't know about a particular file that it needs to inspect.

The second announcement is more than an announcement. Panda Managed Office Protection is a solution that we've been selling for some time now, and is working very well. It works by having this endpoint agent locally in every desktop or PC or laptop. Once you've downloaded this agent, which works transparently for the end user, all the management takes place via SaaS.

It's a management console that's hosted from our infrastructure, in which any admin, regardless of where they are, can manage any number of computers, regardless of where they are located. This works by having every agent talk to this infrastructure via Internet, and to talk to other agents, which might be installed in the same network, distributing updates or distributing other types of polices.

Gardner: Now, an interesting and innovative approach here is that you've made the Cloud Antivirus agent free to consumers, which should allow them to get protection for virtually nothing, but in doing so you've increased the network population for what you can do to gather instances of problems. The agent immediately sends that back to your central cloud processing, which can then create the fix and then deliver it back out. Is that oversimplifying it?

Staying better protected

Franco: That's a very true statement. We're not the first ones giving away a security agent for free. There are some other companies that I think are using the Freemium model. We've just released this very first version of Cloud Antivirus. We're distributing it for free with the idea that first we want people to know about it. We want people to use it, but very importantly, the more people that are using it, the better protected they're all going to be. As you say, we're going to be gathering intelligence about the malware that's hitting the streets and we're going to able to process that faster and to protect all those users in real-time.

Gardner: Phil, this strikes me as Pandora opening the box. I can't imagine us going back meaningfully in the marketplace to the older methods in architecture for security. Do you agree with me that this is a compelling shift in the market?

Wainewright: It is, obviously. We're talking about network scale here. The malware providers are already using network scale to great effect, particularly in the use of these zombie elements of malware that effectively lurk on devices around the Web, and are called into action to coordinate attacks.

You've got these malware providers using the collective intelligence of the Web, and if the good guys don't use the same arsenal, then they're just going to be left behind.

The malware providers are already using network scale to great effect, particularly in the use of these zombie elements of malware

I think the other thing that’s great about this Freemium model is that, even though the users aren't paying anything for the software, in effect they're giving something back, because the intelligence that's being collected is making the potential protection stronger. So, it's a great demonstration of how you can derive value even from something that is actually distributed for free.

Gardner: Sort of all for one, one for all?

Wainewright: Yes, that's right.

Gardner: So, if this works well for security, it strikes me that this also makes a great deal of sense for remediation, general support, patches, upgrades, or managing custom applications. It certainly seems to me that crossing the Rubicon, if you will, into security from a cloud perspective will open up an opportunity for doing much, much more across the general total cost of ownership equation for PCs. Is that in your future? Do you subscribe to that vision, Josu?

Franco: Yes, I do. First, we've been a specialized player in the anti-malware business, but I certainly do see the opportunity to do more things once you are installing an endpoint to be able to use the same management approach and be able to configure the PC, or to do a remote session on it based on the same console. For now, we're just doing the full anti-malware and personal firewall in this way, but we do see the opportunity of doing more PC lifecycle management functionalities within it.

Gardner: That brings us back to the economy. Phil, I've heard grousing from CEOs, administrators, and just about anybody in the IT department for years about how expensive it is, from the total cost perspective, to maintain a rich PC-client experience. Nowadays, of course, we don't have a luxury of, "It would be nice to cut cost." We really have to cut cost. Do you see a significant move towards more cloud-based services as an economic imperative?

Increasing the SaaS model

Wainewright: Oh yes, and one of the interesting phenomena has been that things like help desk, security, and remote support have increasingly been delivered using the SaaS model, even in large enterprises.

If you are the chief security officer for a large enterprise that's very dependent on the Web for elements for its operations, then you've got a tremendously complex task. There's an increasing recognition that it's much better to access pools of expertise to get those jobs done, than for everyone trying to become a jack of all trades and inevitably fall behind the state of the art in the technology.

More and more, in large enterprises, but also in smaller businesses, we're seeing people turning to outside providers for expertise and remote management, because that's the most cost effective way to get at the most up-to-date and the most proficient knowledge and capabilities that are out there. So yes, we're going to see more and more of that, spot on.

Gardner: I understand how this is a benefit to end-users -- a simple download and you're protected. I understand how this makes sense for SMBs who are trying to manage PCs across distributed environment, but without perhaps having an IT department or a security expertise on staff. But, I'm not quite sure I understand how this relates now to an additional business model benefit to a reseller or a value-added provider of some kind, perhaps a managed service provider.

Josu, help me understand a little bit better how this technology shift and some of these new products benefit the channel.

This means that for the end user it's going to reduce the operating cost, and for the reseller it's going to increase the margins for the services they're offering.

Franco: In the current economic times, more and more resellers are looking to add more value to what they are offering. For them, margins, if they're selling hardware or software licenses, are getting tougher to get and are being reduced. So, the way for them to really see the opportunity into this is thinking that they can now offer remote management services without having to invest any amount in what is infrastructure or in any other type of license that they may need.

It's really all based on the SaaS concept. They can now say to the customers, "Okay, from now on, you'll forget about having to install all this management infrastructure in-house. I'm going to remotely manage all the endpoint security for you. I'm going to give you this service-level agreement (SLA), whereby I'm going to check the status of your network twice or three times a week or once a day, and if there is any problem, I can configure it remotely, or I can just spot where the problems are and I can fix them remotely."

This means that for the end user it's going to reduce the operating cost, and for the reseller it's going to increase the margins for the services they're offering. We believe that there is a clear alignment among the interests of end users and partners, and, most importantly, also from our side with the partners. We don't want to replace the channel here. What we want is to become the platform of choice for these resellers to provide these value-added services.

Gardner: Does Panda then lurk behind the scenes, the picks and shovels for solution? Do you allow them to brand around it? Are you an OEM player? How does that work?

Franco: We can certainly play with a certain level of branding. We've been doing so with some large sales that we've made, for example, here in Spain. But, most of them want to start touching and kicking the tires and see if it works. They don't need the re-branding in the first instance, but yes, we've seen some large providers who do want some customization of the interface for their logos, and that's certainly a possibility.

Gardner: We've also seen in the market more diversity of endpoints. We've seen, for cost and convenience, reason to move towards netbooks. Smartphones have certainly been a fast growing part of the mix, despite the tough economy. This model of combining the best of SaaS, the best of cloud, and a small agent coordinating and managing them, strikes me as something that will move beyond the PC into a host of different devices. Am I wrong on that Phil?

Attacking the smartphones

Wainewright: No, you're absolutely right. One of the scary things is that many of us are carrying around smartphones now. It's only a matter of time before these very capable, intelligent platforms also become vulnerable to the kind of attacks that we've seen on PCs.

On top of that, there is a great deal more support required to make sure that the users gets the best out of those devices. Therefore, we're going to see much more of this kind of remote support being provided.

For example, the expertise to support half a dozen different types of mobile devices within our organization is something that the typical small business can't really keep up with. If they're able to access a third-party provider that has got the infrastructure and the experts on how to do that, then it becomes a manageable issue again. So, yes, we're going to see a lot more of this.

Ultimately, it's going to give us a lot more freedom just to be able to get on with our jobs, without having to worry about understanding how the device works, or even worse, working out how to fix it when something goes wrong. Hopefully, there will be much fewer instances when that downtime happens.

Gardner: Well, let's hope that we nip the bud here for this malware on multiple devices in the cloud before it ever gets to the device, and that removes the whole incentive or rationale

I think that we're going to see a convergence between the world of the consumer and the world of what we call a business.

for trying to create these problems in the first place. So, maybe moving more into the cloud actually starts stanching the problem from its root and core.

Let's move forward now to some of the proof points. We've talked about this in theory. It certainly makes sense to me from an architectural and vision perspective, but what does it mean in dollars and cents? Josu, do you have any examples of organizations that have started down this path -- SMBs perhaps, and/or resellers? How has this affected their bottom line?

Franco: Yes, we do have very good examples of people who have moved along this path. Our largest installation with the Managed Office Protection product is over 23,000 seats in Europe. It's a very large school or education institution, and they're managing their entire network with just a very few people. This has considerably reduced their operating cost. They don't need to travel that much to see what's happening with their systems.

We also have many other examples of our resellers that are actually using this product, not only to manage business spaces, but also managing even consumer spaces. I think that we're going to see a convergence between the world of the consumer and the world of what we call a business.

Moving to the consumer space

Some analyst friends are talking a lot about the consumerization of IT. I think that we'll also see that consumers are going to start using technologies that perhaps we thought belonged in the business space. I'm talking, for example, about the ability for a reseller to centrally manage the PCs of consumers. This is an interesting business model, and we have some examples of this emerging trend. In the US, we have some researchers who are managing thousands of computers from their basement.

So, even though our intention was to position this product for SMBs, we do see that there are some verticalized niches in the market into which this model fits really well. Talking about highly distributed environments, what's more highly distributed than a network of consumers, everyone in their own home, right? So, I think this is definitely something that we're going to see happening more and more in the future.

Gardner: Without going down this very interesting track too much, we're starting to see some CIOs cotton to the notion of letting people pick their end device, but then accessing services back in the enterprise, and with some modest governance and security. It sounds as if a service like this might fill that role.

Then, in addition to the choice of the consumer or end user on device, it seems to me that we're also in a position now for the providers of the bit pipes -- the Internet, telephony,

The value that's being created and is being shared out by the vendors and the providers in the SaaS model is that time saving and opportunity cost saving

communications, and collaboration -- to start offering the whole package, a PC with security, remediation, protection, and you pay a flat fee per month. Do you think these two things are around the corner, Phil, or maybe three or four years out?

Wainewright: To the previous point, people often think of the consumer Web as completely separate from the business Web. In fact, the reality today is that individual users at home are just as likely to be doing business things or work things on their home PCs as they are to be doing actually home things or even side businesses on their work PCs.

If someone is auctioning off their collection of plastic toys on eBay, then are they an individual consumer or are they a business? The lines are shading. I think what you need to look at is, what is the opportunity cost? If it's going to cost me time that I can't afford, or if it's going to mean that I'm not going to be able to earn money that I could otherwise be earning, then it's going to be worth my while to pay that monthly subscription.

One of the key things that people forget, when they're comparing the cost of a SaaS solution or a Web provided solution to a conventional installed piece of packaged software, is they never look at the resource and time that the user actually spends to get things setup with the packaged software, to fix things when they go wrong, or to do upgrades.

The value that's being created and is being shared out by the vendors and the providers in the SaaS model is that time saving and opportunity cost saving.

Gardner: Now, we have to assume that the security is going to be good, because if it doesn't protect, then that's going to become quite evident. But what we're also talking about, now that I understand it better, Josu, is really we're focusing on simplicity and convenience vis-à-vis these devices, vis-à-vis security, but also in the larger context of the level of comfort, of trust that the device will work, that the network will be supported, and that I'm not going to run into trouble. Is that what we're really talking about here as a value proposition -- simplicity and convenience?

Franco: As you said, it needs to protect. It needs to be very effective at a time when we're seeing really huge amounts of malware coming out every day. So, that's preconditioned. It needs to protect.

But if it's something that is going to be there protecting users, and many users see security as something that they need to live with, it's not truly something that they see as a positive application that they have. It's something that sometimes annoys people. Well, let's make it as simple, as transparent, as fast, as imperceptible as possible, and that's what this is all about.

Gardner: Very good. We've been learning a lot today about PC security and how it can be delivered as a service in conjunction with the cloud-based central management and processing. This architectural approach is now quite prominent for security, and perhaps will become more prominent across other aspects of client device support and convenience and lower cost and higher trust. So a lot of goodness. I certainly hope it works out that way.

Cost and protection benefits, along with productivity benefits, and as a result less downtime, is a good thing. We've looked at it across the spectrum of end users and businesses, resellers, and managed service providers. Helping us understand this we've been joined by our panel. I want to thank them. Phil Wainewright, independent analyst, director of Procullux Ventures, and a ZDNet SaaS blogger. I appreciate your time, Phil.

Wainewright: It's been great to be with you today, Dana.

Gardner: We've also heard from Josu Franco, director of the Business Customer Unit at Panda Security. Thank you Josu.

Franco: It's been my pleasure, thanks.

Gardner: I also want to thank the sponsor of this discussion, Panda Security, for underwriting its production.

This is Dana Gardner, principal analyst at Interarbor Solutions, thanks for listening, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and

Download the transcript. Learn more. Sponsor: Panda Security.

Transcript of a BriefingsDirect podcast on security as a service and cloud-based anti-virus protection and business models. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

Monday, December 15, 2008

IT Systems Analytics Become Crucial as Move to Cloud and SaaS Raises Complexity Bar

Transcript of a BriefingsDirect podcast on the role of log management and analytics as enterprises move to cloud computing and software as a service.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. More related podcasts. Sponsor: LogLogic.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on the changing nature of IT systems' performance and the heightening expectations for applications delivery from those accessing application as services.

The requirements and expectations on software-as-a-service (SaaS) providers are often higher than for applications traditionally delivered by enterprises for their employees and customers. Always knowing what's going on under the IT hood, being proactive in detection, security, and remediation, and keeping an absolute adherence to service level agreements (SLAs), are the tougher standards a SaaS provider deals with.

Increasingly, this expected level of visibility, management, and performance will apply to those serving up applications as services regardless of their hosting origins or models.

Here to provide the full story on how SaaS is making all applications' performance expectations higher, and how to meet or exceed those expectations is Jian Zhen, senior director of product management at LogLogic. Welcome to the show Jian.

Jian Zhen: Thank you for having me.

Gardner: We're also joined by Phil Wainewright, an independent analyst, director of Procullux Ventures, and SaaS blogger at ZDNet and ebizQ. Welcome back to the show, Phil.

Phil Wainewright: Glad to be here, Dana.

Gardner: Phil, let’s start with you. The state of affairs in IT is shifting. Services are becoming available from a variety of different models and hosts. We're certainly hearing a lot about cloud and private cloud. I suppose the first part of this that caught the public's attention was this whole SaaS notion and some successes in the field for that.

Maybe you could help us understand how the world has changed around SaaS infrastructure, and what implications that has for the IT department?

Wainewright: One thing that's happening is that the SaaS infrastructure is getting more complicated, because more choice is emerging. In the past people might have gone to one or two SaaS vendors in very isolated environments or isolated use cases. What we're now finding is that people are aggregating different SaaS services.

They're maybe using cloud resources alongside of SaaS. We're actually looking at different layers of not just SaaS, but also platform as a service (PaaS), which are customizable applications, rather than the more packaged applications that we saw in the first generation of SaaS. We're seeing more utility and cloud platforms and a whole range of options in between.

That means people are really using different resources and having to keep tabs on all those different resources. Where in the past, all of an IT organizations' resources were under their own control, they now have to operate in this more open environment, where trust and visibility as to what's going on are major factors.

Gardner: Do you think that the type of application delivery that folks are getting from the Web will start to become more the norm in terms of what delivery mechanisms they encounter inside the firewall from their own data center or architecture?

Wainewright: If you're going to take advantage of SaaS properly, then you need to move to more of a service-oriented architecture (SOA) internally. That makes it easier to start to aggregate or integrate these different mashups, these different services. At the end of the day, the end users aren't going to be bothered whether the application is delivered from the enhanced data center or from a third-party provider outside the firewall, as long as it works and gives them the business results they're looking for.

Gardner: Let's go to Jian Zhen at LogLogic. How does this changing landscape in IT and in services delivery affect those who are responsible for keeping the servers running, both from the host as well as the receiving end in the network, and those who are renting or leasing those applications as services?

Zhen: Phil hit the nail on the head earlier when he mentioned that IT not only has to keep track of resources within their own environment, but now has to worry about all these resources and applications outside of their environment that they may or may not have control over.

That really is one of the fundamental changes and key issues for current IT organizations. You have to worry not only about who is accessing the information within your company firewall, but now you have all this data that's sitting outside of the firewall in another environment. That could be a PaaS, as Phil said, it could be a SaaS, an application that's sitting out there. How do you control that access? How do you monitor that access. That's one of the key issues that IT has to worry about.

Obviously, there are data governance issues and activity monitoring issues. Now, from a performance and operational perspective, you have to worry about, are my systems performing, are these applications that I am renting, or platforms or utilities I am renting, are they performing to my spec? How do I ensure that the service providers can give me the SLAs that I need.

Those are some of the key issues that IT has to face when they are going outside of this corporate firewall.

Gardner: I suppose if it were just one application that you knew you were getting as a service, if something would go wrong, you might have a pretty good sense of who is responsible and where, but we are very rapidly advancing toward mixtures, hybrids, multiple SaaS providers, different services that come together to form processes. Some of these might be on premises, and some of them might not be.

It strikes me that we're entering a time when finger pointing might become rampant if something goes wrong, who is ultimately responsible, and under whose SLA does it fall?

Phil, from your perspective, how important will it be to gain risk, compliance, and security comfort, by being able to quickly identify who is the source of any issue?

Wainewright: That's vitally important, and this is a new responsibility for IT. To be honest Dana, you're a little bit generous to the SaaS providers when you say that if you only dealt with one or two, and if something went down, you had a fair idea of what was going on. What SaaS providers have been learning is that they need to get better at giving more information to their customers about what is going wrong when the service is not up or the service is not performing as expected. The SaaS industry is still learning about that. So, there is that element on that side.

On the IT side, the IT people have spent too much time worrying about reasons why they didn't want to deal with SaaS or cloud providers. They've been dealing with issues like what if does go down, or how can I trust the security? Yes, it does go down sometimes, but it's up 99.7 percent of the time or 99.9 percent of the time, which is better than most organizations can afford to do with their own services.

Let's shift the emphasis from, "It's broken, so I won't use it," to a more mature attitude, which says, "It will be up most of the time, but when it does break, how do I make sure that I remain accountable, as the IT manager, the IT Director, or the CIO. How do I remain accountable for those services to my organization, and how do I make sure that I can pinpoint the cause of the problem, and get it rectified as quickly as possible?"

Gardner: Jian, this offers a pretty significant opportunity, if you, as a vendor and a provider of services and solutions, can bring visibility and help quickly decide where the blame lies, but I suppose more importantly, where the remediation lies. How do you view that opportunity, and what specifically is LogLogic doing?

Zhen: We talked to a lot of customers who were either considering or actually going into the cloud or using SaaS applications. One of the great quotes that we recently got from a customer is, "You can outsource responsibility, but not accountability." So, it fits right into what Phil what was saying about being accountable and about your own environment.

The requirement to comply with government regulations and industry mandates really doesn't change all that much, just because of SaaS or because a company is going into the cloud. What it means is that the end users are still responsible for complying with Sarbanes-Oxley (SOX), payment cared industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), and other regulations. It also means that these customers will also expect the same type of reports that they get out of their own systems.

IT organizations are used to transparency in their own environment. If they want to know what's happening in their own environment, they can get access to it. They can at least figure out what's going on. As you go into the cloud and use some of the SaaS applications, you start to lose some of that transparency, as you move up the stack. Phil mentioned earlier, there's infrastructure as a service, PaaS, SaaS. As you go up the stack, you're going to lose more and more of that transparency.

From a service-provider perspective, we need these providers to provide more transparency and more information as to what's happening in their environment and who has access. Who did access the information? LogLogic's can help these service providers get that kind of information and potentially even provide the reports for their end users.

From a user's perspective, there is that expectation. They want to know what's going on and who is accessing the data. So, the service providers need to have the proper controls and processes in place, and need to continuously monitor their own infrastructure, and then provide some of these additional reports and information to their end customers as needed.

Gardner: LogLogic is in the business of collating and standardizing information from a vast array of different systems through the log files and other information and then offering reports and audit capabilities from that data. It strikes me that you are now getting closer to what some people call business intelligence (BI) for IT, in that you need to deal almost in real time with vast amounts of data, and that you might need to adjust across boundaries in order to gain the insights and inference.

Do you at LogLogic cotton to this notion of BI for IT, and if so, what might we expect in the future from that?

Zhen: BI for IT or IT intelligence, as I have used the term before, is really about getting more information out of the IT infrastructure; whether it's internal IT infrastructure or external IT infrastructure, such as the cloud.

Traditionally, administrators have always used logs as one of the tools to help them analyze and understand the infrastructure, both from a security and operational perspective. For example, one of the recent reports from Price Waterhouse, I believe, says that the number one method for identifying security incidents and operational problems is through logs.

LogLogic's can provide the infrastructure and the tools to help customers gather the information and correlate different log sources. We can provide them that information, both from an internal and external perspective. We work with a lot of service providers, as you know, companies like SAVVIS, VeriSign, Verizon Business Services, to provide the tools for them to analyze service provider infrastructures as well.

A lot of that information can be gathered into a central location, correlated, and presented as business intelligence or business activity monitoring for the IT infrastructure.

Gardner: Phil, the amount of data that we can extract from these systems inside the service providers is vast. I suppose what people are looking for is the needle in the haystack. Also, as you mentioned, it probably behooves these providers to offer more insights into how well they did or didn't do.

What's your take on this notion of BI for IT, and does it offer the SaaS providers an opportunity to get a higher level of insight and detail about what is going on within their systems for the assurance and risk mediation for their customers?

Wainewright: Yes, it does. This is an area where we are going to see best practices emerge. We're in a very early stage. Talking about keeping logs reminds me of what happened in the early days of Web sites and Web analytics. When people started having Web sites, they used to create these log files, in which they accumulated all this data about the traffic coming to the site. Increasingly, it became more difficult to analyze that traffic and to get the pertinent information out.

Eventually, we saw the rise of specialist Web-traffic analytics vendors, most of them, incidentally, providing their services as SaaS focused on helping the Web-site managers understand what was going on with their traffic.

IT is going to have to do the same thing. Anyone can create a log file, dump all the data into a log, and say that they've got a record of what's been going on. But, that's the technically easy challenge. The difficult thing, as Jian said, is actually doing the business analytics and the BI to see what was going on, and to see what the information is.

Increasingly, it comes back to IT accountability. If your service provider does go down, and if the logs show that the performance was degrading gradually over a period of time, then you should have known that. You should have been doing the analysis over time, so that you were ahead of that curve and were able to challenge the provider before the system went down.

If it's a good provider, which comes back to the question you asked, then the provider should be on top of that before the customer finds out. Increasingly, we'll see the quality of reporting that providers are doing to customers go up dramatically. The best providers will understand that the more visibility and transparency they provide the customers about the quality of service they are delivering, the more confidence and trust their customers will have in that service.

Gardner: As we mentioned, the expectations are increasing. The folks who rent an application for a few dollars a month actually have higher expectations on performance than perhaps far more expensive applications inside a firewall and the traditional delivery mechanisms.

Wainewright: That's right, Dana. People get annoyed when Gmail goes down, and that's free. People do have these high expectations.

Gardner: Perhaps we can meet those expectations, even as they increase, but even more importantly for these providers is the cost at which they deliver their services. The utilization rates, the amount of energy that’s required per task or some metric like that, these log files, and this BI will decide their margins and how competitive they are in what we expect to be a fairly competitive field. In fact, we are starting to see the signs of marketplace and auctioning types of activities around who can put up a service for the least amount of money, which, of course, will put more downward pressure on margin.

I've got to go back to Jian on this one. We can certainly provide for user expectations and SLAs, but ultimately how well you run your data center as a service provider dictates your survival ability or viability as a business.

Zhen: You're absolutely right. One of the things that service providers, SaaS providers, or cloud providers have always talked about is the economy of scale. Essentially, that's doing more with less in order to understand your IT infrastructure and understand your customer base. This is what BI is all about, right? You're analyzing your business, your user base, the user access, and all that information in trying to come up with some competitive advantage to either reduce cost or increase efficiency.

All that information is in logs, whether logs that are spewed out by your IT infrastructure, logs that are instrumented using agents or application performance, monitoring type of tools. That information is there, and you need to be able to automate and enhance the ways things are done. So, you need to understand and see what's going on in the environment.

Analyzing all those logs gives you critical capability, not only managing hundreds or thousands of systems and making them more efficient, but bringing that BI throughout. Seeing how your users are accessing, reacting to, or changing your system makes it more efficient for the user, faster for the user, and, at the same time, reduces that cost to manage the infrastructure, as well as to do business.

So, the need to understand and see what's going on is really driving the need to have better tools to do system analysis.

Gardner: Well, how about that Phil? With apologies to Monty Python, every electron is important, right?

Wainewright: Well, it certainly can be. I think the other benefits of providers monitoring this information is that, if they can build out a track record and demonstrate that they all providing better service, then maybe that's the way of defending themselves, of being able to justify asking higher prices than they might otherwise have done.

If the pricing is going to go down because of competitive pressures, there will be differential pricing according to the quality that providers can show they have a track record for delivering.

Zhen: I definitely agree with that. Being able to provide better SLAs, being able to provide more transparency, audit transparency, are things that enterprises care about. As many reports have mentioned, it's one of the biggest issues that's preventing enterprises from adopting the cloud or some of these SaaS applications. Not that the enterprises are not adopting, but the movement is still very slow.

The main reasons are security and transparency. As SaaS providers or service providers start providing a lot more information based on the data that they analyze, they can provide better SLAs, both from an uptime and performance perspective, not just uptime. A lot of the SLAs today just talk about uptime. If they can provide a lot of that information by analyzing the information that they already have -- the log data, access data, and what not -- that’s a competitive advantage for the providers. They can charge a higher price, and often, enterprises are willing to pay for that.

Wainewright: I've been speaking to enterprise customers, and they are looking for better information from the providers about those performance metrics, because they want to know what the quality of service is. They want to know that they're getting value for money.

Gardner: Well, we seem to have quite a set of pressures. One, to uphold performance, provide visibility, reduce risk, and offer compliance and auditing benefits. On the other side, it's pure economics. The more insight and utilization you have, and the more efficiently you can run your data centers, the more you can increase your margin and scale out to offer yet more services to more types of customers. It seems pretty clear that there's a problem set and a solution set.

Jian, you mentioned that you had several large service providers as customers. I don’t suppose they want all the details about what happens inside their organizations to come out, but perhaps you have some use case scenarios. Do you have examples of how analytics from a system’s performance, vis-à-vis log data, helps them on either score, either qualitatively in terms of performance and trust, and more importantly, over time, their ability to reap the most efficiency out of their system?

Zhen: These are actually partners of LogLogic. We've worked with these service-provider partners to provide managed services or cloud services for log management to the end customers. They're using it both working with the customers themselves, as well as using it internally.

Often, the use cases are really around compliance and security. That’s where the budget is coming from. Compliance is the biggest driver for some of these tools today.

However, some of the reports I mentioned, especially from Enterprise Strategy Group (ESG), one of the fastest-growing use cases for log management is operational use. This means troubleshooting, forensic analysis, and being able to analyze what's going on in the environment. But, the biggest driver today for purchasing that type of log-management solution is still compliance -- being able to comply with SOX, PCI, HIPAA, and other regulations.

Gardner: Let’s wrap up with some crystal-ball gazing. First, from Phil. How do you see this market shaking out? I know we're under more economic pressure these days, given the pending or imminent global recession, but it seems to me that it could be a transformative pressure, a catalyst, toward more adoption of services, and keeping application performance at lowest possible cost. What's your sense of where the market is going.

Wainewright: It’s a terrible cliché, but it’s about doing more with less. It may be a cliché, but it’s what people are trying to do. They've got to cut costs as organizations, and, at the same time, they have to actually be more agile, more flexible, and more competitive.

That means a lot of IT organizations are looking to SaaS and they're looking to cloud computing, because this is the way of getting resources without a massive outlay and starting to do things with a relatively low risk of failure.

They're finding that budgets are tight. They need to get things done quickly. Cloud or SaaS allows them to do that, and therefore there's a rosy future, even in bleak economic conditions, for this type of offering.

There are still a lot of worries among IT people as to the reliability and security and privacy compliance and all the other factors around SaaS. Therefore, the SaaS providers have to make sure that they're monitoring that, and that they're reporting. Likewise, the IT people, for their own peace of mind, need to make their own arrangement, so that they can also be keeping an eye on their side. I think everyone is going to be tracking and monitoring each other.

The upside of is that we're going to get more enterprise-class performance and enterprise-class infrastructure being built around the cloud services and the SaaS providers, so that enterprises will be able to have more confidence. So, at the end of the economic cycle, once people start investing again, I think we'll see people continue to invest in cloud services and SaaS, not because it's the low-cost option, but because it's the proven option that they have confidence in.

Gardner: Jian Zhen, how do you and LogLogic see the market unfolding? Where do you think the opportunities lie?

Zhen: I definitely agree with Phil. With the current economic environment, a lot of enterprises will start looking at SaaS and cloud services seriously and consider them.

However, enterprises are still required to be compliant with government regulations and industry mandate, so that's not going to go away. For the service providers and the SaaS providers, what they can do to attract these customers really is to make themselves more attractive, and make themselves be compliant with some of these regulations, and provide more transparency, giving people a view into who is accessing the data, and how they protect the data.

Amazon did a great thing, which was to release a white paper on some of their security practices. It's a very high level, but it’s a good start. Service providers need to start thinking more along the lines of, how to attract these enterprise customers, because the enterprise customers are willing and seriously considering SaaS services.

Phil had an article a while back, calling for a SaaS code of conduct. Phil, one of the things that you should definitely add there is a code to have the service providers provide all the transparency. That’s a thing that service providers can use to offer essentially a competitive advantage for their enterprise customers.

Gardner: Now, you sit at a fairly advantageous point, or a catbird's seat, if you will, on this regulatory issue. As enterprises seek more SaaS and cloud services for economic and perhaps longer-term strategic reasons, do we need to rethink some of our compliance and regulatory approaches?

We have a transition in the United States in terms of the government. So, now is a good time, I suppose, to look at those sorts of things. What, from your perspective, should change in order to allow companies to more freely embrace and use cloud and SaaS services, when it comes to regulation and compliance?

Zhen: As far as changing the regulations, I'm not sure there are a lot of things. We've seen SOX become a very high level and very costly regulation to be compliant with. However, we've also have seen PCI. That’s much more specific, and companies and even service providers can adopt and use some of these requirements.

Gardner: That's the payment card issue, right?

Zhen: Correct. The PCI data-security standard is a lot more specific as to what a company has to do in order to be compliant with it. Actually, one of the appendixes is really for service providers. A lot of service providers have used, for example, the Statement on Auditing Standards (SAS) 70 Type II kind of a report as one of the things they show the customer that they are compliant with. However, I don’t think the SAS 70 Type II is sufficient, mainly because the controls are described by the service providers themselves.

Essentially, they set their own requirements and they say, "Hey, we meet these requirements." I don’t think that’s sufficient. It needs to be something that’s more industry standard, like PCI, but maybe a little bit different, definitely more specific as to what the service providers needs to do.

On top of that, we need some kind of information on when security incidents happen with service providers. One of the things that 44 states have today is data-breach notification laws. That law obviously doesn’t apply to SaaS providers, but in order to provide more transparency there may need to be some standard or some processes in how breaches are reported and handled.

Some of these things certainly will help enterprises be more comfortable in adopting the services.

Gardner: Well, there are some topics Phil for about 150 blog entries, this whole notion of how to shift regulation and compliance in order to suit a cloud economy.

Wainewright: Yeah, it's going to be a difficult issue for the cloud providers to adapt to, but a very important one. This whole issue of SAS 70 Type II compliance, for example. If you're relying on a service provider for part of the services that you provide, then your SAS 70 Type II needs to dovetail with their SAS 70 Type II processes.

That’s the kind of issue that Jian was alluding to. It's no good just having SAS 70 Type II, if the processes that you've got are somehow in conflict with or don't work in collaboration with the service providers that you are depending on. We have to get a lot smarter within the industry about how we coordinate services and provide accountability and audit visibility and trackability between the different service providers.

Gardner: Very good. We've been discussing requirements and expectations around SaaS providers, looking at expected increases and demands for visibility, and management and performance metrics. Helping us to better understand these topics -- and I'm very happy that they joined us -- are Jian Zhen, senior director of product management at LogLogic. Thanks for your input, Jian.

Zhen: Thank you, Dana.

Gardner: Also Phil Wainewright, independent analyst, director of Procullux Ventures, and SaaS blogger at ZDNet and ebizQ. Always good to have you here Phil, thank you.

Wainewright: Thanks, Dana.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You've have been listening to a sponsored BriefingsDirect podcast. Thanks, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. More related podcasts. Sponsor: LogLogic.

Transcript of a BriefingsDirect podcast on the role of log management and analytics as enterprises move to cloud computing and SaaS. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Thursday, May 15, 2008

BriefingsDirect Insights analysts probe future of online advertising and find transactional lucre lurking

Edited transcript of periodic BriefingsDirect Analyst Insights Edition podcast, recorded May 9, 2008.

Listen to the podcast. If you'd like to learn more about BriefingsDirect B2B informational podcasts, or to become a sponsor of this or other B2B podcasts, contact Interarbor Solutions at 603-528-2435.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 29, a periodic discussion and dissection of software, services, cloud computing, and related news and events with a panel of industry analysts and guests.

I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions. Our distinguished panel this week, and this is the week of May 5, 2008, consists of Joe McKendrick, an independent analyst and prolific service-oriented architecture (SOA) blogger. Welcome back to the show, Joe.

Joe McKendrick: Thanks, Dana, good to be here.

Gardner: We’re also joined by Tony Baer, a principal at onStrategies and also a prolific software blogger. Welcome back, Tony.

Tony Baer: Hey, Dana, top of the morning.

Gardner: And, last on our panel this week, Phil Wainewright, an independent analyst, director of Procullux Ventures, and also a prolific software-as-a-service (SaaS) blogger. Welcome back, Phil. [Update: See Phil's blog on this topic.]

Phil Wainewright: Great to be back, Dana.

Gardner: Well, I think we've had a little bit of activity this week. Let's go through that, before we get into our main topic of the day, and that will be on the economic models that will support cloud computing and software through the wire, SaaS applications. Principally, we're going to be looking at subscription and advertising -- how they mix and how they come together.

But, before we get into a discussion on cloud computing's economic future, let's go around the table. I was at JavaOne in San Fransisco this week, and I understand that, Phil, you were attending a event in London.

Wainewright: Yes, indeed, their first full Dreamforce event in Europe.

Gardner: Tell us a little bit about what it was like and some of your takeaways.

Wainewright: It was a great to actually have the Salesforce crew in my own timezone, so that I could take all of that on board. We had the usual two-and-a-half-hour Marc Benioff Dreamforce keynotes, and he was the one that got ragged this time, instead of me, so that was nice.

Gardner: He came to see you.

Wainewright: Well, that's right, although to be honest, it was my first Dreamforce, because I had never made it to San Fransisco for the Dreamforce events in the fall, and that's something that Marc has often complained to me about. So, it was good of him to bring the show over to me. I appreciate that, Marc, thanks.

Gardner: Of course, in addition to your importance, this must be also an indicator that the use of Salesforce in Europe and EMEA in general is increasing.

Wainewright: Oh, yes, it is. There were 2,500 people there. So, it was a big show. Some of the independent software vendors (ISVs) who have been putting software on the platform are actually from Europe, most notably CODA, which is a well-established financials application vendor, an ERP vendor.

Unit 4 Agresso recently bought CODA, which was an independent company listed on the UK stock market. CODA decided that to have a SaaS offering, it's going to use So, the Salesforce guys are really appreciative of CODA, deciding to gamble on them as the platform that they are going to use to enter the SaaS market.

Gardner: Very good. So, we're seeing more of that ecology development, the important tidal wave of developer interest in the model around SaaS. Maybe I mis-characterized that as a tidal wave. How would you characterize it?

Wainewright: Well, I think it's an incoming tide. Whether it's got the speed and force of a tidal wave is another matter.

Gardner: I set you up here Phil, and you didn't go for the bait.

McKendrick: Can't you call it one of the "Four Horsemen of the SaaS Apocalypse" or something like that?

Wainewright: People started talking to me earlier this week about these four vendors, all listed vendors on the stock market, that have got a certain size. Taleo just did an acquisition this week that brings them out to the 200 million-a-year run rate, close to the run rate that Concur has. Taleo is talent management, and Concur is travel and expense management. Then, you have Omniture, which is Web analytics. They expect to do around about 300 million this year. Then, the big Daddy of them all,, is looking to do $1 billion this year.

You are starting to see the leaders emerge now. Thank goodness it's not just Salesforce, but kind of gang of four, to use another foursome analogy, and they are riding the wave. I'm not quite sure what apocalypse it is yet. We might argue that it's an apocalypse for the conventional software vendors. Certainly, SAP seem to be having some trouble getting the SaaS product out of the door. So who knows, maybe this is bad news for the established software business.

Gardner: And, this event came right on the heels of the news last weekend that Microsoft, at least for the time being, is walking away from its bid for Yahoo! And, from comments from Bill Gates and others, it seems that Microsoft might be fully done with that merger or proposition. Was there any talk of that or did any Benioff mention it?

Wainewright: No, he was strangely silent, actually. The president of Google EMEA, was one of the people who came on stage during the Benioff keynotes. So, there was a talk about Salesforce and Google teaming up and working together, but very little about Microsoft.

The thing that interested me about Benioff's presentation, and this is something that I blogged about, was that he is really positioning not as the platform of the future, but as one of the platforms of the Web, and the one that he believes will be the leading platform for enterprise applications. But, he is now starting to talk about a whole forest of different platform-as-a-service (PaaS) vendors and acknowledging other platforms -- like Google App Engine, Amazon Web Services, and even Facebook -- as platforms people use to build functionality in the sky.

That's an interesting change of emphasis. In the past, it was always about. "Salesforce is a platform of the future. Microsoft Windows is the platform of the past. And, we are going to replace Microsoft as everyone's favorite platform."

It's good that he's now talking about the context of the Web being everyone's favorite platform and Salesforce's being just one of the platforms that you can choose to put functionality on the Web.

Gardner: So perhaps we are not going to replace one dominant platform with another, but replace one dominant platform with a diverse portfolio of others.

Wainewright: That's right, and perhaps that change of emphasis is something that Microsoft has not quite taken on board yet, and that's one of the reasons they thought buying Yahoo might be the way to go. Perhaps that's a topic we will get into later in the podcast.

Gardner: Okay. Let's go over to Tony in New York. Did you have any events you went to this week or did you observe some from a far, and do you have any input?

Baer: I have been observing from afar. I have been remote, as they say, but have been devoting most of my attention to JavaOne. I do want to add a thought there about Microsoft or Microhoo and also about Marc Benioff's thoughts on an emerging SaaS ecosystem.

One thing I want to make clear is that when you just have one company in the market, essentially it's one-trick pony. When you have competitors, that validates the market. What Benioff was indirectly saying there is that if SaaS is no longer synonymous with Salesforce, that now validates the SaaS platform. It vindicates his contention that SaaS is a platform, and that the future is "no software."

That's one thought. The other thought, before going on JavaOne, regards Microsoft walking away from Yahoo. My sense is that Yahoo is not going to get any better price for their shares than what Microsoft was going to offer. But, I think it is a blessing in disguise, at least for Microsoft, if not for Yahoo shareholders.

This would have been a horrendous deal for Microsoft. This is not the type of deal that they do best. They do very well in making small, very strategic technology acquisitions. What's gotten lost in the noise here is that Microsoft does have this stake in Facebook, which only happens to be "The most Popular," software development platform in the social computing space.

And, I've got to believe that maybe they are facing a war in ads, but why not work around this, instead of co-opting this, to become or federate with the social application development platform of choice.

Gardner: I think that there are some indications that the bloom is off the rose of social networking, both as a significant revenue generator, as well as an application development platform, at least for one of the social networks to become a development platform. That's from some recent revenue indicators from Google that its relationship with MySpace has not proven to be as monitizable as they expected.

Also, some recent statistic show that the types of applications that have been generated on Facebook are very tenuous, very one-off or fun things that would appeal to teenagers, but not with any significant depth or business value. The amount of activity from developers on Facebook has been slacking off, or at least plateauing, which is not a good indicator.

So I take your point that Microsoft is in the game of social networking, but I am not sure if that's enough to do much for them in terms of overall online activity.

Baer: I'll put this way. For social networks, we are getting into kind of a Gartner-style "trough of disillusionment" there. But, I see this thing fitting more into the mold of the strategic technology buys or technology acquisitions that Microsoft does, because, if you think about it, this has not been tapped.

I totally agree with you. I'm very turned off by the types of applications and sort of frat-partying environment that you have on Facebook. But, I think there's a lot of untapped potential in terms of turning some of these techniques and using them to extend enterprise applications, whether they be on premises, in the cloud, or what have you. So, I could see this as being potentially an extension of the Visual Studio Platform in the .NET framework.

Gardner: That's means Microsoft has to put a lot of lipstick on a pig to turn Facebook into what you're describing, in my humble opinion. Phil, what do you think?

Wainewright: I'm just thinking about advertising and Facebook. People are surprised that for these social networking sites the ads don't work. I remember back in the Web 1.0 boom and the dot-com boom, one of the things that was interesting was the discussion sites were very bad at generating ad revenue, because people didn't click on the ads.

The cost per thousand (CPM) for discussion sites, or for the discussion area of a site, was always a lot lower than other types of sites that were more information heavy. So it's old news about kind of sites where people follow what other people are saying. It's a bad site for advertising, because you are interested in the conversation. You don't go there to click away on something else.

Baer: That's right, and it's not necessarily the metadata of the discussion content that creates some affinity-based relationship between buyer and seller as a result, and, therefore, you get a higher value CPM advertising revenue benefit. It does seem to push it down to a lower common denominator of just page views for the sake of page views.

Wainewright: Yeah, that's right. People start chasing page views without remembering the reason that they are chasing is to generate value for advertises. They think, "We've got lots of page views," but they don't think back to whether those page views are going to deliver value.

Gardner: This actually jettisons us very nicely into the heart of our discussion topic today. We may get back to JavaOne, although there's probably not much to discuss there.

Our topic is what are going to be the revenue models now that we have a fairly good expectations of SaaS, Web services, publicly available APIs, mashups, and increasingly robust cloud community of not only host and providers and infrastructure providers, but ecologies.

I emphasize the plural of development activities that create business value in some form over the wire. This is all well and good for the end user, but in order to support such an ecology, there needs to be revenue commensurate with the cost, perhaps even leaving some margin on the table.

Let's go to you, Joe McKendrick. You've been studying SOA for some time. You've been familiar with data for some time, technologically and functionally, but let's look at the economics of this as we move more toward an online world. Microsoft has indicated this through its Yahoo purchase attempt, desperate as it may have been and now perhaps squashed as it may be.

If you see the future as an online world, do you have any sense of how the money is going to be made, now that we are segueing into this new era?

McKendrick: Good question, Dana. And, in fact, Microsoft has given us another clue. Another memo from Ray Ozzie surfaced a couple of weeks back. You may recall the memo back in 2005, the famous "turn the world upside down" memo that talked about the advertising support of the online model for software. He kind of reinforced that with his latest memo.

It wasn't saying, "We must offer software advertising to support software," but it was more of a discussion about the social mesh, the community, the social networking, a paradigm that's emerging. It's way too early in the game, but I think it's inevitable. We are really seeing it on the consumer side. It's going to be interesting, but I think it's going to leach into the enterprise over the next couple of decades as well. I'm talking years from now, but it's definitely a model that will be sustaining consumer computing. We are seeing that emerging on the social computing side.

Gardner: Well, here's an interesting factoid to throw out and put some context into this discussion of software as a business. Depending on how you slice it and dice it, when we talk about consumer-side software, perhaps in the PC operating system, we're talking about maybe a $100-$150 billion a year business worldwide. Even that might be throwing a little bit much into the kitchen sink, because prices are coming down and the margins are coming down. But, advertising, at least in the United States, is something above $300 billion.

Look at what Google has done with just a small slice of the advertising market -- text ads associated with search and search criteria that they are going to start automating through a similar auction bid process, advertising that goes on banners ads across the Web, beyond just the text ads.

Then, they've got their designs on radio, magazine, and newspaper advertisements, particularity done at the local level. They've got designs on television advertising across both cable and broadcast, but certainly with the television that goes out over the Web. So, Google is looking at a potential of hundreds of billions of dollars of market, where Microsoft's annual revenues are what -- between $40 and $50 billion I believe? We're talking about several significant multiples of potential revenue here when advertising is factored as a full business.

So, just using as the factoid, Phil Wainewright, what do you think about the opportunity for software companies to take more and more of this advertising pie?

Wainewright: Well, we touched on this in our discussion last week, and I really think people have got this completely the wrong way around. To focus on advertising is just so "0.0," to coin a phrase. Advertising exists only because we don't have the Web. Advertising is something the B2B market has to use through magazines, TV shows, or whatever, because they couldn't reach the consumer directly.

Now, the Web enables people to reach potential consumers and business prospects directly, rather than having to go through this advertising. So, the idea that the software industry is going to get funded by advertising has got it completely the wrong way around. Actually, what is going to happen is that business is increasingly going to use software in order to get closer to its consumers and its prospects. It can actually skip having to spend the money on advertising in order to make that connection.

Let me explain how that might work, instead of running adverts on sites that host discussions about bookkeeping services for small companies, for example, or instead of paying for search ads that pop up when people are searching on the Internet for bookkeeping services for small companies. As a small company, if you are using a financial application to run your company and you want some bookkeeping services, a bookkeeping service might pop up as a menu option in the software. You can sign up for and use an outsourced service over the Internet.

Instead of the bookkeeping service actually having to advertise on the search engines, in the publications, the discussion forums, and the social networking sites, they just pay to have their service made available within a software package that relates directly to the service that they are offering.

Therefore, it's not really advertising any more. It's just product placement at a point where the consumer or the business, in this case, actually needs that service.

McKendrick: Phil's got it exactly right. Another good example is mortgage calculator, something that popped up about 10 years ago on the Web. Mortgage calculator is software, and probably before 1998, if you wanted such software you had to go out and buy a package at Staples or Office Depot. Now, you can go to a mortgage company site, for those who are still looking for mortgages, and check out a calculator on site. The software is made available as a value-add. Phil has got it right in terms of their reverse. We have to look at this in a reverse sense.

Baer Joe you are so 2006, I have to say.

Gardner: Now hold on. So, what we were saying is that business activities and consumer activities more and more move online. Not only will we be doing away with the on-premises software business to a significant extent, but we will be doing away with the advertising business to a significant extent. Then, no longer will the entertainment businesses be glossing themselves with adverts to support themselves, but, increasingly, we'll see placement of services in the context of an activity or process, be it for consumer, entertainment, or business, in the same way that we might go to a shopping mall. People pay rent to the mall organizer, which draws people in, to put their wares out on the doorstep in front of the glass pane, in order for people to pick and choose.

So we are moving from an advertising to a placement or even visibility value, and it becomes rent to those who can draw the people in. Does that sound reasonable?

Baer: I'd say so. Look at the Amazon model which isn't necessarily overt advertising, but its affinity. You just bought a book, say, on accounting and they'll say, "By the way, based on your pattern of orders, would you also like to get a book about taxes or something like that?" So, it's basically keeping it in context.

Just a couple of days ago I was reading an interview in one of the business journals with someone who was critiquing TV ads and saying, "You know something? These are so obsolete. I really hate watching this because, basically, when you're watching a program, statistically very small minority of the audience is interested in that particular product at that particular time."

You start looking at migration to digital broadcasting. At some point -- I don't know the exact technology mix involved -- combining that with the Internet, there will be some way of micro casting. There may be a large population segment watching a specific program, but you maybe identified in terms of which demographic you specifically are. It's almost sounding 1984-ish.

McKendrick: Tony, you are so 1984.

Wainewright: Tony, that's right. I think Google actually realizes that and understands that. Therefore what they are aiming to do is get into TV advertising and all these other sectors. These are vendors that enable this kind of personalization of the message, being a conduit between the prospects and the business that's trying to sell to that prospect, and using software automation to enable that.

They are thinking beyond the old model of advertising, and I think that's Microsoft's problem. Microsoft hasn't really understood this, is still thinking about online advertising as a segment, and is not looking beyond the wider opportunity to use the automation on the Web as a way of just bringing buyers and sellers close together.

Gardner: Alright. So advertising has been a blunt instrument. There's an old adage that, "I know I am wasting half of my money on advertising, I just don't know which half." I think it's largely true. What we're really talking about here is a more precise instrument to match buyers and sellers based on affinity, where every single click that they make, almost in real time, gives us a further indicator of what it is that they might be interested in. We are able, at service level, to match needs and wants to availability, and we are able to even adjust the terms of the potential transition in real time as well.

This requires a tremendous amount of cloud compute, to the same levels we have seen in matching search criteria to results and then matching that to advertising. That advertising is then bought through an auction-bid process among those seeking the highest placement.

So if we take that same model and apply it to all sorts of different needs and wants of business, personal, entertainment, and luxury across the board, what do we call it? It's not really advertising.

Here is our chance at the BriefingsDirect Analyst Insights podcast to come up with a name for this thing. Any takers?

Wainewright: I've struggled with it actually, Dana. I have been planning a blogpost about this for probably a year. I saw someone really calling it "featuretisment," which I am not advocating, but it's a possibility. Maybe it's "online merchandising," maybe it is "placement," maybe it is just "promotion," rather than advertising. But, I think we do need a different word, because, if we use the word "advertising," we approach it too much from the old mindsets.

Gardner: Anyone else who has created a word here that sticks in people's mind for next 50 years?

Baer: Here is one that I hopefully don't use, which is "lifestyle enhancement" or "lifestyle augmentation." I hope we don't use that.

Gardner: That sounds like spam mail.

Baer: I want to just shoot that one down immediately.

McKendrick: I want to throw another note in here. When we talk about social computing, the whole Web 2.0 paradigm world, we are talking about the incoming generation. You have the 20-something is coming in, and even younger than that.

These folks are well accustomed to SaaS, online/on-demand software and are accustomed to seeing advertising online. I have a nine year old daughter and her favorite sites are Webkinz in which you buy stuffed animal, get a special password code log in and you can virtually manage your Webkinz online. She loves that and --.

Gardner: Yeah, we've got those.

McKendrick: Yeah, Club Penguin is another one, Disney took that.

Gardner: We've got those.

McKendrick: What's interesting is, 10 years ago, our kids would have had to go out and buy a CD and install a CD locally in the computer. These things are all delivered online to kids. Kids don't want this. My nine-year-old probably doesn't know how to install something from a CD.

Gardner: That's right. My nine-year-old is the same way. Everything is through the browser. If it's not through the browser, he's not interested.

McKendrick: Exactly. Everything is through the browser now. That's what they are expecting. That's what expected now. College students as well.

Gardner: Here's another factoid to throw out there. I was at an IBM event not too long ago and I raised some of these issues with them, saying, "Hey, you have some of the ingredients that are necessary in this new vision, including audience, including installed software, including communications and groupware applications that draw lots of metadata, ad activities in individuals. When we are going to start to see advertisements in IBM services?"

This statement came out loud and clear. Sam Palmisano says he is never going to put advertisements in anything IBM ever does. I thought that was interesting. Maybe, if we bend the advertising concept as we have been doing here, IBM is going to need to change its tune, particularly as more of those revenues from those AS400s and RS6000s started to dwindle, and they go out to cloud computing environments, and the margin they make on a blade server isn't the same.

They need to consider some of these other more interesting business models, particularly in the context of business. We're not talking about a $15 music download or an $8 movie download. We're talking about anywhere from $50,000 to hundreds of thousands of dollars of purchasing that happens very rapidly across the entire B2B economy.

Any thoughts about how IBM, in particular, might be able to move to this, without offending Sam's sensibilities?

Baer: Actually, take a look at the emerging model for downloading films or TV shows, that's probably is a better example. For a certain price you can get it without ads. For free, you get it with ads. I don't know if that directly applies, there maybe some sort of variation of that, which can keep Sam Palmisano's feeling that he can go to sleep at night.

Gardner: Okay, so we think that advertising is in the rear-view mirror. We're going to move to a new era of something different or better, perhaps subscription as a business model, where you, in a sense, rent digital assets. Any thoughts about how the future of advertising and the future of subscription services overlap or relate?

Wainewright: I think they do. The subscription model does take, but I think you will still have indirectly funded applications, particularly for volume markets like the business markets, the small business market, and obviously the consumer market, which is indirectly funded.

The consumer doesn't pay, but it is supported by some kind of either advertising, commissions on product placement, or just the expectation that a certain percentage of free users will upgrade to a paid version, and, therefore, the free-user population is a marketing expense.

We see all of those models already in the SaaS segment. The thing that is going to make this a slow transition is having a set of subscription services, where there are lots of different providers being aggregated, and they're getting some cut off the subscription. These are big billing and settlement challenges.

Actually, the software, the infrastructure software, that can support doing all of that measurement and doing it accurately and dealing with all of the questions: "I want my money back -- how do I get my money back?" These are questions that come up when money changes hands. This is something that still hasn't been worked out properly.

I was interested to see that Salesforce is still at the first stages of working at providing billing and settlement for In a sense, they are probably behind other players in that space, in terms of having an infrastructure for doing that. I think that could be a brake on this kind of thing taking hold very quickly, simply because the technology doesn't exist yet.

Gardner: Well, it doesn't exist yet at, but it does exist in some other quarters, where logistics and transportation have been largely made an efficiency function of good software. I am thinking of UPS and FedEx. They have become more and more sophisticated at managing that delivery and vetting of the transactions and working with exception management, in terms of returns or warranty issues. They do it with physical objects. There is no reason they couldn't do it with digital objects across the wire.

Baer: Just to underscore your point, it's not only that they perfected it for their core business, they now are handling increasing portions. A lot of their business is business process outsourcing. So, they're saying, "We don't only deliver the product to your customer, but we will take on large chunks of the fulfillment process or the warranties service repair process." And, they've have got the billing mechanisms down for that.

Gardner: So, the intellectual value of understanding how to manage that process is what ultimately buoys them and makes them now part of a potentially larger virtual ecology, rather than physical.

Wainewright: Hold on! They are doing that as a single company, they are not doing it with all kinds of tiers and partners, who are all contributing their own services and wanting to bill and charge back for those services. So, it's an order of magnitude larger.

Gardner: Perhaps the message to them is that they should be thinking along these lines, taking what assets they have, and extending them into partnerships, APIs, and Web services that can be plugged in through a SOA, and perhaps they get some transactional revenues as a result.

McKendrick: Which should make and UPS natural partners.

Gardner: Natural partners, yes. Now, I mentioned transactions, and it seems to me that one of the common threads between the "son of advertising" -- maybe that's what we'll call it from now on, the "son of advertising," the "progeny of advertising" -- and syndication, sponsorship, and buying things on a subscription basis, is the transaction.

Those vendors who want to be positioned well in front of an activity, the fulfillment of the actual transaction financially, would be in extremely advantageous position. Even if they take a fraction of a percent per transaction, ultimately we are talking about a massive business, one that everyone essentially would have to do some level of business with.

Any thoughts about the transactional hub, and the cloud compute power that would be required to do that?

Baer: StrikeIron kind of hits upon that model. They offer a marketplace of Web services, and part of what they do with that paradigm is that for the software developers -- someone who creates a service and offers it through the StrikeIron service -- they handle the transactions, the micro transactions. You may get a few pennies each time some uses your service. I think their model is going to take off. I think there is lot of potential for the model. We are going to see a lot of micro transactions taking place across the Web in the entire network.

Gardner: That's the one I was thinking of. StrikeIron is saying, "Hey, we can create a small subset business for ourselves, maybe even outsource some of that transactional activity back to something like a Google, and many others will want to stake out positions in a virtual bazaar of services, commerce, and goods, and perhaps back toward some of the integration to a large providers like a Google, which then becomes like a Visa in terms of financial transactions. It's really just matching up, and folks have taken a vig along the way.

Any other thought about the role of Google and what other organizations might be able to step up to the plate in this regard?

Speaker: Amazon Web Services.

Wainewright: I was just going to say that Rearden Commerce is perhaps an example of a vendor that's getting into that opportunity. Rearden this week announced a funding, a $100 million in venture funding, which mainly came from American Express and Chase.

So we see travel booking and the credit card company are teaming up with the transaction providers or the transaction handlers and getting at this nexus of bringing buyers and sellers together in the travel and employee services space. The amount of money that's being invested in Rearden says that people feel that there is quite a lot of potential in that particular vision.

Gardner: Now this company, Rearden, what kind of company is it?

Wainewright: Rearden Commerce provides software that allows you, as a business, to have your employees book their flights, their dining, and their corporate expense activity in a controlled, managed, and largely automated way. At the moment, most of their customers are relatively large customers or are customers of AMEX's travel management services. They charge a license fee at the moment, but I think in their road map, they see a potential to make money just by taking a cut out of the value of the transaction, rather than sending a traditional subscription license.

Baer: Just to go full circle here, I remember just talking to an enterprise vendor back in the 1990s. They were trying to export different mechanisms for pricing, and were talking about what they called at the time "risk sharing." Instead of charging the traditional license fee upfront, they were getting some sort of share of the benefits. Obviously, that never panned out, but today through SaaS, through micro-pricing and transactional pricing, and the acceptance of subscriptions and variable pricing, the time may have come for merging of some variance of that.

Gardner: Right. I think we've recognized that we have the son of advertising, which will be an interesting opportunity and Google is well-positioned.

We have the "son of software" in services, also a place where Google is well-positioned. We also have the "son of financial services." That is the next era that will require the compute ability to manage on a real-time, micro level across multiple variations of transactions and very complex process and event landscapes.

And, once again, Google could rise up and be prominent in that place as well. It seems that the algorithm is what rules the future, and he with the best algorithm that can execute on that algorithm and draw in the most partners is the winner. Any thoughts?

Wainewright: And, therefore, Microsoft, as long as it talks about software, rather than focusing properly on services, is always going to be the loser.

Gardner: You need to focus on being able to develop, control and adjust the algorithms and then execute on all the variables within those algorithms at massive scale, and that becomes ultimately who's got the best compute cloud infrastructure. I'm not sure it's going to be built on Windows.

Baer: The interesting thing about Microsoft is their whole scale has been more penetration, it's never been scale in terms of that we can now conduct scalable processing.

Gardner: Microsoft scales best at the department level, not even the individual level, and they don't have the infrastructure to support the granularity beyond that at this time.

McKendrick: It's getting to the point where the operating system is something that gets in the way. I think people will be happy with just some kind of device, such as a mobile device with a very thin layer and browser accessing everything out on the network.

Baer: And, from that standpoint, the one interesting thing that I saw from JavaOne this week, is the battle over where that rich Internet layer is going to be. Should it be within the Java virtual? Should it be in the flash runtime? You are talking about a couple battles of runtimes. You are not talking about battles of operating systems.

Gardner: I see that as a real mistake. Sun made a fundamental mistake this week. It's trying to position itself as a leader on this presentation level, which is irrelevant for the most part. It's important through some development, but the runtime on the client is a commodity. It's all about the runtime on the compute side, the server side, the cloud side. We would think that an OpenSolaris or a Solaris plus the high performance silicon designs that they've developed would be the real story there.

Wainewright: Dana, I would disagree with you about runtime on the client. I think it's going to be important, but I think it's the topic over another podcast.

Gardner: Alright, we'll do that another time. I think we've provided some good consulting value today to the logistics industry, the FedExs, UPSs: That they should start moving very closely to the digital domain, not the physical domain, and create APIs to create partnerships. We also probably have some good recommendations for the Citigroups, and the other large banking organizations, that they've proven themselves inept at that managing risk in association with mortgage-backed derivatives, but they should start thinking about how to create a compute cloud in algorithmic support infrastructure for the transactional future.

Baer: Phil mentioned Rearden Commerce, and I want to add that all it's components are built on SOA-enabled services. So, there is a good lesson there. If you want to get out in the cloud, SOA paves the path.

Gardner: That's the only technology that we've developed today that perhaps can these mixtures of ecologies and transactional hubs and federated business partnerships and activities.

Baer: It's the only way to go, Dana.

Gardner: Okay, this is Dana Gardner, principal analyst at Interarbor Solutions. You've been listening to a BriefingsDirect Analyst Insights Edition, Volume 29. Our guests have been Joe McKendrick. Thanks, Joe.

McKendrick: Thanks, Dana. It's great to be here.

Gardner: Tony Baer, I appreciate your input.

Baer: Hey, good talking again.

Gardner: And also excellent input from Phil Wainewright. We appreciate your joining us.

Wainewright: Good to be here, Dana.

Gardner: Come back next time, and we'll try to get into some of those issues that we haven't hit on yet. There's a lot more to dig into here. Thanks.

Listen to the podcast.

Transcript of BriefingsDirect podcast on the future of advertsing. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.