Standards and APIs: How to Build Platforms and Tools to Best Manage Identity and Security

Transcript of a BriefingsDirect podcast on how strides are being made to develop identity standards and smooth the way for developers to use them quickly and easily


Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ping Identity.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on the pressing need for improved identity management and federation technologies, as well as workable standards and best practices for the application programming interface (API) economy.

Gardner

We'll now examine how business and end-user trends are forcing organizations to both seek openness and improve security for accessing applications, APIs, data, and services anytime, anywhere, and from any device.

Developers are scrambling to find the platforms and tools to help them manage identity and security. Meanwhile, the mobile tier is becoming an integration point for scads of cloud services and APIs, yet unauthorized access to data remains common. Mobile applications are not yet fully secure, and identity control that meets audit requirements is hard to come by.

So while the game has changed for creating new and attractive mobile processes, the same old requirements remain wanting around security, management, interoperability, and openness.

We'll now hear from a panel of experts on how to better chart the waters of identity management and federation, while preserving the need for enterprise-caliber risk remediation and security.

With that, please join me now in welcoming our guests, Bradford Stephens, the Developer and Platforms Evangelist in the CTO’s Office at Ping Identity. Welcome, Bradford.

Bradford Stephens: Hello. Thanks for having me.

Gardner: We're also here with Ross Garrett, Senior Director of Product Marketing at Axway. Good to have you with us, Ross.

Ross Garrett: Good to be here.

Gardner: And we're also here with Kelly Grizzle, Principal Software Engineer at SailPoint Technologies. Welcome, Kelly.

Kelly Grizzle: Thanks, Dana. Happy to talk to you.

Gardner: We are approaching the Cloud Identity Summit 2014 (CIS), which is coming up on July 19 in Monterey, Calif. There's a lot of frustration with identity services that meet the needs of developers and enterprise operators as well. So let’s talk a little bit about what’s going on with APIs.

First to you, Bradford. From a high level, what are the trends in the market that keep this problem pressing? Why is it so difficult to solve?

Interaction changes

Stephens: Well, as soon as we've settled on a standard, the way we interact with computers changes. It wasn’t that long ago that if you had Active Directory and SAML and you hand-wrote security endpoints of model security products, you were pretty much covered.

Stephens

But in the last three or four years, we've gone to a world where mobile is more important than web. Distributed systems are more important than big iron. And we communicate with APIs instead of channels and SDKs, and that requires a whole new way of thinking about the problem.

Gardner: Anything to offer on that, Ross? How do you see the challenge?

Garrett: Ultimately, APIs are becoming the communication framework, the fabric, in which all of the products that we touch today talk to each other. That, by extension, provides a new identity challenge. That’s a lot of reason why we've seen some friction and schizophrenia around the types of identity technologies that are available to us.

So we see waves of different technologies come and go, depending on what is the flavor of the month. That has caused some frustration for developers, and will definitely come up during our Cloud Identity Summit in a couple of weeks.

Gardner: Kelly, how has the role of APIs, as we have now been describing them, changed the identity world? Do you see this as an API and identity collision? 

Grizzle: APIs are becoming exponentially more important in the identity world now. As Bradford alluded to, the landscape is changing. There are mobile devices as well as software-as-a-service (SaaS) providers out there who are popping up new services all the time. The common thread between all of them is the need to be able to manage identities. They need to be able to manage the security within their system. It makes total sense to have a common way to do this.

Grizzle

APIs are key for all the different devices and ways that we connect to these service providers. Becoming standards based is extremely important, just to be able to keep up with the adoption of all these new service providers coming on board.

Gardner: As we describe this as the API economy, I suppose it’s just as much a marketplace and therefore, as we have seen in other markets, people strive for predominance. There's jockeying going on. Bradford, is this a matter of an architectural shift? Is this a matter of standards? Or is this a matter of de-facto standards? Or perhaps all of the above?

Stephens: It’s getting complex quickly. I think we're settling on standards, like it or not, mostly positively. I see most people settling on at least OAuth 2.0 as a standard token, and OpenID Connect for implementation and authentication of information, but I think that’s about as far as we get.

There's a lot of struggle with established vendors vying to implement these protocols. They try to bridge the gap between the old world of say SAML and Active Directory and all that, and the new world of SCIM, OAuth, OpenID Connect. The standards are pretty settled, at least for the next two years, but the tools, how we implement them, and how much work it takes developers to implement them, are going to change a lot, and hopefully for the better.

Evolving standards

Gardner: Ross, do you agree that we've settled on the handful of standards that we need, or at least the major ones, and that this is a matter now of implementation? How do you view the evolution?

Garrett: We have identified a number of new standards that are bridging this new world of API-oriented connectivity. Learning from the past of SAML and legacy, single sign-on infrastructure, we definitely need some good technology choices.

Garrett

The standards seem to be leading the way. But by the same token, we should keep a close eye on the market changing with regards to how fast standards are changing. We've all seen things like OAuth progress slower than some of the implementations out there. This means the ratification of the standard was happening after many providers had actually implemented it. It's the same for OpenID Connect.

We are in line there, but the actual standardization process doesn’t always keep up with where the market wants to be.

Gardner: We've seen this play out before that the standards can lag. Getting consensus, developing the documentation and details, and getting committees to sign off can take time, and markets move at their own velocity. Many times in the past, organizations have hedged their bets by adopting multiple standards or tracking multiple ways of doing things, which requires federation and integration.

Kelly, are there big tradeoffs with standards and APIs? How do we mitigate the risk and protect ourselves by both adhering to standards, but also being agile in the market?

Grizzle: That’s kind of tricky. You're right in that standards tend to lag. That’s just part and parcel of the standardization process. It’s like trying to pass a bill through Congress. It can go slow.

You're right in that standards tend to lag. That’s just part and parcel of the standardization process.

Something that we've seen some of these standards do right, from OAuth and from the SCIM perspective, is that both of those have started their early work with a very loose standardization process, going through not one of the big standards bodies, but something that can be a little bit more nimble. That’s how the SCIM 1.0 and 1.1 specs came out, and they came out in a reasonable time frame to get people moving on it.

Now that things have moved to the Internet Engineering Task Force (IETF), development has slowed down a little bit, but people have something to work with and are able to keep up with the changes going on there.

I don’t know that people necessarily need to adopt multiple standards to hedge their bets, but by taking what’s already there and keeping a pulse on the things that are going to change, as well as the standard being forward-thinking enough to allow some extensibility within it, service providers and clients, in the long run, are going to be in a pretty good spot.

Quick primer

Gardner: We've talked a few technical terms so far, and just for the benefit of our audience, I'd like to do a quick primer, perhaps with you Bradford. To start: OAuth, this is with the IETF now. Could you just quickly tell the audience what OAuth is, what it’s doing, and why it’s important when we talk about API, security and mobile?

Stephens: OAuth is the foundation protocol for authorization when it comes to APIs for web applications. OAuth 2 is much more flexible than OAuth 1.

Basically, it allows applications to ask for access to stuff. It seems very vague, but it’s really powerful once you start getting the right tokens for your workflows. And it provides the same foundation for everything else we do for identity and APIs.

The best example I can think of is when you log into Facebook, and Facebook asks whether you really want this app to see your birthday, all your friends’ information, and everything else. Being able to communicate all that over the OAuth 2.0 is a lot easier than how it was with OAuth 1.0 a few years ago.

Gardner: How about OpenID Connect. This is with the OpenID Foundation. How does that relate, and what is it?

If OAuth actually is the medium, OpenID Connect can be described as the content of the message. It’s not the message itself.

Stephens: If OAuth actually is the medium, OpenID Connect can be described as the content of the message. It’s not the message itself. That’s usually done with the Token, Javascript object notation (JSON) Web Token, but OpenID Connect provides the actual identity information.

When you access an API and you authenticate, you choose a scope, and one of the most common scopes is OpenID Profile. This OpenID Profile will just have things like your username, maybe your address, various other pieces of identity information, and it describes who the "you" is, who you are.

Gardner: And SCIM, you mentioned that Kelly, and I know you have been involved with it. So why don’t you take the primer for SCIM, and I believe it’s Simple Cloud Identity Management?

Grizzle: That's the historical name for it, Simple Cloud Identity Management. When we took the standard to the IETF, we realized that the problems that we were solving were a little bit broader than just the cloud and within the cloud. So the acronym now stands for the System for Cross-domain Identity Management.

That’s kind of a mouthful, but the concept is pretty simple. SCIM is really just an API and a schema that allows you to manage identities and identity-related information. And by manage them, I mean to create identities in systems to delete them, update them, change the entitlements and the group memberships, and things like that.

Gardner: From your perspective, Kelly, what is the relationship then between OAuth and SCIM?

Managing identities

Grizzle: OAuth, as Bradford mentioned, is primarily geared toward authorization, and answers the question, "Can Bob access this top-secret document?" SCIM is really not in the authorization and authentication business at all. SCIM is about managing identities.

OAuth assumes that an identity is already present. SCIM is able to create that identity. You can create the user "Bob." You can say that Bob should not have access to that top-secret document. Then, if you catch Bob doing some illicit activity, you can quickly disable his account through a SCIM call. So they fit together very nicely.

Gardner: In the real world, developers like to be able to use APIs, but they might not be familiar with all the details that we've just gone through on some of these standards and security approaches.

How do we make this palatable to developers? How do we make this something that they can implement without necessarily getting into the nitty-gritty? Are there some approaches to making this a bit easier to consume as a developer?

The best thing we can do is have tool-providers give them tools in their native language or in the way developers work with things.

Stephens: As a developer who's relatively new to this field -- I worked in database for three years -- I've had personal experience of how hard it is to wrap your head around all the standards and all these flows and stuff. The best thing we can do is have tool providers give them tools in their native language, or in the way developers work with things.

This needs well-documented, interactive APIs -- things like Swagger -- and lots of real-world code examples. Once you've actually done the process of authentication through OAuth, getting a JSON Web Token, and getting an OpenID Connect profile, it’s really  simple to see how it all works together, if you do it all through a SaaS platform that handles all the nitty-gritty, like user creation and all that.

If you have to roll your own, though, there's not a lot of information out there besides the WhitePages and Wall Post. It’s just a nightmare. I tried to roll my own. You should never roll your own.

So having SaaS platforms to do all this stuff, instead of having documents, means that developers can focus on providing their applications, and just understand that I have this media and project, not about which tokens carry information that accesses OAuth and OpenID Connect.

I don’t really care how it all works together; I just know that I have this token and it has the information I need. And it’s really liberating, once you finally get there.

So I guess the best thing we can do is provide really great tools that solve the identity-management problems.

Tools: a key point

Garrett: Tools, that’s the key point here. Whether we like it or not, developers tend to be kind of lazy sometimes and they certainly don’t have the time or the energy to understand every facet of the OAuth specification. So providing tools that can wrap that up and make it as easy to implement as possible is really the only way that we get to really secure mobile applications or any API interaction. Because without a deep understanding of how this stuff works, you can make pretty fundamental errors.

Having said that, at least we've started to take steps in the right direction with the standards. OAuth is built at least with the idea of mobile access in mind. It’s leveraging REST and JSON types, rather than SOAP and XML types, which are really way too heavyweight for mobile applications.

So the standards, in their own right, have taken us in the right direction, but we absolutely need tools to make it easy for developers.

Gardner: Do you have anything to offer on that, Kelly, in terms of maybe a service-provider role? As an identity service provider yourself, is there something that intermediary can bring to help developers and automate some of these issues?

Grizzle: I think so. Bradford and Ross hit on a lot of it. Tools are of the utmost importance, and some of the identity providers and people with skin in the game, so to speak, are helping to create these tools and to open-source them, so that they can be used by other people.

Identity isn’t the most glamorous thing to talk about, except when it all goes wrong, and some huge leak makes the news headlines.

Another thing that Ross touched on was keeping the simplicity in the spec. These things that we're addressing -- authorization, authentication, and managing identities -- are not extremely simple concepts always. So in the standards that are being created, finding the right balance of complexity versus completeness and flexibility is a tough line to walk.

With SCIM, as you said, the first initial of the acronym used to stand for Simple. It’s still a guiding principle that we use to try to keep these interactions as simple as possible. SCIM uses REST and JSON, just like some of these other standards. Developers are familiar with that. Putting the burden on the right parties for implementation is very important, too. To make it easy on clients, the ones who are going to be implementing these a lot, is pretty important.

Gardner: Do these standards do more than help the API economy settle out and mature? Cloud providers or SaaS providers want to provide APIs and they want the mobile apps to consume them. By the same token, the enterprises want to share data and want data to get out to those mobile tiers. So is there a data-management or brokering benefit that goes along with this? Are we killing multiple birds with one set of standards?

Garrett: The real issue here, when we think about the new types of products and services that the API economy is helping us deliver, is around privacy and ultimately customer confidence. Putting the user in control of who gets to access which parts of my identity profile, or how contextual information about me can perhaps make identity decisions easier, allows us to lock down, or better understand, these privacy concerns that the world has.

Identity isn’t the most glamorous thing to talk about -- except when it all goes wrong -- and some huge leak makes the news headlines, or some other security breach has lost credit-card numbers or people’s usernames and passwords.

Hand in hand

In terms of how identity services are developing the API economy, the two things go hand in hand. Unless people are absolutely certain about how their information is being used, they simply choose not to use these services. That’s where all the work that the API management vendors and the identity management vendors are doing and bringing that together is so important.

Gardner: You mentioned that identity might not be sexy or top of mind, but how else can you manage all these variables on an automated or policy-driven basis? When we move to the mobile tier, we're dealing with multiple networks. We're dealing with multiple services ... cloud, SaaS, and APIs. And then we're linking this back to enterprise applications. How other than identity can this possibly be managed?

Stephens: Identity is often thought of as usernames and passwords, but it’s evolving really quickly to be so much more. This is something I harp on a lot, but it’s really quickly becoming that who we are online is more important than who we are in real life. How I identify myself online is more important than the driver's license I carry in my wallet.

And it’s important that developers understand that because any connected application is going to have to have a deep sense of identity.

As you know, your driver’s license is like a real-life token of information that describes what you're allowed to do in your life. That’s part of your identity. Anybody who has lost their license knows that, without that, there's not a whole lot you can do.

Bringing that analogy back to the Internet, what you're able to access and what access you're able to give other people or other applications to change important things, like your Facebook posts, your tweets, or go through your email and help categorize that is important. All these little tasks that help define how you live, are all part of your identity. And it’s important that developers understand that because any connected application is going to have to have a deep sense of identity.

Gardner: Let me pose the same question, but in a different way. When you do this well, when you can manage identity, when you can take advantage of these new standards that extend into mobile requirements and architectures, with the API economy in mind, what do you get? What does it endow you with? What can you do that perhaps you couldn’t do if you were stuck in some older architectures or thinking?

Grizzle: Identity is key to everything we do. Like Bradford was just saying, the things that you do online are built on the trust that you have with who is doing them. There are very few services out there where you want completely anonymous access. Almost every service that you use is tied to an identity.

So it’s of paramount importance to get a common language between these. If we don’t move to standards here, it's just going to be a major cost problem, because there are a ton of different providers and clients out there.

If every provider tries to roll their own identity infrastructure, without relying on standards, then, as a client, if I need to talk to two different identity providers, I need to write to two different APIs. It’s just an explosive problem, with the amount that everything is connected these days.

So it’s key. I can’t see how the system will stand up and move forward efficiently without these common pieces in place.

Use cases

Gardner: Do we have any examples along these same lines of what do you get when you do this well and appropriately based on what you all think is the right approach and direction? We've been talking at a fairly abstract level, but it really helps solidify people’s thinking and understanding when they can look at a use-case, a named situation or an application.

Stephens: If you want a good example of how OAuth delegation works, building a Facebook app or just working on Facebook app documentation is pretty straightforward. It gives you a good idea of what it means to delegate certain authorization.

Likewise, Google is very good. It’s very integrated with OAuth and OpenID Connect when it comes to building things on Google App Engine.

The thing that these new identity service providers have been offering has, behind the scenes, been making your lives more secure.

So if you want to secure an API that you built using Google Cloud on Google App Engine, which is trivial to do, Google Cloud Endpoints provides a really good example. In fact, there is a button that you can hit in their example button called Use OAuth and that OAuth transports OpenID Connect profile, and that’s a pretty easy way to go about it.

Garrett: I'll just take a simple consumer example, and we've touched on this already. It was the idea in the past, where every individual service or product is offering only their identity solution. So I have to create a new identity profile for every product or service that I'm using. This has been the case for a long time in the consumer web and in the enterprise setting as well.

So we have to be able to solve that problem and offer a way to reuse existing identities. It involves so taking technologies like OpenID Connect, which is totally hidden to the end user really, but simply saying that you can use this existing identity, your LinkedIn or  Facebook credentials, etc., to access some new products, takes a lot of burden away from the consumer. Ultimately, that provides us a better security model end to end.

The thing that these new identity service providers have been offering has, behind the scenes, been making your lives more secure. Even though some people might shy away from using their Facebook identity across multiple applications, in many ways it’s actually better to, because that’s really one centralized place where I can actually see, audit, and adjust the way that I'm presenting my identity to other people.

That’s a really great example of how these new technologies are changing the way we interact with products everyday.

Standardized approach

Grizzle: At SailPoint, the company that I work for, we have a client, a large chip maker, who has seen the identity problem and really been bitten by it within their enterprise. They have somewhere around 3,500 systems that have to be able to talk to each other, exchange identity data, and things like that.

The issue is that every time they acquire a new company or bring a new group into the fold, that company has its own set of systems that speak their own language, and it takes forever to get them integrated into their IT organization there.

So they've said that they're not going to support every app that these people bring into the IT infrastructure. They're going with SCIM and they are saying that all these apps that come in, if they speak SCIM, then they'll take ownership of those and pull them into their environment. It should just plug in nice and easy. They're doing it just because of a resourcing perspective. They can't keep up with the amount of change to their IT infrastructure and keep everything automated.

They can't keep up with the amount of change to their IT infrastructure and keep everything automated.

Gardner: I want to quickly look at the Cloud Identity Summit that’s coming up. It sounds like a lot of these issues are going to be top of mind there. We're going to hear a lot of back and forth and progress made.

Does this strike you, Bradford, as a tipping point of some sort, that this event will really start to solidify thinking and get people motivated? How do you view the impact of this summit on cloud identity?

Stephens: At CIS, we're going to see a lot of talk about real-world implementation of these standards. In fact, I'm running the Enterprise API track and I'll be giving a talk on end-to-end authentication using JAuth, OAuth, and OpenID Connect. This year is the year that we show that it's possible. Next year, we'll be hearing a lot more about people using it in production.

Gardner: You've been listening to a sponsored BriefingsDirect podcast discussion on the pressing need for improved identity management and federation technologies, as well as workable standards and best practices for the API economy.

While we've seen how unauthorized access to data remains a problem, and mobile application aren't always secure, we're beginning to see a lot of progress made in ways that standards can be used to extend safety while increasing the ability for developers to get their jobs done.

So a big thanks to our guests, Bradford Stephens, Developer and Platforms Evangelist in the CTO’s Office at Ping Identity. Thanks so much, Bradford.

Stephens: Thank you, everybody else. You made this one really interesting.

Gardner: Also, we have been pleased to have Ross Garrett with us, the Senior Director of Product Marketing at Axway. Thank you, sir.

Garrett: Thank you very much.

Gardner: And lastly, Kelly Grizzle, the Principal Software Engineer at SailPoint Technologies. Thanks so much for your input.

Grizzle: Thanks for inviting me, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. A big thanks to our audience for joining us as well. You can find more information on these subjects at the IETF, at Ping Identity, Axway, SailPoint Technologies, and of course there will be a lot of information generated at the Cloud Identity Summit on July 19.

So once again to our audience thanks for listening, and don’t forget to come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ping Identity.

Transcript of a BriefingsDirect podcast on how strides are being made to develop identity standards and smooth the way for developers to use them quickly and easily. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.

You may also be interested in:

• The Open Group and MIT Experts Detail New Advances in Identity Management to Help Reduce Cyber Risk
• Effective Enterprise Decurity Begins and Ends with Architectural Best Practices Approach
• BYOD Brings New Challenges for IT: Allowing Greater Access while Protecting Networks
• Identify and Access Management as a Service Gets Boost with SailPoint's IdentityNow Cloud Service
• Identity Governance Becomes Must-Do Items on Personnel Management and Security Checklist

How Capgemini's UK Financial Services Unit Helps Clients Manage Risk Using Big Data Analysis

Transcript of a sponsored BriefingsDirect podcast on how HP tools are helping companies harness big data to provide better risk assessment.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing sponsored discussion on IT innovation and how it’s making an impact on people’s lives.

Gardner

Once again, we’re focusing on how companies are adapting to the new style of IT to improve IT performance and deliver better user experiences, and business results. This time, we’re coming to you directly from the recent HP Discover 2013 Conference in Barcelona.

We’re here to learn directly from IT and business leaders alike how big data, mobile, and cloud, along with converged infrastructure are all supporting their goals.

Our next innovation case study interview highlights how Capgemini's Financial Services Global Business Unit in the United Kingdom is using big data and analysis to help its organization clients better manage risk.

To tell us more about how they do that, we're joined by Ernie Martinez, Business Information Management Head at the Capgemini Financial Services Global Business Unit in London. Welcome Ernie.

Ernie Martinez: Thank you. Glad to be here.

Gardner: Ernie, risk has always been with us. I suppose it will always remain with us in some fashion or another. Is there anything new, pressing, or different about the types of risks that your clients are trying to reduce and understand in this climate and market?

Martinez

Martinez: As you said, risk has always been with us. I don't think it's as much about what's new within the risk world, as much as it's about the time it takes to provision the data so companies can make the right decisions faster, therefore limiting the amount of risk they may take on in issuing policies or taking on policies with new clients.

Gardner: In addition to the risk issue, of course, there is competition. The speed of business is picking up, and we’re still seeing difficult economic climates in many markets. How do you step into this environment and find a technology that can improve things? What have you found?

Martinez: There is the technology aspect of delivering the right information to business faster. There is also the business-driven way of delivering that information faster to business.

Bottom up

Why Capgemini and our business information management (BIM) practices jumped in with a partnership with HP and Vertica in the HAVEn platform is really about the ability to deliver the right information to business faster from the bottom up. That means the infrastructure and the middleware by which we serve that data to business. From the top down, we work with business in a more iterative fashion in delivering value quickly out of the data that they are trying to harvest.

Gardner: Capgemini is a large global organization. Perhaps you could tell us a bit about what your unit does and the types of clients you have.

Martinez: The BIM practice is a global practice. We’re ranked in the top upper right-hand quadrant in Gartner as one of the best BIM practices out there with about 7,000 BIM resources worldwide.

Our focus is on driving better value to the customer. So we have principal-level and senior-level consultants that work with group-level CEOs in the financial services, insurance, and capital markets arenas. Their main focus is to drive a strategy and roadmap, consulting work, enterprise information architecture, and enterprise information strategy with a lot of those, the COO- and CFO-level customers.

We then drive more business into the technical design and architectural way of delivering information in business intelligence (BI) and analytics. Once we define what the road to good looks like for an organization, when you talk about integrating information across the enterprise, it's about what is that path to good looks like and what are the key initiatives that an organization must do to be able to get there.

This is where our technical design, business analysis, and data analysis consultants fit in. They’re actually going in to work with business to define what do they need to see out of their information to help them make better decisions.

Learn more about the HP+Capgemini CIRA Solution

To get a product demonstration, send an email to:

HAVEnAlliancesMarketing@HP.com

Gardner: Of course, the very basis of this is to identify the information, find the information, and put the information in a format that can be analyzed. Then, do the analysis, speed this all up, and manage it at scale and at the lowest possible cost. It’s a piece of cake, right? Tell us about the process you go through and how you decide what solutions to use and where the best bang for the buck comes from?

Martinez: Our approach is to take that senior-level expertise in big data and analytics, bring that into our practice, put that together with our business needs across financial services, insurance, and capital markets, and begin to define valid use cases that solve real business problems out there.

We’re a consulting organization, and I expect our teams to be able to be subject matter experts on what's happening in the space and also have a good handle on what the business problems are that our customers are facing. If that’s true, then we should be able to outline some valid use cases that are going to solve some specific problems for business customers out there.

In doing so, we’ll define that use case. We’ll do the research to validate that indeed it is a business problem that's real. Then we’ll build the business case that outlines that if we do build this piece of intellectual property (IP), we believe we can go out and proactively affect the marketplace and help customers out there. This is exactly what we did with HP and the HAVEn platform.

Wide applicability

Gardner: So we’re talking about a situation where you want to have wide applicability of the technology across many aspects of what you are doing, that make sense economically, but of course it also has to be the right tool for the job, that's to go deep and wide. You’re in a proof-of-concept (POC) stage. How did you come to that? What were some of the chief requirements you had for doing this at that right balance of deep and wide?

Martinez: We, as an organization, believe that our goal as BI and analytics professionals is to deliver the right information faster to business. In doing so, you look at the technologies that are out there that are positioned to do that. You look at the business partners that have that mentality to actually execute in that manner. And then you look at the organization, like ours, whose sole purpose is to mobilize quickly and deliver value to customer.

I think it was a natural fit. When you look at HP Vertica in the HAVEn platform, the ability to integrate social media data through Autonomy and then of course through Vertica and Hadoop -- the integration of the entire architecture -- gives us the ability to do many things.

But number one, it's the ability to bring in structured and unstructured data, and be able to slice and dice that data in a rapid fashion; not only deploy it, but also execute rapidly for organizations out there.

Being here at HP Discover this week has certainly solidified in my mind that we’re betting on the right horse.

Over the course of the last six months of 2013, that conversation began to blossom into a relationship. We all work together as a team and we think we can mobilize not just the application or the solution that we’re thinking about, but the entire infrastructure derivatives to our customers quickly. That's where we’re at.

What that means is that once we partnered and got the go ahead with HP Vertica to move forward with the POC, we mobilized a solution in less than 45 days, which I think shows the value of the relationship from the HP side as well as from Capgemini.

Gardner: Down the road, after some period of implementation, there are general concerns about scale when you’re dealing with big data. Because you’re near the beginning of this, how do you feel about the ability for the platform to work to whatever degree you may need?

Martinez: Absolutely no concern at all. Being here at HP Discover has certainly solidified in my mind that we’re betting on the right horse with their ability to scale. If you heard some of the announcements coming out, they’re talking about the ability to take on big data. They’re using Vertica and the HAVEn network.

There’s absolutely zero question in my mind that organizations out there can leverage this platform and grow with it over time. Also, it gives us the ability to be able to do some things that we couldn’t do a few years back.

Business value

Gardner: Ernie, let's get back to the business value here. Perhaps you can identify some of the types of companies that you think would be in the best position to use this. How will this hit the road? What are the sweet spots in the market, the applications you think would be the most urgently that make a right fit for this?

Martinez: When you talk about the largest insurers around the world, whether from Zurich to Farmers in the US to Liberty Mutual, you name it, these are some of our friendly customers that we are talking to that are providing feedback to us on this solution.

We’ll incorporate that feedback. We’ll then take that to some targeted customers in North America, UK, and across Europe, that are primed and in need of a solution that will give them the ability to not only assess risk more effectively, but reduce the time to be able to make these type of decisions.

Reducing the time to provision data reduces costs by integrating data across multiple sources, whether it be customer sentiment from the Internet, from Twitter and other areas, to what they are doing around their current policies. It allows them to identify customers that they might want to go after. It will increase their market share and reduce their costs. It gives them the ability to do many more things than they were able to do in the past.

It allows them to identify customers that they might want to go after. It will increase their market share and reduce their costs.

Gardner: And Capgemini is in the position of mastering this platform and being able to extend the value of that platform across multiple clients and business units. Therefore, that reduces the total cost of that technology, but at the same time, you’re going to have access to data across industries, and perhaps across boundaries that individual organizations might not be able to attain.

So there's a value-add here in terms of your penetration into the industry and then being able to come up with the inferences. Tell me a little bit about how the access-to-data benefit works for you?

Martinez: If you take a look at the POC or the use case that he POC was built on, it was built on a commercial insurance risk assessment. If you take a look at the underlying architecture around commercial insurance risk, our goal was to be able to build an architecture that will serve the uses case that HP bought into, but at the same time, flatten out that data model and that architecture to also bring in better customer analytics for commercial insurance risk.

So we’ve flattened out that model and we’ve built the architecture so we could go after additional business, instead of more clients, across not just commercial insurance, but also general insurance. Then, you start building in the customer analytics capability within that underlying architecture and it gives us the ability to go from the insurance market over to the financial services market, as well as into the capital markets area.

Gardner: All the data in one place makes a big difference.

Martinez: It makes a huge difference, absolutely.

Future plans

Gardner: Tell us a bit about the future. We’ve talked about a couple of aspects of the HAVEn suite. Autonomy, Vertica, and Hadoop seem to be on everyone's horizon at some point or another due to scale and efficiencies. Have you already been using Hadoop, or how do expect to get there?

Martinez: We haven’t used Hadoop, but certainly, with its capability, we plan to. I’ve done a number of different strategies and roadmaps in engaging with larger organizations, from American Express to the largest retailer in the world. In every case, they have a lot of issues around how they’re processing the massive amounts of data that are coming into their organization.

When you look at the extract, transform, load (ETL) processes by which they are taking data from systems of record, trying to massage that data and move it into their large databases, they are having issues around load and meeting load windows.

The HAVEn platform, in itself, gives us the ability to leverage Hadoop, maybe take out some of that processing pre-ETL, and then, before we go into the Vertica environment, be able to take out some of that load and make the Vertica even more efficient than it is today, which is one of the biggest selling points of Vertica. It certainly is in our plans.

This is a culture that organizations absolutely have to adopt if they are going to be able to manage the amount of data at the speed at which that data is coming to their organizations.

Gardner: Another announcement here at Discover has been around converged infrastructure, where they’re trying to make the hardware-software efficiency and integration factor come to bear on some of these big-data issues. Have you thought about the deployment platform as well as the software platform?

Martinez: You bet. At the beginning of this interview, we talked about the ability to deliver the right information faster to business. This is a culture that organizations absolutely have to adopt if they are going to be able to manage the amount of data at the speed at which that data is coming to their organizations. To be able to have a partner like HP who is talking about the convergence of software and infrastructure all at the same time to help companies manage this better, is one of the biggest reasons why we're here.

We, as a consulting organization, can provide the consulting services and solutions that are going to help deliver the right information, but without that infrastructure, without that ability to be able to integrate faster and then be able to analyze what's happening out there, it’s a moot point. This is where this partnership is blossoming for us.

Gardner: Before we sign off, Ernie, now that you have gone through this understanding and have developed some insights into the available technologies and made some choices, is there any food for thought for others who might just be beginning to examine how to enter big data, how to create a common platform across multiple types of business activities? What did you not think of before that you wish you had known?

Lessons learned

Martinez: If I look back at lessons learned over the last 60 to 90 days for us within this process, it’s one thing to say that you're mobilizing the team right from the bottom up, meaning from the infrastructure and the partnership with HP, and as well as the top-down with your business needs to finding the right business requirements and then actually building to that solution.

In most cases, we’re dealing with individuals. While we might talk about an entrepreneurial way of delivering solutions into the marketplace, we need to challenge ourselves, and all of the resources that we bring into the organization, to actually have that mentality.

What I’ve learned is that while we have some very good tactical individuals, having that entrepreneurial way of thinking and actually delivering that information is a different mindset altogether. It's about mentoring our resources that we currently have, bringing in that talent that has more of an entrepreneurial way of delivering, and trying to build solutions to go to market into our organization.

Learn more about the HP+Capgemini CIRA Solution

To get a product demonstration, send an email to:

HAVEnAlliancesMarketing@HP.com

I didn’t really think about the impact of our current resources and how it would affect them. We were a little slow as we started the POC. Granted, we did this in 45 days, so that’s the perfectionist coming out in me, but I’d say it did highlight a couple of areas within our own team that we can improve on.

Gardner: So, it’s important to either identify or find a culture of innovation?

Martinez: That's correct.

Gardner: Well, great. I am afraid we’ll have to leave it there. We’ve been talking about how the Capgemini Financial Services Global Business Unit has been entering into a proof-of-concept phase around big data and some of the choices that they have been making. I want to thank our guest, Ernie Martinez, the Business Information Management Head at Capgemini Financial Services Global Business Unit in London. Thank you, Ernie.

Martinez: Thanks, Dana. I appreciate your time.

Gardner: Thank you to our audience as well for joining us for this special new style of IT discussion coming to you directly from the HP Discover 2013 Conference in Barcelona.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored discussions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a sponsored BriefingsDirect podcast on how HP tools are helping companies harness big data to provide better risk assessment. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.

You may also be interested in:

• Big data meets the supply chain — SAP’s Supplier InfoNet and Ariba Network combine to predict supplier risk
• Big data should eclipse cloud as priority for enterprises
• HP Updates HAVEn Big Data Portfolio as Businesses Seek Transformation from More Data and Better Analysis
• Perfecto Mobile goes to cloud-based testing so developers can build the best apps faster
• HP's Project HAVEn rationalizes HP's portfolio while giving businesses a path to total data analysis
• Big data’s big payoff arrives as customer experience insights drive new business advantages
• Fast-changing demands on data centers drive need for uber data center infrastructure management
• How healthcare SaaS provider PointClickCare masters quality and DevOps using cloud ITSM
• HP delivers the IT means for struggling enterprises to remake themselves
• Istanbul-based Finansbank Manages Risk and Security Using HP ArcSight, Server Automation
• HP Access Catalog smooths the way for streamlined deployment of mobile apps
• HP adds new value to Vertica data analytics platform with community marketplace
• HP Vertica General Manager Colin Mahony on the next generation of analytics platforms
• HP Vertica architecture gives massive performance boost to toughest BI queries for Infinity Insurance
• HP Experts analyze and explain the HAVEn big data news from HP Discover