Monday, October 27, 2008

Identity Governance Becomes Must-Do Item on Personnel Management and Security Checklist

Transcript of BriefingsDirect podcast on identity governance and best practices for IT systems access provisioning.

Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, a sponsored podcast discussion about a serious and potentially catastrophic set of issues for many companies. I’m going to be talking about security and risk aversion around personnel, applications, and IT systems. We’re looking at how companies can more properly manage identity information and access rules for the users of applications and systems. We will also develop an understanding of a new class of solutions to this growing problem.

The goal is to work more toward identity governance, a step above simply giving access and privileges, and of getting pro-active in managing access across multiple dimensions in a business.

We use the word “governance” because it helps to develop an appreciation for the large-picture solution of properly provisioning users, giving them the right level of access privilege, and then being able to exercise lowering risk from the people, process, and systems perspective -- a comprehensive control and monitoring capability.

These issues and risks are reinforced these days by the sudden and unexpected financial pressure affecting many banks. There are dislocations, mergers, acquisitions, and most likely significant downsizing. There are a lot of bright people who have access to a lot of very sensitive systems. These are very powerful applications. If there were ever a need for identity governance, this would be it.

To help us better understand these issues and some of the newest solutions around identity governance, we are now joined by two executives from SailPoint Technologies. We’re talking with Mark McClain, the CEO and founder, and also Jackie Gilbert, the vice president of marketing and also a founder at SailPoint Technologies. Welcome to you both.

Mark McClain: Thank you, Dana.

Jackie Gilbert: Thanks, Dana.

Gardner: There was a time, and it doesn't seem that long ago, when folks would get themselves a directory and provision people on and off of IT systems through that. It was fairly straightforward. A limited number of people in IT managed this. But it seems that times have changed fairly rapidly. Mark, help me understand what's different now. Why do we need this more holistic governance approach to identity issues?

McClain: Sure, Dana. That's an accurate representation of where the market has evolved to, or it's continuing to evolve to. Some of this has been around for quite some time. It was probably initially referred to in many peoples' minds as a concept of user management, when we first went to distributed computing, and we had all these challenges of managing a whole bunch of identities on systems that were distributed around the enterprise, as opposed to a single well-maintained mainframe or something like that.

The advent of distributed systems, and, to some degree, the Internet drove us to seek how to secure the open enterprise. That was a challenge, as you said, of a lot of provisioning and de-provisioning of accounts, focused on operational efficiency, because it became a very costly solution in many organizations.

They understood that they had some security risk, but many times, their biggest concern was how much it was costing to manage, and also the very poor quality of service that, in many cases, was being offered to their users and partners. Someone would start with the company and not get everything they need to do their job for a few weeks, which is highly unproductive and quite costly.

But then I think if you look back over most of this decade, back to the turn of the century – it’s still funny to say that phrase – you see a series of issues with breaches. There’s been a series of issues with fraud or potential fraud, everything from Enron to things that happened with other companies where there are questionable practices, and then various clear issues of fraud or criminal activity.

And all of that together has brought about a new focus on privacy, financial oversight, and good governance, which is, in many cases, all related to the management of risk.

It comes down to how we get a good handle on who has access to what in our enterprises -- which critical data and applications are exposed to which people? The better we understand that, the better we can understand the actual potential risks we have in sharing that information or allowing it to go sometimes outside of our four walls.

In many ways, this focus on governance has been driven by those kinds of things. Now, in the current situation, as you just said, there is lots of churn in the financial markets and in the companies that make up those markets, where people are potentially moving inside of companies, changing jobs, lots of potential lay-offs happening.

That's when these issues of good governance, good controls over who has access to which critical information become very, very acute. That's because people are very sensitized to, "Hmm, if I get a disgruntled employee who may reach back and do something negative, do I have people who have been moved around quickly in a state of churn and now they have access to multiple things that they shouldn't?"

It's these segregation of duties challenges. There are lots of issues that we can continue to talk about, but I think it's a well-understood pain-point that's getting more intense all the time as we see kind of more churn and concerns in the markets.

Gilbert: To add to and build on what Mark just said, the other thing that is unique in the current phase we are in, which is all about oversight, audit, risk-management, is that it has created a need for more and more people from the business side of organizations to become involved with identity management – and that has real implications.

When you are just focused on automation and making processes more efficient, that stays within the realm of IT and can be very much a focus for IT tools and technical users. Now, you have executives, boards, and business managers, who are being asked to be accountable and to gauge the risk and the effectiveness of controls around identity.

Those people are being asked to use tools and approve, certify, and deem whether access privileges and the accounts the users hold are correct, and do not place businesses at risk. So, if you think about it, it has actually forced the marriage of business and IT all around this issue of identity governance.

Gardner: I suppose it's not that people are any better or worse than they used to be, but that these systems are extremely powerful. One person with access to some trading applications, for example, can suddenly lose $5 billion. Right?

McClain: Absolutely. As to your comment there about the nature of people, you'd hope that the fundamental moral fiber of the country hasn't declined. But having said that, there are a couple of interesting things that have changed.

One is that the world of hackers has evolved from seeing what they can get away with to prove their technical prowess, and has now really migrated to a fairly significant level of organized-crime involvement.

We've heard stories from companies of their employees being solicited by criminal elements to give up information. There were people getting phone calls saying, "Hey, would you be willing to sell access to your systems for some amount of money? Are you in credit trouble? Are you having financial difficulties?" People are soliciting employees to perform criminal behavior for money, which is a completely new element in the last 5 to 10 years, for sure.

Gilbert: A recent example of that was at Countrywide Financial. There was just some recent news this week about the arrest of a former employee who was actually selling Social Security numbers and mortgage information over a two-year period to the black market. This person admitted, I think, to receiving more than $70,000, by just selling this proprietary information. I think over 45,000 people were compromised that were Countrywide customers, and this isn't an isolated example.

There have been many cases of bank employees selling customer information to collection agencies. So I think what Mark was referring to is that there is actually more temptation and more opportunities to commit fraud now because there is a market for it.

Gardner: So, that means that we need to plug these holes and almost develop the ability to forecast vulnerabilities in advance – and that cuts across a chief security officer (CSO), the IT people, line-of-business people, and the human resources department. So who owns identity governance, if it, in fact, cuts across so many different aspects of a large enterprise?

McClain: It's a good question. I think that's one of the challenges that businesses are wrestling with today. As Jackie pointed out earlier, we saw, when we were focused on the identity provisioning challenges a number of years ago, then it was kind of the help desk and the security group, all within IT, that were wrestling with the problem. Now, you have those constituencies as well as two or three key others.

We now have the auditors, both internal and external, and/or the compliance people who want to have a say, or a seat at the table, to talk about how well we are managing these kinds of access privileges and what risks are involved, when they are not managed well.

You certainly have the business people paying attention now because you have senior management who are highly motivated to avoid being the next headline. They don't want their company showing up out there with Cox Communications, the IRS, Wachovia, and any number of companies like Dupont, which have hit the headlines in the last two or three years with some sort of significant breach related to access.

Business people are very tuned-in to the risk and the potential for fraud, or the potential for abuse – and they are motivated. Your ownership questions are good ones, Dana. This is such a rapidly evolving challenge, but all those people are certainly at the table.

There is a little bit of a hot potato now going on where IT and security groups are saying, "Hey, I am not going to sign up and own this problem entirely, because I don't have the business context to know exactly what does or doesn't represent risk. You business people have to define that for us."

Gardner: It's tough to be responsible for something that you don't have authority over.

McClain: Absolutely.

Gilbert: One of our customers at a financial institution, the vice president of IT, told me that he has become more savvy and is actually pushing back on the lines of business. He said that when the IT auditor comes in and shows a bunch of red ink, he says that his counterpart in the line of business needs to help own and resolve this issue because IT alone really doesn't have the knowledge that it takes to figure out where is the risk and how to mitigate the risk.

Gardner: As we've seen in other aspects of maturing business processes and IT, solutions often involve bringing enough information up to the right people, through management consoles, analysis, and good data. How do we give whoever becomes the owner of this problem, or perhaps those managing a federated approach to the problem, the tools, the visibility, and the comprehensive access that they need to the right information? What is our first step toward the solution here?

McClain: You partially answered your own question, because you used the word "visibility," which we think is one of the three core pillars of this emerging segment of identity governance. It starts first and foremost with visibility. As a business person or even as an IT or control audit person, I can't define and manage the risk in my organization, unless I understand the current state of the union.

So it really does start with answering the fundamental question that most companies wrestle with, which is "Who has access to what?" One of my customers has joked about the fact that on the day you start with the company, you have access to nothing, and on the day you leave, you have access to everything. Quite often, the only person who actually knows all of the access privileges I may have after 15 years at a company is me.

There have been multiple groups I have moved through, multiple help desks, and IT organizations that have been part of granting me access over the years. So, it's quite probable that, literally, only I understand all of the privileges I have as an employee -- and that's a problem.

This problem starts by helping customers understand the criticality of gaining visibility across critical applications and data for who has access to what. We have to be able to correlate and aggregate a lot of technical information. We have to figure out that "D Gardner" and "Dana G" and "Dana_Gardner" are, in fact, the same person, and then correlate all the privileges that you have into a single view, so I can at least start with visibility.

Gilbert: If you think about it, for most Fortune 1000 companies that is a very difficult thing to do – just based on the fact that they have tens of thousands of employees, and hundreds -- maybe even thousands -- of applications that span mainframes, UNIX, Windows, and custom and packaged applications. The more complex and varied the IT is – and the bigger the company is – the more frequent churn of people.

Some industries have 30-percent churn, with people coming in and out of the organization. All that makes this an extremely difficult problem, as Mark said, just getting proper visibility.

Gardner: Are we talking about this problem in a way that we are going to just grab all of this information, data and access information, and then put it all in one big, honking repository to manage it centrally?

Or are we talking about, "Let's leave the access privileges and controls where they are, but elevate the metadata and put that into some sort of a management framework that we can act on"?

McClain: We would say it is the latter. In other words, efforts to completely centralize all of the real-time access control, real-time authorization of who can get to what have almost always failed.

There were a number of projects years ago, where people were going to create one enterprise directory. What you find now is that a lot of the more modern applications do rely on a directory, and that directory has become more standardized and more carefully managed. We would say philosophically that this is really more like a business intelligence (BI) application.

In that sense, I want to leave the operational data in the transactional systems that it belongs to. Yet, I have to be able to pull out of that, aggregate it, and put it into a repository that can be searched and cross-referenced across all the information, so that I can get that visibility.

By the way, a highly related point here is, if I just aggregate and correlate all this information from all the underlying systems – like Jackie said, from the mainframes and directories and Windows and UNIX servers – just getting it in one place is only part of the problem. The other huge part of the problem is giving it the right business context.

That's because one of the dirty, dark secrets today is that governance and compliance have become harder, and auditors have been forcing more frequent and periodic review of the access information. Quarterly or annually, these managers and applications owners need to re-certify who has access to what.

Another dirty secret in the industry right now is that managers and applications owners must sign-off on these reports, but they don't understand them, because those reports are generated out of the IT systems and they are incomprehensible to the business people.

Knowing that Dana has access to "server FQ 93T," doesn't tell me much of anything about what Dana can do. If I can understand that that server actually is the front end to the accounts payable system, then now I know something about whether that's appropriate for Dana to have access to.

A second core pillar that we've spent a lot of time talking to our prospects and customers about is this concept of business context. Not only do they have to aggregate and correlate visibility across everything they do, I, as a customer, need to give it context so I can understand the business risks and the criticality of the information that you can access.

Gilbert: Part of the way that context is accomplished can be as simple as just providing business-friendly descriptors for entitlements. We also use the context of business roles, so that we can take a group of entitlements and assign them to a business role.

For example, a "database administrator in the Austin region" gets these types of privileges. By making that linkage and creating that higher level of abstraction around a role, we can ask people to approve whether "Joe" should be in that particular role. And they are much more likely to understand that than they are just looking at the low-level entitlements, and trying to make an intelligent decision about whether that is appropriate.

Gardner: I’m fairly clear that we have a distinct problem here, and that we are not going to solve it through a central forced march into a single approach or product. And, I understand that the identity governance solution has to be understood in the business context.

I guess what I am not clear about is how we actually go out and get this information, make it visible, get that single view of the employee, and then create the opportunity for execution and action against that information?

Gilbert: As Mark said, it's pretty analogous to BI and even data warehousing or data mining, if you will. Our approach is to take a very lightweight, read-only access to the data. We pull entitlement data and account data from applications and servers throughout the enterprise and we aggregate that into what is basically an entitlement warehouse.

We physically create a common data view of users and their entitlements. What that gives you is not only the visibility in one, single place, but it gives you the business context to better understand it. And it allows us to do some automation of controls and policy enforcement, and some risk assessment. It's amazing the value you can derive, once you get the data all in one place and normalized, so that you can apply all kinds of rules and logic to it.

For example, we can much more easily send and route that information around to the people who need to approve access or review it on a quarterly basis. And, it's all in one place. They’re not getting a single spreadsheet per application. They’re getting it all centralized per employee or per application, however they want to see it.

We can also scan that data, looking for policy violations. A good example of that would be what we call "toxic combinations," such as “you can't have an employee who both has the ability to set up a vendor and pay a vendor.” Those are two different access privileges that together indicate a high potential for fraud. So by combining all the entitlement data into one single database, you can much more easily scan for and detect potential policy violations and also the potential for risk to the business.

Gardner: I suppose carrying on with that analogy about BI, that the same information, those same rules, can be used by a number of different constituencies in the organization, whether it's provisioning, personnel, security, or compliance. It all seems to have a common reach, but a differentiation in terms of how people can then use it.

McClain: Yes, I think that's right. The idea is that once you have defined business roles, once you have defined access policies, these segregated duties, and "toxic" combinations, that's useful information, whether you are doing annual or quarterly re-certification processes, but also when you are taking on a new employee or adding a new partner or something.

You want to be able to refer to those kinds of systems, that data of who has access to what and which are the appropriate policies, what are the appropriate combinations to avoid. So that if I’m going to provision someone, for instance, to a new system, or give them new entitlements, I can check it against that same repository of information on the users and the policies that I care about. I can make sure I’m not creating any problems at the time that I grant access.

Gardner: You can use this identity governance, of course, for prevention and insight. But, it also sounds like it would be very powerful, if we were doing a merger and acquisition (M&A), or if I were forced, tough as it may be, to fire everybody and then re-hire them under a different ownership or structure. Trying to do something like that without this sort of comprehensive information set would be really onerous.

Have you had any customers or use-case scenarios where people have used these ID governance systems to that degree, and what sort of paybacks have they seen?

Gilbert: That's a really good point. In fact, M&A activity is a use-case that we have seen with our customers.

A typical example would be that one bank has just bought another bank, and there is going to be a gradual process of integrating the new bank into the larger bank. During that time, we want to manage the population of users in a very shared way, so that a certain set of people will maintain access to just the old bank and then others will get merged access to the combination of the two banks.

Then, for people who potentially are being laid off or replaced as part of the M&A, we are going to manage them with potential risks in mind. So, we are going to limit their access and we may want to monitor their activity.

We actually provide a tool to segment user populations and then manage them differently in terms of the kind of controls and monitoring that we would allow the company to provide around that M&A acquisition activity.

Gardner: When it comes to implementing something like this, and I believe your product is called SailPoint IdentityIQ 3.0, is this strictly a product approach, or is this professional services and consulting or some level of competency or skill-sets within the organization's combination? I suppose the question is how much of this is actually accomplished by the product, and to what degree is the user company's skill sets required?

McClain: We would love to say you drop it in and it works, but it's not quite that simple. Many times, this is a fairly substantial project, although the ability to get to value quickly is something we've demonstrated with a number of our companies. We work with them to scope an appropriate size project, some limited number of applications or users – to show how the technology can significantly help them with these processes of certification or managing roles or better risk management.

But, quite often there is a fairly significant consulting part of the conversation, because ultimately this is an opportunity to bring these constituencies to the table, sometimes for the first time. The auditors, the application people, and the IT security people sit down and say, "What do we want to accomplish here? How can we best provide good governance, meet our compliance requirements, and manage our risks appropriately?"

So, there is often a very beneficial set of conversations that come out of that. Then, of course, the challenge of our tool, of our software, is to capture those policies, capture those things in the product.

We have definitely seen very significant payback conversations because of the amount of manual effort and money being spent on these projects, particularly the Sarbanes-Oxley related certification projects, where not only can we save the companies a great deal of money – either in "soft" dollars internally or "hard" dollars being served with consultants.

But frankly, one of the things we hear consistently is that SailPoint IdentityIQ 3.0 is a big frustration reducer for the business.

This is a very significant source of pain and frustration in the business community today. Even if it's not purely a financial justification that we are able to give the customer, sometimes their eyes light up with, "Oh, wow, if I could give this to my users (the line of business or the auditors), they would be so much happier doing what they are doing today." So quite often there is a very significant emotional payback, I'll call it, as well as a financial payback in this kind of a solution.

Gardner: Often, risk reduction and security management is a large undertaking that requires organizational and cultural shifts, and that can involve such things as the Information Technology Infrastructure Library (ITIL), and how to re-engineer your processes within the IT department itself. Granted that these are complicated and large undertakings, let's just drill down on the product itself. What does the SailPoint IdentityIQ product do in terms of "picks and shovels" that these other practitioners can put to use?

Gilbert: We've touched on a few of these points before, but a big area we contribute to is in automating some of the types of controls that would be defined by a framework like ITIL, control objectives for information and related technology (COBIT), or some of the frameworks that attempt to say, "Here's a common set of good practices that we've captured, and many of these really involve best practices and business processes for improving security controls."

SailPoint’s automated workflow replaces the manual paper-based quarterly review of access. It provides you with a much more effective set of controls that are predictable, but customizable.

We have one customer who was doing quarterly reviews. They would spend most of the quarter compiling the data, reviewing it, and then manually reconciling it. Then, they would have one or two weeks of a break before they would start the process over again.

So, as Mark said, one of the things that really helps is that we are coming in and replacing something that is painful, onerous, and not very reliable, where people have low confidence. We are replacing that with a set of controls that is much more in line with the sort of recommendations you would see coming out of an ITIL or a COBIT, in terms of how you align controls to reduce risk and how you perform these kinds of activities in a way that is reliable and predictable.


Gardner: Examples often help, but I don’t suppose there are a lot of people jumping up and down saying, "I'm really a high-risk over here!" So, there are not too many companies that you can trot out and say, "Well, we took them from 90 percent risk to 20 percent risk.” But are there any examples of how this has worked, and perhaps some of the paybacks, both business terms and even IT terms of how people have benefited?

Gilbert: A couple of examples come to mind. One of our customers, again a financial services company, went through the first quarterly certification process across dozens of Sarbanes-Oxley relevant applications. In that very first round of review, they detected that, on average, 20 percent of the entitlements for their users were inappropriate and needed to be revoked.

That’s the kind of benefit of oversight you're getting right out of the gate. Once you have the ability to see the data and see it with the right context, you are much more productive at spotting what needs to be taken away and what is inappropriate.

IT audits uncover many of these problems. Another customer was written up by their auditors because they concluded – just based on a sampling – that the access data for the corporation was, on average, only 70 percent accurate, meaning that 30 percent of it was erroneous or incorrect.

These cases are easy to quantify, and you're giving this immediate benefit of data clean-up and removing inappropriate access. We call it entitlement creep, that's our expression for it over time. People transfer, they change jobs, they need temporary access to some system for a project – and it never gets removed.

Part of what you are getting right out of the gate is the ability to say, "Hey, Joe doesn't really need this. He's not even in the accounts-payable department anymore," but he still has all the system access.

Gardner: Have there been any unintended positive consequences from using this? That's to say, for people who have put identity governance in place did they get what they were expecting, but also more? Were there other ancillary payoffs that people have enjoyed?

McClain: That’s an interesting question. I certainly think this idea of happier users is one. IT is so consistently under-appreciated, under-loved, under-paid. When they can provide a tool to the business user that makes the job simpler, faster, easier, especially for something like these audit processes or certification, re-certification processes, that no one looks forward to, I think that's always a win for the IT staff in particular.

I have made something you have to do easier and quicker and less painful. That's quantifiable, but under the given consequence of an improved relationship between IT, security groups, and the users. Also, the relation between internal audit and many of these groups has become fairly combative. You talk to people that have been around IT for years now, and they say, "Look, it's not like we are buddy-buddy with our auditors, but we all were sort of working together, trying to make sure that the company was being well-governed."

We have a few cases that became very combative, with a lot of anger. One person said, "Oh, you mean the ‘A word’" about the group of auditors that they were talking to. What we are finding is that this helps them get back to, "Look, aren't we all trying to accomplish an objective here of better risk management, better governance?"

One of the things that our customers have told us is that they are so focused on just getting through the audit to check the compliance box, people have lost sight of why we were doing this stuff in the first place. Ultimately we're trying to mitigate and manage risk. We’re trying to provide good repeatable processes and good governance, so the right people have the access they need to do their job correctly, and only the access that they need to do their job correctly.

So often, we've gotten away from that. It's become just, "I have to get through this process to check the box, to meet the audit by this date." It's become a must-do that has lost sight of its original objective, in many cases.

Gilbert: You mentioned the culture issue earlier. To be honest with you, we find a lot of people that may be talking about risk management, but inside most IT departments, it is really hard to understand how to put that into action.

Because we give them the ability to begin aggregating the data, doing certifications and revoking and solving policy violations, they can automatically accumulate risk data, allowing them to profile their users by risk. I think people are looking for ways to put a risk-based approach into action. What does that mean to me as an IT practitioner? I think there is a desire to get to that, but there is really a struggle on how to quantify risk, and put risk management into practice.

Gardner: As we’re wrapping up, it's interesting to look at the future. This is a fast-moving space. When we look to identity governance, say two or three years from now, is this a case of the role growing? Is there a larger payback or a productivity benefit, or are we just going to make what we've got in terms of the problem set work better? What does the future hold?

McClain: The one that we've debated around here, that I think might be useful, as there is this acronym that's fairly prevalent out there, GRC (governance, risk management, and compliance). Oracle has a GRC suite, IBM has a GRC suite, SAP has a GRC suite. And we've joked about the fact that if you were to look at that from a chronological standpoint, it should have been CRG instead of GRC. Meaning a lot of the focus for the last few years has been on compliance. How do I either reduce the cost and complexity of it? How do I meet the audits more quickly and effectively, and just this huge focus on getting to the audits and all that stuff.

People would tell you that they have compliance relatively under control now. They are generally passing their audits. They generally are not having big material deficiencies, but they sure would like to take cost out of the process and get away from so much manual work, to more automation.

This risk management, the R of CRG seems to be emerging now as we've talked a lot today. I think senior management is sitting on their perch in the CxO suite. "So, we've spent all this money on security, we're supposedly compliant, why do we still have these breaches?"

Most big companies are still experiencing breaches, most of which don't hit the press, but some do. So, I think they are starting to ask the fundamental question of, "So we are compliant, but we still have risk. We're not managing well. What are we going to do to get better about that?"

Governance, which is I think the focus of our talk today, is in some ways, an umbrella over all that this incorporates and then hopefully moves to just good sound, repeatable, business management of identity and access. How do I place policies? How do I provide a risk matrix, as Jackie was just talking about, that enables me to understand, measure, manage risk?

I think really we are seeing the shift from the C, kind of through the R of GRC. People are just sort of half a foot in the water, half a tail in the water, on the risk management side of it. And, to your point, what does this look like three years from now? I'd like to think a lot of companies are using some risk matrix to address these issues.

They hopefully have compliance well under control. They can pass their audits. They can generate the reports in a timely automated fashion, and they're moving to more sophisticated governance or clarity around the business policies and how those affect the underlying IT systems. So I think it's kind of that progression from the C to R to G, flipping the acronym upside down.

Gardner: Well, great. I have certainly learned quite a bit, and have much better appreciation for why identity governance needs to happen. I have certainly been in cases in my jobs where I've gone from one department or unit to another and I had accessed all those other applications.

McClain: Fortunately you are a high-ethics guy and you didn't view it.

Gardner: Yes, right, I didn’t do anything bad about it but I could see where that's certainly a risk.

McClain: Exactly.

Gardner: Okay, we are talking about identity governance and risk, and how to come to more of a solutions focus around this. We've enjoyed the talk. It’s a sponsored podcast today with Mark McClain, CEO and founder, and Jackie Gilbert, vice president of marketing and founder, at SailPoint Technologies. I want to thank you both.

McClain: Thank you, Dana.

Gilbert: Thank you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time for more in-depth discussions about enterprise software and strategies. Thanks, and bye for now.


Transcript of BriefingsDirect podcast on the identity governance and best practices for IT systems access provisioning. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Friday, October 17, 2008

BriefingsDirect Analysts Discuss IT Winners and Losers in Era of Global Economic Recession

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 31, on the outlook for IT in the face of the economic downturn, recorded October 10, 2008.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsors: Active Endpoints, Hewlett-Packard.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition podcast, Volume 31. This periodic discussion and dissection of IT infrastructure related news events with a panel of industry analysts and guests comes to you with the help of our charter sponsor, Active Endpoints, makers of the ActiveVOS visual orchestration system.

I’m your host and moderator Dana Gardner, principal analyst at Interarbor Solutions, and our panel this week consists of Jim Kobielus, senior analyst of Forrester Research. Welcome, Jim.

Jim Kobielus: Hi, Dana. Hi, everybody.

Gardner: Tony Baer, senior analyst at Ovum. Welcome back, Tony.

Tony Baer: Hey, Dana, good to be here again.

Gardner: And, Dave Linthicum, independent consultant with the Linthicum Group. Is that the correct designation these days, Dave?

Dave Linthicum: That's right. Thanks guys, good to be back.

Gardner: Very good. We’re going to talk primarily today about the burning issue of the moment, and hopefully not for the next 10 years, and that's the financial situation of fairly well-defined panic. We’re not sure why, but there’s certainly a panic at this point in the global markets, and bailouts and other attempts by governments around the world not necessarily helping, so far. We’re coming to you on October 10, 2008.

Hopefully, when you hear this in the next few weeks, things won't seem quite as dire, but we are going to take a pulse of whether this is panic or whether this is a prelude. We’re certainly not going to look at this through the full lens of the economy. We’re not economists, and people will probably think we don't know what we are talking about, but we wouldn't be alone in that category right now.

So, we will focus it on what we do know a little about, and that is the IT sector, the software business, how this will affect IT vendors, users and enterprises.

First, we've heard a couple of different takes on this whole situation. IBM just came out with some fairly encouraging results, 2 percent real top-line growth and 20 percent bottom-line growth. So IBM says, “Not so bad,” HP had similar results and Oracle as well. They’re saying that we’re seeing some bumps in the road, but certainly not a meltdown. On the other hand, companies like SAP and Dell are saying that they’re really feeling it.

For my first question, I want to take this out to Tony Baer. Is this going to be something that drops the tide on all boats in IT? If not, who are the winners and losers likely to be?

Baer: Well, I think the winners are those who are likely to be more diversified into services, services that can help companies harvest more of what they already have. I was actually doing a mental comparison before we got on the call between, for example, IBM and SAP. In other words, why has IBM reported positive results and SAP hasn't. On first blush, they are both global companies, they both have incredible penetration into the Global 2000.

So, part of it is fairly hard to explain, you have to drill down a little bit deeper into SAP’s acquisition of Business Objects, a two-product company. With maybe some exceptions on the Business Objects side, it’s not so much new sales, but essentially maintenance and upgrades to new versions. In a tightening economy, putting in a new version of SAP or NetWeaver is probably a discretionary expense.

Just look at IBM, which, besides the fact that it's much more diversified, has services. The fact is that in an economic situation like this, especially where there are a lot of known unknowns, having a services business is a good way of helping clients to discover new economies. And it's also potentially a much more flexible arrangement than having to put in an upgrade of a new version of SAP software.

Gardner: What I think I hear you saying is that companies that are in the services business, and that have primarily revenue through subscription, might fare better than those who are in a product cycle, where licensing and actual product upgrade, in addition to their maintenance, might be in a situation where people will postpone those upgrades.

Baer: Absolutely!

Gardner: Where does that put Microsoft?

Baer: Good question, because they are in a transition. I just had a fairly detailed briefing with them yesterday on their Software Plus Services strategy and that's clearly where they want to go, and they do have some impressive early wins. But it's obviously still not the majority of their business. In the short-term, I think it's going to hurt their business, because clearly take-up of Vista has pretty well flagged, especially on the corporate side.

Obviously they are trying to cultivate the Software Plus Services side, but that business is still very much early in its cycle. In the long run, it will be a good strategy for Microsoft, but they are so early along that it accounts for a pretty slow proportion of their revenue. In the short-term, Microsoft is more vulnerable.

Gardner: I was at a Red Hat conference earlier this week. Their model is built very much on subscription and support, not on licensing the software. They give it away essentially. They felt pretty confident too that this wasn't going to be a cliff for them. So, I guess that further substantiates our trend.

Jim Kobielus, how do you see this shaping up for IT vendors? Is there going to be a dichotomy between those who have a recurring revenue model around subscriptions, versus those who have a little bit more reliance on software licensing?

Kobielus: By the way, full disclosure, I have a degree in economics from way long ago and I am not going to even try to be dangerous. . . .

Gardner: Well, you might as well, because they don't see what's going on either, right?

Linthicum: There’s an instant CNN gig out there for you, dude.

Gardner: By the way Jim, you are pretty dangerous, so go right ahead.

Kobielus: Okay, I do see in any economic downturn in the things that get cut from corporate budgets, for example, large capital expenditure (CAPEX) projects. That's going to hurt a number of IT vendors in particular niches, for example the hardware vendors, and where it's a discretionary software upgrade purchase. Those are going to feel the crunch.

Ongoing maintenance of existing systems, existing solutions that will relatively weather the storm. In other words, just to keep on keeping on.

So, the business model that open-source companies like Red Hat have established, and likewise, very mature software vendors like SAP and also Business Objects in the business intelligence (BI) space, they will do relatively okay because a large percentage of their revenue is from maintenance and support.

Those who will get hurt are those vendors who rely on new-product sales, especially new product sales that are very much hardware-centric. And where that comes in now ties in with my core focus areas, BI and data warehousing. We see in the data warehousing arena more of a focus on appliances, the hardware-software bundles that are pre-configured and so forth.

So, all the vendors in the data-warehousing space, pretty much all of them have re-geared their entire go-to-market strategy around hardware optimization of their own with turnkey solutions.

How will this economic crunch shake out the data warehousing appliance industry, really the data warehousing market? In any downturn, users, large corporate IT, look to rationalize and streamline their vendor commitments. In other words, they consolidate to a few very large, very strategic vendors. So, the big guys will get bigger and the small, pure-play data-warehousing appliance vendors will be acquired or will vanish.

Gardner: Is that the flight-to-quality kind of effect, do you think?

Kobielus: “Flight-to-quality,” explain that Dana?

Gardner: Well, you are not sure about where vendors might be and you might want to have one throat to choke, a bit more opportunity to deal with them, and that they can bargain with you because they want your long-term business. They are in a more powerful position and so quality, not unnecessarily the buy side but on the sell side, makes some sense.

Kobielus: Okay, yes, it's very much the phenomenon. They are the dynamic in play here. I think that the larger data-warehousing vendors will do relatively okay, especially those who are well-established and have a substantial amount of maintenance and support revenue themselves. I’m talking about the likes of Teradata and Oracle and IBM and a few others.

But, right now, with the data warehousing and BI vendors, every time I talk to them, I ask them, “Okay, a substantial proportion of your business is in the financial services vertical. How are you feeling? Are you seeing any softness in demand for your solutions?” And pretty much uniformly, they say, “Well, so far so good. We’re not really seeing a huge cut back in orders, or even any substantial delays in placement of orders that were expected,” but everybody is sort of bracing for the worst.

Gardner: Alright, so what I heard from you is that there is certainly a benefit of subscription, but there are also certain niches within IT that are specialized and that are hot right now, like BI and warehousing, that adds such a competitive advantage that they are probably going to continue to invest there.

Let’s look at this not necessarily just through the selling but on the buy side, those people who are in IT shops. Let's go to Dave Linthicum. You have been in the situation of specifying and buying. About 70-80 percent of these budgets are already locked into maintenance, not a lot of discretionary spending. What kind of pressure do you think they are going to feel?

Linthicum: They are going to feel a lot of pressure with anything that can be cut in the short-term. It's really going to be more that there is so much stress in there, instead of just definite cutting, just tactical pulling of expenses. They are looking to morph the way in which they consume IT. I just did a survey yesterday. I basically talked about the economic downturn and their plans to implement strategic technology into their enterprise. And everybody came back with, it's going to increase in interest but decrease in cost.

In other words, people are going to move into more efficient technologies. They are going to look at a little bit more at cloud computing and other ways to save money and start moving aggressively in those directions.

I think IT and some of the IT leadership were just waiting for an excuse to drive in this unfamiliar, risky area. If their budgets are sliced, they still have the responsibility for doing very intense IT business processing, and they are looking for new innovative ways to do that. That's inclusive of cloud computing and services-oriented architecture (SOA).

I don’t know if you looked at the SOA market just in terms of services, but it seems to be exploding right now. I’m not sure about the adoption of technology and the selling of technology. That may be an after effect, after all of these SOAs start taking more strategic positions within these enterprises. It's definitely a game changer right now. I’m not sure if it's positive or negative, but it's changing the game.

Gardner: When we look at how these organizations, these enterprises will move to, as you say risky, unproven, or just innovative new ways. What aspects of IT do you think they are going to be more willing to offload to a cloud first? Clearly, there is going to be too much risk in some areas and acceptable risk in others. Where do you think we are first going to start to see business activities and IT functional sets and applications offloaded -- just because it's so much cheaper to do it that way?

Linthicum: I think it's initially going to be the office-automation technologies, moving to more of the lighter-weight processes, and then moving to more of the heavy-weight processes.

Gardner: Can you be more specific on an application-by-application basis?

Linthicum: Yeah. Instead of having a huge Microsoft infrastructure just for e-mail and calendar-sharing in groupware, and those sorts of things, moving to things that are in the cloud. This is obviously Google, but there is also a ton of other guys that are offering some pretty good technology -- information-sharing using similar infrastructure. They’ll start outsourcing that, versus maintaining all these data centers that are just dealing with e-mail and communication between people within the company.

Gardner: Sure, there are plenty of hosted Exchange too. Even if you don’t want to move from Microsoft, you can go off-premises.

Linthicum: You can go off-premises with lots of stuff and the cost is always cheaper, and also it allows you to upgrade and innovate into new technological areas you haven’t driven before.

Next, would be tactical, software-as-a-service (SaaS) applications. Take some of the HR processing, which is driven by some kind of in-house system in the data center, and outsource that to the dozen or so SaaS vendors who are offering HR processing. That's kind of a light-weight business process.

Then, the next generation is even more risky, and I don’t see a ton of guys doing that initially. It involves some of the core business processes, and getting into an SOA kind of an initiative. Re-automating those, but also outsourcing a tremendous number that haven’t been done before for the primary reason of cost saving.

Gardner: I think I’m hearing from Dave here that not only we are now going to make baby steps towards significant innovation, but the economic pressure that's going to come down on CIOs and IT departments forces them more towards that transformational level of change. So, that could include a lot more SOA, a lot more virtualization, internal on-premises cloud infrastructures, and so on.

Jim or Tony, how do you feel about the possibility that more economic pressure is actually a catalyst towards transformation rather than iterative change?

Kobielus: You mentioned my name first so I’ll respond first and I’ll be brief, so Mr. Tony can go right after me. I see definitely the economic downturn is going to expand the footprint, as it were, for the cloud in data warehousing, where data warehouses are becoming ever larger in the hundreds of terabytes and now into the petabyte.

I’m seeing an upsurge in the number of start-ups and data warehousing vendors that now have cloud based offerings. For example Vertica and Oracle now support databases that can run in the Amazon EC2. There are other vendors, like 1010data, that are very much pure plays in the fact that they only operate in the cloud and they are very highly scalable, share nothing, and parallel process.

There are, of course, SaaS-based offerings on a subscription basis. In other words, where there is a capital expenditure crunch or a budget crunch, and users can’t afford to pay the millions of dollars to bring one of these petabyte-scale data warehouses in house, they are going to go outside to the likes of a 1010data or using Amazon EC2 to aggregate, persist these huge datasets.

They can do very complex analyses and also run a greater degree of their data mining and predictive analytics algorithms in that very cloud. It just saves them money, and it's not a huge capital expenditure. It's a pay-as-you-go kind of thing. I think that's going to be the trend and those vendors who are already out there could be the major beneficiaries of this current economic crunch.

Gardner: So, that might mean if you are going to go to market, you want to have a cloud avenue for your go-to-market activities in addition to on-premises, or even say an open-source support model, right?

Kobielus: Yes, for sure.

Gardner: Tony, what's your take on the possibility of harsh economic times as actually a catalyst towards the increased transformation?

Baer: Well, I am going to pair a couple of words that would otherwise seem like an oxymoron, which is tactical transformation. In times like these, obviously you have changing economic conditions, changing in a very unpredictable manner. On the other hand, the financial crunch and the credit crunch is going to restrict the amount of resources you have at your disposal. So, you’re basically going to look very opportunistically. You are going to look at, let's say, the low-hanging fruit that will give you the greatest gain in savings or a way to respond to the market in a more agile manner.

That will be very much in the way that Dave and Jim mentioned, which is that you will be taking advantage of specific services in the cloud. You won’t necessarily do a global top down or enterprise-architectural SOA transformation, if you haven't done SOA already. But, opportunistically, if you are trying to take advantage of some of these cloud-based services to start doing mining on a more massive scale, at the same time trying to lower your risk, it will require certain applications or data source that you may have. You may need to conduct a transformation, where you will implement more flexible architectures, data SOA architecture.

But you will do it opportunistically in these tactical areas, where you can take advantage of services in the cloud that give you the advantages of the transformation to solve the problem you need to deal with, and at the same time, minimizing your risk.

Gardner: So, they are going to be looking for innovation without a big CAPEX, and if they can do that at the same time they are shutting down their own high-cost, high-labor applications in data centers that will be particularly attractive.

Baer: Or put it another way, “Capital, what capital?”

Gardner: Remember, not all companies are like banks. They have cash on hand, or they have ability to raise capital in a variety of different ways, rather than just going to a bank. So, we don't need to lump all these different types of enterprises into just the financial crisis problem.

Baer: Agreed. It's not to say that capital is totally shut-off, but the fact is that it's going to be rationed and a lot more carefully. I was just reading the advice that all these VCs are reading, and what they are saying is that if you have capital, find ways of stretching it.

Gardner: Save more cash, hold your cash basically. Speaking of verticals, let's look at this now through the lens of verticals, which verticals will do well and which will not.

My first take on this is that the government vertical is actually going to explode and might even start going down this road towards transformation in a much more significant way. Now, we can't read the tea leaves entirely on the economy, but politically we do start to see quite a momentum around the Democratic ticket and potentially a substantial majority for Democrats in Congress. They have put down platforms that include significant investments in such things as energy, healthcare, and of course they are going to need to transform how the government and the financial sector work together to calm the markets down.

On the other hand, some verticals that don't look good include retail and manufacturing. The auto industry is getting whacked. So, as IT spending is sliced and diced according to vertical, do we get a net-net up, down, or flat, when we look across verticals? I want to take a look at that. Dave Linthicum.

Linthicum: Yeah, it’s great living in Washington DC, let me tell you, because I think no matter where this thing goes, there is going to be full employment. The housing prices have actually crept up.

I think that you’re absolutely right. People are going to look to government to solve some of these issues and bureaucratic changes are going to be built here in different divisions, and people are going to have oversight of the financial industry.

If the Democratic administration comes in, there is going to be more civilian spending, and there is going to be probably a little shift from the spending in the Department of Defense on the military side.

So, this area is going to be explosive yet again, based on some things that are occurring and based on the government taking power in particular industries that they think they can be helpful in taking power. You can argue whether that's a good thing or a bad thing, but you are definitely going to see a lot of job shifts as things shift to that vertical.

The retail space is going to suffer tremendously. They already have very narrow razor-thin margins. I think we are going to see a lot of the larger retailers suffer and perhaps go away. I think healthcare is going to remain fairly static, and I think some of their costs may be reduced. As they start moving into more of a socialized medicine, if the Democrats take it there, there is going to be some big shifts there.

Believe it or not, even though you are moving into a healthcare-for-everyone kind of an environment, you are going to see that actually cost probably will go up, as a bureaucracy is put in place to maintain and administer that.

Finance is obviously going to be killed for a long time, especially the banking industry. That's going to be an area that isn't going to recover very quickly from what's going on right now, but I think that manufacturing ultimately will recover and we are going to see some good growth in the year 2009-2010.

Gardner: Why do you see manufacturing as doing okay?

Linthicum: Because, the need for products worldwide is down right now, because people don't have the capital or access to the credit to make that happen. However, they are going to continue to have to replace airplanes, factory equipment, those sorts of things. It's just going to be a pent-up demand, and I think that's going to basically get unleashed in 2009-2010.

You’re going to see the large durable goods, large manufacturing kind of systems. People are going to just spend money on that area and that's going to be a worldwide driven thing. It's not going to be just driven from the United States.

Gardner: Great. Jim Kobielus, you mentioned earlier that you saw financial organizations buying data warehousing services and solutions as sort of still growing, if not at the same rate. I'd like to have your take on the financial sector alone. Sure, there’s lots of turmoil, lots of contraction, but that doesn't necessarily mean you can shut off your IT systems. Mergers and acquisitions, consolidation sometimes can have a short-to-medium increase in IT requirement.

Kobielus: Right, and one of the things, Dana, that occurred to me is that the financial vertical and the government vertical are becoming overlapped. There is a degree of nationalization already that's taking place. The government is taking back Fannie Mae and Freddie Mac. I think they have taken over AIG, but all around the world, you hear governments, especially in Europe saying, “Hey, we need to re-nationalize or, to some degree, exert tighter control over the financial vertical.” I think this is everywhere in the world.

What we’re already seeing is that the government vertical, as they have indicated, will continue to grow, because it's going to exercise much greater oversight and equity positions within the financial vertical. I think the early part of this decade is a prelude to what we’re going to see in even greater abundance in the next 10 years.

After the whole Enron fiasco, with Sarbanes-Oxley and so forth, we saw the growth of this market and this technology called governance, risk management, and compliance (GRC) to exert tighter control over the financials of private enterprise, and bring greater transparency.

I think we are going to see now, the government exert ever tighter GRC reins over the financial sector, to a degree unprecedented, because we now have government actually owning or controlling a number of the key firms in that space. So, the whole GRC sector is in an embryonic stage. There are a number of vendors like SAP and Oracle who have taken sort of a leading-edge position in that area. That will expand greatly, and we are going to see more of these risk dashboards and controls being implemented in the context of BI and the data warehousing investments that enterprises have already made.

In terms of the horizontals, the GRC sector will come into its own, and it will be primarily the driver. There will be the financials, and then it will be around the world. All governments will enforce the use of this kind of technology.

Gardner: Right, and at a higher abstraction, that really means governance, and as much as internal governance it's perhaps governance from the extended enterprise sense, where there is going to be governance that crosses organizational boundaries. That's not going to be done with folks holding clipboards. That's going to be largely automated.

It’s going to have to be enforced through policies and rules and governance engines, it sounds an awful lot like SOA, but we are not going to apply the infrastructure we have developed for SOA. Just like services, we can apply it across a multitude of different business processes and activities in order to satisfy what you are talking about.

Baer: This reminds me of something I heard from Microsoft this week. I was in Seattle at their BI conference, and they were talking about how Microsoft internally is using their own BI tools and stack. They described a number of roles -- like marketing, sales, and finance -- and how they use BI. Then, I asked the person, “Okay, your CEO, Steve Ballmer, obviously uses BI, but does he have a risk dashboard or a compliance dashboard or tools?”

Clearly, Microsoft is under a number of legal and regulatory mandates, compliance and so forth, and the people from Microsoft couldn’t answer that question immediately. They weren't really quite sure what's on Steve's dashboard.

In three years time, every CEO in the world will have a GRC dashboard that tells them on any given day the hoops they need to jump through to satisfy the regulators, I think that's coming fairly soon.

Gardner: Not just regulators, but the market doesn’t want to be caught unaware, as we apparently have been with this meltdown. In the future, they are going to want to know not just what they have to do to comply, but what the unknown risks are in terms of how the markets themselves are behaving.

Let's go to Tony Baer. Tony, what's your take on the opportunity for governance infrastructure to move beyond SOA, and is the new environment for business a growth area for SOA governance infrastructure?

Baer: Yeah, big time. I was talking before about these opportunistic areas. In the case of governance, I don't know if I would call it “opportunistic,” but it is an area in which you do not have an option as to whether you comply or not. Therefore, the only economic way to provide all the information and to do all the audits without having to rip apart all of your existing back-end infrastructure is through a services layer on top of all that.

Maybe I can come up with a cheap buzzword here, a buzz-line or a tag-line, such as “Son of SOX,” for what's going to become a changing regulatory environment. You’ll need a governance layer that can contend with changes in this moving target.

Obviously, the only feasible way, from an architectural standpoint, to deal with that is do a flexible architecture, and that's essentially what a SOA is.

I very much agree with Dave and with Jim in terms of what are likely to be the growth sectors, but there are a couple of extra points I want to plug in there. This ties in with this question. The financial industry itself will not be a growth sector over the next few years, it will be very much a consolidating sector, but guess what, as you consolidate, you need to invest in consolidation.

Imagine all these huge mergers going on. Wells Fargo just finally got the agreement to acquire Wachovia, but of course there will be some litigation from Citibank. Also, Bank of America acquired Merrill and there’s the whole reorganization of Wall Street, from investment banks into banking institutions.

The fact is, there is going to be a lot of transformation going on, and it's not transformation to support a growing business. It's transformation to support a changing business. There will be a lot of investment there, in addition to whatever investment will be necessary to deal with the new governance risks in compliance requirements.

Another area -- and I wanted to slip this in because it's nothing intuitive -- but if you look back at past history during economic downturns, and I hate to use the 'D' word but back in the depression, and I hope we are not heading into one, what area boomed during that era? Hollywood, the film industry. People were going out to the movies for cheap thrills.

In today's environment, the equivalent of that is, if you already have an Xbox 360 out there, you are going to be buying more games. Those are cheap thrills. It's going to be cheaper than going out and buying a new HDTV or going out to Six Flags.

Gardner: That's interesting. We haven't talked about one sector, and that is the Entertainment/Web 2.0/Internet. We’ve seen some downturn in advertising, including Internet advertising, but is there an opportunity for buying a $3 movie and downloading it, a $2 song, a $3 game? How might our Internet/Media/Entertainment economy fare and will it be sliced and diced between those who depend on advertising and those who are not?

Baer: Very much so. The only downward pressure on this would be downward pressure on households to cut expenses and, if they consider that broadband is a discretionary expense, that would be the ceiling there. My sense though is that today to participate in the modern economy, broadband is becoming a necessity.

Gardner: Yeah, it's a utility. It’s like water, electricity. It's one of the last things that will go, right?

Gardner: My mother is 93, and I finally got her to get broadband. So we won’t give it up.

Kobielus: I have to jump in here and be dangerous one more time. I have another degree in Journalism and I was primarily a student of the mass media. If you look at the depression of the 1930s, historians and people who lived through the period talk about, what kept them company, in the dust bowl or wherever when they didn't have a job. It was the radio, which had been introduced in the previous decade.

Now, if gosh forbid, we have something similar coming up in the teens of this decade, what is the new radio? It's the Web. And so, who are the new entertainers? Well, actually in many ways it will be each other. I mean, through the whole Web 2.0 user-generated content paradigm. If you think about it, that's cheap entertainment, because it's generated for free and there is an unlimited supply of it available over some pipe that you've got coming into your home.

Gardner: I'd like to point out that this podcast is coming to you completely free. Continue.

Kobielus: And we are free to say what we want on this podcast.

Gardner: Does anybody else have some thoughts out there on the impact on Internet and startups? What's the impact with startups? We have seen this slide deck from Sequoia Capital saying “batten down the hatches, no discretionary spending, hoard your cash.” Is this the VCs overreacting, because it's their pool of money that's at stake, or are there actually opportunities beyond what they are saying in these dire predictions?

Linthicum: There are huge opportunities out there. If you saw my column I did in SOA World Magazine, I think this is a great time to do a startup.

Number one, VCs be damned at this point. You don't need their money at all, just some angel investors to invest in some very minute infrastructure. With cloud computing out there and the number of things you can do from a marketing, application developer's, and outsourcing perspective, you can basically get a technology company up and running -- and profitable -- probably for the least real cost we've seen in years. It's a great time for people who are innovative, able, and resourceful to get out there and start technology companies.

There are two types of companies out there right now. There seemed to be the big behemoths that are very slow and cumbersome and strategically challenged, even though they are making a lot of money and grabbing a large share of the market. Then, there are the old maids and basically a lot of small startups that just haven't been able to get acquired to do their exits.

Now is a great time for small innovative new startups to get out there and help create new spaces, such as Web 2.0, and I think there are a number of SOA problems that need solving as well. I'd love to see some startups get out there and take those problems on.

Gardner: So, unintended consequence of the VCs contracting might be laying off a bunch of engineers and entrepreneurs. They'll go out there and say, “Okay, what am I going to do, sit in my garage and cry or am I going to look for platform-as-a-service (PaaS) providers and cloud providers that will allow me to develop a whole new set of applications on the cheap that I could put on my credit card. Then, I only pay for infrastructure as I need it and as I can create a business model?”

Linthicum: Yeah, one of the things I would love to see come out of this whole mess that we are in right now is some of the Sarbanes-Oxley stuff contracting a bit. Quite frankly, a lot of the startups out there are unable to do any kind of exit other than acquisitions. You have no chance to take anything public. It's economically not viable for you to do so, because of the cost of maintaining the regulations around the whole publicly traded company opportunity.

I would love to see the government reopen that market a bit and make it much easier for startups that are profitable, that have a good track record and good technology to get access to the public marketplaces. Right now, they have to keep going back to the venture capital community. In many instances, those guys are strategically challenged. They are not focused on a particular industry, they are basically just focused on investment. That's going to be difficult going forward.

Gardner: So in the ‘30s, we had the Works Progress Administration (WPA), which got people out there with shovels -- and my grandfather was one of them -- moving stuff around in the city in order to create works. Perhaps with an Internet Public Assistance Program, we can let the government be the seed and even steer them towards solutions of the government’s needs.

Now, the government wants to hire investment bankers to solve the problem that investment bankers created, but perhaps there is an opportunity for technologists to be brought in to solve some of these problems too.

Linthicum: Absolutely. What if a couple of the billions of dollars we are pumping back into the banks just went off to assist organizations and start-up companies around the technology space? I think there would be a huge boom in the area, and it would create jobs and be profitable fairly quickly.

I think some of them would probably go away, but overall, I think that it would have a positive effect on the economy. If you think about 1999, we were doing so well, because of the innovations around the Internet technology and other things that were booming. I think we are able to do that again, but we are just putting so many regulations, so much bureaucracy out there, that it makes it very difficult for the upstarts to get going.

Gardner: One little subset on this media discussion would be the press. Jim Kobielus, press has been under a tremendous amount of pressure lately. How are folks like Sam Zell going to fare on their traditional media, as advertising dries up, going to the Internet, seeing appreciable advertising business uptake there. It seems to me they are in the dead-end situation.

Kobielus: There is an ongoing crunch in the whole media sector that continues to ripple and ripple. It forces people out of being full-time journalists. So, it's not a happy thing. There was a Doonesbury cartoon recently in which Rick Redfern had been forcibly retired from the Washington Post. He was told, “Go and be a blogger!” He said, “Yeah, I will be one of a trillion bloggers out there.” “Well, you have a special differentiation. You are ex-Washington Post.”

Everybody is going to be from the journalism space, and even publishers are going to be “ex-journalists.” They have to find some next stage in their career, and I think a lot of smart people are going to become, as Dave indicates, entrepreneurs, but who will be self-funded from whatever remaining savings they have. It's not going to be a happy thing until the credit crunch eases.

Gardner: We only have a few more minutes. Let's look at some other potentially unintended consequences of all this.

If technology company stocks plummet some more, we might see some interesting things there. Somebody floated the idea that Sun Microsystems might just take its cash and buy itself out when its stock is trading at $5 -- and that was a stock that had a reverse four-way split. So it's down like a buck and change from what it was a few years ago.

Also RIM, still a strong company, potentially for a takeover, is looking back to the buy side. What sort of interesting unintended consequences might we see among the vendors? Any thoughts?

Kobielus: I have no thoughts. Guys?

Linthicum: Just from your first point, I think you’re going to see some guys who are going to buy themselves off from the market for now, and I can't blame them.

If I were CEO of a publicly traded company, and my stock price was below my market capital, with cash in the bank -- where some of them are -- I’d get off the market quick, because it's a good deal.

Gardner: Absolutely.

Kobielus: I think we've talked in a previous podcast about the upsurge of private investing, of companies going private. I think the difference this time will be that if companies are going to go private, they are going to have to basically bootstrap it. They are not going to be able to get a Silver Lake or anybody like that in the short-term.

Gardner: So a takeaway might be, if you can ride this out for two or three years, there is a buying opportunity, even buying yourself.

Kobielus: Right, if you get cheap enough. The other dividend of all that is once you go private, of course, you don't have to worry about all the GRC.

Gardner: One other subject that we haven't talked about is the analysis business. Is this an opportunity for people that need to know more about what's going on, and are folks like us going to be okay? Any thoughts?

Baer: Folks like us. Yeah. I think everybody is becoming an analyst. There is a whole blogosphere. Everybody in the blogosphere, to some degree, is an analyst. So, we’re going to be okay in the sense that we can still do analysis to our hearts' delight for free, if we so choose.

In terms of making a living on it, I think more-and-more analysts need to be half analyst, half consultant, doing projects for those who will pay us to actually show up and attend to only their needs and help them out with projects and also to make sense of what's going on in the space.

In any good time or bad time, analysts are essentially like reporters or journalists. We not only are in the industry, but we are in a sense above the industry, surveying what's going on and reporting to everybody else what we can see in terms of broad patterns and trends.

So I think there is a greater requirement on analysts to come in and offer reassurances or to tell people, “Okay, this strategy that you have been taking is not going to pan out. You better jump ship and try something different.”

Gardner: So changes are growth engines.

Kobielus: Yeah, and from that standpoint, it basically supplements the fact that there is going to be a decline in the journalist population, essentially a migration towards the extremes, which is on one hand journalism -- and this is not a development I’m very happy to see -- is that, as the financial base and the business model for journalism businesses is evaporating at this point, you are seeing more-and-more citizen journalists taking up more of the load. People are reading more blogs. They are not buying newspapers.

On the other end, it will create an appetite, and it will create a demand for people who are above the level of citizen blogger to say, “I have some professional credentials, and I can provide you some value-added analysis on your positions, so that you can essentially improve the competitiveness of your business.”

Gardner: Traditional and trade media will contract, which opens up a vacuum that can be filled by the expert-blogger function.

Kobielus: Right, expert blogger, but also the fact is that you get what you pay for. If you are a business and you are trying to improve your chance of surviving the market, you are going to work with key experts, key thought leaders out there, and you will pay for that.

It's not to say this is an infinite market for analysts. The business model for analyst firms is going through some stresses. Especially when you take a look at blogging. A lot of analyst firms have really not adapted to the blogosphere very well, or the more rapid flow of information.

So, even though I think there will continue to be a need for analysis and for paid analysis, the analyst industry or the analyst-firm industry needs to adapt to the new world of faster more instantaneous communications.

Gardner: Well, great. We've had a well-rounded discussion about the situation. We found some bright spots and some counter-cyclical possible growth areas within this sad situation we find ourselves in. But, as we exit I want to go around the panel and on a 1-to-10 scale, with 10 being flush, financial nirvana, and 1 being a dead-pool bankruptcy, where on a scale of 1 to 10 at a median level will the software business be in a year from now? Let's start with you, Jim Kobielus.

Kobielus: I give it 5, straight down in the middle. I am trying not to lean towards either the manic or the depressive ends of the spectrum here. I think that some will do quite well and some will not. It's just a matter of taking a deep breath and recognizing that the economy goes through cycles, and the economy occasionally goes through panics -- the banking panics of the early 1900s and the late 1800s. We are sort of in the middle of one right now, which is an interesting phenomenon. I say interesting in the old Chinese sense of may you live through interesting times.

This has been a harsh decade. We started off with a tech-crunch and we are going to end with a tech-crunch, and a financial crunch, and it's going to take some time to sort it through, so just breathe easy.

Gardner: Tony Baer, 1 to 10, software industry.

Baer: Well, I'll give it 4, only because there are different headwinds on this go around. On the positive side, as Dave was mentioning before, the fact is that the barriers to entry are so much lower. So, if you can take advantage of the cloud, you can start in your own garage, and essentially marshal resources for very little cost. Basically, if you can sustain yourself and live close to the ground for the next two or three years, you and many others who are taking advantage of platform-as-a-service will have a whole new generation of solutions that will be ready for the next uptake.

Gardner: Dave Linthicum.

Linthicum: I am going to say 7.5. There are huge opportunities for the innovative and resourceful few out there in the market space. I think that technology shift, moving to higher regulations, you’ve got this “mother of all Sarbanes-Oxley” coming. Everybody is going to need folks in there to re-architect and re-automate and re-cast these businesses.

Then I think there is going to be some upside in the future. Every cloud has a silver lining and those who are smart out there can certainly find the silver linings in this cloud. I think IT is going to stumble a bit, but a lot more innovation is going to come into play, and people are going to use the cost-reduction capabilities, become a little bit more modernized and innovative in moving to cloud computing and SOA. All that stuff is going to accelerate tremendously in the next couple of years.

Gardner: I am going to go with 6.5. I agree that this is a transformation period, not just a contraction. I think this is going to necessitate a lot of the things that people have been working towards, but accelerate that, and force them to cut bait on the old stuff that doesn't work and adopt the new stuff that does. So, I’m fairly bullish on IT, but with a lot of spottiness. There are going to be some pockets of certain failure and the ability in people to move among and between those is what's going to become essential.

I want to thank our panel for a very interesting discussion about the IT sector in this economic maelstrom.

We have been talking with Jim Kobielus, senior analyst of Forrester Research. Thanks, Jim.

Kobielus: Thank you. It was great!

Gardner: Tony Baer, senior analyst at Ovum. Thank you, sir.

Baer: Hey, thanks, Dana!

Gardner: Dave Linthicum, independent consultant with Linthicum Group. Thank you.

Linthicum: Thank you!

Gardner: I also want to thank our sponsor, the charter sponsor for the BriefingsDirect Analyst Insights Edition is Active Endpoints, makers of the ActiveVOS visual orchestration system. I am Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsors: Active Endpoints, Hewlett-Packard.

Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.

Transcript of BriefingsDirect podcast on the outlook for IT in the face of the economic downturn. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.

Friday, October 03, 2008

BriefingsDirect Insights Analysts Examine HP-Oracle Exadata Release, Extreme BI, Virtualization and Cloud Computing Trends

Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 30, on Exadata, extreme BI and cloud computing, recorded Sept. 26, 2008 from Oracle OpenWorld in San Francisco.


Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition, Vol. 30. This periodic discussion and dissection of IT infrastructure-related news and events, with a panel of industry analysts and guests, comes to you with the help of our sponsors, charter sponsor Active Endpoints, maker of the ActiveVOS visual orchestration system, and also Hewlett-Packard via the HP Live! Podcast Series.

I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions. Our panel this week consists of Joe McKendrick, an independent analyst and prolific blogger on SOA and BI topics. Hi, Joe!

Joe McKendrick: Hi, Dana, glad to be here.

Gardner: We are also joined by Brad Shimmin, a principal analyst at Current Analysis. Hey, Brad!

Brad Shimmin: Hi, Dana, thanks for having me.

Gardner: Jim Kobielus joins us. He's a blogger and senior analyst at Forrester Research. Hello, Jim!

Jim Kobielus: Hey, Dana, and Hi, everybody!

Gardner: And Dave Linthicum, blogger, independent consultant, joins us this week. Thanks for coming, Dave.

Dave Linthicum: Thanks, Dana, thanks for having me back.

Gardner: We are going to be talking about the news of the week of Sept. 22, 2008. We'll be looking at the HP-Oracle announcements and other news made here at Oracle OpenWorld. We'll be talking about cloud computing and the notion of "on-premises" or "private clouds," and how data portability might actually work among and between different clouds -- both "public," if you will, and "private." We'll look at recent virtualization news from VMware, HP, Red Hat and Citrix.

An Exadata 'Shocker' ...

Let's start our show this week with Jim Kobielus. Jim, you and I are both here at the Oracle OpenWorld. We had an unusual announcement around optimization between hardware and software from Oracle, which has traditionally been a software-only company.

Oracle and HP introduced two Exadata products. I wonder if you could fill in our audience on what Oracle did this week.

Kobielus: Yes, this week Oracle announced the release, in partnership with HP, of a very high-end data warehousing appliance. They may not use the word "appliance," but that's in fact what it is. It's a configured and optimized bundle of hardware and software, with database storage, so it meets very high-end data warehousing requirements. It's called the HP Oracle Database Machine.

It encompasses and includes the HP Oracle Exadata Storage Server, which is a grid storage level server. One of the key differentiators on that storage approach is that it puts the query processing in the storage subsystem. As a result, it can greatly speed up the processing of very complex analytics. What Oracle and HP have essentially done is take a page from the Netezza book, because that is, of course, the feature of the Netezza performance system. [Netezza] has an appliance that they accelerate your data models through by putting this whole processing back close to storage. But the HP Oracle release does much more than simply taking the page out of that Netezza book.

What they did essentially is they also shot across Teradata's bow, because this is Oracle's petabytes-scale, data warehousing-solution platform. The HP Oracle Database Machine that they demonstrated at the show definitely screams. And it can scale -- Oracle says that it can scale with almost no limits, and that remains to be seen.

But it can definitely go to a much higher scale in terms of capacity than the current Oracle Optimized Warehouses that they have already begun to ship with HP and a variety of other hardware partners. The Oracle Optimized Warehouses max out at several hundred terabytes. And, as I said, the HP Oracle Database Machine can go well beyond that.

This is a shot both across Teradata's bow and across Netezza's. And Oracle Chairman and CEO Larry Ellison from the stage directly honed in on both of those competitors by name.

It was classic Ellison, a very well put together presentation. But quite frankly when you begin to analyze the various claims he made, they don't all hold up. Or rather, he is presenting a lot of the Oracle-specific differentiation. Yet they were very impressive.

Gardner: This is a significant departure for Oracle and HP on several different levels. On one hand, we have a combined hardware-software product from two different vendors. We also have a new parallelization process, with their architectural design, where the database and the storage are very close. The processing can take advantage of massively parallel processing. We also have the fat pipes in the form of InfiniBand connections.

So we have an architectural departure. We have a hardware-software departure, and we also have this interesting alliance between HP and Oracle, making and selling a product together. How does this all strike you, Brad Shimmin?

Shimmin: Well, I was shocked, shocked, absolutely simply shocked. This is because historically Oracle has strayed so far away from the appliance market. It's been surprising to me on a number of occasions when I have spoken with them about acquisitions. Actually they made one acquisition earlier this year, they acquired a company that had an appliance that was very successful, and they chose to simply kill it outright because they “did not want to play in the space.”

With that said, I am glad to see this happening. I really am, and I think that HP is a good partner with them because I don't feel that the two companies really bumped into one another in terms of Oracle's core constituency. So I think it's a good play all around, and I am glad to see Oracle finally getting into this. Now if only they would release parts of their middleware as an appliance, I would be very happy.

Kobielus: And, in fact, Brad, Larry Ellison indicated that they seem to have some plans for that. They really resisted details -- but they seem to have some plans to "appliance-ize," if that's the word, more and more the Oracle Fusion Middleware stack.

Shimmin: There are other quite prominent middleware stack players that are moving to appliances, as well. I can't mention their names but the use of appliances seems to be of great interest to more vendors.

Gardner: I have also been picking up on this interest in the appliance business. IBM has been into this with DataPower SOA Appliances for a while now, but IBM has not really extended use of appliances out as widely as I was expecting. I have also heard that TIBCO may be building an appliance for complex event processing (CEP). So, yes, I think we are going to see more of this.

Brad, I want to go back for one second to the HP-Oracle relationship. It almost seems now that Oracle has anointed HP at some level as a preferred hardware supplier on storage, if not also other aspects of hardware. What does that mean for EMC and some of the other storage hardware providers? They are no longer on an independent or third-party-friendly level with Oracle, right?

Shimmin: Absolutely. I think that all of those relationships will come under strain from this. There is no question about that. And it seems to me that this makes Oracle look a lot more like both IBM and Sun Microsystems and EMC, in terms of having some sort of competency in hardware. So I think there are going be a lot of far-ranging ripples from this relationship that will change the way the market functions.

Gardner: And how is all of this going to come to market? If you want to buy the Exadata warehouse you actually have to go through the Oracle sales force. Oracle is going to support it, and sell it, price it, and then HP is going to service the hardware. So in essence, HP is the supplier to Oracle, and Oracle is the principal vendor. Does that mean anything to anybody out there?

Kobielus: It means that Oracle is taking much more of a marketing lead on the HP Oracle Database Machine than they have with any of the Oracle Optimized Warehouses. So Oracle is very much staking its data warehousing go-to-market strategy on this new product, and on this partnership with HP. That said, HP is providing all of the technical support on the new products. So it's not like Oracle is really becoming a hardware vendor, rather they are going to become very much a software vendor, but have staked their future on delivering the software on this one particular hardware partner's platform.

Gardner: Actually it allows Oracle to operate at a solutions level and so take quite a bit more of the margin across that total data warehouse solution, right? And that undercuts the data array providers significantly.

Okay, so let's talk about what we do with this thing. We heard that the 1 terabyte-sized data sets and higher start to hit performance issues. And that then prevents companies from adding more queries on their warehouses, and also reduces the amount of additional data that they want to put into their warehouses.

So we could have hit a wall somewhere around 1 terabyte databases. This approach, this architecture in the Exadata hardware-software optimization claims to blow that away, that it can deal with the largest sets, of 10 terabytes and up, with very high performance. What does this mean for business intelligence (BI) analytics? What does this mean for bringing more types of data and content into the warehouse? What are the business outcome benefits?

Joe McKendrick, what are your thoughts on the BI perspective on this market development?

McKendrick: Well, it certainly moves the business intelligence arena forward. Looking at what the rationale is for having an appliance in this market -- versus what has been happening for the previous decade with data warehousing -- it really says a lot about what's needed in the market.

Data warehouses, when you get into the multiple terabyte range, are simply too complex and have high cost of ownership. That's made BI a fairly expensive proposition for companies going this route, and the cost is tied into the maintenance, the updates for the warehouse software, the organizational effort, and the input required to make a large data warehouse go.

Now there is a trend emerging. I am sure Oracle has an eye on this as well. It's toward open source. We are seeing more open source in data warehouses too. This is open source at the warehouse level itself, at the database level itself. [Sun Microsystems'] MySQL for example has been pointing in this direction, PostgreSQL as well. [And there's Ingres.]

Gardner: Well, that's another distinct issue. Now with Oracle and HP cooperating, why shouldn't we expect Sun to come out with something quite similar, but with MySQL as the database, and their [Sparc/UltraSparc] processing, and their rack, cooling and InfiniBand, and of course, their storage?

McKendrick: I wouldn't be surprised, I wouldn't be surprised one bit if we see some kind of response from Sun fairly soon because Sun still makes its money from hardware.

Gardner: Right, now if Sun does that then IBM will certainly come out with something around DB2. We should expect that, right?

McKendrick: Yes, yes, definitely. And I think there is an emphasis on simplifying data warehousing, making data warehousing simple for the masses. Microsoft, love them or hate them, has been doing a lot of work in this area by increasing the simplicity of its data warehouse and making it available at more of a commodity level for the small to medium size business space.

I think we're going to see more in the open source data warehousing space, and Oracle is looking at that as well.

Gardner: Let's go to Jim Kobielus. Jim, [using Exadata] we can start taking 10 terabyte data sets and delivering analytics in near real-time and deliver query results out to various business applications on huge scale. We can also start looking at this as cloud infrastructure -- where we are going to be providing data as a service, BI as a service even. And then we have Sun, IBM, and perhaps Hitachi, and all these other guys that are jumping in with their own data warehouse appliances, and they start beating each other up on price, and the price comes down in the market. Are we then entering an era of affordable extreme BI?

Kobielus: For sure. Well, extreme BI, that's really BI and data warehousing with very large data sets, with very demanding real-time loading scenarios, with very extensive concurrent usage and so forth. We are already in that era. If you look at what's going on -- and actual deployment, enterprise deployments -- like 10 terabytes, those are in fact much of the data warehousing solutions in the market. That's the joy of data warehousing, enterprise departments are between 5 and 15 terabytes. They are being handled quite well through a lot of symmetric multi-processing (SMP). So these are around in the market.

Now our data warehousing and BI environments are in the hundreds of terabytes, and up to the petabytes range and beyond. A lot of these are in the cloud already. I can't name names yet. There are a few things right now that I can't show. But well-known Web 2.0 service providers are already above the petabytes scale in terms of the amount of data that's persisted, and in terms of their needs and their ability to do continuous concurrent loads into those humongous data warehouses in real-time. In these extreme data warehousing environments you may have millions upon millions of queries hitting that data warehouse all the time.

Gardner: But aren't we with Exadata taking this from the high-end, roll-your-own, computer-science gee-whiz level down to much more of an off-the-shelf, forklift upgrade level? Aren't we now getting to extreme BI at much more a commodity, or at least something that's much more germane across many more types of organization?

Cloud computing gains traction ...

Kobielus: Oh, yeah, for sure. It's getting down into the affordable way to eventually bringing cloud data warehouses down into the range of the main market, as well as for large enterprises. ... The one thing -- one of the other important outcomes from my point of view this week at Oracle OpenWorld -- was the fact that Oracle, now in conjunction with Amazon's Elastic Compute Cloud, has an Oracle cloud -- the existing Amazon cloud can take Oracle database licenses.

They can move those licenses to a cloud, hosted by Amazon EC2. Using tools that Oracle is providing they can move their data to back it up or move databases entirely to be persistent in the cloud, in Amazon's S3 service. So this is very much a lead in. I strongly expect that the other enterprise database vendors over time, maybe in a year or two, will also offer similar deployments and flexibility for their data warehousing customers.

Gardner: Okay, let's go to Dave Linthicum on that. Dave, you're familiar with moving data around the cloud. It sounds like people will start getting comfortable with this from a risk and from a reliability/privacy/control issue level. And then it's a no-brainer to start moving fairly massive data sets, or for backups or extend-enterprise sharing or federation of data -- what have you, into cloud infrastructures.

How important from your perspective is what Oracle announced in conjunction with Amazon this week?

Linthicum: I think it's very important. I think that the economics -- that it's much cheaper to do cloud computing than on-premises stuff -- and you can prove that at each and every time, or run into an issue around cultural, and kind of total protection issues within the enterprises ... I think those are falling down as time goes on. Go back in a time machine five years ago, and start talking about running major enterprise applications delivered as SaaS, they would have laughed at you.

Today, everyone is using Salesforce.com, and just a bunch of other SaaS-delivered applications. So enterprises are getting their minds around cloud computing, understanding the concept of it. So moving information into the cloud is not really much of a leap. You already have customer information existing on Salesforce.com, or other SaaS providers out there.

I think that this is one step in the direction that, in essence, we're going back in time a bit, moving back into the time-sharing space. A lot of things are going to be pushed back out into the universe through economies of scale, and also through the value of communities. It just can be a much more cheap and cost effective way of doing it. I think it's going to be a huge push in the next two years.

Gardner: Does it seem reasonable that Oracle would test the waters on this, in terms of market acceptance, with Amazon? Once people get a little more familiar and comfortable with it, then Oracle comes out with its own cloud offerings?

Linthicum: Absolutely, I think that Oracle is going to have a cloud offering, IBM is going to have a cloud offering, Sun is going to have a cloud offering, and it's going to be the big talk in the big industry over the next two or three years. I think they are just going to get out there and fight it out.

I think you are going to have a number of startups, too. They are going to have huge cloud offerings as well. They are going to compete with the big guys. And they can -- because it's very simple to put up infrastructure. It's fairly cost effective, and you can get out there and start battling it out with them. Quite frankly, I think, maybe the more agile, smaller companies may win that war.

Virtualization for private clouds ...

Gardner: In other recent news, Brad Shimmin, we have heard quite a bit of virtualization, and cloud compute discussions from VMware, from Citrix, and from HP. We saw some acquisition from Red Hat that brings them into the hypervisor space. Maybe you can help our listeners understand a little bit better the relationship between virtualization, management and platform vendors, and how this whole notion of private or enterprise clouds works.

Shimmin: It depends on the perspective we have, right? It depends on if we are talking about virtualizing the datacenter, virtualizing the desktop (VDI), or moving facets of the datacenter to the cloud. If you are trying to understand how, as we were just talking about, these smaller players are able to use things like Amazon EC2 to get into the market -- or if we are talking about moving the desktop to data center cloud -- what I want to understand as a customer is just what the SLAs and protections are from these providers, whether it's IBM or Amazon. And, by the way, another one we need to mention is Cisco, which will be using the WebEx platform as a SaaS platform and SaaS solution for the enterprise.

The point is that as a customer you don't just want to know what the [performance reliability figures] are, you want to know what sort of wrapper these vendors are putting around their solutions for things like security and policy management enforcements. It's not just the fact that they will be able to secure the data, but it's about being able to control and manage the data, and have visibility into the data; whether it's something that's sitting in some sort of virtualized instance in your own datacenter, or whether it's something that's sitting in some federated system that might be shared between Cisco and Amazon.

Gardner: I found it interesting that these vendors are basically tripping over themselves and rushing out to the market, way before these private clouds have even established themselves. Yet the vendors are declaring that they have the infrastructure and the approach to do it. It sort of reminds me of a platform, or even operating system, land grab -- that getting there first and establishing some of the effective standards and coming up with industry-common implementations gives them an opportunity to at some level or format create the de facto portability means.

This is a layer above virtualization. And virtualization is there to bring all the legacy stuff into play, but what do you do with the new applications? What do you do with the new services? Dave Linthicum, what are your thoughts on a meta-operating system in the cloud? Are we in a kind of a race to be first to that?

Linthicum: I think that's a ways off at this point. I think people are going to put aspects of the infrastructure up in the cloud first. And I think that the platform-as-a-service (PaaS) and the ability to provide a development infrastructure, storage infrastructure, some deployment infrastructure, and things like that -- that is all going to be a bit of mix and match. I think people are going to do little tactical projects to kind of dip their toe in the water to see if it is viable.

However as we go forward, I think that's the destination. If you look at how everything is going, I think everything is going to be pushed up into the cloud. People are basically going to have virtual platforms in the cloud, and that's how they are going to drive it. Just from a cost standpoint, everything we just discussed, the advantages are going to be for those who get there first.

I think that very much like the early adopters of the Web, back in the 1990s, this is going to be the same kind of a land grab, and the same kind of land rush that's going to occur. Ultimately you are going to find 60 percent to 80 percent of the business processes over the next 10 years are going to be outsourced.

Gardner: What about this issue of data, these massive data sets, and bringing some of that up into a cloud? Is it going to be just standards-based interoperability for my data set and your data set to play well with each other? To what level are we hung up by different cloud implementations, and therefore perhaps also different data implementations? Does that need to be solved?

Linthicum: Yes, I think it does. I think that you are going to find that integration does occur in the clouds, just like it does within the enterprise, from enterprise to enterprise. The reality is that people have information up there with different semantics, different data formats, and all of that stuff has to be transferred one to another.

I think that the idea of integration in the cloud, which I have been involved with personally over the last 10 years, may actually start to be used. I think that people are going to have to do transformation around control, filtering, all of these things as information moves between these partitions out in the universe. Ultimately integration is going to be easier. We know a lot more than we did 15 years ago when I wrote the book, Enterprise Application Integration. But I think that it's still going to be needed and a necessary thing. So maybe integration in the cloud companies should start pushing forward.

Kobielus: I hear what you're saying. I think that's an important point to put forward, which is that these clouds, these data warehousing clouds -- data warehouses that are external to the firewalls, the multi-tenant environments -- are multi-domain, multi-entity data warehouses with strict separations between the various domains, which are often searching with particular customers. But like a supply chain application in the cloud, it is probably the best place to put all that data so that companies and suppliers and the customers all have access to common pooled data in a common externally hosted environment.

What that raises then is that the data warehouses in the cloud, really become data federation in the cloud. So all these different data sets, the divergent schema and so forth, need to be normalized to a common semantic layer in the cloud provided by that cloud vendor. So then you are into the data federation vendors that had a huge footprint in the enterprise, those guys then need to provide their capabilities in the cloud for these types of supply chain and B2B applications.

I am talking with a couple companies, like Composite Software and some others, where they have well established data federation to manage virtualization layers. Those guys need to get cracking to put a lot of that into a cloud environment to enable this level of data integration and federation in that cloud environment going forward, and make it scalable.

Gardner: Well I think we will have to leave it there. We have been discussing announcements from Oracle OpenWorld, other news in the virtualization space, and how these relate to the future of "extreme BI," as well as what cloud infrastructures might look like from a variety of vendors in the future. I want to thank our panel for joining us for BriefingsDirect Analyst Insights Edition, Vol. 30.

I also want to thank our charter sponsor for supporting our podcast, Active Endpoints, maker of the ActiveVOS visual orchestration system, and Hewlett-Packard via the HP Live! Podcast Series. This is Dana Gardner, principal analyst at Interarbor Solutions, thanks for listening, and come back next time.


Transcript of BriefingsDirect podcast on Exadata, extreme BI and cloud computing. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.