Thursday, July 28, 2011

Standards Effort Points to Automation Via Common Markup Language O-ACEML for Improved IT Compliance, Security

Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open Automated Compliance Expert Markup Language and how it can save companies time and money.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We’re going to examine the Open Automated Compliance Expert Markup Language (O-ACEML), a new standard creation and effort that helps enterprises automate security compliance across their systems in a consistent and cost-saving manner.

O-ACEML helps to achieve compliance with applicable regulations but also achieves major cost savings. From the compliance audit viewpoint, auditors can carry out similarly consistent and more capable audits in less time.

Here to help us understand O-ACEML and managing automated security compliance issues and how the standard is evolving are our guests. We’re here with Jim Hietala, Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Thanks, Dana. Glad to be with you.

Gardner: We’re also here with Shawn Mullen, a Power Software Security Architect at IBM. Welcome to the show, Shawn.

Shawn Mullen: Thank you.

Gardner: Let’s start by looking at why this is an issue. Why do O-ACEML at all? I assume that security being such a hot topic, as well as ways in which organizations grapple with the regulations, and compliance issues are also very hot, this has now become an issue that needs some standardization.

Let me throw this out to both of you. Why are we doing this at all and what are the problems that we need to solve with O-ACEML?

Hietala: One of the things you've seen in the last 10 or 12 years, since the compliance regulations have really come to the fore, is that the more regulation there is, the more specific requirements are put down, and the more challenging it is for organizations to manage. Their IT infrastructure needs to be in compliance with whatever regulations impact them, and the cost of doing so becomes a significant thing.

So, anything that could be done to help automate, to drive out cost, and maybe make organizations more effective in complying with the regulations that affect them -- whether it’s PCI, HIPAA, or whatever -- there's a lot of benefit to large IT organizations in doing that. That’s really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in fresh, are we talking about IT security equipment and the compliance around that, or is it about the process of how you do security, or both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It’s both. It’s enabling the compliance of IT devices specifically around security constraints and the security configuration settings and, to some extent, the process. If you look at how people did compliance or managed to compliance without a standard like this, without automation, it tended to be a manual process of setting configuration settings and auditors manually checking on settings. O-ACEML goes to the heart of trying to automate that process and drive some cost out of the equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or environment that necessitate this?

Mullen: I agree with Jim. This has been going on a while, and we’re seeing it on both classes of customers. On the high end, we would go from customer to customer and they would have their own hardening scripts, their own view of what should be hardened. It may conflict with what the compliance organization wanted as far as the settings. This was a standard way of taking what the compliance organization wanted, and also it has an easy way to author it, to change it.

If your own corporate security requirements are more stringent, you can easily change the ACEML configuration, so that it satisfies your more stringent corporate compliance or security policy, as well as satisfying the regulatory compliance organization, in an easy way to monitor it, to report, and see it.

In addition, on the low end, the small businesses don’t have the expertise to know how to configure their systems. Quite frankly, they don’t want to be security experts. Here is an easy way to print an XML file to harden their systems as it needs to be hardened to meet compliance or just the regular good security practices.

Gardner: One of the things that's jumped out at me as I’ve looked into this is the rapid improvement in terms of cost or return on investment (ROI), almost to the league of a no-brainer category. Help me understand why it is so expensive and inefficient now, when it comes to security equipment audits and regulatory compliance. What might this then bring in terms of improvement?

Mullen: One of the things that we're seeing in the industry is server consolidation. If you have these hundreds, or in large organizations thousands, of systems and you have to manually configure them, it becomes a very daunting task. Because of that, it's a one-time shot at doing this, and then the monitoring is even more difficult. With ACEML, it's a way of authoring your security policy as it meets compliance or for your own security policy in pushing that out.

This allows you to have a single XML and push it onto heterogeneous platforms. Everything is configured securely and consistently and it gives you a very easy way to get the tooling to monitor those systems, so they are configured correctly today. You're checking them weekly or daily to ensure that they remain in that desired state.

Gardner: So it's important not only to automate, but be inclusive and comprehensive in the way you do that or you are back to manual process at least for a significant portion, but that might then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday. I’ll let Jim provide some of the details on that, but customers are finding the best way they can lower their compliance or their cost of meeting compliance is through automation. If you can automate any part of that compliance process, that’s going to save you time and money. If you can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost of an organization to be compliant is $3 million. That's annual cost. What was also interesting was that the cost of being non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute. Larry Ponemon does lots of studies around security risk compliance cost. He authors an annual data breach study that's pretty widely quoted in the security industry that gets to the cost of data breaches on average for companies.

In the numbers that were presented yesterday, he recently studied 46 very large companies, looking at their cost to be in compliance with the relevant regulations. It's like $3.5 million a year, and over $9 million for companies that weren't compliant, which suggests that companies that are actually actively managing towards compliance are probably a little more efficient than those that aren't.

What O-ACEML has the opportunity to do for those companies that are in compliance is help drive that $3.5 million down to something much less than that by automating and taking manual labor out of the process.

Gardner: So it's a seemingly very worthwhile effort. How do we get to where we are now, Jim, with the standard and where do we need to go? What's the level of maturity with this?

Hietala: It's relatively new. It was just published 60 days ago by The Open Group. The actual specification is on The Open Group website. It's downloadable, and we would encourage both system vendors and platform vendors, as well as folks in the security management space or maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to exchange compliance configuration information with platforms.

We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry will help make this more available so that end users can take advantage of it.

Gardner: Back to you, Shawn. Now that we've determined that we're in the process of creating this, perhaps you could set the stage for how it works. What takes place with ACEML? People are familiar with markup languages, but how does this now come to bear on this problem around compliance, automation, and security?

Mullen: Let's take a single rule, and we'll use a simple case like the minimum password length. In PCI the minimum password length, for example, is seven. In Sarbanes-Oxley, which relies on COBiT, password length would be eight.

But with an O-ACEML XML, it's very easy to author a rule, and there are three segments to it. The first segment is very human understandable, where you would put something like "password length equals seven." You can add a descriptive text with it, and that's all you have to author.

Actionable command

When that is pushed down onto the platform or the system that's O-ACEML aware, it's able to take that simple ACEML word or directive and map that into an actionable command relevant to that system. When it finds the map into the actionable command, it writes it back into the XML. So that's completing the second phase of the rule. It executes that command either to implement the setting or to check the setting.

The result of the command is then written back into the XML. So now the XML for a particular rule has the first part, the authored high-level directive from a compliance organization, how that particular system mapped it into a command, and the result of executing that command, either in a setting or checking format.

Now we have all of the artifacts we need to ensure that the system is configured correctly, and to generate audit reports. So when the auditor comes in we can say, "This is exactly how any particular system is configured and we know it to be consistent, because we can point to any particular system, get the O-ACEML XML and see all the artifacts and generate reports from that."

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after scenario. Maybe you could describe how things are done now, the before or current-status approach or standard operating procedure, and then what would be the case after someone implemented and matured an O-ACEML implementation.

Mullen: There are similar tools to this, but they don't all operate exactly the same way. I'll use an example of BigFix. If I had a particular system, they would offer a way for you to write your own scripts. You would basically be doing what you would do at the end point, but you would be doing it at the BigFix central console. You would write scripts to do the checking. You would be doing all of this work for each of your different platforms, because everyone is a little bit different.

Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote your scripts correctly. You would get results back. What we want to do with ACEML is when you just put the high-level directive down to the system, it understands ACEML and it knows the proper way to do the checking.

What's interesting about ACEML, and this is one of our differences from, for example, the Security Content Automation Protocol (SCAP), is that instead of the vendor saying, "This is how we do it. It has a repository of how the checking goes and everything like that," you let the end point make the determination. The end point is aware of what OS it is and it's aware of what version it is.

For example, with IBM UNIX, which is AIX, you would say "password check at this different level." We've increased our password strength, we've done a lot of security enhancements around that. If you push the ACEML to a newer level of AIX, it would do the checking slightly differently. So, it really relies on the platform, the device itself, to understand ACEML and understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they're maintaining their own scripts. They're doing everything manually. They're logging on to a system and running some of those scripts. Or, they're not running scripts at all, but are manually making all of these settings.

It's an extremely long and burdensome process, when you start considering that there are hundreds of thousands of these systems. There are different OSs. You have to find experts for your Linux systems or your HP-UX or AIX. You have to have all those different talents and skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that this could be extended to network devices, other endpoints, other infrastructure. What's the potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your cardholder data environment consists of. In terms of O-ACEML, it could be networking devices, servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of different classes of computing devices.

Gardner: Back to you, Shawn. You mentioned the AIX environment. Could you explain a beginning approach that you’ve had with IBM Compliance Expert, or ICE, that might give us a clue as to how well this could work, when applied even more broadly? How did that heritage in ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We’ve had ICE and this AIX Compliance Expert, using the XML, for a number of years now. It's been broadly used by a lot of our customers, not only to secure AIX but to secure the virtualization environment, in particular a virtual I/O server. So we use it for that.

One of the things that ACEML brings is that it has some of the lessons we learned from doing our own proprietary XML. It also brings some lessons we learned when looking at other XML for compliance like XCCDF. One of the things we put in there was a remediation element.

For example, PCI says that your password length should be seven. COBiT says your password length should be eight. It has the XML, so you can blend multiple compliance requirements with a single policy, choosing the more secure setting, so that both compliance organizations, or three other compliance organizations, get set properly to meet all of those, and apply it to a singular system.

One of the things that we're hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment or configuring and monitoring their IT environment. It just has to push out a single XML file. It doesn’t have to push out a special XML for Linux versus AIX versus a network device. It can push out that ACEML file to all of the devices. It's a singular descriptive XML, and each device, in turn, knows how to map it to its own particular platform in security configuring.

Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and automation benefit, but it also sounds as if this is comprehensive. It's targeted at a very large set of the devices and equipment in the IT infrastructure. This could become a way of propagating new security policies, protocols, approaches, even standards, down the line. Is that part of the vision here -- to be able to offer a means by which an automated propagation of future security changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or put on us by government organizations to defining a best practice instead of security policies in the organization. Then, using this as a mechanism to push those out to your environment and to ensure that they are being followed and implemented on all the devices in their IT environment.

So, it definitely goes beyond just managing compliance to these external regulations, but to doing a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and because it's inclusive of any folks or vendors or suppliers who want to take part, it sounds as if this could also cross the chasm between an enterprise, IT set, and a consumer or mobile or external third-party provider set.

Is it also a possibility that we’re going beyond heterogeneity, when it comes to different platforms, but perhaps crossing boundaries into different segments of IT and what we're seeing with the “consumerization” of IT now? I'll ask this to either of you or both of you.

Moving to the cloud

Hietala: I'll make a quick comment and then turn it over to Shawn. Definitely, if you think about how this sort of a standard might apply towards services that are built in somebody’s cloud, you could see using this as a way to both set configuration settings and check on the status of configuration settings and instances of machines that are running in a cloud environment. Shawn, maybe you want to expand on that?

Mullen: It's interesting that you brought this up, because this is the exact conversation we had earlier today in one of the plenary sessions. They were talking about moving your IT out into the cloud. One of the issues, aside from just the security, was how do you prove that you are meeting these compliance requirements?

ACEML is a way to reach into the cloud to find your particular system and bring back a report that you can present to your auditor. Even though you don’t own the system -- it's not in the data center here in the next office, it's off in the cloud somewhere -- you can bring back all the artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this would probably be of interest to enterprises as well as the suppliers, vendors, or professional services organizations. What are the next steps? Where can they go to get some information? What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the "Publications" tab on our website, and do a search for O-ACEML, and you should find the actual technical standard document. Then, you can get involved directly in the security forum by joining The Open Group. As the standard evolves, and as we do more with it, we certainly want more members involved in helping to guide the progress of it over time.

Gardner: Thoughts from you, Shawn, on that same getting involved question?

Mullen: That’s a perfect way to start. We do want to invite different compliance organizations, everybody from the electrical power grid -- they have their own view of security -- to ISO, to the payment card industry. For the electrical power grid standard, for example -- and ISO is the same way -- what ACEML helps them with is they don’t need to understand how Linux does it, how AIX does it. They don’t need to have that deep understanding.

In fact, the way ISO describes it in their PDF around password settings, it basically says, use good password settings, and it doesn’t go into any depth beyond that. The way we architected and designed O-ACEML is that you can just say, "I want good password settings," and it will default to what we decided. What we focused in on collectively as an international standard in The Open Group was that good password hygiene means you change your password every six months. It should at least carry this many characters, and there should be a non-alphanumeric character.

It removes the burden of these different compliance groups from being security experts and it lets them just use ACEML and the default settings that The Open Group came up with.

We want to reach out to those groups and show them the benefits of publishing some of their security standards in O-ACEML. Beyond that, we'll work with them to have that standard up, and hopefully they can publish it on their website, or maybe we can publish it on The Open Group website.

Next milestones

Gardner: Well, great. We’ve been learning more about the Open Automated Compliance Expert Markup Language, more commonly known as O-ACEML. And we’ve been seeing how it can help assure compliance with applicable regulations across different types of equipment, but also has the opportunity to perhaps provide more security across different domains, be that cloud or on-premises or even partner networks, while also achieving major cost savings. We’ve been learning how to get started on this and what the maturity timeline is.

Jim Hietala, what would be the next milestone? What should people expect next in terms of how this is being rolled out?

Hietala: You'll see more from us in terms of adoption of the standard. We’re looking already at case studies and so forth to really describe, in terms that everyone can understand, what benefits organizations are seeing from using O-ACEML. Given the environment we’re in today, we’re seeing security breaches and hacktivism and so forth every day in the newspapers.

I think we can expect to see more regulation and more frequent revisions of regulations and standards affecting IT organizations and their security, which really makes it imperative for engineers to build the IT environment in such a way that you can accommodate those changes as they are brought to your organization, do so in an effective way, and at the least cost. Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations in using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said: not only should we expect more regulations, but we’ll see them coming from different governments, different strata of governments, so state, local, federal perhaps. For a multinational organization, this could be a very complex undertaking, so I'm curious as to whether O-ACEML could also help when it comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and again, if a single system fell under the purview of multiple compliance requirements, we could plan that together and that system would be a multiple one.

It’s an international standard, and we want it to be used by multiple compliance organizations. And compliance is a good thing. It’s just good IT governance. It will save companies money in the long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you get good IT governance, just with a lower cost.

Gardner: Thanks. This sponsored podcast is coming to you in conjunction with The Open Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests. Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you, Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open Automated Compliance Expert Markup Language and how it can save companies time and money. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

You may also be interested in:

Wednesday, July 27, 2011

Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accreditation

Transcript of a BriefingsDirect podcast from The Open Group Conference on The Open Group Trusted Technology Forum and setting standards for security and reliability.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We've assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. [Disclosure: The Open Group is a Sponsor of BriefingsDirect podcasts.]

We'll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So, how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?

Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is our panel.

We're here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome back, Dave.

Dave Lounsbury: Hello Dana. How are you?

Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: We're here also with Joshua Brickman, Director of the Federal Certification Program Office at CA Technologies. Welcome, Joshua.

Joshua Brickman: Thanks for having me.

Gardner: And, we're here too with Andras Szakal. He's the Vice President and CTO of IBM’s Federal Software Group. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana. I appreciate it.

Gardner: Dave, let's start with you. We've heard so much lately about "hacktivism," break-ins, and people being compromised. These are some very prominent big companies, both public and private. How important is it that we start to engage more with things like the OTTF?

No backup plan

Lounsbury: Dana, a great quote coming out of this week’s conference was that we have moved the entire world’s economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that.

It's becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.

Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse?

Lipner: Well, the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we're doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.

Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area. From your perspective, what is it that the OTTF is good at? What is it focused on? What should we be looking to it for in terms of benefit in this overall security issue?

Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal.

Today, we had a discussion where one of the things we were thinking about is, whether there's a 100 percent fail-safe solution to cyber? And there really isn't. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we're going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.

Gardner: Andras, we are not just trying to set the bar, but we're also trying to enforce, or at least have clarity into, what other players in an ecosystem are doing. So that accreditation process seems to be essential.

Szakal: We're going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard.

It's focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We're looking for this to become a global program, with global partners, as we move forward.

Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We've seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury?

Global effort

Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that’s developed in one continent, hardware that’s developed in another, integrated in a third, and used globally.

So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.

Gardner: As we've seen, there is a weak link in any chain, and the hackers or the cyber criminals or the state sponsored organizations will look for those weak links. That’s really where we need to focus.

Lounsbury: I would agree with that. In fact, some of the other outcomes of this week’s conference have been the change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.

Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there is weakness there, then it's difficult for the people who deploy those technologies to cover their bases. It seems that focusing on the technology providers, the ecosystems that support them, is a really necessary first step to taking this to a larger, either public or private, buyer side value.

Lipner: The tagline we have used for The Open Group TTF is "Build with Integrity, Buy with Confidence." We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it’s up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.

Gardner: Let's take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you're all on working groups and in other ways involved in moving this forward, but it's been about six months now since The OTTF was developed initially, and there was a white paper to explain that.

Perhaps, one of you will volunteer to give us sort of a state of affairs where things are. Then, we'd also like to hear an update about what's been going on here in Austin. Anyone?

Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I'll take that one.

We completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF.

However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers’ conformity to that specification, we have to develop a specification with normative language.

First draft

We're finishing that up as we speak and we are going to have a first draft here within the next month. We're looking to have that entire specification go through company review in the fourth quarter of this year.

Simultaneously, we'll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that’s very important, because there exists more than one of these regimes that we will have to coexist and partner with.

Over the next year, we'll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We're looking at sometime within the first half of 2012 for having a completed program to begin ramping up.

Gardner: Is there an update on the public sector's, or in the U.S., the federal government’s, role in this? Are they active? Are they leading? How would you characterize the public role or where you would like to see that go?

Szakal: The forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the TTF and how they can provide value synergistically with what we are doing, as we would to them.

Gardner: I'll throw this back out to the panel. How about the activities this week at the conference? What have been the progress or insights that you can point to from that?

Brickman: We've been meeting for the first couple of days and we have made tremendous progress on wrapping up our framework and getting it ready for the first review.

We've also been meeting with several government officials. I can’t say who they are, but what’s been good about it is that they're very positive on the work that we're doing, they support what we are doing and want to continue this discussion.

It’s very much a partnership, and we do feel like it’s not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.

Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and private domains.

Dave Lounsbury, what’s possible? What would we gain if this is done correctly? How would we tangibly look to improvements? I know that’s hard with security. It’s hard to point out what doesn’t happen, which is usually the result of proper planning, but how would you characterize the value of doing this all correctly say a year or two from now?

Awareness of security

Lounsbury: One of the trends we'll see is that people are increasingly going to be making decisions about what technology to produce and who to partner with, based on more awareness of security.

A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, "These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner."

Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don’t have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.

From the vendor perspective, it’s helpful because we're already seeing places where a company, like a financial services company, will go to a vendor and say, "We need to evaluate you. Here’s our checklist." Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.

Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they're in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs, beginning a sales process, looking to have a major checkbox around these issues? Is that sort of how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you'll see requirements for the TTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you never really finish. There’s always something new to be done, a type of threat that’s evolving that needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding into larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That’s possible. I think that we are going to try to get something achievable out there in a timeframe that’s useful and see what sticks.

One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.

Agile and useful

It’s absolutely possible. It could grow. I don’t think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That’s ultimately the goal of all of us, to make sure that this is a reasonable achievement.

Lounsbury: Dana, I'd like to expand on what Joshua just said. This is another thing that has come out of our meetings this week. We've heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it’s hard for them to keep up. It’s not really the right vehicle.

There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn’t be in business.

So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won’t have to do that kind of regulation which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of market forces? How do you see the dynamic nature of this being able to be proactive instead of reactive?

Szakal: One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We're talking about potentially yearly. And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity.

It's going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.

I'm very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.

Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may start really appearing in RFPs and be impactful for real world business success, how should enterprises get involved from the buy side? How should suppliers get involved from the sell side, given that this is seemingly a market driven, private enterprise driven activity?

I'll throw this out to the crowd. What's the responsibility from the buyers and the sellers to keep this active and to keep themselves up-to-date?

Lounsbury: Let me take the first stab at this. The reason we've been able to make the progress we have is that we've got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you're on the buy side or expertise from either side, to come in and participate.

Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.

That’s our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I'm curious. Given that we are looking to the private sector and market forces to be the drivers of this, will they also be the drivers in terms of enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adhesion to the standard, and that those who don't would suffer. Or is there a potential for more teeth and more enforcement? Again, I'll throw this out to the panel at large.

Szakal: As vendors, we would like to see minimal regulation and that's simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that's important.

I think it's important that we provide leadership within the industry to ensure that we're following the best practices to ensure the integrity of the products that we provide. It's through that industry leadership that we will avoid potential damaging regulations across different regional environments.

We certainly wouldn't want to see different regulations pop up in different places globally. It makes for a very messy technology insertion opportunity for us. We're hoping that by actually getting engaged and providing some self-regulation, we won't see additional government or international regulation.

Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn’t work, is it self-correcting? Is there a natural approach that if this doesn’t work at first, that a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly, would right that ship, so to speak?

Brickman: First of all, industry setting the standard is an idea that has been thrown around a while, and I think that it's great to see us finally doing it in this area, because we know our stuff the best.

But as far as an incident indicating that it's not working, I don’t think so. We're going to try to set up a standard, whereby we're providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they're going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.

It will continue

The bad news that continues to come out is going to continue to happen. The only thing that they'll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There's no question about it.

At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in Austin at the conference. We've got that white paper. We're working towards more mature definitions and approaching certification and accreditation types of activities. What's next? What milestone should we look to? Andras, this is for you.

Szakal: Around November, we're going to be going through company review of the specification and we'll be publishing that in the fourth quarter.

We'll also be liaising with our government and international partners during that time and we'll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities. We're going to solicit some of our partners to be speaking during those events on our behalf.

As we move into 2012, we'll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to www.opengroup.org and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.

Gardner: Very good. We've been getting an update about The Open Group Trusted Technology Forum, OTTF, and seeing how this can have a major impact from a private sector perspective and perhaps head off issues about lack of trust and lack of clarity in a complex evolving technology ecosystem environment.

I'd like to thank our guests. We've been joined by Dave Lounsbury, Chief Technical Officer at The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM’s Federal Software Group. Thank you, sir.

Szakal: It's my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our listeners as well.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a BriefingsDirect podcast from The Open Group Conference on The Open Group Trusted Technology Forum and setting standards for security and reliability. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Tuesday, July 19, 2011

Cloud and SaaS Force a Rethinking of Integration and Middleware as Services for Services

Transcript of a BriefingsDirect podcast of the role of cloud and SaaS in the changing landscape of application integration.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: Workday.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on how major trends around cloud, mobile, and software as a service (SaaS) are dramatically changing the requirements and benefits of application integration.

In many respects, the emphasis now on building hybrid business processes from a variety of far-flung sources forces a rethinking of integration and middleware. Integration capabilities themselves often need to be services in order to support a growing universe of internal and external constituent business process component services.

Here to explore the new era of integration-as-a-service and what it means for the future is David Clarke, Director of Integration at SaaS ERP provider Workday, and who is based in Dublin. Welcome, David. [Disclosure: Workday is a sponsor of BriefingsDirect podcasts.]

David Clarke: Hi, Dana. Good to be here.

Gardner: As I said, the past is necessarily prologue when it comes to integration. Why have the platforms, applications, and data of the past forced a certain approach to integration, and why is that ill-suited to what we are expecting and seeing more of every day with cloud and SaaS?

Clarke: One thing is that historically applications were built, structured, and architected in very different ways. When you tried to knit those things together, there was quite a diverse set of requirements, which needed to be addressed. And, there was a very wide variation in their architectures. So that implied a very general-purpose middleware that had to cope with many different and very diverse scenarios. That was one factor.

A second factor was that the middleware and the integration tended to come as an afterthought. So, it couldn't really influence or inform the way that the application platforms themselves were designed.

Those two things together made it more difficult than it needed to be. Then, what we're starting to see -- and what we are certainly hopeful of seeing in this generation built around cloud -- is that those two things aren’t necessarily the case. So, we can benefit more from having integration designed in upfront, and having a more consistent overall architecture, so that it’s essentially easier for it to plug into.

A third variable might be that customers historically also discounted or underestimated the likely impact or complexity of doing integration. They tended to come to them as an afterthought and then struggled with them. This time around, to some extent, they've been burned by previous generations. So they're more wary, and are additionally including integration more in their upfront planning.

Gardner: We're not necessarily talking about throwing the baby out with the bath water here. We're still going to be doing integrations in the traditional way. It's just that we need to add another category, and it seems that there is a benefit in that. We can use many of the tools, many of the underlying technologies that supported traditional middleware, and extend that into this services environment.

Clarke: Correct. There’s nothing fundamentally new, in some sense. I've worked in several generations of integration and middleware technology, and each one is a refinement of the past, and you're standing on the shoulders of giants, to badly paraphrase Newton.

Packaged and presented

A lot of the underlying technology you're using for integration, a lot of the underlying concepts, are not that new. It's just the way that they're being packaged and presented. In some cases, it's the protocols that we're using, and certainly some of the use models. But the ways you're accessing them and consuming them are different. So, it is in that sense [this is] evolutionary.

Gardner: What has probably changed the most are the requirements. The problem set that we're addressing has changed. How has it changed? Perhaps this would be an opportunity for you as well to explain what Workday is, what it does, and how you came to be a part of the Workday team.

Clarke: Historically, integration technology was sold as a stand-alone and on-premise offering. Companies would buy or build applications, and then, as their business processes evolved, they found a need to integrate them and connect them together. So, they would license middleware and use that to achieve that.

There have been a couple of generations of middleware technology companies that have helped customers do this. They shared some of the characteristics around certain generations of technology.

So you had companies like TIBCO Software in the early days, folks from the financial sectors. Then you had companies like BEA Systems focused on the Java generation of middleware and application servers. And then, you had more XML and web services-centric companies.

You had those three generations, but what was common to them all was that they were quite divorced from the application experience. And that was my background in pure middleware, building and selling that technology.

A strength and a weakness of that was that it was very general purpose. As a middleware vendor, you're trying to solve essentially any and every problem. To draw on the Eclipse Foundation's motto: middleware is a general-purpose platform that can do everything or nothing. In many cases, people ended up spending a lot of money on this general-purpose middleware and essentially achieving nothing, which was frustrating.

Workday is an applications company. We're an on-demand apps company and we build and serve human capital management (HCM), financials, and enterprise resource planning (ERP) application suites.

Cape Clear, which was my former company, was acquired by Workday about three years ago. We were partners, but as Workday’s business expanded significantly, they saw that providing a compelling and a differentiated integration experience in the context of this new cloud architecture was going to be something that was very important to them. So they acquired Cape Clear and we became part of the overall Workday organization.

The first surprise to me was that I had always worked for companies where it was difficult essentially to explain what we did. You couldn't really go to your grandmother and describe middleware technology, whereas you could at least go and explain financial systems or HCM systems.

Overarching context

That then flowed all the way down through to how we positioned, thought about, described, and marketed the technology. It has certainly been my experience that it's a lot easier to describe, position, plan, and explain integration technology when you have this overarching context of an application domain.

That's been very instructive and has interesting implications in the future for the nature, or indeed the existence, of a stand-alone middleware market. That might be an interesting topic we could talk about later.

The other observation is that the consistency of these use cases make our jobs somewhat easier. What's also been interesting is the nature of the load and the scale profiles that we're seeing.

A lot of middleware applications that we used to see were technically complex to achieve, but were often relatively low volume or relatively low scale. But, in large-scale companies, when you're dealing with their core systems of record around financials and HCM, you're looking at very large data sets, with very significant scalability requirements, and very significant performance constraints. That has interesting implications for how you think about and implement your middleware solutions.

Gardner: So there seem to be two fundamental things going on here. One, is taking integration to the on-demand or SaaS domain, but second, there is also this embedding integration functionality into the application.

People, when they use Workday -- whether they are human resources professionals or employees in these organizations, whether they're partners or suppliers to these enterprises that are using Workday -- they're not thinking about integration. They're thinking about human resources, benefits, payroll, and insurance.

Tell me how this shift to on-demand, as well as embedding into the application, changes the requirements. How does someone like yourself who is crafting the middleware integration capabilities need to shift their thinking in order to go “to the cloud,” but also become part-and-parcel with the application?

Clarke: One of the perpetual holy grails of the middleware industry, when it was a stand-alone undertaking, was to find a way to express and expose middleware and integration concepts in a way that they could be used by mere mortals, by business analysts, by people who weren't necessarily very deep technologists with deep technology expertise.

In my experience, the middleware industry never achieved that. So, they didn't really ever find a metaphor or a use model that enabled less skilled, but nonetheless technically savvy, people to use their products.

As you observe in the applications game, you absolutely have to get there, because fundamentally what you're doing here is you are enabling companies and individuals to solve business problems and application problems. The integration arises as a necessity of that or as a consequence of that. In and of itself, it isn't useful.

Designing applications

The most specific thing that we've seen is how we build, manipulate, and use extremely sophisticated integration technology. We spend a lot of our time thinking about how to design that into the application, so that it can be experienced and consumed by users of the application who don’t know anything about XML, Java, web protocols, or anything like that.

To give you one very simple example, the most common use case of all probably is people getting data, perhaps from our system, doing something with it -- a simple transformation -- and then delivering it or putting it somewhere else, perhaps into our system.

That model of "get, transform, and put" is intuitively straightforward, but historically that has always been realized in a complicated way in the middleware stack. We've built a very simple tool inside of our application, and it's now the most heavily used integration component in our system.

Business analysts can very easily and visually define what they are getting and putting it in terms of the business concepts and the business objects they understand. They can define very simple transformations, for example, going from a payroll input to a check, or going from a report of absences by departments to a payroll input.

They're consuming and using integration technologies in a very natural way in the context of their day-to-day working in the web layer in these systems. They're not programmers. They're not developers. They're not thinking about it that way.

It's quite empowering for the teams that we have had working on this technology to see if it's usable in that way by the business analysts here. It's the closest I've seen people get to capturing this unicorn of enabling integration technology to be actually used by business people.

Gardner: While you have put quite a bit of emphasis on the tool side in order to make this something that mere mortals can adjust and operate, you've also done a lot of heavy lifting on the connections side. You recognized that in order to be successful with an integration platform, you had to find the means in which to integrate to a vast variety of different types of technologies, services, data, and so forth. Tell me what you've done, not only on the usability, but on the applicability across a growing universe of connection points.

Clarke: That’s another interesting area. As you say, there are thousands or millions of different types of endpoints out there. This being software, it can map any data format to any other data format, but that’s a trivial and uninformative statement, because it doesn’t help you get a specific job done.

Essentially what we've been trying to do is identify categories of target systems and target processes that we need to integrate with and try to optimize and focus our efforts on that.

For example, pretty much the majority of our customers have a need to integrate to and from benefit systems for 401(k), healthcare, dental, visual plans, and so forth. It's an extremely common use case. But, there is still a wide diversity of benefits providers and a wide variety of formats that they use.

We've studied the multiple hundreds of those benefits providers that we've experienced by working with our customers and we've abstracted out the most common format scenarios, data structures, and so forth, and we have built that into our integration layer.

Configure your data set

You can very easily and rapidly and without programming configure your specific data set, so that it can be mapped into and out of your specific set of benefits providers, without needing to write any code or build a custom integration.

We've done that domain analysis in a variety of areas, including but not limited to benefits. We've done it for payroll and for certain kinds of financial categories as well. That's what's enabling us to do this in a scalable and repeatable way, because we don’t want to just give people a raw set of tools and say, "Here, use these to map anything to anything else." It's just not a good experience for the users.

Gardner: David, you mentioned that Cape Clear was acquired by Workday about three years ago, and Workday has been growing very rapidly. Have you been surprised by the adoption rate and pattern around SaaS, and now we're talking about cloud and hybrid cloud? Did this happen faster than you were expecting, because it certainly caught me by surprise.

Clarke: Totally. I remember when we originally became part of Workday several years ago, we were doing some sort of product planning and strategic thinking about how we were going to integrate the product lines and position them going forward. One of the things we had in our roadmap at the time was this idea of an appliance. So we said, "Look, we can envision the future, where all the integration is done in the cloud, but we frankly think it's like a long way off. We think that it's some years off."

For that reason, we articulated and embarked on a path of offering what we were calling an appliance, which essentially would have been an on-premise component of the integration stack that would be deployed at customer sites. We thought the world wasn’t going to be ready soon enough to put the integration technology and stack in the cloud as well.

Happily that turned out to have been incorrect. Over the course of the ensuing 12 months, it just became clearer and clearer to us that there was an appetite and a willingness in our customer and prospect base to use this technology in the cloud.

We never really went ahead with that appliance concept; it didn’t get productized. We never used it. We don’t need to use it. And now, as I have conversations with customers and with prospects, it just is not an issue.

In terms of it being any kind of philosophical or in-principle difficulty or challenge, it has just gone away. It totally surprised me, as well, because I expected it to happen, but thought it would take a lot longer to get to where it has got to already.

Gardner: There is a certain irony, because we were all involved with service-oriented architecture (SOA) and kept waiting for that to get traction, and were a little bit distressed that it wasn’t catching on. Then, lo and behold, this concept of SaaS and cloud leapfrogs and catches on much faster than we thought. So, it is an interesting time.

When we go back to enterprises, we recognize that this “consumerization” of IT is taking place, where the end-users, the zeitgeist of expectations, is now at the point where they want IT in the enterprise to work as well and in the same manner as it does for their personal lives. How does that shift the thinking of an enterprise architect?

Clarke: Superficially, enterprise architects are under a lot of pressure, as you say, to present technologies in ways that are more familiar to customers from their personal lives. The most specific example of that is the embrace of mobile technologies. This isn't a huge surprise. It's been a pretty consistent pattern over a number of years that workforce mobility is a major influence on product requirements.

Mobile devices

We've seen that a very significant proportion of access to our system is via mobile devices. That informs our planning and our system architecture. We've invested heavily in mobile technologies -- iPad, Android, BlackBerry, and other clients. In my experience, that’s something that's new with the customer enterprise architects. This is something they have to articulate, defend, and embrace.

Historically, they would have been more concerned with the core issues of scalability, reliability, and availability. Now, they've got more time to think about these things, because we as SaaS vendors have taken a lot of things that they used to do off of their plates.

Historically, a lot of time was spent by enterprise architects worrying about the scalability and reliability of the enterprise application deployments that they had, and now that’s gone away. They get a much higher service level agreement (SLA) than they ever managed to operate by themselves when they ran their own systems.

So, while they have different and new things to think about because of the cloud and mobility, they also have more head space or latitude to do that, because we have taken some of the pain that they used to have away.

Gardner: I suppose that as implications pan out around these issues, there will be a shift in economics as well, whereby you would pay separately and perhaps on a capital and then operating basis for integration.

If integration by companies like Workday becomes part-and-parcel of the application services -- and you pay for it on an operating basis only -- how do traditional business models and economics around middleware and integration survive? How do you see this transition working, not only for the functionality and the architecture, but in dollars and cents?

Clarke: I'd certainly hate to be out there trying to sell middleware offerings stand-alone right now, and clearly there have been visible consolidations in this space. I mentioned BEA earlier as being the standard bearer of the enterprise Java generation of middleware that’s been acquired by Oracle.

They are essentially part of the application stack, and I'm sure they still sell and license stand-alone middleware. Obviously, the Oracle solutions are all on-premise, so they're still doing on-premise stuff at that level. But, I would imagine that the economics of the BEA offering is folded very much into the economics of the Oracle application offering.

In the web services generation of middleware and integration, which essentially came after the enterprise Java tier, and then before the SOA tier, there was a pretty rapid commoditization. So, this phenomenon was already starting to happen, even before the cloud economics were fully in play.

Then, there was essentially an increased dependence or relevance of open source technologies -- Spring, JackBe, free stacks -- that enabled integration to happen. That commoditization was already starting to happen.

Open source pressure

So even before the advent of the cloud and the clear economic pressure that put on stand-alone integration, there was already a separate pressure that was originating from open source. Those two things together have, in my view, made it pretty difficult to sustain or to conceive a sustainable integration model.

A lot of the investment dollars that have gone into something like the integration market are now going elsewhere in infrastructure. They're going into storage. They're going into availability. They're certainly going to cloud platforms. It would need to be a brave venture capitalist now who would write a check to a company coming in with a bright idea for a new on-premise middleware stack. So that business is gone.

Gardner: We're also seeing some investment around taking open source middleware and integration capabilities and extending them to the cloud. It's not as difficult for an open source company, because their monetization has been around maintenance and support, more of an operating expense. We certainly haven’t seen too much in the way of a general-purpose integration cloud from any of the traditional on-premises middleware vendors.

Do you think in 10 years, or maybe 5, we won’t even be thinking about integration? It will really be a service, a cloud service, and perhaps it will evolve to be a community approach. Those people who need to be connected to one another will either structurally move toward some standardization or, perhaps in a more ad hoc or organic way, provide the means by which they could more easily play well together?

Clarke: There are a couple of things that we see happening here. I'll make two main observations in this area.

First, at the risk of losing half our audience with the jargon, there is an important difference between a general-purpose platform or integration platform and then a more specific one, which is centered around a particular application domain. Workday is about the latter.

We're building a very powerful set of cloud technologies, including an integration cloud or an integration platform in the cloud, but it’s very focused on connecting essentially to and from Workday, and making that very easy from a variety of places and to a variety of places.

What we're not trying to create is a general-purpose platform, an associated marketplace, in the way that maybe somebody like Salesforce.com is doing with AppExchange or Google with App Engine for app development. In a sense, our scope is narrower in that way, and that’s just how we're choosing to prosecute the opportunity, because it’s harder to establish a very horizontal platform and it’s just difficult to do.

I referred earlier to the problem that middleware companies traditionally have of doing everything and nothing. When you have a purely horizontal platform that can offer any integration or any application, it’s difficult to see exactly which ones are going to be the ones that get it going.

The way we're doing this is therefore more specific. We have a similar set of technologies and so on, but we're really basing it very much around the use case that we see for Workday. It’s very grounded in benefits integrations, payroll integrations, financial integrations, payment integrations. And every one of our deployments has tens, dozens, hundreds of these integrations. We're constantly building very significant volume, very significant usage, and very significant experience.

Developing marketplace

I can see that developing into a marketplace in a limited way around some of those key areas and possibly broadening from there.

That's one of the interesting areas of distinction between the strategies of the platform vendors as to how expansive their vision is. Obviously expansive visions are interesting and creating horizontal platforms is interesting, but it’s more speculative, it’s riskier, and it takes a long time. We are more on the specific side of that.

You mentioned collaborating and how this area of business processes and people collaborating in the community. I referred earlier to this idea that we're focusing on these key use cases. What’s arising from those key use cases is a relatively small set of documents and document formats that are common to these problem areas.

Lately, I've been reading, or rereading, some of the RosettaNet stuff. RosettaNet has been around forever. It was originally created in the early '80s. As you know, it was essentially a set of documents, standard documents, interchange formats for the semiconductor or the technology manufacturing industry, and it has been very successful, not very prominent or popular, but very successful.

What we see is something similar to RosettaNet starting to happen in the application domain where, when you are dealing with payroll providers, there is a certain core set of data that gets sent around. We have integrated to many dozens of them and we have abstracted that into a core documentary that reflects the set of information and how it needs to be formatted and how it needs to be processed.

In fact, we now have a couple of payroll partners who are directly consuming that payroll format from us. So, in the same way that there are certain HR XML standards for benefits data, we can see other ones emerging in other areas of the application space.

These are very good vectors for cooperation and for collaboration around integrations, and they're a good locus around which communities can develop standardized documents, which is the basis for integration. That’s intriguing to me, because it all derives from that very specific set of use cases that I just never really saw as a general-purpose integration vendor.

Gardner: Getting back to adoption patterns and economics, it seems as if what you are proposing, and what Workday is supporting, is this application-level benefit. A business process, like a network, is perhaps more valuable as the number of participants in the process increases and they become able to participate with a fairly low level of complexity and friction.

It's sort of a derivative of Metcalfe's Law, but at the business process level, which is quite different than trying to corral an integration community around a specific platform with the intent of getting more people on that platform and having a long-term flow of license revenue as a result.

So, if we make this shift to a Metcalfe's law-type of "the more participants, the more valuable it is to all of those participants," shouldn’t we expect a little bit of a different world around integration in the next few years?

Business process

Clarke: That’s right, because of the distinction you mentioned. We don’t really see or envisage this very transactional marketplace, where you just have people buying a round of maps or integrations and installing them. We see it happening in the context of a business process.

For example, hiring. As somebody hires somebody into Workday, there are typically many integration points in that business process -- background checking, provisioning of security cards, and creation of email accounts. There is a whole set of integration points. We're increasingly looking to enable third parties to easily plug in to those integration points in a small way, for provisioning an email account, or in a big way, like managing a whole payroll process.

It’s that idea of these integrations as being just touch points and jumping-off points from an overall business process, which is quite a different vision from writing cool, stand-alone apps that you can then find and store from inside of our platform marketplace.

It’s that idea of an extended business process where the partners and partner ISVs and customers can collaborate very easily, and not just at install time or provisioning time, but also when these processes are running and things go wrong, if things fail or errors arise.

You also need a very integrated exception handling process, so that customers can rapidly diagnose and correct these errors when they arise. Then, they have a feeling of being in a consistent environment and not a feeling of having 20 or 30 totally unrelated applications executing that don’t collaborate, don’t know about each other, and aren’t executing in the context of the same business process. We're keen to make that experience seamless.

Gardner: I can also see where there is a high incentive for the participants in a supply chain or a value chain of some sort to make integration work. So perhaps there is an incentive toward cooperation in ways that we hadn’t seen before. I am thinking of, at least in the human resources field, where it’s in my best interest as an insurance company or as a payroll benefits provider, for example, to work with the SaaS or cloud provider in this regard -- to the betterment of our mutual end users.

Do you already see that the perception of cooperation for integration is at a different plane? Where do you expect that to go?

Clarke: Totally, already. Increasingly -- pick an area, but let's say for learning management or something -- if we integrate, or if multiple people integrate to us or from us, then customers already are starting to expect that those integrations exist.

Now they're starting to ask about how good they are, what's the nature of them, what SLAs can they expect here? The customers are presuming that an integration, certainly between Workday and some other cloud-based service, either exists already or is very easy and doable.

But they're looking through that, because they're taking the integration technology level questions for granted. They're saying, "Given that I can make such an integration work, how is it really going to work, what's the SLA, what happens if things go wrong, what happens when things fail?"

What's really interesting to me is that customers are increasingly sophisticated about exploring the edge cases, which they have seen happen before and have heard about them before. They're coming to us upfront and saying, "What happens if I have issues when my payroll runs? Who do I go to? How do you manage that? How do you guys work with each other?"

Consistent information

We, therefore, are learning from our customers and we're going to our ISV and services partners, like our payroll partners, our learning management partners, our background checking partners and saying, "Here is the contract that our customers expect. Here is the service that they expect." They're going to ask us and we want to be able to say that this partner tests against every single update and every single revision of the Workday software. They will handle a seamless support process where you call one number and you get a consistent set of information.

Customers are really looking through the mere fact of a technical integration existing and asking what my experience is going to be when actually using this day-to-day across 50 geographies and across a population of 20,000 employees. I want that to be easy.

It’s a testament to the increasing sophistication of the integration technology that people can take that for granted. But as I say, it’s having these increasingly interesting and downstream effects in terms of what people are expecting from the business experience of using these integration systems in the context of a composite business process that extends beyond just one company.

Gardner: Moving toward closing up our conversation, David, you have raised the issue here about that one throat to choke, if you will. When you have a massive, complex integration landscape, does it make sense to focus on the application provider as that point of responsibility and authority? Or does it have to be federated?

Have you seen any models emerge, something that we probably could not have predicted but needs to happen on its own, in a real world setting that indicates how that issue of trust and authority might pan out?

Clarke: What we are gradually feeling our way toward here is that for us that’s the central concept of this federation of companies. We think obviously of Workday being in the middle of that. It depends on what your perspective is, but you have this federation of companies collaborating to provide the service ultimately, and the question is, where do they choke?

And it's not realistic to say that you can always come to Workday, because if we are integrating to a payroll system on behalf of somebody else, and we correctly start off and run the payroll or send the payroll requests, and then there is an error at the other end, the error is happening ultimately in the other payroll engine. We can't debug that. We can't look at what happened. We don't necessarily even know what the data is.

We need a consistent experience for the customer and how that gets supported and diagnosed. Specifically, what it means for us today is that, as we run any integration in our cloud, there is a very consistent set of diagnostics, reporting, metrics, error handling, error tracking that is generated and that's consistent across the many types of integrations that we run.

Again, as our partners become more savvy at working with us, and they know more about that, they can then more consistently offer resolution and support to the customers in the context of the overall Workday support process.

For us, it’s really a way of building this extended and consistent network of support capability and of trust. Where customers have consistent experiences, they have consistent expectations around how and when they get support.

The most frustrating thing is when you are calling one company and they're telling you to call the other company, and there isn’t any consistency or it’s hard to get to the bottom of that. We're hopeful that enlightened integrations around business processes, between collaborating companies, as I have described, will help me to get some of that.

Gardner: It certainly sounds like in the coming years the determining factors of who will be the winner in cloud integration won't be necessarily the one with the biggest, baddest platform -- although that's certainly important. But the one that demonstrates the trust, the SLA response, and maintenance, and generally who becomes a good partner in a diverse and expanding ecosystem will win.

Clarke: That's right. The technology is important, but it's not enough. People just don't want technology. They want a well-intentioned and honest collaboration between their vendors to help them do the stuff efficiently.

Gardner: Very good. Thanks. You've been listening to a sponsored BriefingsDirect podcast on how major trends around cloud, mobile, and SaaS are dramatically changing requirements and benefits of integration. For more information on Workday's integration as a service, go to http://www.workday.com/solutions/technology/integration_cloud.php.

I would like to thank our guest. We have been here with David Clarke, Director of Integration at Workday. Thanks so much, David.

Clarke: Thanks, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: Workday.

Transcript of a BriefingsDirect podcast of the role of cloud and SaaS in the changing landscape of application integration. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.