Roundtable with Oracle President Charles Phillips

I mentioned Oracle not so long ago and the fact that they are starting to reach out to the blogging community. They've now extended those efforts properly to the UK.

Last week, I was contacted by Oracle about my availability for a meeting today with Charles Phillips, Oracle's President who has been visiting customers around Europe this week. The theme of the meeting was to be Web 2.0 and linking this into Enterprise 2.0, specifically with regards to how Oracle is addressing these areas.

I initially thought it was an open event in a large auditorium full of people and assumed I would simply be in the audience - more or less the type we're used to when someone gives a keynote speech at a conference. I later found out that it was a small event that was being held in a meeting format where the attendees had to be invited. I was a little apprehensive at first because I'm not a writer/journalist by trade, but thought it would be interesting to meet the man in person, hear what he had to say and ask a question or 2 of my own.

It turned out to be a meeting around a table with a mixture of invited participants and a handful of Oracle attendees including Chief Marketing Officer Judith Sim and Charles Phillips of course. Oracle's rationale behind selecting the invitees was basically that we were all regular bloggers about a topic of interest (related to Oracle's business somehow) and based locally in or around the UK. Whether we were media types, analysts or consultants, it did not really matter.

The only real bit of news that came out of the meeting was that Oracle are taking the Enterprise 2.0 initiative forward by implementing an "Enterprise 2.0 sales force" to take their solutions to market and more importantly, to educate their customers.

The format was "open". Oracle stressed that they wanted it to be a discussion and they hoped to have many more in future. To his credit, Charles didn't preach to us. He simply gave a brief 2 minute introduction about why he wanted to speak to us, what he's been doing all week and then opened the floor to questions for discussion.

Charles started by saying that he understands PR as we know it is no longer working and he doesn't need it. If he wants to get at his customers, he can go directly to them very easily. He also mentioned that the purpose of his European visit was to get a feel for customer needs and how they were leveraging Oracle technology. Essentially, many are looking to simplify computing environments and of course Oracle are only too happy to help. He also noted that as a result of all the acquisitions they've made over the past few years, Oracle technology is now firmly embedded in many more organisations and is becoming a strategic platform (which means more CEO meetings as opposed to the past where they only got as far as the CIO).

I won't go through everyone's questions and Charles' answers because they weren't particularly focused or even related (I'll get to that later) and if I detail everything, this post will sound even more like the meeting minutes it is starting to resemble :-)

The topics that came up were:

• Customer Relationship Management (CRM).
• Supply Chain Management (SCM).
• Cultural differences especially in the Asian region and how Oracle looks to handle this without "pushing technology down their throats".
• Extending the Enterprise 2.0 initiatives and reaching out to the wider developer community. Judith Sim mentioned Oracle Mix as a good example of how they are currently doing it and will continue to use that avenue.
  
• Salesforce CEO Marc Benioff's Web 3.0 announcement.
• Convincing middle management about the value Enterprise 2.0 can offer.
• Linking business processes and Enterprise 2.0 concepts.
  
• Security/Identity 2.0 and Oracle's position on how it fits with Enterprise 2.0 (I asked him this in a rather long winded way).
  

In trying to help us understand how Oracle views Enterprise 2.0, Charles gave the following examples:

• Finding the right expert internally within an organisation to help with something you are doing - Charles talked about how Oracle encourages their employees to tag themselves as being "experts" in certain areas. In addition to this, others get to vote on whether you are really an expert in the areas you claim. It's the whole notion of reputation...very Identity 2.0. I was tempted to ask him about where he thought reputation fit into their Identity strategy but thought it might have been too specific and targeted a question and not appropriate for the topic we were discussing at the time (collaboration).
  
• Sharing of information between sales people within CRM systems - Teams of people typically share material informally through various methods including word of mouth or email. Oracle wants to move this informal information sharing into the CRM system to facilitate more collaborative interaction between the sales teams and help identify useful material using things such as tagging and voting so they can more easily find materials and not have to re-invent the wheel. Doing this also gives management more visibility with regards to what is working, what is useful and how to potentially improve things.
  
• Expense approval processes - Currently, the typical process involves the approval step being left to the judgement of the individual. For example, if someone expenses a flight from New York to San Francisco, the approver will look at the cost and make a "best guess" as to whether it looks reasonable. Oracle's view of how this should evolve is to allow the approver real time and historical information to help them make a more informed decision instead of guessing.
  

The word collaboration came up quite a fair bit during the meeting. It is obvious Oracle sees the ability for people to collaborate efficiently, easily and in real time as being key to making Enterprise 2.0 successful.

As for my question, I started by taking note of Oracle's very fast growth to now being one of the leaders in the security space, particularly the Identity and Access Management arena through their flurry of acquisitions (Charles responded by saying "I'm glad you noticed"). I also noted that they announced their strategy for Service-Oriented Security (which I mentioned here) and how it clearly feeds into their Enterprise 2.0 strategy from a middleware perspective. My question was around how Oracle would move forward with the following things:

1. Making sure that the whole security layer becomes more pervasive in their application and middleware portfolio.
2. Using the Enterprise 2.0 initiative to help organisations realise a better and more complete enterprise security model especially around data privacy and governance without having to spend years implementing the so called "off the shelf" solutions.
   
3. How they would look to drive their leadership position forward and become more active in the Identity and Security community with some of the Identity 2.0 initiatives, noting that he had mentioned the concept of reputation (which is a very new and misunderstood area in Digital Identity) when giving his example on collaboration and voting on whether someone was indeed an expert.
   

Charles sort of answered my question. He answered all 3 at once by saying he thinks they already have a great set of solutions and an "Identity stack" to allow for the whole pervasive notion and good integration with their other software products. In his opinion, Oracle just hasn't done enough evangelising. He thinks Oracle will help customers by bringing to market best practices and expertise they have internally and that a lot of this will be driven through education and the Enterprise 2.0 sales force (the "Enterprise 2.0 sales force + education" answer was prevalent in most of his answers to everyone's questions).

I followed up by asking if he thought a lot of the work would or needed to be done internally or whether there were more acquisitions on the horizon. I'm not sure if I said those words specifically, but that's what I meant. He reiterated that he thought they already had most of what they need and it was a matter of driving the initiatives forward with what they currently have.

His answers to my questions were a little bit generic and I could easily imagine other large Enterprise Identity and Access Management vendors like IBM, Sun or CA coming up with that answer. In fact, it was the type of answer I would have given in my IBM days when customers asked similar things (albeit in a different context to Enterprise 2.0). To be fair, I may have been too specific about Identity and he just didn't have the right product marketing people around him to answer my questions in more detail.

In my opinion, Oracle haven't quite worked out what to do with security in the context of Enterprise 2.0. They are clinging on to their notion of "Service-Oriented Security" for now as being their Enterprise 2.0 security layer. The initial focus looks to be on the whole notion of collaboration and Oracle WebCenter. For those of you familiar with the IBM world, think IBM Lotus Web 2.0. I don't know enough about each of the technologies to comment on which I think is better, but IBM and Oracle are going head to head yet again in trying to be the leader in this space.

Some of the other attendees have posted their reactions to the meeting. Here are the ones I've found (I'll add more as I find them so stay tuned):

• Dennis Howlett's ZDNet blog entry (which made the ZDNet front page for a few hours) - He lists the questions he asked and was generally positive.
• One of Dennis Howlett's twitter statuses during the meeting - I wonder if he included me in the "no idea about Enterprise 2.0 category". In the group's defence, we are all from different backgrounds and have different interests. Just because we didn't approach the whole Enterprise 2.0 thing from his angle doesn't mean we don't know anything about it. Sure there's still a lot of educating to be done because Enterprise 2.0 is still largely open to interpretation. We simply got a taste of what Oracle thinks it is. IBM probably has a different view, as will other vendors. Heck, the industry hasn't even agreed on what Web 2.0 means yet! So Dennis, give the group a break.
• Matthew Aslett - Good overview of the collaboration technologies mentioned and how they fit in with the Enterprise 2.0 initiative.
• Neil Ward-Dutton - Review of the meeting and some views on Oracle's "reaching out to bloggers" initiative.
  

The list of attendees suggests to me that Oracle wanted to get people from different backgrounds and interest groups so they could get a good spectrum of ideas and varied approaches. We certainly got varied opinions and questions. Unfortunately, the whole discussion lacked a little focus and everyone seemed to be trying to link their questions in with others to give everything some continuity and fluidity (which may also explain Dennis Howlett's opinion that we were all asking "v.soft questions"). It was difficult to get everyone in a room to REALLY sink their teeth into whatever the discussion happened to be because a specific question being addressed at any particular point in time may not have been an area everyone knew a lot about. Everyone had their own interests and agendas and it showed in the questions that were asked. The discussion was probably also a victim of the fact that Enterprise 2.0 is a new area and open to much interpretation. Perhaps some sort of very loosely defined structure or pre-meeting brief around Oracle's Enterprise 2.0 plans would have facilitated more thought and discussion because the attendees would be able to do a little bit of preparation. It's a tough one because it's a bit of a contradiction to put structure around what is meant to be an unstructured session.

I'm not trying to detract from the event. All things considered, it was a worthwhile activity and a very good first attempt here in the UK. Essentially, I think what Oracle were trying to achieve was a real world manifestation of what happens in the Blogosphere: real time open discussion based on varied opinions with a theme at the centre. It was a good effort from the Oracle PR team and I think everyone in attendance appreciated the gesture. One of the other attendees remarked to me that he was VERY surprised at being invited to such an event because Oracle in the past has been particularly formal about public relations. They are obviously doing a lot of work to change that perception and the more of these types of event they do, the better they will be for it. How very "Public Relations 2.0" of them (cringe if you want at that comment but I couldn't resist).

P.S. There are some photos of the meeting and in the single photo that I'm in, I look like I'm asleep! I obviously wasn't otherwise I would have had a lot of trouble writing this post. They must have caught me in mid-blink! No, I'm not going to post it on here :-)

A little more on RSA Conference 2008

The two Identity Management related things that seemed to generate the most noise at this year's RSA Conference were:

• Hitachi's acquisition of M-Tech
• Oracle's SOA Security announcement
  

I've already blogged about both these things (follow the links). There was also apparently quite a lot happening in the user centric identity space.

I wasn't physically there, so I'll have to defer to others for a roundup. You can start with the RSA Conference's blog and then move on to Matt Flynn (here and here) and Gunnar Peterson (here, here and here). UPDATE: Here's what security guru Bruce Schneier had to say.

Also, can someone tell me how I managed to get on the RSA Conference's Blogroll? Screenshot below in the event they realise I'm not worthy and remove the link :-)

Oracle reaches out to the blogging community

Oh, and they made a rather significant announcement at the RSA Conference too. Both are tied together. Allow me to explain.

I was first contacted by a representative of Oracle's PR department about an invitation to attend an exclusive blogger luncheon with Oracle executives on April 10 in San Francisco around their impending RSA announcement. During the luncheon, Hasan Rizvi (Vice President of Identity Management and Security Products at Oracle) was to provide attendees with an exclusive preview of Oracle's keynote announcement at the RSA Conference.

My first thought was "Oooooooo, free lunch". Then it hit me. It was in San Francisco and I live in London. "D'oh". So I had to politely decline, despite being tempted to ask if Oracle would pay for my air ticket and accommodation.

That's not the end of the story though. They subsequently followed up by inviting me to an alternate event. A blogger exclusive call the morning of that same day (April 10) to be held by Amit Jasuja (Vice President of development for Oracle's Identity Management and Security products) with the caveat that information shared on the call was to be embargoed until noon PT that day. Those who read this blog regularly know that there's no risk of me talking about anything so soon after finding out about it because I just don't have the time nor the urgency to behave like a journalist...or Robert Scoble.

The announcement itself is not the main purpose of this post. I'm not a fan of regurgitating information that's available, so I'll just point you at what I've found so far (admittedly the links are very Oracle centric in terms of content, but most others out there have just been regurgitating the press release and not adding to it):

• Oracle's press release
  
• Oracle's Nishant Kaushik on the announcement
• Oracle's David Chappell on the announcement
• Oracle's Thomas Kurian's keynote at RSA
• Oracle's whitepaper to accompany the announcement
  
• Dave Kearn's article at NetworkWorld

I will say a couple of things regarding the announcement (briefly). It didn't surprise me one bit. In fact, all it did was formalise what they've been evangelising and selling anyway. Oracle's been charging very aggressively into 2 particular areas over the past year or two. SOA, and security. Of course, they went out and bought most of their technologies. But there is no stronger indication that they believe in the SOA strategy than their acquisition of BEA Systems in January this year. Their security technologies have been built out very nicely through their acquisitions and it's also nice to see that they're starting to build out the emerging areas of fine grained authorisation (aka entitlement management), role management (through their acquisition of Bridgestream) and governance solutions. The suite is starting to round out nicely and they look to be running faster than their main competitors (IBM, Sun, CA) at the moment. Their marketing and PR departments are certainly earning their money.

Now I'll get to what I actually wanted to say. I applaud Oracle for reaching out to the blogging community because:

• They've certainly understood the whole blogging thing for a lot longer than the other big vendors out there (just look at the large list of people working in key Oracle positions that actually blog about their technology).
• They understand there's more than issuing a press release and hoping something happens that justifies the marketing costs.
• They understand that it's about creating discussion and awareness. Multi-way discussions are much more interesting and have the added bonus that something well written and insightful can have a viral effect.
  
• They know a lot of key decision makers read blogs.
• An opinion written by a non-Oracle employee holds a lot more credibility (assuming the author is credible themselves) than something written by an internal Oracle person who has to "toe the line". And if something written turns out to be less than positive, that's fine too because Oracle's bloggers can respond to it in a very interactive and hopefully constructive manner that makes Oracle's products better in the long run (if product management listen).
  
• Press releases are just boring and don't offer anything people couldn't otherwise find by looking on a company's website.

I agreed to attend the call fully aware of their agenda and am playing into Oracle's hands by talking about it. That's completely fine by me, because I'm just giving my honest opinion and they haven't influenced my comments in any way.

They did mention that this was the first time they had reached out formally to bloggers and they would like to continue doing so moving forward. Being the first time also meant that they didn't quite know how to conduct the call and generate some interactivity. Amit Jasuja basically gave a more detailed version of the press release and presented the rationale behind a lot of it. When it came time for questions, no one asked anything. I tried very hard to think of one, but I just couldn't. Not quite what they were hoping I'm guessing. They needed more stimulant material to get people's creative juices flowing. Also, it was an audio only call. Perhaps in future they could have some visual aspects. I'm not advocating slides, but at least that would be better than an audio only presentation. Hopefully they'll get better at these calls as they do more of them. But it was a nice first attempt at extending the olive branch to the community. They also followed up a few days after the call to see if I had any questions, which was a nice touch. In case you were wondering, I still had no questions :-)

The other large juggernauts of the software industry in the security space need to take note. Oracle's marketing is very good. If their products keep getting better and they keep rounding out their portfolio, they're going to be very tough to stop.

P.S. You may notice that the Oracle call I attended was almost 2 weeks ago. It's taken me this long to write about it because I've just moved apartments in London. What that means is that I've been very busy with the move and I don't have Internet connectivity in the new place yet. It's apparently going to take 3 weeks for my ISP to get my connection enabled again (even though I gave them advance warning and my new phone line was active for over a week prior to the move). When I asked why I had to pay for the 3 weeks of ABSOLUTELY NO SERVICE, they just said it wasn't their fault. I don't understand why ISPs in the UK are soooooooooooooooo bad at providing decent customer service. But that's another whole issue that I probably shouldn't get started on. I'm writing this from my hotel room in Prague (I have business meetings here over the next few days).

Identity enabled appliances from Hitachi?

Hitachi just made an acquisition in the Identity space (actually it was not a full acquisition, just majority shares - weird). Yes, the same Hitachi that makes consumer products including some of the appliances you use around your home.

They bought M-Tech Information Technology, Inc and renamed it Hitachi ID Systems, Inc. Welcome to single sign-on to everything once you step into the house and your fridge not allowing you that extra snack at midnight because it knows you're on a diet.

Ok, seriously...

I'm not completely sure how this makes a lot of sense...but there may be logic to the madness and only the executives in Japan know the real reason and strategy moving forward. However, it doesn't stop the rest of us from speculating.

I don't actually think Hitachi is out to become an Identity Management vendor in the traditional sense. If they try to go toe-to-toe with the likes of IBM, Oracle, Sun and CA they will lose. M-Tech's product set at a high level only includes password synchronisation and provisioning capabilities. They are missing all the other things in the standard Enterprise Identity and Access Management suite, the most obvious being Access Management. Maybe Hitachi have a few other acquisitions up their sleeves to fill the gaps. If they really want to play this game, they are going to have to do it to make people stand up and take them seriously.

As the Burton Group have already alluded to in their analysis, Hitachi bring with it the sales and marketing clout that M-Tech did not have (which is pretty much always the case when a large corporation acquires a much smaller one). It also brings 2 technologies to the table that are the most obvious candidates to integrate with the M-Tech solution. Their RFID and Finger Vein technologies. I would assume they want to use the provisioning aspects to manage the identities flowing around and also integrate these approaches with password management for a more complete, automated physical/digital authentication solution.

Hitachi will do well to lead with the areas where they are strong and provide the software capabilities as a differentiator. They can use the additional capabilities and management efficiencies as a competitive advantage over their current competitors. As I already said, they will lose if they lead with the M-Tech technology in the hope of selling RFID and Finger Vein readers because very few large organisations will bite due to the incomplete solution they'll end up with from an Enterprise Identity and Access Management standpoint.

Perhaps Hitachi are positioning themselves to be a player in the software space (they already have bits and pieces of software that do various things) or even to get into doing IT related services. If so, then their strategy moving forward could be to look a little more like Fujitsu.

I'm just guessing of course. In the short to medium term, they've probably just acquired M-Tech to shore up their capabilities and provide a competitive advantage. Or maybe an identity aware household is part of the grand plan. All I can say is, my fridge better not stop me from getting my midnight snack or there's going to be trouble!

HSBC didn't learn from HMRC

HSBC here in the UK just lost a data disc full of customer details. It wasn't a goof-up of HMRC proportions because 370,000 customer details seem like nothing compared to the 25 million HMRC lost into the postal system. But in light of all the recent incidents, you would have thought they would at least be a little bit more careful about sending things out in the post! From what I can gather, you should only be worried if you have taken out an insurance policy that is somehow connected with HSBC or have insurance related information within HSBC's systems.

A lot of the points I made in commenting about the HMRC incident still apply here so I won't rehash any of it. I'm just very surprised that the bank didn't dive into user security awareness training initiatives to attempt to mitigate the risks in place. I wonder if they also changed some of the procedures and processes around how information is handled.

Or maybe they did both, which brings me to the next point. Assuming they've done a little bit of educating and process re-engineering, the next logical step is to start putting the tools in place to help with the user education (there's nothing better than real-time education of users - how many times have you sat in a security awareness class and come out not remembering a single thing) and information control. Tools which can also protect the information flowing around and even automatically encrypt the information moving to removable media, like a frigging disc that's about to be sent out in the post just in case the person doing it was asleep in class (like the rest of us).

The right approach in my opinion is actually a combination of varying approaches running in parallel. Start small with each aspect and let them evolve and intermingle. For example, you can put in the simple controls using a tool while also conducting user awareness programs and changing information handling processes. It's all iterative.

Of course, whatever they currently have in place isn't working. They claim to have password protection on the disc, but even they admit that it wasn't good enough and that they should have at least encrypted the information.

I know for a fact that this area of security hasn't really been a focus for the bank over the past year. They've been more concerned about PCI...and we know that as long as you are PCI compliant, your customer details are safe right?! Think again (see Rich Mogull's analysis of the Hannaford data loss incident - Hannaford were apparently PCI compliant).

Maybe their priorities will change now? I doubt it...but one can hope.

Passlogix responds to the IBM situation

There's been many a discussion around the IBM acquisition of Encentuate and what it means. I wrote about it here, here, here and here. I've also received a few emails discussing the issue (mostly with my IBM mates). I've presented the IBM view and an unofficial (albeit tongue in cheek) Oracle view (thanks to Nishant Kaushik). The obvious missing link here is Passlogix's view.

Earlier this week, I received an email from a senior member of Passlogix's management team to open up a discussion and also to clarify their position. One of the topics of conversation centred around one of my posts and specifically my statement:

If you "upgrade" from ITAM ESSO to Passlogix v-GO or Oracle's OEM version of v-GO, you will have to buy the product again. Your IBM licenses will not carry over, unless Passlogix and/or Oracle get very aggressive and agree to "upgrade" your deployment and waive the software costs

The next few paragraphs in orange summarise my understanding (not a direct quote, so it includes some of my commentary) of Passlogix's position.

Passlogix's response is that they are working with every customer running IBM Tivoli Access Manager for Enterprise Single Sign-On (ITAM ESSO) 6.0 (the current version and OEM of Passlogix v-GO) to give them options moving forward and to help give them a choice. They will also honour the existing maintenance contracts that IBM has in place, and if the customer chooses to have Passlogix support them directly, there will be no additional charges to do so.

Passlogix also completely agree with my point that upgrading from ITAM ESSO 6.0 (Passlogix v-GO OEM) to ITAM ESSO 7.0 ("blue rinsed" Encentuate) will be a real pain in the behind because it's a "rip and replace". They make mention of the fact that v-Go is an "infrastructure free/event driven technology" and Encentuate is "server based/script driven". I can't confirm that Encentuate is indeed server based and script driven because I have never seen it in action. If it is, then it will be very painful migrating between the 2 approaches. As an aside, I should point out that it's not surprising that they agree! It helps them keep existing customers. I'm sure every single Passlogix employee is being told to say this. Unfortunately for IBM, I'm right. So IBM, you're going to need to work VERY hard to make it worthwhile for a customer to move to ITAM ESSO 7.0.

One last thing that Passlogix would like to remind us is that if you're the type of organisation that MUST evaluate technology before you can implement it, you'll also have to put up with that pain (as will IBM) before you can migrate to ITAM ESSO 7.0.

IBM will obviously tell you that you do not need to evaluate anything and that it should be treated as an upgrade. How you choose to view it is completely your call. Just be aware that these are the 2 differing views and whichever you pick will have implications for your migration or upgrade plan.

At this point in time, here are your choices:

1. Upgrade to ITAM ESSO 7.0 when it comes out - No additional software license, maintenance or support costs (unless your maintenance contract is expiring). Lots of services pain. Who pays for the services? If IBM doesn't wear most of it, they aren't trying hard enough.
2. Move to Passlogix - No additional software license, maintenance or support costs (unless your maintenance contract is expiring). Services pain will probably be minimal if any. If you have other IBM Tivoli Security products deployed however, keep in mind that future integration points will probably be released for ITAM ESSO 7.0 ("blue rinsed" Encentuate) before Passlogix get a chance to write their integration pieces by virtue of the fact IBM will generally build their integration pieces between internal products first (not always, but this is almost always true within the same IBM product suite). I'm pretty sure Passlogix will continue to support integration between v-GO and the IBM Tivoli products, but they will just be slower in getting them released. There's not a lot Passlogix can do about it of course because they will only be able to build integration pieces into IBM products by working with IBM (unless they wait for APIs to be published, which will make it even slower).
3. Move to Oracle - They'll charge you for the software, maintenance and support (does someone from Oracle want to email me to tell me that you won't?). Services pain will probably be minimal if any. If you have other IBM Tivoli Security products deployed however, this is not a smart choice unless you are ready to throw IBM out and replace your whole Identity and Access Management infrastructure with Oracle.
   

More on this WAM thing

My last post generated more interest than I initially expected. I guess it's one of those dormant issues that people have come to accept because it's just how the large vendors sell their Web Access Management (WAM) products (i.e. software).

I asked a few questions in a couple of sections and P2 Security's CTO, Jeff Gresham has responded by way of a comment. For those of you reading this via the RSS Feed and don't feel like clicking through, I'll repost it here:

"Ian,

We appreciate your interest in our maXecurity product line.

The technology team at P2 Security has been deploying conventional Web Access Management solutions at medium to large enterprises for the better part of a decade. It was our experience with deployment, maintenance and compliance issues that motivated us to develop our appliance-based maXecurity solution.

With maXecurity, we have adopted a "fewer moving parts" philosophy, and have collapsed the conventional three layer architecture (web agents or proxies + policy servers + policy store) to a two layer architecture (proxy appliances + policy store). We see this as a distinct advantage in terms of hardware cost, as well as deployment and maintenance effort, all of which translate to a lower total cost of ownership for our customers. Since a maXecurity solution includes hardware, customers are not required to acquire and deploy any additional hardware or software for a policy server layer. Also, no OS-level system administrators are required to maintain Unix- or Windows-based policy servers. Between hardware and IT staff, we have observed large enterprises (with 100s of thousands of users and hundreds of protected web applications) spending millions of dollars per year on WAM policy servers. By eliminating the policy server layer, these costs can be avoided, with the resulting savings allowing customers to achieve ROI in a matter of months.

With regard to your question: "...how [do] they manage security policies when someone decides to buy more than 1 appliance," maXecurity appliances are grouped into clusters that share the same policy configuration. All policy information is maintained in a centralized LDAP policy store. Policy changes are made from any appliance, written to the policy store, and all other appliances in the same cluster will detect the changes in the policy store and enforce them locally. Any combination of maXecurity Basic (500 users), maXecurity Pro (5000 users) and maXecurity Enterprise (50000 users) appliances can make up a cluster, allowing a maXecurity infrastructure to scale from the smallest to the largest enterprise.

I hope that I've addressed your questions regarding our maXecurity product line.

Jeff Gresham
Chief Technology Officer
P2 Security LLC"

There is some truth to what he says. Of course, it doesn't mean it is any easier to manage from an overall standpoint. I maintain that it is still a point solution for those that have a specific need to address their Web Access Management problems.