Tuesday, April 22, 2008

A little more on RSA Conference 2008

The two Identity Management related things that seemed to generate the most noise at this year's RSA Conference were:
I've already blogged about both these things (follow the links). There was also apparently quite a lot happening in the user centric identity space.

I wasn't physically there, so I'll have to defer to others for a roundup. You can start with the RSA Conference's blog and then move on to Matt Flynn (here and here) and Gunnar Peterson (here, here and here). UPDATE: Here's what security guru Bruce Schneier had to say.

Also, can someone tell me how I managed to get on the RSA Conference's Blogroll? Screenshot below in the event they realise I'm not worthy and remove the link :-)

Oracle reaches out to the blogging community

Oh, and they made a rather significant announcement at the RSA Conference too. Both are tied together. Allow me to explain.

I was first contacted by a representative of Oracle's PR department about an invitation to attend an exclusive blogger luncheon with Oracle executives on April 10 in San Francisco around their impending RSA announcement. During the luncheon, Hasan Rizvi (Vice President of Identity Management and Security Products at Oracle) was to provide attendees with an exclusive preview of Oracle's keynote announcement at the RSA Conference.

My first thought was "Oooooooo, free lunch". Then it hit me. It was in San Francisco and I live in London. "D'oh". So I had to politely decline, despite being tempted to ask if Oracle would pay for my air ticket and accommodation.

That's not the end of the story though. They subsequently followed up by inviting me to an alternate event: a blogger-exclusive call on the morning of that same day (April 10) to be held by Amit Jasuja (Vice President of development for Oracle's Identity Management and Security products), with the caveat that information shared on the call was to be embargoed until noon PT that day. Those who read this blog regularly know that there's no risk of me talking about anything so soon after finding out about it because I just don't have the time nor the urgency to behave like a journalist...or Robert Scoble.

The announcement itself is not the main purpose of this post. I'm not a fan of regurgitating information that's available, so I'll just point you at what I've found so far (admittedly the links are very Oracle centric in terms of content, but most others out there have just been regurgitating the press release and not adding to it):
I will say a couple of things regarding the announcement (briefly). It didn't surprise me one bit. In fact, all it did was formalise what they've been evangelising and selling anyway. Oracle's been charging very aggressively into 2 particular areas over the past year or two: SOA and security. Of course, they went out and bought most of their technologies. But there is no stronger indication that they believe in the SOA strategy than their acquisition of BEA Systems in January this year. Their security technologies have been built out very nicely through their acquisitions and it's also nice to see that they're starting to build out the emerging areas of fine-grained authorisation (aka entitlement management), role management (through their acquisition of Bridgestream) and governance solutions. The suite is starting to round out nicely and they look to be running faster than their main competitors (IBM, Sun, CA) at the moment. Their marketing and PR departments are certainly earning their money.

Now I'll get to what I actually wanted to say. I applaud Oracle for reaching out to the blogging community because:
  • They've certainly understood the whole blogging thing for a lot longer than the other big vendors out there (just look at the large list of people working in key Oracle positions that actually blog about their technology).
  • They understand there's more than issuing a press release and hoping something happens that justifies the marketing costs.
  • They understand that it's about creating discussion and awareness. Multi-way discussions are much more interesting and have the added bonus that something well written and insightful can have a viral effect.
  • They know a lot of key decision makers read blogs.
  • An opinion written by a non-Oracle employee holds a lot more credibility (assuming the author is credible themselves) than something written by an internal Oracle person who has to "toe the line". And if something written turns out to be less than positive, that's fine too because Oracle's bloggers can respond to it in a very interactive and hopefully constructive manner that makes Oracle's products better in the long run (if product management listen).
  • Press releases are just boring and don't offer anything people couldn't otherwise find by looking on a company's website.
I agreed to attend the call fully aware of their agenda and am playing into Oracle's hands by talking about it. That's completely fine by me, because I'm just giving my honest opinion and they haven't influenced my comments in any way.

They did mention that this was the first time they had reached out formally to bloggers and they would like to continue doing so moving forward. Being the first time also meant that they didn't quite know how to conduct the call and generate some interactivity. Amit Jasuja basically gave a more detailed version of the press release and presented the rationale behind a lot of it. When it came time for questions, no one asked anything. I tried very hard to think of one, but I just couldn't. Not quite what they were hoping for, I'm guessing. They needed more stimulant material to get people's creative juices flowing. Also, it was an audio-only call. Perhaps in future they could have some visual aspects. I'm not advocating slides, but at least that would be better than an audio-only presentation. Hopefully they'll get better at these calls as they do more of them. But it was a nice first attempt at extending the olive branch to the community. They also followed up a few days after the call to see if I had any questions, which was a nice touch. In case you were wondering, I still had no questions :-)

The other large juggernauts of the software industry in the security space need to take note. Oracle's marketing is very good. If their products keep getting better and they keep rounding out their portfolio, they're going to be very tough to stop.

P.S. You may notice that the Oracle call I attended was almost 2 weeks ago. It's taken me this long to write about it because I've just moved apartments in London. What that means is that I've been very busy with the move and I don't have Internet connectivity in the new place yet. It's apparently going to take 3 weeks for my ISP to get my connection enabled again (even though I gave them advance warning and my new phone line was active for over a week prior to the move). When I asked why I had to pay for the 3 weeks of ABSOLUTELY NO SERVICE, they just said it wasn't their fault. I don't understand why ISPs in the UK are soooooooooooooooo bad at providing decent customer service. But that's another whole issue that I probably shouldn't get started on. I'm writing this from my hotel room in Prague (I have business meetings here over the next few days).

Wednesday, April 09, 2008

Identity enabled appliances from Hitachi?

Hitachi just made an acquisition in the Identity space (actually it was not a full acquisition, just majority shares - weird). Yes, the same Hitachi that makes consumer products including some of the appliances you use around your home.

They bought M-Tech Information Technology, Inc and renamed it Hitachi ID Systems, Inc. Welcome to single sign-on to everything once you step into the house and your fridge not allowing you that extra snack at midnight because it knows you're on a diet.

Ok, seriously...

I'm not completely sure how this makes a lot of sense...but there may be logic to the madness and only the executives in Japan know the real reason and strategy moving forward. However, it doesn't stop the rest of us from speculating.

I don't actually think Hitachi is out to become an Identity Management vendor in the traditional sense. If they try to go toe-to-toe with the likes of IBM, Oracle, Sun and CA they will lose. M-Tech's product set at a high level only includes password synchronisation and provisioning capabilities. They are missing all the other things in the standard Enterprise Identity and Access Management suite, the most obvious being Access Management. Maybe Hitachi have a few other acquisitions up their sleeves to fill the gaps. If they really want to play this game, they are going to have to do it to make people stand up and take them seriously.

As the Burton Group have already alluded to in their analysis, Hitachi brings with it the sales and marketing clout that M-Tech did not have (which is pretty much always the case when a large corporation acquires a much smaller one). It also brings 2 technologies to the table that are the most obvious candidates to integrate with the M-Tech solution: their RFID and Finger Vein technologies. I would assume they want to use the provisioning aspects to manage the identities flowing around and also integrate these approaches with password management for a more complete, automated physical/digital authentication solution.

Hitachi will do well to lead with the areas where they are strong and provide the software capabilities as a differentiator. They can use the additional capabilities and management efficiencies as a competitive advantage over their current competitors. As I already said, they will lose if they lead with the M-Tech technology in the hope of selling RFID and Finger Vein readers because very few large organisations will bite due to the incomplete solution they'll end up with from an Enterprise Identity and Access Management standpoint.

Perhaps Hitachi are positioning themselves to be a player in the software space (they already have bits and pieces of software that do various things) or even to get into doing IT related services. If so, then their strategy moving forward could be to look a little more like Fujitsu.

I'm just guessing of course. In the short to medium term, they've probably just acquired M-Tech to shore up their capabilities and provide a competitive advantage. Or maybe an identity aware household is part of the grand plan. All I can say is, my fridge better not stop me from getting my midnight snack or there's going to be trouble!

Tuesday, April 08, 2008

HSBC didn't learn from HMRC

HSBC here in the UK just lost a data disc full of customer details. It wasn't a goof-up of HMRC proportions because 370,000 customer details seem like nothing compared to the 25 million HMRC lost into the postal system. But in light of all the recent incidents, you would have thought they would at least be a little bit more careful about sending things out in the post! From what I can gather, you should only be worried if you have taken out an insurance policy that is somehow connected with HSBC or have insurance related information within HSBC's systems.

A lot of the points I made in commenting about the HMRC incident still apply here so I won't rehash any of it. I'm just very surprised that the bank didn't dive into user security awareness training initiatives to attempt to mitigate the risks in place. I wonder if they also changed some of the procedures and processes around how information is handled.

Or maybe they did both, which brings me to the next point. Assuming they've done a little bit of educating and process re-engineering, the next logical step is to start putting the tools in place to help with the user education (there's nothing better than real-time education of users - how many times have you sat in a security awareness class and come out not remembering a single thing) and information control. Tools which can also protect the information flowing around and even automatically encrypt the information moving to removable media, like a frigging disc that's about to be sent out in the post just in case the person doing it was asleep in class (like the rest of us).

The right approach in my opinion is actually a combination of varying approaches running in parallel. Start small with each aspect and let them evolve and intermingle. For example, you can put in the simple controls using a tool while also conducting user awareness programs and changing information handling processes. It's all iterative.

Of course, whatever they currently have in place isn't working. They claim to have password protection on the disc, but even they admit that it wasn't good enough and that they should have at least encrypted the information.

I know for a fact that this area of security hasn't really been a focus for the bank over the past year. They've been more concerned about PCI...and we know that as long as you are PCI compliant, your customer details are safe, right?! Think again (see Rich Mogull's analysis of the Hannaford data loss incident - Hannaford were apparently PCI compliant).

Maybe their priorities will change now? I doubt it...but one can hope.