Thursday, March 19, 2009

What does an IBM acquisition of Sun mean for Identity Management?

IBM employees: hands up those of you expecting to tell management to stick their redundancy packages where "the Sun don't shine"?

Sun employees: hands up those of you who walked into a meeting this morning and came out to be greeted by people with spray cans and paint tins eager to paint you IBM-blue, itching to call you a smurf?

In case you've been in a cave today, the rumour ("rumor" for my American friends) doing the rounds is that IBM is in talks to acquire Sun. I should stress that is a rumour, but I suppose everyone thinks the fact that the Wall Street Journal is one of the news outlets reporting on this rumour gives it some additional weight.

I wasn't going to bother writing anything given that nothing has actually happened and I'm not sure how this is a no-brainer move for IBM, but a few people have emailed asking what I think. So the easiest way to respond was to post this.

There's no shortage of coverage across news outlets, blogs and in Twitterville. Everyone's talking about the big picture. Larry Dignan (thinks it makes sense) and Dana Gardner (doesn't think it makes sense) have more insightful commentary than most stories I've read. Commentators generally mention data centers, servers (i.e. hardware), cloud computing, professional services, Java, IDEs (NetBeans vs. Eclipse - consensus opinion seems to think NetBeans will go the way of the Dodo), Unix (AIX vs. Solaris) and open source. Many of them are saying that it makes sense in a macro-company kind of way. I, however, will be focusing on a specific something else where I don't think it makes any sense at all. Then again, in the grander scheme of things there's usually some sort of sacrifice when these things happen, especially today when the flavour of the microsecond is all things cloud-related and not un-sexy-enterprise-off-the-shelf-run-it-in-your-own-data-center software.

My point is that very few reports have touched on something that should be on your mind if you work in enterprise software: what's going to happen to the software stack? There are overlaps EVERYWHERE! There are too many products to talk about in detail but IBM cannot simply throw Sun's stack away because of the backlash they're going to get from customers and the community at large.

If IBM does acquire Sun, they sure as heck aren't doing it for the software (except for perhaps additional "control" over Java). And they sure as hell aren't doing it because Tivoli's run out of role management vendors to acquire and liked VAAU (which became Sun Role Manager) so much they went to Sam Palmisano and told him to buy Sun as punishment for getting to VAAU before them. Does this mean they'll just throw Sun's software division away? Of course not! That would be stupid on IBM's part (and despite what I've written about in the past, I don't think IBM are stupid). They will more than likely run everything separately initially, figure out what bits and pieces fill missing holes in the IBM software portfolio and then "blue-rinse" (rebrand) them. The overlapping pieces will be absorbed into the IBM blue-ether and have useful components re-used within existing IBM software and the perceived useless bits discarded. It's IBM's modus operandi (just look at what they did with their DB2-related acquisitions). It's also what Oracle does, so at least someone else thinks it makes sense.

And here's where I'm going to head down the rabbit hole, because this is all based on a rumour. In other words, it's speculation and anything said is simply mental masturbation.

The least affected IBM software brand will be Lotus. Rational should be relatively unscathed. The other three IBM software brands (Tivoli, WebSphere, Information Management aka DB2) however, will notice a few changes. None will be affected more than WebSphere, but Tivoli comes a close second in the upheaval stakes. This is where IBM's Identity and Access Management (IAM) suite sits, which is what I'm going to focus on now.

The first win for IBM will be in the marketing stakes. I don't mean this in terms of positive karma or PR, but more in terms of the marketing talent at Sun. This is because Sun has been better at marketing, community building and listening to customers than IBM has within the IAM space. Now, assuming IBM doesn't fire the whole IAM marketing team they'll be inheriting a very strong team of people (yeah I know their engineers aren't too shabby either). In my opinion, Sun understood the evolution in marketing that's been occurring much earlier than IBM and hence are ahead in the game from this standpoint. Actually, pretty much every other big IAM vendor understood this before IBM. In IBM's defence, they are starting to pick up their game and are running with it wholeheartedly.

On to the products. I thought of doing a full comparison by listing each company's full list of IAM products, but then I started writing down IBM's list from the website (in case I missed anything by relying on my memory) and it gave me a headache (Side note to IBM: WTF?! The list has gotten much more complicated and longer. And to add to the confusion, you even list "products" that are actually solutions made from combining different underlying products. If you are able to give an ex-employee who used to architect, implement and sell this stuff for you a headache when going to your website, what do you think customers are going to think? Or maybe I just don't have the mental capacity to read introductory product information about IBM software). Conversely, Sun's list is much easier to follow (although whoever runs the website should probably place Access Manager and Federation Manager in a separate list noting that they've been combined to form OpenSSO). Here's the core Sun IAM list with commentary:
  • Sun Directory Server - IBM has Tivoli Directory Server.
  • Sun Identity Compliance Manager - IBM does not have a direct equivalent.
  • Sun Identity Manager - IBM has Tivoli Identity Manager.
  • Sun OpenSSO Enterprise - IBM has Tivoli Federated Identity Manager and Tivoli Access Manager for e-business (which is actually used as a component within the Federated Identity Manager product, but I won't complicate things here).
  • Sun Role Manager - IBM does not have a direct equivalent.
Thanks to Sun's simpler list, there's a relatively clear picture to work with. I should note that IBM has quite a few more IAM products than I've listed (IBM lists them as part of the Security Management suite), but I'll ignore them because a potential acquisition of Sun should not affect them too much.

What's abundantly clear here is that Sun Role Manager and Sun Identity Compliance Manager (don't confuse this with Tivoli Compliance Insight Manager because the IBM product addresses different requirements) look to be safe from the chopping block. IBM will simply take the 2 products (aside: my understanding is that Compliance Manager is actually derived from Role Manager - Sun people, please correct me if I'm wrong) and "blue-rinse" them. Their names will likely stay the same with "Sun" being replaced with "IBM Tivoli". Either that or IBM will combine them and call it "Tivoli Identity, Access and Role Compliance Manager" or some long-a**ed name that forms yet another T-acronym. At least you can kind of pronounce TIARCM, albeit getting tongue twisted in the process.

As for the other Sun IAM products, their futures are at risk if this rumour proves to be true. IBM's spent shed-loads of money acquiring, "blue-rinsing" and subsequently developing their equivalent products. It's VERY unlikely that IBM will throw that investment away only to repeat the exercise again with Sun's stack. In other words, I have a feeling that in the longer term, Sun Directory Server, Sun Identity Manager and Sun OpenSSO Enterprise are seriously in danger of being "sunsetted" (yeah, I cringed too when I typed it). Interestingly enough, many people are of the opinion that Sun's Identity Manager is a superior product to Tivoli Identity Manager. Conversely, the reverse is true when comparing Federation/Access Management products. Opinions such as these are of course subjective and depend on the requirements at hand and people's personal preferences. The truth is that they are all pretty solid, mature products in their own right so there's no easy answer in making a decision to pick Sun's version over IBM's or vice versa. I see 3 logical possibilities here:
  1. IBM "sunsets" the relevant overlapping Sun IAM products, which will mean that they'll continue to support existing customers but gradually migrate them over to the Tivoli versions.
  2. IBM markets the Sun IAM products as open source alternatives to their enterprise incarnations.
  3. IBM re-hashes the rather unsuccessful "Express" line of products.
Option 1 will be the least popular alternative in the eyes of customers. But it means BIG services opportunities for IBM and IBM's channel of business partners which provide consulting/implementation services. From an IBM perspective, they would be making the sacrifice early on for the greater good of the company and taking the PR and initial professional services (in having to give away free services for the migration to prevent angry mobs from gathering) hit that comes with it (like they had to do when they acquired Encentuate). This is the "rip the band aid off quickly" approach, but it also means lots of job cuts with the sales and marketing teams being first out the door.

Option 2 is the easy way out, but is also the most expensive. Sun already markets their product line as being open. The heavy-lifting part of the marketing's been done and all IBM has to do is see it through while changing the product names. Unfortunately, this is expensive from an ongoing operational and development standpoint. They may choose to absorb the cost as a "good karma tax", so this option could very well fly. The upheaval to existing Sun teams and customers would also be mitigated. This is the "don't rock the boat" option.

Option 3 is the "marketing blue-rinse" option. It's more or less a hybrid approach of options 1 and 2. IBM will be looking to cut the fat somewhat from a jobs perspective, but not as drastically as they would if they went with option 1. From a technical standpoint, this will be very similar to option 2. The difference is that they bring the products back in-house and promote them as the "light IAM options" for small to medium business. This was exactly the target market for their Express initiative and they may look to re-energise those efforts. Ironically, Tivoli Identity Manager Express was a response to the market perception that Sun Identity Manager is easier to deploy and manage. If this happens, I don't think the Sun products will survive beyond a year or 2. IBM's Express experiment has proven that customers that buy Tivoli still like to choose the heavier version "in case" they need the features and perceived superior stability. Remember, this is not to say the Sun products aren't stable or fully featured. I'm just saying that in this instance, that's what the marketing materials are going to imply and how the sales teams will be selling the products. If not, IBM would look pretty stupid for continuing development on 2 equally good products in parallel that serve the exact same purpose (in the eyes of the customer). If "Express" doesn't sell, this option is simply the less painful, more drawn out, more expensive version of option 1.

No matter which option IBM picks, one thing is certain. They're going to run a fine-tooth comb over the Sun product set, pilfer all the useful bits and roll them into the existing Tivoli product set. This is good for Tivoli customers but it'll take time for the functionality to start appearing given the speed that IBM moves at.

I don't think competitors like Oracle, CA and Novell will be quaking in their boots though. From an IAM standpoint, any acquisition only increases IBM's market share. It doesn't really give them a big advantage when it comes to product features or functionality. Then again, significantly increased market share is nothing to be sneezed at.

If the rumour proves to be based on solid information and something does happen, the real winners (other than IBM) will be existing IBM customers. The biggest losers? Existing Sun employees and customers, at least from a software perspective.

Friday, March 13, 2009

IBM gets more end-pointy

To be specific, I should say IBM ISS. This time, they're getting in bed with BigFix (the press release is here). Here's the first paragraph of the release:
"Today, IBM announced a first-of-a-kind endpoint security offering, IBM Proventia Endpoint Secure Control (ESC), that is designed to enable enterprises to escape from the constraints of vendor lock-in and to enhance endpoint security, compliance and operations at a lower cost. This new endpoint security offering is delivered by IBM Internet Security Systems (IBM ISS) leveraging IBM's depth in security experience and technology from BigFix, Inc. for endpoint security management."

It sounds like it's some sort of OEM agreement with BigFix to offer up security-focused, endpoint systems management. Essentially, it's to allow for organisations to manage all the bits and bobs of software that end up having to be deployed on endpoints (laptops, desktops etc.) and become a nightmare to manage over time. IBM harps on about "vendor lock-in" and stresses that having ESC/BigFix in place makes it much easier to swap out software and replace it with new stuff (McAfee AV with Symantec's, for example). Sounds nice in theory and marketing slides. Not so simple in reality, even with a shiny new toy.

I won't get into the minefield relating to it being a good idea to have some sort of common security policy management or decision point across everything (which is what Symantec and McAfee are trying to do across their bag of toys) that this doesn't address, but I'm sure IBM are working on that. By the way IBM ISS, the boys at Tivoli might have some stuff that you could use? You should try talking to them...which brings me to my next point.

I can't help but notice that there's some level of overlap with what IBM Tivoli provides in the way of their systems management software, but this is IBM so it doesn't surprise me that the left hand doesn't seem to be talking to the right hand. It's business as usual and somewhere within IBM, a bunch of people in Tivoli are going to be wondering why IBM ISS keeps trying to compete with them. To be fair, the IBM Tivoli stuff isn't as endpoint-focused when it comes to security and isn't as security-focused when it comes to endpoints (this is confusing unless you know the Tivoli products - you IBM Tivoli people know what I'm talking about don't you). The press release does make a reference to Tivoli:
"The new tool will complement IBM Tivoli's operational desktop management offerings with robust endpoint operational security solutions, allowing customers the ability to address end point security. IBM Proventia ESC will also provide key endpoint security audit data to IBM Tivoli Security Information and Event Manager (TSIEM), further strengthening TSIEM's enterprise-wide compliance reporting capabilities."
But that statement sounds to me like it was thrown in to "keep Tivoli happy". TSIEM could get its endpoint security audit data from any other competitive endpoint source. It doesn't need ESC specifically! Of course, the marketing department will throw in comments like it'll be better integrated and have "out of the box connectors" but we know how true these things are. Unless development is managed by the same brand, this is extremely difficult to achieve in an adequate amount of time. My money's on the fact that the implementation partner is going to have to be the one that picks up the pieces if/when the integration at a client's site is required.

Strategically however, this move makes sense. If your memories go back to late 2007 (yeah I know that's quite some time ago), you may remember IBM ISS dipping its toe into data security by offering managed services using a combination of Verdasys, Fidelis and PGP software. I'm not sure they got very much traction out of that initiative, but this is a continuation of an increasing focus on the endpoint by IBM ISS, and they want to manage it all too:
"'The killer application in endpoint security is management,' said Dan Powers, vice president of business development at IBM Internet Security Systems."
I don't really agree that management is "the killer app" in the endpoint game, but it's certainly a key piece. The likes of Sophos, Symantec, McAfee, Checkpoint have all been progressively coming out with their own versions of "one agent to rule them all" and wrapping a management layer around it all. I suppose IBM ISS didn't want to get left behind because when it comes to data security, if you ignore the endpoint you've lost the game.

Monday, March 02, 2009

Did IBM actually listen to me?

Or was it a coincidence? I'm not sure because I never did hear back from anyone within IBM in response to my open letter.

The letter I speak of was a rant where I openly asked IBM why they thought it was appropriate to list member email addresses on their newly created communities site by default and not allow for an opt-out. What they really should have done was to set all details as private by default and allow people to opt-in with regards to their details being made public. The fact there was not even an opt-out in relation to email addresses being displayed was unacceptable in my opinion.

I've been away for the past week snowboarding in the French Alps (I just had to throw that bit of detail in - curse me if you must) so I've been a little bit out of it. In trying to "plug" myself back into society, I decided to have a look at the IBM communities site for a laugh. I even contemplated posting my rant to the forum due to their lack of any response. But to my surprise, I noticed something different: email addresses are no longer displayed!

I don't seem to see any changes in being able to set privacy controls, so the interface is exactly the same. But some educated individual's either decided that public emails were a bad idea or they read my rant and did something about it. Makes you all warm and fuzzy doesn't it.

In other news, I'm still getting a shed-load of spam to the email address that IBM made public. Thanks IBM.