Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Microsoft’

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host-based Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

Get Ready for Multiple Virtualization Platforms

Tuesday, October 26th, 2010

My colleague Mark Bowker and I are at a Virtualization, Cloud Computing, and Green IT conference in Washington DC this week. In one of the panels we hosted, an IT executive from a cabinet-level agency mentioned that the agency was qualifying Microsoft Hyper-V even though it already has an enterprise license in place with VMware. When asked why the agency was doing this, he responded, “we are a Windows shop and have a great relationship with Microsoft. VMware has been great but we simply believe that the world is moving to heterogeneous virtualization platforms and we want to be ready for this.”

This IT executive is not alone. In a recent ESG Research study, 55% of the organizations surveyed say that their primary virtualization solution is VMware (VMware Server, ESX, ESXi, etc.). This relationship with VMware doesn’t preclude them from using other hypervisors, however. In fact, 34% of survey respondents are using two virtualization solutions and 36% are using three or more. This was a survey of 463 North American-based IT professionals working at organizations with more than 500 employees.

My take-aways are as follows:

  1. Users should plan for multiple virtualization platforms. Standardization is great but it is likely that some applications and workloads will work best on one hypervisor versus another. This will demand training and management of disparate environments so standard processes and tools will be crucial.
  2. Training is key. Vendors need to realize that users need help with training and skills development before they buy the next virtualization widget.
  3. Vendors should develop broad partnering strategies. Two years ago, dedicating all virtualization resources to VMware was probably a good bet but this is no longer the case. Need proof? Cisco recently struck up a relationship with Citrix even though it has lots of resources invested in VMware and its 3 amigos relationship that also includes .

Yeah, I know, everyone would like one standard IT solution to meet all their needs. It hasn’t happened in the past and it won’t happen with virtualization either. The sooner that IT professionals and the industry recognize this the better.

Cloud Computing? We Still Haven’t Mastered Server Virtualization!

Tuesday, October 19th, 2010

According to ESG Research, only 7% of the large mid-market (i.e., 500-1,000 employees) and enterprise (i.e., 1,000 employees or more) organizations are not using server virtualization technology and have no plans to do so. On the other hand, 61% are using server virtualization technology extensively in test/development AND production environments.

Okay, so server virtualization technology is everywhere, but how are large organizations using it? Many technology vendors would have you believe that enterprises are using server virtualization as the on-ramp to cloud computing. The industry crows about server virtualization’s use for IT automation and self-service, as VMs are rapidly provisioned, dynamically re-configured, and moved constantly from physical server to physical server for load balancing and resource optimization.

It’s a great vision; it just isn’t happening today. Most organizations use server virtualization for web applications and file and print services, but far fewer have taken on transaction-oriented applications or databases. Many firms still struggle with performance issues when trying to align physical networks, storage devices, and servers with virtualization technology. As for VM mobility (i.e., vMotion), only 30% of the organizations surveyed by ESG use VM mobility on a regular basis. Why eschew VM mobility? It turns out that 24% of organizations say they have no need to use VM mobility functionality at this time.

The ESG data does suggest that server virtualization represents a paradigm shift driving huge changes in IT organizations, processes, and technologies, but these transitions will take time to work their way out. Many enterprises will get to a state of more dynamic data center transformation around 2013 or so.

Take my word for it, the IT rhetoric around server virtualization is visionary hype rather than actual reality. I’ve got tons of data to back this up. There are more average Joe IT shops out there than whiz-bang organizations like , , and Microsoft and there always will be.

Microsoft’s Mobile Phone Opportunity

Wednesday, October 13th, 2010

Microsoft and partners announced a series of new mobile phones yesterday. The new phones are based upon Windows 7 which replaces the more antiquated Windows Mobile OS.

This announcement places Microsoft in an unfamiliar spot, the “hot seat.” Everyone is pressing Microsoft on how its Windows 7 phones will compete with iPhone and Google Android. When Microsoft CEO Steve Ballmer visited NBC’s “Today” show, host Matt Lauer mentioned the iPhone several times. Ballmer continually re-directed him back to the product.

One overused IT cliché is to declare that a company or product is “dead.” I’m sure that many pundits are saying this about Microsoft, trumpeting that Windows Phones are simply too little, too late. I disagree for several reasons. Yes, Apple and have become the sexy consumer phones, but Microsoft still has a huge enterprise installed base. According to a recent ESG Research survey, 62% of enterprises already offer formal support for Microsoft mobile phones. Only Blackberry enjoys a higher support status. Combined with its Windows prowess, Microsoft has an opportunity to:

  1. Continue to tweak mobile applications. The fact is that we are just learning what type of applications, functionality, and usability people need for mobile devices. Microsoft has the ability to modify franchise applications like Office, Outlook, and Sharepoint to work best on Windows Mobile. If Microsoft can make this difference meaningful, business users will follow. Microsoft can also point its army of external developers at Windows phones to develop enterprise-focused applications. Finally, Microsoft can use Hyper-V to virtualize PCs on mobile devices better than anyone else.
  2. Use client licensing as a hook. Microsoft often gets enterprise customers to buy lots of applications with pricing bundles. If mobile applications come as part of its Enterprise Client Access License (ECAL), it has an immediate leg up on others.
  3. Focus on management, security, and compliance. Mobile devices can increase risk, endpoint management costs, and regulatory compliance complexity. According to ESG Research, 74% of enterprise organizations believe that mobile devices make complying with industry or government data security and/or privacy regulations more challenging. Microsoft can help bridge this gap by positioning Windows Phones along with existing Windows administration, operations, and security tools.

Microsoft shouldn’t try to compete with the consumer-focused iPhone or Android. Rather, it should combine some sexy consumer features with rock-solid business functionality. Apple and Google have momentum; Blackberry is vulnerable. If Microsoft establishes this position as “good enough” for consumers but superior for the enterprise, it wins where it counts: with software revenue.

Networking and Virtualization Vendors Should Join the Open vSwitch Effort

Thursday, September 16th, 2010

My colleague Mark Bowker and I are knee-deep in new research data on server virtualization. Within this mountain of data, we are discovering some existing and impending networking issues related to network switching.

Today, many server virtualization projects are led by server administrators, with little or no participation from the networking team. As you may imagine, this means that the server team configures all virtual switches to the best of its ability, without considering how physical switches are already configured. As things scale, the server team realizes the error of its ways and quickly calls the networking group in to help out. This is where things really break down. Before doing anything, the networking folks have to learn the virtualization platform, understand how the physical and virtual networks should interoperate, and then roll up their sleeves and start gluing everything together.

This is a painful learning curve but I believe that future issues will be far more difficult. As organizations increase the number of VMs deployed, networking configurations get more difficult — especially when VMs move around. Users regularly complain about the number of VLANs they have to configure, provision, and manage. This situation will grow worse and worse as VMs become the standard unit of IT.

In my mind, it makes no sense for virtualization vendors like Citrix, Microsoft, Oracle, and VMware to recreate the richness of physical L2 switches in the virtual world. So what can be done? Well one alternative is to eliminate virtual switches entirely and do all switching at the physical layer via the Virtual Ethernet Port Aggregator (VEPA) standard being developed in the IEEE.

I believe this will happen but in the meantime there is another alternative being discussed this week at the Citrix Industry Analyst Event — Open vSwitch. As described on the Apache web site, “Open vSwitch is a multilayer virtual switch licensed under the open source Apache 2.0 license. The goal is to build a production quality switch for VM environments that supports standard management interfaces (e.g., NetFlow, RSPAN, ERSPAN, CLI), and is open to programmatic extension and control.”

Here’s why this makes sense to me:

  1. Given a pool of collective resources, a collaborative open effort would provide more advanced switching functionality sooner rather than later.
  2. An open alternative would expose APIs that could be easily integrated with leading switch management tools from Brocade, Cisco, Extreme, Force 10, HP, Juniper, etc.
  3. Vendors would not have to integrate with each hypervisor independently. This would improve code quality and again speed time-to-market.

At the very least, Citrix, Microsoft, and Oracle should back this as a way to push back on VMware’s marketshare lead.

I’ve been around long enough to know the strengths and limitations of open source and standards but I think that with the right support, this one could have legs. I know that vendors have their own businesses to look after but isn’t another end goal to create products that the market wants? I think Open vSwitch would fit this bill.

Friday, September 3rd, 2010

Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .

At a very high level, the strategy calls for the formation of a standards-based, interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of three layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules over the entire ecosystem.

There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

  1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
  2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
  3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

Making Sense of Intel and McAfee: What this Acquisition is and is not.

Monday, August 23rd, 2010

It’s been a few days since Intel’s surprising McAfee acquisition announcement. This weekend, I took time to read what others were saying about the merger and there seems to be a lot of posturing and confusion out there. Here is a short list of some of the misconceptions:

  1. Intel is buying McAfee for mobile security. This may have strategic merit, but mobile security can’t possibly be a major motivation. Why? The whole mobile security market is extremely fragmented and worth a few hundred million dollars today. McAfee recently acquired its way into mobile security, so internal efforts are a work-in-progress. Rather than spend $7.7 billion on McAfee, Intel could have grabbed a vendor like Good Technology or Mobile Active Defense for a fraction of what it paid for McAfee. By comparison, Juniper just picked up SMobile for $70 million.
  2. Intel will bundle McAfee security functionality into vPro. Intel vPro has some security functionality for cryptography and secure communications, but nothing else. Why not integrate McAfee desktop security and even Safeboot encryption? Intel actually tried this for years with lots of partners and then buried the effort as if it never happened. I have to imagine that development was too difficult and too costly to proceed. I don’t think the McAfee acquisition changes anything.
  3. Intel wants to create hardware/software bundles for consumers. Some people think this will center around distribution alone, while others believe that Intel will create a vPro-like chip for consumer PCs. Neither of these things will happen. Consumer vPro won’t happen because it is too hard to do. Bundling won’t happen because of anti-trust. If bundling were possible, Microsoft would have done it two years ago.

Many of the smartest financial and industry analysts can’t make heads or tails out of this deal and I can understand their confusion. There really are no obvious synergies between the two technologies. Nevertheless, I believe that the security market is in transition where new products will need a whole new level of scale, intelligence, integration, and enterprise-class sophistication. The “new” security market will start abruptly and grow to over $1 billion extremely quickly. Intel wants a piece of this transition as well as portfolio diversification. It’s that simple.

The DNSSEC Opportunity

Friday, August 13th, 2010

DNSSEC is nothing new. The initial RFC was written in 1997 and the first specification was published in 1999. In spite of these efforts, secure DNS languished during the early 2000s as it wasn’t a requirement for most organizations.

Things have changed, however. DNS security has been called into question many times through cache poisoning attacks and the infamous Kaminsky vulnerability. To address these security weaknesses, DNSSEC efforts are underway. The DNS root servers have all been signed, as have the .gov and .edu Top Level Domains (TLDs). The other TLDs will be signed soon. These efforts will eventually establish a root/chain of trust for all sub-level DNS servers.
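How a signed root and signed TLDs become a chain of trust for the zones beneath them, as an added example that is not part of the original post: each parent zone publishes a DS record carrying a hash of the child’s key-signing DNSKEY, and a validator walks those links from the root trust anchor downward. The zone names (example.gov.) and key bytes are constructed, and RRSIG signature verification is left out; only the DS digest and key-tag computations are the real RFC 4034 procedures.

```python
"""Walk a DNSSEC chain of trust from a root trust anchor down to a leaf zone.

Each parent zone publishes a DS record for its child: the key tag, algorithm
and a digest of the child's key-signing DNSKEY (RFC 4034 section 5.1.4 and
Appendix B). A validator accepts a child's key only if it matches that DS.
Zone names and key bytes here are constructed for illustration; RRSIG
(signature) verification, which a real resolver also performs, is omitted.
"""
import hashlib
import struct

ALG_RSASHA256 = 8      # DNSKEY algorithm number (RFC 5702)
DS_DIGEST_SHA256 = 2   # DS digest type (RFC 4509)
KSK_FLAGS = 257        # ZONE flag + Secure Entry Point flag


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels with length bytes."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS record a parent would publish for this child's DNSKEY."""
    return (key_tag(rdata), rdata[3], DS_DIGEST_SHA256, ds_digest(owner, rdata))


def validate_chain(trust_anchor: tuple, zones: list, ds_records: dict):
    """zones: [(name, dnskey_rdata), ...] ordered root -> leaf.
    ds_records: {child_name: DS tuple} as published by each child's parent.
    Returns (True, None) when every link holds, else (False, failing_zone)."""
    for name, rdata in zones:
        expected = trust_anchor if name == "." else ds_records.get(name)
        if expected is None:
            return False, name  # no DS in the parent: zone is outside the chain
        tag, alg, dtype, digest = expected
        if dtype != DS_DIGEST_SHA256 or alg != rdata[3] or tag != key_tag(rdata):
            return False, name
        if digest != ds_digest(name, rdata):
            return False, name  # key does not match what the parent vouched for
    return True, None


def fake_pubkey(zone: str) -> bytes:
    """Constructed stand-in for public key bytes (not a real RSA key)."""
    return hashlib.sha256(f"constructed key for {zone}".encode()).digest()


def build_demo():
    """Root -> gov. -> example.gov. (example.gov. is a constructed name)."""
    names = [".", "gov.", "example.gov."]
    zones = [(n, dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, fake_pubkey(n))) for n in names]
    ds_records = {child: make_ds(child, rdata) for child, rdata in zones[1:]}
    trust_anchor = make_ds(".", zones[0][1])  # plays the role of the root trust anchor DS
    return trust_anchor, zones, ds_records


if __name__ == "__main__":
    ta, zones, ds = build_demo()
    print("intact chain:", validate_chain(ta, zones, ds))
    # A swapped key at the leaf is rejected because the parent's DS no longer matches.
    rogue = zones[:2] + [("example.gov.", dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, b"\x42" * 32))]
    print("tampered leaf:", validate_chain(ta, rogue, ds))
```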

Yes, DNSSEC will take years before it is fully deployed, but the foundation is nearly in place. The U.S. federal government is leading the transition to DNSSEC, which means that federal system integrators and leading technology vendors will follow suit. In terms of the market at large, ESG believes that the transition to DNSSEC means:

  1. Lots of DNS server turnover. Most DNS server implementations are pretty basic, anchored by either Windows DNS or BIND. These will need to be upgraded or replaced. Windows 2008 DNS and BIND 9.0 support DNSSEC.
  2. The DNSSEC appliance market should grow. Many organizations understand the value of DNS appliances, but never had a compelling reason to swap out software-based DNS for an appliance alternative. DNSSEC creates this opportunity. Good news for appliance vendors like Bluecat, BT, and Infoblox.
  3. Managed DNSSEC services become a viable alternative. DNSSEC may improve security, but it also demands certificate and key management, adding cryptographic complexity to DNS operations. Rather than learn new skills, many organizations will decide to punt and outsource DNSSEC to cloud providers like Neustar and Verisign.

This migration will mostly fly under the radar, but it will be a lucrative opportunity for smart vendors with the right products and services at the right time.

Blackberry, Windows still own the enterprise but . . .

Friday, August 6th, 2010

Consumer buzz tends to center on two mobile phones: Apple iPhone and Android. As far as the enterprise is concerned however, these two phones remain down the list.

ESG Research conducted a survey of 174 IT professionals from enterprise organizations (i.e., greater than 1,000 employees) and asked them which mobile device platforms their organizations support. Here is what they said:

Phone             Support today   Will support in the future
Blackberry        74%             11%
Windows Mobile    62%              9%
iPhone            43%             18%
Palm WebOS        24%             17%
Google Android     8%             16%
Symbian            7%             14%

A few facts about the survey. First, it was conducted at the very end of 2009 so it doesn’t capture recent momentum or the impact of new products like iPad and iPhone 4. Additionally, this data comes from IT professionals in North America only.

My read of this data is as follows:

  1. Blackberry retains a strong position. Yes, other data indicates a migration trend away from Blackberry and phone swaps are much more common than corporate PC to Mac swap outs. Nevertheless, Blackberry infrastructure is embedded in the enterprise so new “cool” products could become the corporate choice.
  2. Microsoft is teetering. Windows Mobile has a big installed base but most enterprises are looking closely at other phones. Microsoft has tried to link Windows Mobile to Office, Outlook, and Exchange but users want the pizazz of iPhones, Palms, and Androids. Can Microsoft catch up or will it produce the mobile device equivalent of Zune when the market wants iPods?
  3. Don’t count out HP. Palm was on a downward spiral with consumers but it seems to be holding its own in the enterprise. Now that it is owned by enterprise-savvy HP, it could really impact this space.
  4. Google remains in the distance. Google support is thin but many organizations will include Android support in the future. Nevertheless, it has a lot of work to do if it is going to push others aside and gain share in the enterprise market.

Unlike consumers, enterprises want more than just cool devices — application development, device management, security, and integration into the existing infrastructure are all important considerations. Vendors need to find the right combination of consumer cool and corporate requirements support if they want to defend their position or gain share in the enterprise.

Enterprises Are Embracing Mobile Devices

Wednesday, August 4th, 2010

The latest iPhone commercials feature video calls and multiple couples sharing intimate moments. When describing , wireless carrier talks about, “the apps you crave.” Microsoft’s latest pitch is that Windows Mobile phones fold neatly into social networking.

There are a few common themes here. Each vendor is targeting consumers with whiz-bang functionality and lots of applications. Video capabilities are highlighted in all cases.

Given this focus, you would think that mobile devices = consumer devices, but this is not the case. Enterprises are also jumping on the mobile device bandwagon in a big way.

ESG Research surveyed 174 IT professionals about their organizations’ adoption and use of mobile devices. Here are a few data points that illustrate growing mobile device usage in the enterprise.

Question 1. What are your organization’s spending plans for mobile devices and mobile device support?

37% spending will increase significantly
45% spending will increase moderately
14% spending will stay flat
3% spending will decrease
1% don’t know

Question 2. How important are mobile devices to your organization’s business processes and productivity?

38% critical
48% important
11% somewhat important
1% not important today but will be important in the future
1% not important today or in the future
1% don’t know

Question 3: Does your organization develop, or plan to develop, specific applications for mobile devices?

28% already develop applications for mobile devices
34% plan to develop applications for mobile devices
26% no plans at this time but interested in developing apps.
11% no plans or interest in developing apps.
1% don’t know

In summary, enterprises are spending more on mobile devices and device support, they believe these devices are “critical” or “important” for the business, and most already develop mobile device applications or plan to do so.

Sounds to me like every IT vendor in the endpoint (PC, laptop, mobile device), network, security, management, and application markets should have a mobile device strategy. Those that either haven’t developed or articulated their strategies are way behind.

© 2010 Enterprise Strategy Group, Milford, MA 01757