Archive for the ‘Systems Management’ Category

Get a Free SaaS Identity Audit from Conformity

March 8, 2010

As we’ve frequently discussed here in this blog, SaaS identity ‘silos’ are creating major headaches for companies moving to the cloud. In fact, we’re finding that in most organizations 5-20% of SaaS user identities have errors or mismatches that can result in major security and compliance risks. Some of these issues include:

  • Orphaned user accounts
  • Duplicate user identities
  • Misaligned user data
  • Inappropriate user roles and permissions
  • Unauthorized ‘super admins’

We’re excited to announce that for a limited time Conformity is offering a free SaaS Identity Assessment that will help organizations identify user identity gaps and mismatches with their SaaS deployments and corporate directories. With the assessment, Conformity SaaS identity experts will provide:

  • A summary report of major SaaS identity exceptions
  • Assessment of potential audit and compliance risks
  • Recommended best practices and policies for aligning SaaS user identities

Click on the link below to learn more about our free assessment, and let Conformity help you and your organization get ahead of the curve on SaaS audit and compliance issues.

Click here to learn more >>

What is “The Cloud” Really?

March 4, 2010

Once upon a time I read a very good marketing paper that began with the statement: “People buy quarter-inch drill bits, but they want quarter-inch holes.”  The biggest mistake most tech companies make in marketing their products is they talk about the features of their quarter-inch drill bits, not the quality of the quarter-inch holes that can be made, or how the features of that hole are relevant or important for how the hole is going to end up being used.  Assuming you accept this, I make the following observations about how most companies in “the cloud management space” are making it harder for their markets to understand what they do rather than easier.

Specifically, the concern I have is that “managing the cloud” or “the cloud management market” or “managing cloud computing” is going to look markedly different depending on where you sit.  In particular, I think there are actually four cloud management markets or segments, with overlapping requirements to be sure, but still different enough that any company, vendor, or IT organization trying to “manage the cloud” should think about positioning itself in that context.  I also believe much of the confusion (or FUD) around “the cloud” and “cloud management” is because people use similar terms to mean very different things, each valid in its own right, but very, very different.

  • Segment 1 – Existing IT organizations that have on-premise services and also either have or aspire to have cloud-based services as well (whether IaaS, PaaS, SaaS, etc).  This management market will have a particular set of benefits and challenges associated with how the entity tries to integrate these IT services, and the management thereof, to make it look reasonably seamless (so they don’t simply replace one set of complex problems with a different set of complex problems).  Private/public clouds will create variations on this theme, with security and billing being the two main differences, but otherwise very similar problems.
  • Segment 2 – The opposite end of this spectrum – organizations that aggressively pursue doing as much in the cloud as possible, and only doing on-premise what is either not yet available in cloud form or too business-critical to yet trust to a cloud-based solution.  I’ve spoken to a dozen CIOs in the last two months who have set a mandate for their organizations along exactly these lines — cloud when you can, on-premise when you have to.  This is primarily an SMB-based discussion today, but it’s starting to bleed up into the enterprise space.

These first two represent more of a true user of “cloud-based” services and benefits.

  • Segment 3 – Groups that are actually hosting the cloud services used by the first two markets; the so-called “service provider market.” It’s a real market, but tends to have a set of problems much more in common with the on-premise guys (insofar as they’re managing workloads within a well-defined IT infrastructure — they’re still “on-premise,” just a different “premise” from the captive IT organization).  Their users come from the cloud, rather than being a captive user community.  This “where are the users coming from” tends to cause the management problems to have different priorities than the captive user version, but otherwise has more in common than not.  The one variation in this space is how high up into the stack a given organization chooses to go (IaaS, PaaS, SaaS, etc), which will also heavily influence what “management” means to them.  For example, Amazon is clearly an IaaS vendor in this space, and doesn’t know or care about applications per se.
  • Segment 4 – Also a provider market, but where all the services provided are actually located in the cloud, rather than a captive data center.  Conformity is representative of this type of market.  We provide a SaaS-based solution (which also happens to manage a specific problem of using SaaS applications, but that’s not a relevant distinction here) that runs entirely in the cloud; we don’t have a data center at all (except for a VPN server and a MS Domain Controller); we do everything else in the cloud (including development / builds / e-mail / calendaring / billing… you name it).  This type of market will also have unique and real management problems, but with a very different emphasis than the first three.  It’s also still small, but rapidly growing, based on many VC discussions I’ve had in the last four months.

These last two represent more of a true provider of cloud-based services, even though they may also have “user-like” problems they need to solve.

As already noted, there is much overlap in these four “spaces,” so I don’t think one can be entirely pure in this four market segment model.  But the particular problems and their urgency will create a form of segmentation that will influence and govern how cloud management companies need to talk about themselves, what they do, what pain points they address, and the value of their solutions, because the value of a given solution will vary greatly depending on where in this four-market segmentation model a given customer views themselves.

So, assuming you agree at least in spirit with this segmentation, it might be helpful to start to introduce some of this nomenclature into the industry’s on-going discussion about cloud management issues.

Anyway, this is what occurred to me when I’ve tried to compare various “cloud management” offerings; it’s a bit of apples-and-oranges.  For example, CA or BMC might be expected to want to market its cloud-based offerings to companies in the first market, as on-premise is “core” and cloud is an “adjacent” space in this market (using the Bain / Zook “core/adjacency” nomenclature).

Smaller players, like UnivaUD, market their cloud-based offerings to companies in the third market, and while there’s clearly overlap and bleed-over between these two views, they’re different enough that trying to compare them might not make sense.

As an aside, it’s also why I think “virtualization = cloud” is a horrible hoax that some vendors are foisting off on the rest of the industry.  Virtualization is an important technology, to be sure, but it’s a quarter-inch drill bit in the fullest sense of the word, and absent any discussion of what problem is being solved and why, carries almost no useful context in any final analysis of “the cloud management market.”

SaaS Adoption and the ‘Scaling’ of Management Pain

March 2, 2010

The current approach most organizations are taking to managing SaaS applications and user access is unsustainable.

In our webinar today on SaaS, Access Controls and Compliance (an on-demand recording can be viewed here), we shared the reasons we think organizations are setting themselves up for a costly fall as they accelerate SaaS and cloud adoption:

  • The hidden costs of cloud applications – as SaaS apps have largely been deployed around IT, the costs of management and administration have also remained ‘hidden’  from CIOs and IT executives.  Manual, redundant administration of users and access results in costs and risks that often shock executives when we bring it to their attention.  For example, we’re finding that identity ‘exceptions’ across SaaS apps in customer environments typically range from 5-20%.  Translation – nearly 1 in 5 SaaS users today have inappropriate access or multiple, inconsistent identities across systems.  The risk and compliance implications of this go without saying…
  • The scaling of management pain – each new SaaS app deployed creates another ‘source’ of user identity and associated authorizations.  The need to understand roles, profiles and permissions across apps means that the hidden costs and risks of SaaS expand exponentially with adoption.  Thus not only are costs not yet visible at the executive level, they’re rapidly scaling with SaaS and cloud adoption!
  • The oncoming SaaS management ‘tsunami’ – it’s almost universally true that SaaS and cloud adoption is accelerating across nearly every market segment.  Combine this fact with the ‘scaling’ of management pain, and you start to see why we think organizations are headed for trouble.   While today it appears that manual and spreadsheet-based approaches to managing SaaS users and access will ‘work for now’, trouble is rapidly growing beneath the surface, as internal auditors, IT operations and administrators will tell you.

IT management problems are often analogous to heart disease – foresight and preventative steps (diet and exercise) are far preferable to open heart surgery after the problem gets out of control.

Unfortunately as SaaS and cloud adoption accelerates many organizations today are on the costly path to the operating table…

Thinking about “The Cloud”

February 10, 2010

Thanks, Scott, for the warm welcome to Conformity’s Blog universe.  I’ve been at Conformity for just about a month now, and I’ve been appointed (is there an opposite of disappointed?) at the excitement around the space, the quality and dedication of the team, and the interest in “our problem” (identity in the cloud) by customers and prospects.

Of course, unless you’ve been under a rock for the past, say, 10 years, you’ve no doubt heard that Cloud Computing (or On-Demand before that or ASPs before that or Grids even before that) will solve everything from bad breath and world hunger to global warming and peace in our time.  While many of the developments are truly exciting, what we today call Cloud Computing should have been expected as an obvious trend from a whole collection of trends that have led up to it.

Why?  Because every advanced endeavor ultimately evolves into increasingly smaller and focused areas of specialization, where we (as individuals or business units or corporations) pay someone else to do things we’re either too busy, too inexperienced, or too lazy to do ourselves.

I suspect few of you reading this now actually grow your own vegetables.  It’s not that you can’t, mind you, since it’s not all that hard.  But farmers and grocery stores and the whole infrastructure behind the process of getting lettuce and carrots into the trunk of my car do it faster, cheaper, and better than I can (or am willing to – I do have small children, after all).

Historically, providing whatever computing services businesses large and small use in the course of their primary business activities has been difficult enough and expensive enough that these same businesses formed “IT Organizations” to provide those services for them (believing — largely correctly — that the IT group could do it faster, cheaper, and better than they could — an early and surprisingly enduring form of specialization).

No reason why this same process won’t happen again and again and again, with increasing segments of what has traditionally been the purview of what we now call an “on-premise” IT service being delivered by external entities that can perform more and more elements of what IT has traditionally done themselves, and with IT’s role evolving along the way.  With the introduction of a good enough transmission medium (the Internet), a good enough computing platform (LAMP stack, with or without virtualization), and sufficient consolidation, standardization, and economies of scale around certain business applications (e-mail, SFA, CRM, HR, etc), and *POOF* Cloud Computing and Cloud-based Applications are born.

The interesting news (and for companies like Conformity and our partners the good news) is that each of these forays into these areas of specialization comes with its own technical and business challenges that must be solved along the way.  We, as technology professionals, get another chance to try to address long-standing questions around business process, pricing, ease-of-use, and the never-ending quest for a more efficient way to separate and distinguish between what Geoff Moore calls “core” versus “context”.

I won’t attempt to address the specifics of how we’ll be solving bad breath, world hunger, global warming, and peace in our time today (must leave something interesting to write about in future posts), but wanted to begin the dialog around what is and is not particularly new about Cloud Computing, what problems we might expect need to be solved (because they *are* different from what’s come before) and which problems are simply old wine in new bottles…

Introducing our newest contributor, Tom Bishop

February 4, 2010

We’re excited to welcome Tom Bishop on board as our new CTO here at Conformity, and as the newest contributor to this blog.

As we’ve discussed here, the nature of SaaS and virtualized resources is driving a fundamental rethink of what identity and systems management needs to be in increasingly cloud-centric environments. Migration of business-critical applications from on-premise to cloud doesn’t remove the need for some level of control and visibility (i.e. management), just changes it. Our mission at Conformity is to lead the transformation of identity and systems management for the cloud, and we are excited to have Tom on board to help lead the charge.

Tom is a true visionary in the systems management space, and has played critical roles in several pioneering management solution vendors, having served as CTO at Tivoli Systems before and after its acquisition by IBM, and as the CTO at BMC Software. Tom is well known as a technology innovator, having led the development of industry standards such as the Distributed Management Task Force (DMTF), the CMDB federation specification and POSIX.

We welcome him to Conformity, and look forward to his contributions to our forum…

Conformity Announces GA Release of First Enterprise-Class Management Platform for SaaS and Cloud Apps

September 30, 2009

We’re excited to announce today the general availability of the Conformity solution, which provides customers the first enterprise-class management platform for cloud applications and users.  The Conformity solution is designed to arm enterprises with the same level of visibility and control over on-demand applications as they’ve come to expect with traditional packaged apps.  With our solution, enterprises can now be confident bringing new cloud applications into their business environments, knowing there will no longer be compromises made in the areas of management processes, insight and control.  With today’s GA, enterprises can:

  • Increase data security and reduce compliance risks
  • Optimize license allocation and expenses
  • Automate and streamline administration
  • Expand and extend enterprise usage of SaaS and cloud applications

Specific capabilities of the Conformity solution include:

  • User provisioning – provides centralized point of provisioning and deprovisioning of users accounts within cloud applications, and ongoing management of user permissions and authorizations.
  • Role and profile management – enables organizations to centrally manage cloud application roles, profiles and permissions through normalized permission models, and maps policies to users and roles.
  • Approval workflows – provides auditable cross-functional approval processes for users requiring new or amended access permissions, or role and profile changes.
  • Directory integration – enables organizations to seamlessly synchronize Conformity’s user repository with on-premise directory services.
  • Compliance reporting – provides reports required for effective preparation for audits for SOX, HIPAA, PCI and other regulatory mandates and standards.
  • Usage analytics – provides visibility, analytics and reporting on cloud application and license utilization.
  • Change management – enables archiving, management and recovery of application configurations and role models.

The Conformity platform provides templates, tools and workflow needed to manage all cloud applications in a customer’s environment.  Conformity also provides additional analytics, reporting and provisioning automation through integrations with the following leading cloud applications:

The Conformity platform also supports directory integration for Microsoft Active Directory, and is compatible with industry standards such as SPML, SAML and WS-Federation.

Please click here to read the full announcement, and stay tuned for more upcoming news!!!

Success in the Enterprise – Making SaaS Manageable

August 3, 2009

As we heard once again last week at Catalyst from end-users, partners and vendors alike, many large enterprises are now finally taking a serious look at how to effectively leverage SaaS and cloud applications in their environments.   As we’ve observed in this blog before, enterprise CIOs are also finding that there are no easy answers to how to address the fundamentally disruptive impact that SaaS and cloud-based applications have on current IT management approaches.

The issue comes down to this: if a third party controls the software, data and access, and the CIO no longer has the capabilities to directly monitor and manage software operations, how can the CIO fulfill his or her responsibility for governance and compliance?  It’s a question that SaaS vendors must address if they expect to effectively compete and succeed in the enterprise marketplace.

Our new white paper titled Success in the Enterprise: Making SaaS Manageable examines the CIO’s need to manage SaaS applications as part of the larger responsibility for systems management in the enterprise.  It also looks at steps SaaS vendors can begin to take to meet this need, and outlines best practices in the following areas:

  • APIs
  • Activity access
  • Performance monitoring
  • Back office visibility
  • Standards

The enterprise continues to present an enormous opportunity for SaaS vendors, but to capture this opportunity vendors need to take the next steps to ensure their services provide the management visibility needed to be truly enterprise-ready, and that they address the unique identity and systems management challenges created by the SaaS model.

This is the first in a series of best practice white papers that Conformity will be publishing for SaaS vendor executives to help the industry meet the needs of enterprise CIOs and their teams.  Please visit our website to download a copy of Success in the Enterprise and to subscribe for future white papers, and to learn more about how we can help SaaS vendors address IT enterprise challenges.

Enterprise-Class SaaS Provisioning

June 3, 2009

As those of us at Conformity engage enterprise IT teams, we continue to explore the gap between existing provisioning options and SaaS deployments.  Enterprise customers are caught between the promise of cloud and SaaS solutions and the impact of this adoption on their already stretched teams and processes.   In the Conformity white paper, Enterprise-Class SaaS Provisioning, we describe the management challenges organizations face in adopting SaaS applications, and explain why IT groups struggle to utilize existing options for federating on-demand environments.

So, what information can we take away from the enterprise SaaS customers?  As pointed out in our other discussion threads, SaaS is not easily tamed by existing solutions.  We find that the cloud deployment model exposes the following shortcomings of existing alternatives:

  • Disconnected Environments: The most obvious challenge is the separation of multiple SaaS applications and the management solutions.  This disconnect fragments the core IT capabilities, creating unique cloud-based silos of user identity, business policy, and administrative rights.
  • Unexpected Deployment Complexity: IT teams can easily underestimate the impact of adopting SaaS as a solution platform.  Detailed SaaS configurations, coordination between applications, and evolving licensing models can exceed IT expectations, especially when the deployments were independently cultivated in the lines of business.
  • Lack of Deployed Standards: Customers are discovering the industry standards for management and provisioning are not aligned with the aggressive SaaS expansion.  Many advertised standards such as SAML or XACML are focused on alternative use cases and designed for either an on-premise or cloud model, limiting their real adoption by SaaS ISVs.

These challenges have curtailed enterprise efforts to utilize current deployed technologies, and in turn have impacted SaaS rollouts.  IT teams continue to evaluate complementary but incomplete options including enterprise software vendors, cloud-based identity solutions, and unique SaaS ISVs themselves.  This discovery process has provided the benefit of allowing the enterprise teams to better understand the market challenges and applicability of existing solutions.

Working with these IT teams, we have defined a common set of issues for provisioning and management and select criteria for a new approach to federating on-demand environments.  Any solution must provision users to a fully functional state across the user life cycle, a distinct challenge with many SaaS and cloud implementations.  This provisioning must align with existing IT and business processes, leverage line of business expertise, and meet the organization’s compliance, security, and data visibility needs.  And deployments must be flexible enough to align with and possibly impact developing standards such as SPML or federation options like Microsoft Geneva while supplying value prior to standards adoption.  In short, these attributes define a new breed of management platform that is designed for the SaaS and cloud-based environments.

For more information, read the Conformity white paper that outlines our findings.  And please feel free to reply and continue the discussion.

SaaS, the Cloud and the ‘Big Bang’

May 11, 2009

Here at Conformity we recently wrapped up some interesting market research on the topic of adoption of SaaS and cloud-based services and the management challenges it is creating for organizations and their IT departments in particular.  Conducted in conjunction with a leading analyst firm,  we spoke with IT and business executives at nearly 50 midsize and large enterprises that were adopters of multiple SaaS applications, and who were planning on extending their adoption of the model.  We’ve summarized our findings in a new whitepaper titled SaaS, the Cloud and the Big Bang.

The results?

In organizations we spoke with, business users drove the initial wave of SaaS adoption and largely took on the associated management and support responsibilities.   In a pattern similar to what happened with distributed computing 15-20 years earlier, as SaaS adoption hit ‘critical mass’ in these organizations (particularly those with compliance exposure),  IT has been brought in to extend existing management processes, controls and tools to SaaS and cloud-based resources.

The problem?  SaaS and cloud-based services are fundamentally exploding the traditional IT management model, due to:

  • Decentralization of management – in ‘traditional’ management environments, IT has near complete responsibility and accountability for governance and management of technology resources.  The focus on autonomous IT governance and management has increased due to increasing regulatory compliance requirements (SOX, GLBA, HIPAA, PCI etc) and the resulting increase in adoption of best practice policy and control frameworks (ITIL, COBIT, ISO 17799/27001, 27002).  In the SaaS world, business users have taken on management and support responsibilities traditionally owned by IT.  For example, activities such as user provisioning and permissions management, role and profile management, application customization and configuration, and vendor management are now decentralized and distributed in many organizations.
  • Loss of control – in addition to the applications themselves, metadata on users, role and profile models, authorization and credential stores, usage activity and application performance all move outside the corporate firewall.  IT loses visibility and control over this critical management data that is now fragmented across heterogeneous SaaS service providers, in addition to the applications and users themselves.
  • Broken integrations – many IT processes around application and user management are highly automated, supported by integration with on-premise directory services, identity management and systems management solutions.  These integrations largely ‘break’ in an on-demand world, and organizations are rapidly finding that creating a new management ‘blade’ for a given SaaS app in legacy management application is not a realistic, cost effective answer.  Additionally, SaaS applications must be integrated into existing business processes through configuration and management by line-of-business users, with little or no ability to automate integration into cross-application business processes.

While it is still early, clear perspectives are starting to emerge around what the characteristics of a new generation of management solutions that address the unique challenges of on-demand environments will need to include.  Organizations are finding that SaaS and cloud-based service models are driving a convergence in identity and systems management issues, which will require the reinvention of solutions that address these issues.   Areas such as  user access management, policy monitoring and enforcement, data integration and management and business process integration all need a fundamental ‘rethink’ in a cloud-based world.

If you’re interested in receiving a copy of the whitepaper, please contact us.

The Open Cloud Manifesto – there’s work to be done…

April 3, 2009

Without commenting on the motives of the players involved in  The Open Cloud Manifesto published this week, we do have to agree with one of its core tenets – that to drive further adoption and acceptance SaaS and cloud providers must work together to improve overall governance and management of offerings.  At a fundamental  level SaaS and cloud-based applications ‘break’ the models and approaches organizations have implemented for managing users, identity and applications in a primarily on-premise world (particularly in large enterprises).   SaaS and cloud based applications nearly all have their own unique, individual approaches for managing users, profiles and permissions, and do not easily integrate into existing management solutions and directory services.  To date the only standards that emerged in the broad area of  ‘management’ address access and authentication issues (SAML, OpenID etc), and none of these have even gained significant traction with SaaS ISVs yet.   When looking at the new broad, cross-vendor governance and management issues created in a multi-SaaS environment, access and authentication is only the tip of the iceberg, which is why we also believe there’s significant work to be done here…