January 1, 2012

The Four Horsemen of Cloud Brokering


The concept of cloud brokering has been drawing more attention lately. In particular, Gartner has developed quite a bit of market analysis on the topic. Most of these analyses tend to focus on the business of cloud brokering. However, I find it insightful to consider the potential technology platforms associated with cloud brokering. Very often, the largest and most durable technology businesses are strongly intertwined with differentiated, scalable, hard-to-replicate technology platforms (i.e. databases, operating systems, search engines). By nature, these platforms provide a long-term sustaining competitive advantage. Furthermore, when it comes to corporate strategic investment or VC funding, the ability to articulate breakout platform opportunities can prove invaluable. Platform envy can significantly increase investors' belief in a new and unproven business model such as the one we will be discussing here.


So, let us try to identify the four most compelling cloud brokering platforms, capable of fueling and sustaining large revenues within the emerging market of enterprise cloud services.


Security Brokers - The Cloud Firewall

The first platform candidate is the security broker. Security is certainly a key concern of enterprises contemplating the adoption of cloud services and infrastructures. CIOs and CSOs need a coherent security strategy to manage risk and compliance across cloud providers and architectures (private, public, semi-private clouds). Because of the heterogeneous nature of clouds, the proposed solution is to unify external security under a single security control point, the cloud security broker. Cloud security brokers become a security hub across multiple enterprises (tenants) and cloud services, allowing enterprises to harmonize security despite differences in cloud providers' security frameworks, capabilities and APIs. The strategic technology underpinning the platform is the cloud security gateway (see "The Perimeter is Dead, Long Live the Cloud Firewall" below). This cloud firewall becomes the security control point for the cloud. Security brokers operate or manage them. Initially, security brokers may get pinned down as identity and access brokers, but as SSO and access management quickly commoditize, information security and information management become the predominant value of cloud security brokering (e.g. encryption, data loss protection, rights management, backup, archiving, eDiscovery). For cloud security brokering, large security companies such as Symantec (with O3) should play an important role since the platform becomes an essential delivery mechanism for security across mobile devices and cloud services. In addition to the emergence of cloud security brokers implemented as web security gateways, one should anticipate security to be increasingly delivered at the edge of the network by specialized cloud providers, a little bit like content is increasingly delivered through CDNs. This means that large network infrastructure providers such as Telcos and Internet infrastructure companies such as Akamai should also play an important role, especially in the SMB segment, which already prefers a "no software" delivery model.


User Management Brokers - The Cloud Identity Hub

The second large cloud brokering opportunity is the "identity hub". The identity hub is identity management as a service. In the long run, the identity broker replaces traditional enterprise IDM. In the short run, the cloud identity broker supplements existing IDM systems by enabling the provisioning and life-cycle management (profile management, credential reset, etc.) of users across external cloud services. In that sense, the identity hub is a virtual directory in the cloud. It brokers identity from the enterprise to external cloud providers. In today's early days of cloud, legacy user repositories such as Active Directory or LDAP stores remain the enterprise's authoritative identity stores. Over time, as the center of gravity of IT shifts from on-premise to cloud, the identity hub becomes authoritative and starts governing identities across both internal and external applications. On top of these multi-tenant cloud directories, user management self-services, workflow and governance services emerge, making the cloud identity broker the natural heir of today's identity management platforms. One should expect IDM companies to eventually dominate the space. However, many of these companies will be slow to embrace the cloud due to lack of cloud DNA or fear of cannibalizing their legacy business. Hesitations may leave the barn door wide open for large SaaS vendors that already think of themselves as platforms and already house important elements of enterprise identities. CRM, collaboration services and HR SaaS such as Salesforce, Google, Box.net, Workday or SuccessFactors (now SAP) come to mind as legitimate candidates to occupy the enviable position of identity broker within the cloud eco-system.


Service Management Brokers - The Cloud & SaaS Marketplace

The third obvious cloud brokering platform opportunity is the cloud and SaaS marketplace. This cloud exchange is to the enterprise and cloud services what the Apple store is to consumers and their beloved device: the mission-critical broker service that integrates, manages, fulfills and bills cloud services. This cloud broker is essential to the transformation of IT into a business enablement function (i.e. IT as a Service). As IT transforms into a service organization focused on agile business enablement, some primitive capabilities become foundational: automated procurement of cloud services, on-demand provisioning of users and elastic deployment of applications. The enterprise SaaS marketplace becomes the metaphor for business functions and employees to access the new IT capabilities in self-service. IT itself becomes the ultimate broker, but it needs a specialized technology platform. The broker makes IT truly capable of enabling heterogeneous services while ensuring capacity, monitoring SLAs, and usage-based billing across the different groups and functions that comprise a large enterprise. Integration is another critical value-add of the SaaS service broker. SaaS marketplaces therefore must be more than simple SaaS stores; they must be thought of as end-to-end platforms that can support the dynamic meshing and flexible workflow composition of external cloud services across multiple providers. They need to be tightly integrated with corporate identities and corporate information as well. These are the characteristics of a true cloud platform and potentially a very large enterprise business. Cloud and SaaS marketplaces should be the promised land of the traditional middleware and system integrators such as Oracle, HP, IBM, Microsoft or Dell, unless the dominant SaaS platforms manage to "force" their way into the new market to beat the incumbents.


Data Integration and Intelligence - The Cloud Datamart

The last and maybe the largest cloud brokering platform may turn out to be the cloud data mart. Son of Hadoop and Cassandra, this cloud broker rules the cloud data integration and intelligence markets. The business problem it will solve is the age-old IT challenge of business data integration and business intelligence. When corporate data actually resides across distributed cloud services and databases (HR, CRM, finance...), this old problem becomes a whole new ball game. The technology cornerstone is a cloud database: multitenant, distributed, yet capable of integrity. Think of it as an intelligent data warehouse infrastructure at the edge of the network, capable of logging, aggregating, and intelligently analyzing corporate information stored across multiple enterprise SaaS services. It is both a big data challenge and a cloud integration challenge. The cloud data mart needs to integrate with the CRM, HR and ERP systems of tomorrow. We already know that these systems and their data stores will no longer stand on-premise. A cloud database is a fairly thorny technical problem in itself. Cloud data integration is its business killer app. The technical and business requirements are extremely ambitious but rewarding. Can you imagine the next generation Oracle, Splunk and Business Objects as a single cloud offering?!


Business and technology predictions are good form at the beginning of a new year. Of course, these predictions will often be defeated by the devils of execution. Most are soon forgotten. Yet, there should be little doubt that the heterogeneous and distributed nature of the cloud creates large business opportunities for cloud brokers. The shift to the cloud screams for changes in technology platforms. With changes come land grab opportunities. As product people and architects, it is thought-provoking to imagine the lands we should lay course to in order to find the new gold. Eldorado or fool's gold, that is the only question.

October 4, 2011

The Perimeter is Dead, Long Live the Cloud Firewall.

Today, we are announcing the Symantec O3 early access program, a new approach to securing enterprise clouds. But what is Symantec O3 really about? No doubt, cloud is an inexorable IT trend. However, CIOs and CISOs often cite security as a major concern. That is not to say that the new cloud platforms are fundamentally more insecure than the computing platforms that preceded them. Quite the opposite: cloud-oriented architectures have the potential to provide stronger security than most IT organizations can achieve today.


Nevertheless, SaaS applications and cloud infrastructures challenge in their own way IT's fundamental function of defining and enforcing consistent security policies across devices, users, and information. The new cloud platforms directly conflict with the need for enterprises to establish consistent risk profiles and compliance postures. The shift to the cloud is eroding our traditional controls. Network-based security is no longer as effective since the network is no longer ours. The network and its controls now belong to Salesforce, Amazon or Google.


The shift to the cloud raises a fundamental question regarding the role of tomorrow's IT. If IT can outsource desktops, applications and infrastructure operations, can IT also outsource the governance of corporate digital policies? The answer is simple. IT should not have to embrace the cloud at the cost of renouncing its "raison d'être"! We ought to be able to embrace the clouds without relinquishing control of our own security policies.


This need to layer IT-driven security independently of cloud providers drives the emergence of a new security control point. The new control point must act as a "cloud firewall." Unlike its sibling, the cloud firewall inspects outbound traffic. It is not network-centric but web-centric, since Web protocols are the cloud's lingua franca. The security gateway leverages identity and access control to insert itself between all user devices (fixed or mobile) and cloud infrastructures (private or public). It creates a new layer of IT security and governance. By virtue of being inline with cloud traffic, the cloud firewall is context-aware (identity, device type, location, time, etc.). It is also content-aware, providing information security through the deep inspection of HTTP streams and the application of DLP, encryption and tokenization technologies. Indeed, the cloud firewall has complete visibility. It feeds cloud access and information events into log management systems that can now correlate security information across internal and external systems, across managed and unmanaged devices.


At a time when pundits are proclaiming the deperimeterization of the network, it is time to reinvent a new form of perimeter for the cloud. Delivering on such a vision will take no less than the leading security company. The cloud firewall is the cornerstone of tomorrow's IT security. So, long live Symantec O3, the catalyst for a new form of perimeter security, a perimeter for the cloud.

July 28, 2011

Why mobile and cloud security eventually converge

The two hottest areas in enterprise security are undeniably mobile and cloud. As small and large security companies go after these fast-growing markets, few seem to understand that both markets will rapidly converge to be serviced through a single solution. Yet, it should not come as a surprise, since both enterprise cloud and mobility are about enabling employees to access corporate resources and information from anywhere, any time.

Beyond the simple fact that mobile is about the cloud and the cloud needs to be mobile, there are profound technology-driven reasons for mobile and cloud security solutions to become one. Unlike the PC platform that preceded them, iOS and Android heavily sandbox applications and data, making them very poor platforms for security software developers to replicate yesterday's agent-based security approach. Turn yourself now to the cloud and it is the same dilemma. Since an enterprise no longer runs the applications and infrastructures that host corporate data and services, it is no longer possible for security vendors to leverage traditional infrastructure hooks to provide consistent security. In particular, the network-based security controls are out of reach since cloud vendors will not expose them.


Where does it leave us? The answer is as simple as it is obvious. Both mobile and cloud require the emergence of a new security control point that stands below mobile devices and above cloud providers. Think of it as a new layer of security. That layer of security will control and police service and data access across mobile devices, cloud data and services. It is an identity security service. It will have to control and protect the flow of information between mobile devices and cloud storage. It is an information security service. It needs to enable audits of events across mobile and cloud access. It is a log and event management solution.
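The following Python sketch is an added example, written for this page and not Symantec O3 or any product code. It models the control point described both here (identity security, information security, log and event management) and in the October post above (a context-aware and content-aware cloud firewall inline with outbound traffic). The service hosts, policy table, DLP patterns, tokenization key and sample requests are all constructed for the example.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy for hypothetical SaaS hosts: who may reach which service,
# from what kind of device and location, and during which UTC hours.
POLICY = {
    "crm.example-saas.test": {"groups": {"sales", "finance"},
                              "managed_device_required": False,
                              "allowed_countries": {"US", "FR"}, "hours_utc": (6, 22)},
    "hr.example-saas.test": {"groups": {"hr"}, "managed_device_required": True,
                             "allowed_countries": {"US"}, "hours_utc": (0, 24)},
}

# Constructed DLP detectors: a US SSN and a 16-digit card-like number.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Placeholder key; a real gateway would fetch it from a vault or HSM.
TOKEN_KEY = b"demo-only-tokenization-key"


@dataclass
class Request:
    user: str
    groups: set
    device_managed: bool
    country: str
    when: datetime      # timezone-aware
    host: str           # cloud service the request is going to
    body: str           # outbound HTTP body as seen by the gateway


@dataclass
class Decision:
    action: str                                   # "allow" or "deny"
    reasons: list = field(default_factory=list)
    body: str = ""                                # body after tokenization
    findings: dict = field(default_factory=dict)  # DLP hits per detector


def tokenize(match):
    """Replace a sensitive value with a keyed, irreversible token."""
    digest = hmac.new(TOKEN_KEY, match.group(0).encode(), hashlib.sha256)
    return "TOK_" + digest.hexdigest()[:12]


def inspect_content(body):
    """Content-aware step: count DLP hits per detector and tokenize them."""
    findings, new_body = {}, body
    for name, pattern in DLP_PATTERNS.items():
        hits = pattern.findall(new_body)
        if hits:
            findings[name] = len(hits)
            new_body = pattern.sub(tokenize, new_body)
    return findings, new_body


def evaluate(req):
    """Context-aware step: identity, device, location and time checks,
    then content inspection only for traffic that passes them."""
    rule = POLICY.get(req.host)
    if rule is None:
        return Decision("deny", ["unknown cloud service"])
    reasons = []
    if not req.groups & rule["groups"]:
        reasons.append("group not authorized for service")
    if rule["managed_device_required"] and not req.device_managed:
        reasons.append("unmanaged device")
    if req.country not in rule["allowed_countries"]:
        reasons.append("location not allowed")
    start, end = rule["hours_utc"]
    if not start <= req.when.astimezone(timezone.utc).hour < end:
        reasons.append("outside permitted hours")
    if reasons:
        return Decision("deny", reasons)
    findings, body = inspect_content(req.body)
    return Decision("allow", ["context checks passed"], body, findings)


def log_event(req, decision):
    """One JSON line for the log management system that correlates cloud
    access events with internal ones; the raw body is never logged."""
    return json.dumps({"ts": req.when.isoformat(), "user": req.user,
                       "device_managed": req.device_managed, "country": req.country,
                       "host": req.host, "action": decision.action,
                       "reasons": decision.reasons,
                       "dlp_findings": decision.findings}, sort_keys=True)


def sample_requests():
    """Constructed traffic: compliant, unmanaged device, unknown service."""
    t = datetime(2011, 10, 4, 15, 0, tzinfo=timezone.utc)
    return [
        Request("alice", {"sales"}, False, "US", t, "crm.example-saas.test",
                "note: customer paid with 4111 1111 1111 1111"),
        Request("bob", {"hr"}, False, "US", t, "hr.example-saas.test",
                "new hire SSN 123-45-6789"),
        Request("carol", {"sales"}, True, "US", t, "shadow-it.test", "hello"),
    ]


def run_gateway():
    """Evaluate each sample request; return (decision, log line) pairs."""
    return [(d, log_event(r, d)) for r in sample_requests() for d in [evaluate(r)]]


if __name__ == "__main__":
    for _, line in run_gateway():
        print(line)
```

Ordering matters in `evaluate`: context checks run before content inspection, so a request that fails identity, device, location or time policy is logged and dropped without the gateway ever parsing its body, and the log line carries only the detector counts rather than the sensitive values themselves.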


Indeed, mobile and cloud security are the two faces of one and the same security and compliance solution. The perimeter is dead, but the age of "security in the middle" has only begun.


July 11, 2011

From Windows to the Cloud: "Nothing is created, nothing is destroyed, everything transforms."


Every so often in technology, new trends emerge to drive large changes to society by transforming our established computing paradigms. Cloud as a computing pattern is certainly not dissimilar. The cloud carries in itself all the genes of disruption that the PC, client-server and Web revolutions embodied before it. For many, cloud computing is the logical evolution of information technology towards the utility model. From an economic standpoint, it signals the great commoditization of IT.


old.JPG

When large technology shifts occur, opportunities arise for new and innovative companies to displace the large and sleepy incumbents within their core markets. To understand the cloud tectonic shift, and the potential losers and winners, I devised a simple visual representation that captures the competitive landscape of cloud computing. If one thinks of the traditional computing world as the "primordial Pangea", the old world appears as a highly coupled stack with devices on top, infrastructure at the bottom and applications and development platforms snug in between the two dominant businesses. Although simplistic, this representation has the merit of capturing the market significance of companies such as Microsoft/Intel, Oracle, SAP, HP, IBM, Cisco and EMC (the device and infrastructure incumbents).


Cloudscape.jpg

When the shift to the cloud happens, the old continents spread apart, and the original Pangea morphs into a "cloudscape". New major classes of device platforms appear (mobile platforms in particular). The old core platforms have transformed and taken new names (SAAS, PAAS and IAAS). The four strongholds drift apart, creating "seas" of opportunities for new intermediaries (the cloud brokers) who can integrate, secure and harmonize these new heterogeneous environments. Many of these new markets are still up for grabs, but a few enlightened companies have already moved in an attempt to capitalize on explosive growth as old budget money shifts towards the new models.


The four strongholds

The cloudscape shows the four old strongholds as four new distinct and decoupled markets. Furthermore, a new generation of cloud-enabled device platforms has emerged (iOS, Android...). SAAS is rapidly replacing traditional applications in the eyes of corporate users and consumers. For developers, PAAS is becoming the environment of choice for custom web service development and deployment. At the bottom, infrastructure is becoming a commoditized utility service. The four strongholds are still differentiated markets. No real consolidation has occurred yet, as the new players are too busy battling for supremacy within their own market. Each of the four platforms appears to present a significant business model with large ecosystems acting as powerful "moats" or barriers to entry.


IAAS and the commoditization of I.T. infrastructures

The most powerful stronghold may prove to be IAAS, since the business model is based on very large economies of scale with razor-thin margins and high volumes that cannot be realized by new entrants who may lack the CAPEX muscle or the home-grown commodity technology to enter. The IAAS vendors are rapidly commoditizing the compute and storage stack. They are now walking up the stack to subsume middleware such as RDBMS (database.com, BigTable and the NoSQL movement). The next target is the network infrastructure. Large virtual private clouds will soon emerge that allow enterprises to create complex segmented networks without having to buy expensive networking gear. Corporate networks are built using virtual switches. They are secured by commoditized software appliances (virtual firewall, virtual IDS and virtual IPS) sold on a usage basis. As the IAAS market consolidates around Amazon, Google and a few large global Telcos, the old IT powerhouses (Cisco, HP, IBM) may still be able to carve out some land for themselves. Unfortunately, some of them have lost their strategic compass, lured by the temporary gold rush of the so-called private cloud market, a desperate attempt to re-invent yesterday's "build-it-yourself" model of information technology.


The battle for Development as a Service (DAAS)

The cloudscape identifies and positions the main platform tenants and their strongholds. For example, Amazon has a strong position in infrastructure as a service (IAAS), while Salesforce is a dominant SAAS vendor. Like OS vendors before them, both are vying to leverage their position of strength to become the application development platform of choice. Amazon is betting on infrastructure for its unfair advantage. Salesforce is betting on corporate business data such as customer info and collaboration artifacts. Google's bet is on becoming "Office" for the cloud, thus owning corporate unstructured data. For new businesses like Zynga, infrastructure is king. For enterprises who need to build mission-critical business applications, data is queen. Google+ is more innovative than Chatter, but Google needs to become enterprise-friendly (new DNA and a large M&A likely required).


The cloud brokers and the rise of the middle-man

Nevertheless, in between these giants, there is still ample room for trusted cloud brokers who can integrate business data across multiple cloud sources and provide business intelligence across all SAAS services. In fact, the map identifies very large intermediary opportunities. Cloud brokers can become significant disintermediation businesses. The distant and heterogeneous nature of the four large cloud markets creates a real opportunity for cloud middlemen to reduce the complexity of integrating, securing and brokering the capabilities of the new cloud platforms through a unified management interface. The "device management as a service" layer (e.g. VDI in the cloud) or user and SAAS management (e.g. SAAS marketplaces and SAAS data integration as a service) are examples of these new intermediaries seeking to capitalize on the plurality of devices and SAAS platforms.


Security as a fundamental ingredient (says the wishfully-thinking security guy)

Interestingly, security emerges as a fundamental enabler. If one considers availability as a form of security, security is actually relevant to all forms of cloud brokering. This leads us to believe that security companies could benefit from the new world balance if they can establish partnerships with the strongholds who are about to significantly impact the distribution of security services. Moreover, security assets provide a natural beachhead for security companies to extend into cloud brokering opportunities. Conversely, security M&As could become increasingly important to cloud platform vendors or cloud platform wannabes in search of differentiation and higher margins.


Eventually, what the cloudscape demonstrates is that in the long run, information technology is not immune to the fundamental laws of physics. Cloud computing is undeniably a disruptive technology. But, in the end, the four core business strongholds still exist, granted, under new names, forms and shapes. Under the tectonic shift of cloud computing, the whole industry landscape of information technology is about to radically transform before our eyes, reminding us once again of what an old French chemist taught us a few centuries ago: "Nothing is created, nothing is destroyed, everything transforms." -Lavoisier

April 20, 2011

Trusted Identities in Cyberspace

Last week, the White House announced its official National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity system. The goal: Improve the security and privacy of online interactions and more effectively fight cybercrime. Today's announcement marks the culmination of two years of effort by VeriSign (first as an independent company and later as part of Symantec) to help bring this important initiative to life.


At the heart of NSTIC is the concept of an Identity Ecosystem based on trusted identity frameworks. Trusted identity frameworks are the lynchpin to trusted interactions online, for everything from e-commerce to electronic health records to online voting. These frameworks will require all participating service providers to ensure the credentials they offer adhere to the same standards for identification, authentication, security and privacy. This wouldn't be a "national online identity" setup, but rather interoperability among many market offerings.


The initiative recognizes that public-private partnerships are essential for success. Symantec and other private sector companies have already created the technology for strengthening and sharing high assurance identities. Government leadership will promote, facilitate and coordinate industry to further NSTIC goals. The government can also help overcome the three big impediments this kind of initiative faces:


1. Privacy concerns: The government can define and deploy standardized trust frameworks that help ensure citizens' privacy (e.g. by working through the private sector, leveraging organizations such as the Online Identity Exchange).

2. Liability concerns: Data breaches involving personally identifiable information (PII) can easily run into the tens or hundreds of millions of dollars, depending on the number and kind of records affected. Once trust frameworks are in place, Congress can pass legislation to cap liability for organizations certified under those frameworks.

3. Business concerns: The federal government can create a business incentive for trusted identity providers to join the eco-system by becoming the initial customer. That would basically prime the pump for a trusted identity service business model.


NSTIC's goals for FY11 include:


• Convene the private sector by hosting workshops on governance, privacy and technology
• Establish a governance model, standards and models for addressing liability
• Develop criteria, assess potential programs and prepare for formal funded pilot launches in FY12


These plans are ambitious, certainly, but are necessary given the escalating data breach and cybercrime threats people face every day. NSTIC will provide the means to dramatically improve online authentication and the security, privacy and business benefits it provides.