Jeff Jaffe’s Blog

Archive for May, 2006

The redefinition of security, access, and identity management

May 30th, 2006 by Jeff Jaffe

Novell acquires e-Security

In my post of May 15, I noted that Novell’s acquisition of e-Security was well-aligned with customer needs.

Let me be bolder. We are redefining identity management. We are taking it to a new level of relevance – to corporate governance.

To more fully appreciate this, it is useful to recount the history of access and identity management, to appreciate why a sea change is underway.

The growing importance of identity management

Access control was once very simple. It was a simple set of password mechanisms to ensure that only authorized people had access to a physical machine, an application, or a logical resource.

This was a long time ago. The area has become more highly developed in numerous ways. The changes were happening when I was IBM’s General Manager of the SecureWay Business Unit in the late 1990s. And this market segment has continued to have stunning growth in its scope.

The diversity of security tokens has exploded to provide increased protection against intruders. Numerous approaches have been used to simplify access control: single sign-on (across applications), directory based solutions to ease the management of access rights, and meta-directories that synchronize between different directory solutions.

In the process, the way that corporate I/T thinks about access control has changed. The very words “access control” convey the notion of a resource and a management agent that controls the access. Hence the original view focused on the resource.

The broadening in scope changed the focus. Sure, access to resources needed to be controlled. But by focusing on resources, corporations were ignoring the broader set of issues. The lingua franca is no longer users, access, and resources. Now we talk about roles and workflows, automated under policy control, with increasing importance placed on application programming interfaces (APIs). These themes relate access control to the intimate workings of a company. Highly sophisticated identity management systems, such as Novell’s flagship Identity Manager 3 (IdM3), have come into great popularity in corporations. Access control products that did not “get with the program” are becoming extinct.

Identity management: a control point for corporate I/T managers

With this new context, identity management rises above a previous niche role in I/T. It becomes a major control point since it is at the nexus of application management in an enterprise. There are several immediate implications:

  1. The conversation about the choice of an identity management system becomes a CIO level decision. This piece of infrastructure will touch all applications, and can neither be an afterthought, nor an appendage, to one application.
  2. Identity management strategies must be planned across an entire enterprise. And they must be planned together with business strategies.
  3. It must be possible for the vendor of identity management to be different from the application vendor. This is required to allow I/T the flexibility to choose different applications. If identity management is too tightly linked to an application, the I/T organization will end up with several identity management systems, or will be restricted in its choice of application vendor.
  4. For similar reasons, the identity management infrastructure cannot have dependencies on one particular underlying operating system – it must support all popular operating systems.

The ferment in identity management

Due to the rapid emergence of identity management as a control point, several initiatives are making identity management even more impactful. Some examples are:

  1. Federation: Since identities are important within enterprises, and users work across enterprises, we need a common way to share the properties of these users. This leads to frameworks such as the Liberty Alliance to standardize means to federate identities.
  2. Workflow: Some identity management systems have built rich workflow structures to simplify provisioning and the tie-in to enterprise applications.
  3. User control over identity management: The corporate environment allows and demands common rules and obligations. But sometimes users’ identities need to be managed as individuals. In the space which overlaps personal and corporate use, a measure of user control is required to balance I/T’s control point. Various frameworks such as the Novell-supported Higgins project or OpenBC are examples of these initiatives.
  4. Service providers: As telecommunication service providers (as well as others – governments, medical establishments) coordinate multiple services for their customers, identity management broadens its scope further.

Corporate Governance

As identity management has broadened its scope, it has stayed within the traditional boundaries of I/T. However, substantial change is afoot in a totally different part of the world – the emerging world of corporate governance.

A major shift has occurred in the ways that corporations look at governance. A variety of events: new regulations, lawsuits, policy compliance, privacy concerns, and liability have caused corporations to look seriously at the issue of governance.

The regulatory regime provides one clear and powerful motivator. Whether due to Sarbanes-Oxley, HIPAA, or Basel II, corporations are forced to track compliance/governance events more tightly than in the past.

What does a company do when new legislation is enacted? Invariably, it needs to respond well before it can perfect its I/T infrastructure. We can all remember the Herculean efforts that were exercised to implement HIPAA by legislated deadlines. When a company is in react mode, it does not react with a clean architecture. Special case solutions are built for each governance issue: a set of band-aids, special case technologies, manual processes, and just-in-time invention to solve the regulatory need.

The regulatory regime has become increasingly heavy. Beyond regulation, companies are concerned about a range of things:

  • Who is authorized to purchase goods?
  • Who has authority to approve what type of customer interactions?
  • What policies and practices must vary globally due to differing rules, laws, and practices?
  • What liabilities does a company have?
  • What are the system and architectural principles to deal with compliance issues?
  • How does a company contain the cost of compliance?
  • How does a company address compliance without running afoul of privacy considerations?

Identity management broadens again to address corporate governance

My view is that there is an important opportunity to create a software infrastructure to address the issue of corporate governance. After all, many of the items that corporate governance tracks and reports on have signposts in I/T infrastructure.

It would be a mistake to start from scratch. Much of the architectural basis that is needed already exists in identity management products.

The first architectural basis required to address corporate governance is an infrastructure that talks about the people in the organization. Users or people are a fundamental basis for compliance reporting and governance. Identity management systems deal with people. Those with richer directory infrastructures – of course – do a better job.

Another key architectural basis is workflow, which is already built into some identity management products. At Novell, we consider that a particular point of pride.

Yet another architectural basis is the state of the I/T assets in the business, which is addressed by event management.

Thus a subsystem which excels in these three pieces (user management, workflow, and event management) provides the systems infrastructure that ISVs and corporate developers need to build new compliance or governance applications quickly and cleanly.

The missing piece: Event management

With Novell’s acquisition of e-Security, we intend to lead the next redefinition of the identity management arena. The infrastructure for corporate governance consists of three primary ingredients: identity management, workflow, and event management. Novell’s strong directory based identity management and workflow capabilities in its award winning Identity Manager product provide the first two pillars. Let’s talk about the third: event management.

When we look at the potential scope of software support for corporate governance, we see that it requires a wide dynamic range of event management capability. At the end of the day, it is the events of the everyday running of a corporation that need to be monitored and managed. Events may differ depending on the application and the producers. The frequency of the events may differ. The workflow of the response may differ, and the reporting granularity may differ.

Also, events come in many levels of granularity. At times, it is not enough to base event responses on single-sourced events. Rather, the correlation of multiple system-level events produces composite events that are relevant to corporate governance. Such composite “governance events” allow I/T systems to be relevant to the driving application.
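As an added illustration of the three pillars named above (user management, workflow, event management) and of correlating system-level events into composite governance events, the following Python replays a constructed event stream from an identity system, a procurement workflow and an operating system, and emits separation-of-duties and unauthorized-approval governance events. This is example code written for this page, not Novell’s or e-Security’s; every user, role and event in it is constructed.

```python
"""Correlate low-level system events into composite governance events.

Constructed example: three event producers (identity management, a
procurement workflow, the operating system) feed one stream, and a
correlation step turns several system-level events into one composite
"governance event" that a compliance workflow can act on.
"""
from dataclasses import dataclass, field

# Constructed role directory, standing in for the snapshot an identity
# management system would provide: who currently holds which business role.
ROLE_DIRECTORY = {
    "alice": {"purchasing-requester"},
    "bob": {"purchasing-approver"},
    "carol": {"purchasing-requester", "purchasing-approver"},
    "dave": set(),
}

# Constructed event stream. Producers differ in shape and granularity:
# idm events change role state, workflow events carry business meaning,
# os events are raw activity that no governance rule below needs.
SAMPLE_EVENTS = [
    {"ts": 1, "src": "idm", "type": "role_grant", "user": "dave", "role": "purchasing-approver"},
    {"ts": 2, "src": "workflow", "type": "po_submitted", "user": "alice", "po": "PO-1001", "amount": 4200},
    {"ts": 3, "src": "workflow", "type": "po_approved", "user": "bob", "po": "PO-1001"},
    {"ts": 4, "src": "workflow", "type": "po_submitted", "user": "carol", "po": "PO-1002", "amount": 18000},
    {"ts": 5, "src": "workflow", "type": "po_approved", "user": "carol", "po": "PO-1002"},
    {"ts": 6, "src": "workflow", "type": "po_submitted", "user": "alice", "po": "PO-1003", "amount": 900},
    {"ts": 7, "src": "idm", "type": "role_revoke", "user": "dave", "role": "purchasing-approver"},
    {"ts": 8, "src": "os", "type": "login", "user": "dave", "host": "erp-01"},
    {"ts": 9, "src": "workflow", "type": "po_approved", "user": "dave", "po": "PO-1003"},
]


@dataclass
class GovernanceEvent:
    """Composite event: a governance finding plus the raw events behind it."""
    kind: str                     # "separation_of_duties" or "unauthorized_approval"
    po: str                       # purchase order the finding concerns
    user: str                     # identity the finding is about
    evidence: list = field(default_factory=list)  # timestamps of contributing raw events


def correlate(events, roles):
    """Replay the stream in time order and emit composite governance events.

    Identity (idm) events mutate a live copy of the role state; workflow
    approvals are checked against that state and against earlier workflow
    events. The caller's role directory is never modified.
    """
    live_roles = {user: set(r) for user, r in roles.items()}
    role_change_ts = {}   # (user, role) -> ts of the most recent grant/revoke
    submitted = {}        # po -> (requester, ts) from the submission event
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] == "idm":
            user_roles = live_roles.setdefault(ev["user"], set())
            if ev["type"] == "role_grant":
                user_roles.add(ev["role"])
            elif ev["type"] == "role_revoke":
                user_roles.discard(ev["role"])
            role_change_ts[(ev["user"], ev["role"])] = ev["ts"]
        elif ev["src"] == "workflow":
            if ev["type"] == "po_submitted":
                submitted[ev["po"]] = (ev["user"], ev["ts"])
            elif ev["type"] == "po_approved":
                approver = ev["user"]
                requester, sub_ts = submitted.get(ev["po"], (None, None))
                # Rule 1: the requester of a PO may not also approve it.
                if requester == approver:
                    findings.append(GovernanceEvent(
                        "separation_of_duties", ev["po"], approver, [sub_ts, ev["ts"]]))
                # Rule 2: approver must hold the approver role at approval time.
                if "purchasing-approver" not in live_roles.get(approver, set()):
                    evidence = []
                    change = role_change_ts.get((approver, "purchasing-approver"))
                    if change is not None:
                        evidence.append(change)   # the revoke that made this unauthorized
                    evidence.append(ev["ts"])
                    findings.append(GovernanceEvent(
                        "unauthorized_approval", ev["po"], approver, evidence))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, ROLE_DIRECTORY):
        print(f"{finding.kind}: {finding.user} on {finding.po}, raw events {finding.evidence}")
```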

To redefine identity management and create the corporate governance infrastructure segment, we needed the best event management system in the industry. So we acquired e-Security.

This is getting long, so I will explain why e-Security is best in my next post.

Touching on a few comments

May 26th, 2006 by Jeff Jaffe

Thanks to all who have continued to post on this blog. A few comments are in order:

1. There has been some discussion as to whether negativity discourages Novell executives from blogging. I want to assure you it does not. All of the input of our stakeholders is important and I welcome it.

2. Part of the reason that I don’t respond point-by-point is because I have already responded to the points in earlier blogs. For example, in earlier blogs people have complained that Novell killed NetWare. I responded that we are continuing to support NetWare. (Actually, with our Open Workgroup Suite, we are extending the value of NetWare.) If in a subsequent post someone again asserts that Novell killed NetWare – but states it in terms that are more shrill – they should not expect a repeated response.

3. To Javier’s post about GroupWise, I encourage him to look at the exciting new functionality in GroupWise Mobile Server.

4. To the assertion that our strategy is “Linux only”, I encourage you to look at my May 15th post which says quite the opposite. In black and white! We are on a mixed source strategy. Deliberately. Uniquely in the industry.

5. To the post by siones42 – that we need to make the transition to OES easier, I would agree. We plan to invest more in future releases of OES. The first release made substantial progress. There is more to do. We hear you.

Finally, on an unrelated note, but worth a read, have a look at John Carroll’s blog posting on ZDNet on Mono. He sees Mono as a positive step for Microsoft developers, helping bridge the gap between the Windows and non-Windows developer worlds.

Several topics: Mixed source – Novell acquires e-Security

May 15th, 2006 by Jeff Jaffe

Blog purpose

Approximately one month ago I launched the Novell CTO blog. I have been gratified by the thousands of folks who have looked through my musings and the growing number of people who have posted to it. I have learned a lot.

I intend to use it as a modern way to achieve two-way communications with our stakeholders: customers (current and future), shareholders, technology partners, researchers, and employees. Accordingly it will have a broad scope of material.

I learned with my first few posts that I cannot cover everything simultaneously. I blogged about our industry’s opportunity to create an open Linux desktop that avoids vendor lock-in. I received great feedback about the Linux desktop. But additionally, many posters wanted to talk about NetWare. An important topic, and so I posted some thoughts. But that topic, as well as every other technology topic of interest to Novell’s stakeholders, deserves a complete, thoughtful discussion. It will come in time. But I cannot do everything at once.

News flash: Novell acquires e-Security

Today’s top-of-mind topic is Novell’s acquisition of e-Security, a leading security information and event management software firm. Our press release can be found here. I would like to explain the technological and market drivers which make this an ideal fit.

Before doing that, however, I need to explain our unique strategy of being a mixed source technology vendor. Many companies are on a mixed source strategy: shipping closed source when it is beneficial and complementing that with some open source products. But other than pure open source companies, I don’t think that any companies are as enthusiastic about open source as Novell is (cf. www.novell.com/ctoblog – April 3 post – for some illustration of that passion). We work hard to create communities. We work hard to make open source innovation pervasive in the infrastructure. But all this leads to a question that I have been asked numerous times during my 5 months at Novell: when will Novell become a pure open source company?

Since e-Security’s products are not open source, now is the time to explain mixed source – then we can get back to e-Security.

Maturity of Open Source Technology

Billions of dollars have been invested in proprietary technologies. Probably a trillion dollars of closed source has been installed in customer locations. Who can count the money corporations have poured into their unique applications that leverage these technologies?

The open source community has rapidly matured many technologies. But the pace has been uneven. The unevenness is related to several factors. Innovators will focus where there is opportunity for innovation. Open source teams will focus on areas with broader appeal. Certain technology areas – management technologies in particular – appear more closely tied to “technology incorporation into business” rather than core innovation. Such technologies are less likely to build mature open source communities. In summary, it takes a long time to catch up with trillions of invested dollars.

Meeting the Customer Need

This explains why Novell has a mixed source strategy. We are in business to address customer needs. We provide core platform services such as NetWare, SUSE Linux Enterprise Server, and SUSE Linux Enterprise Desktop. We provide collaboration software such as GroupWise, the Hula open source project, and NetWare file and print services. We provide management technologies, including identity, access control, resource management, and now security event management. In each discipline, we use whatever technologies are at our disposal to meet customer needs. Sometimes an existing open source project will do it. Other times, we see a path to build a solution through a new open source project. For other areas, there is simply no time, and a closed source solution exists. Customer needs are too urgent. Closed source solutions are indicated.

Some vendors are more purely in the open source camp. They play an important role and we partner with them regularly. These companies adopt unnecessary restrictions on satisfying customer needs.

Other vendors who are more purely in the closed source camp also play an important role in meeting today’s customer needs. These companies are poorly positioned to create the open enterprise, which we see as the long term customer imperative.

The two sets of technologies are at opposite extremes. As mentioned above, today’s I/T has trillions of dollars of proprietary technology. Only a mixed source strategy has the chance to be relevant. But the future is an exciting open source world. Our passions are focused on creating this new world.

A Mixed Source Strategy Defined

Given the tension between “pure open source” and “meeting customer needs,” I will articulate five different maturity levels and describe Novell’s unique strategy to address them. Then I will use this taxonomy to explain the logic of acquiring a closed source company for security event management.

In looking at these categories, keep one thing in mind. Novell, like any organization, has a limited quantity of resources. So as we invest we are constantly making trade-offs. We cannot do everything. If we try, we will sub-optimize every area and nothing will be accomplished. So think of this taxonomy as our underlying principles. Implementation always involves trade-offs.

Let’s assume that there is a customer need and we are making a technology sourcing decision. Here are five levels of maturity that are of interest.

1. Open source technology is sufficiently mature to address enterprise computing needs. A long-standing example of that is the Linux server. I argued in www.novell.com/ctoblog – April 3 post – that the Linux desktop has emerged on the scene as a viable tool for knowledge workers. For this category of maturity our strategy is simple. We distribute open source to enterprise customers and provide a well supported distribution. By the way, even where we provide open source solutions, there is often a need to address gaps by connecting the open source solution to existing enterprise software solutions.

2. Neither sufficient open source nor closed source. An example of this important technology area a while back was Mono, which is a project to run .Net applications on Linux. For this category we will often foster the creation of a new open source project – often having the project maintainer inside of Novell.

3. Sufficient closed source technology and insufficient open source technology, but Novell sees an opportunity to move that area into open source. Generally, management technologies are examples of areas of mature proprietary frameworks and insufficient open source technology. For such areas, we start open source efforts so that we can begin addressing the large volume of software. But for today, we simply don’t have the resources to duplicate massive investments made by the entire software industry – to say nothing of enterprise customers’ investments – in a short amount of time. So our strategy is to meet customer needs by shipping conventional closed source products. We also unashamedly continue to make closed source investments in these areas. This is the only way to get solutions to customers that they need. At the same time, we make targeted investments to develop an open source base.

Some ask: why not take our entire closed source investment and make that available as open source? In truth, we will do this where we think it is effective. Generally, we expect it to be effective if there is a sufficient community that will gain acceptance for the open source offering. Also, it can work when the market is interested in leaving existing closed source solutions. But we don’t see where anyone benefits if we open source technology that will not garner a community.

If it does not make sense to open source an entire investment, we incubate by open sourcing some components. One example is security. We don’t see where all security technology can be open sourced at this point. However, Novell felt that there was a need for an application container approach to assure application security. We also felt that a community could coalesce around this set of ideas. So we open-sourced our entire AppArmor investment.

A second example is identity frameworks. Identity management is a complex area with many different approaches. It is too early for the community to standardize on one approach. However, identity enablement (i.e. making a device, user, or application manageable by an identity management application) is more mature. So earlier this year we open-sourced an identity management enablement layer (known as the Bandit project; see www.bandit-project.org). Over time, as this community grows, we would expect to open source more.

4. There is an area of technology importance where in our assessment it is unlikely that we would succeed in creating a large community of innovators. This would typically involve product areas which are already very successful in the field for a long time. For these, our strategy is to continue shipping the products as closed source. Again, there would be little value to open up the code if we did not expect a community to form.

5. There is an area of rapid technology innovation in the open source world which is complementary to existing closed source products. For such cases, our strategy is to infuse open source into traditional closed source platforms. An example of that is our decision to virtualize NetWare on top of Linux via our Open Enterprise Server product. This allows NetWare customers to leverage the rapid innovation of Linux in platform support, plug-and-play, and scalability.

Discussion

It is understood that there are many judgments to be made in the above. Honest people will differ about how to characterize some technology areas. Honest people will argue as to whether the above is the right strategy. I would not characterize this strategy as cast in stone. It undergoes continued evaluation. I invite feedback.

Our decisions are guided by the pragmatics of resource constraints. With infinite resource and infinite time we would open source everything. But we are accountable to provide technology that meets our customer needs, today – which pushes us to be objective rather than aspirational as we make these decisions.

Back to e-Security

I started with a discussion about e-Security – but first wanted to clarify Novell’s mixed source strategy – a unique technology strategy that puts customers first, enthusiastically moves the industry to open source, but does it in a pragmatic fashion.

The area of compliance and governance which e-Security specializes in is a rapidly emerging area where there are insufficient standards and open source communities to make this fit the open source model. It is broadly part of the identity space where we are incubating an open source capability.

I still need to explain the importance of e-Security, but this post has gone on rather long. So we’ll return to e-Security in my next major post.

My Marketing Colleague Launches a Blog

May 9th, 2006 by Jeff Jaffe

I’m pleased to relay that my colleague on the marketing side, John Dragoon, Novell’s chief marketing officer, has just launched a blog. While I’m focusing on the technical side of what’s happening in the market, and how Novell is playing in key technology trends, John will be talking about the challenges of tech marketing. His first post emphasizes the critical role marketing plays in defining the success of a technology. The best innovation won’t succeed without effective marketing, as John clearly understands. Go over and have a look.

Implications of the Linux Desktop

May 1st, 2006 by Jeff Jaffe

The Imperative for Corporate I/T

Over the last two months, I have outlined the case for the Linux desktop. Four weeks ago, I described the innovative process which is making the Linux desktop ready for prime time. Two weeks ago, I outlined the key features of Novell’s SUSE Linux Enterprise Desktop 10: why it was innovative, well integrated, and generally good enough for the knowledge worker. I also committed to follow-up with an analysis of what corporate I/T should do with this new technology.

The emergence of an innovative and adequate Linux desktop is disruptive. But for corporate I/T, there is always a switching cost. Why take the risk now? More generally, what should be the reaction of corporate I/T managers?

Well, their first reaction should be unbridled joy! Corporate I/T has always been at the forefront of advocating choice and standards, and eschewing vendor lock-in and proprietary designs. Not only does a capable Linux desktop provide choice, but it does it in the most open possible way – the source code is freely available. Nirvana.

But there are also very pragmatic reasons to embrace the Linux desktop. So, what should be their practical reaction? There are several steps.

1. Open Source acquisition policy. It is already the case that many enterprise users download Open Source software and many enterprises have policies that govern this. The maturity of Open Source is accelerating this trend. Companies need to create, revisit, and revise Open Source acquisition policies. Here’s why.

The desktop operating system is basic. Everyone uses one, and preferences vary. It is a virtual certainty that many individuals in an enterprise will want their own versions of desktop Linux. Some I/T organizations will encourage this. Their enterprises will get the full benefit of Open Source innovation. Each desktop will be customized for a user’s needs and wants. Differences will abound.

But other I/T organizations will be fearful of such a situation. The support of this diverse set of desktops will fall on the back of the corporate I/T organization. If there is no quality control or vendor support backing up the software – the costs could grow. Such I/T organizations might elect one or several vendors who they qualify to distribute and support desktop Linux.

2. Segmentation into desktop types. Certain segments are prepared to deploy Linux today. These include: thin clients, fixed function terminals, transactional terminals, and the basic knowledge worker. Given the ultimate imperative to move to open solutions and develop Linux skills, it is very sensible for I/T managers to start in those segments where Linux is more mature.

3. Pilot deployments. Aside from deploying the Linux desktop to simple environments, it is prudent to prepare for an increasing fraction of Linux desktops over time. To avoid the situation where an I/T manager is beset with this requirement with no preparation, I/T managers should find clusters of users who are ready for the Linux desktop today. Some areas, such as the thin client, fixed function, and transactional user, represent areas for wholesale migration to Linux. For others, such as office workers, knowledge workers, general purpose users, scientific users, CAD users, financial analysts – readiness will vary from organization to organization. Each enterprise should identify the user classes that are ready for wholesale migration, and the classes that should begin with pilot migrations.

4. Significant deployments. Once I/T managers have evaluated the quality and features of the Linux desktop, they should evaluate switching a large fraction of their users the next time they contemplate a major software upgrade of the desktop. It will be good enough for many users and at a much lower cost.

5. Assessing the next major desktop upgrade. The timing for preparing a significant deployment could not be more appropriate than it is today. Every I/T organization goes through a regular cycle of assessing the next upgrade of desktop software. Many organizations will assess their next desktop move at the end of 2006 for deployment in 2007. Having a pilot and/or a significant deployment affords an opportunity to compare at least two choices for the next desktop deployment. This results in a more informed decision than if the I/T manager is simply assessing an upgrade from one desktop software vendor.

6. Move the entire enterprise to Linux desktops. There are numerous enterprises that are prepared for a complete movement to Linux desktops. These include the following:

a. Unix desktop environments. The migration to Linux should be much easier.
b. Emerging countries. For new companies, most notably in the developing world, it is sensible to get on the platform of innovation – the Linux desktop – rather than starting with proprietary alternatives.
c. Deferred upgrade. Many enterprises have deferred upgrading to new releases of their existing software due to the high cost of upgrade. It is an opportune time to move to the Linux desktop with supporting software (e.g. Firefox, OpenOffice).

The Imperative for Hardware Vendors and ISVs

Hardware OEMs and software ISVs have been leaders in moving towards open software standards. This includes several players in the industry: hardware vendors who ship Linux as an option, the 100000+ Open Source projects who typically build on a Linux operating environment, as well as Windows middleware vendors who have ported to Unix and Linux. Their investments will pay off. Increasingly, they need to ensure that both client and server run on Linux.

Summary

The Open Source community has created a desktop which is good enough for most users and demonstrates excitement and enthusiasm. It will open a new generation of desktop innovation. SUSE Linux Enterprise Desktop 10 demonstrates some of that power. But the true power will be unlocked when thousands and millions of programmers and end users participate in future versions.

It is time for corporate I/T to embrace the Linux desktop, and to have a clear acquisition strategy for Open Source.


© 2009 Novell, Inc. All Rights Reserved.