Friday Mar 21, 2008

Obama Passport Breach

I was reading the news yesterday and this morning on the case of certain contractors accessing Obama's passport records and the firing of certain individuals involved. What was really interesting to me, as we consider the case as it has been reported, is that the individuals involved had the correct access levels to get this information. So in technical parlance they had been authenticated to the system, and they were authorized to access passport records, but it was a business policy that was violated: no data access for non-official business.
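To make the distinction concrete, here is an added example (not code from the original post, and not any real passport system) that separates the three checks the post describes: authentication is assumed to have already happened, authorization is a role-to-record-type lookup, and the business policy ("official business only") is a need-to-know rule that requires an open case, assigned to the requesting user, for the subject being looked up. The role table, case list, access log and function names are all constructed assumptions.

```python
"""Added example: authorization versus business-policy (need-to-know) checks
over a constructed access log. Not from the original post; all data and
names below are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Authorization: which record types each role may read.
ROLE_PERMISSIONS = {
    "passport_clerk": {"passport"},
    "visa_clerk": {"visa"},
    "supervisor": {"passport", "visa"},
}

# Business policy: a record may only be opened against an open case that is
# assigned to the requesting user AND concerns the same subject.
OPEN_CASES = {
    "C-1001": {"assignee": "alice", "subject": "subject-42"},
    "C-1002": {"assignee": "bob", "subject": "subject-77"},
}

# Subjects sensitive enough that every access, even a justified one, is reviewed.
HIGH_PROFILE = {"subject-99"}


@dataclass
class AccessEvent:
    user: str            # already authenticated
    role: str
    record_type: str
    subject: str
    case_id: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    review: bool = False   # should a compliance reviewer look at this event?


def evaluate(event: AccessEvent) -> Decision:
    """Authorization first, then the need-to-know business rule."""
    if event.record_type not in ROLE_PERMISSIONS.get(event.role, set()):
        return Decision(False, "not authorized for record type")

    case = OPEN_CASES.get(event.case_id or "")
    if case is None:
        # Authorized user, but no official business cited: the passport case.
        return Decision(False, "no official case cited", review=True)
    if case["assignee"] != event.user or case["subject"] != event.subject:
        return Decision(False, "case does not cover this user/subject", review=True)

    return Decision(True, "ok", review=event.subject in HIGH_PROFILE)


def review_log(events: List[AccessEvent]) -> List[AccessEvent]:
    """Events a compliance reviewer should examine."""
    return [e for e in events if evaluate(e).review]


# Constructed sample log.
SAMPLE_LOG = [
    AccessEvent("alice", "passport_clerk", "passport", "subject-42", "C-1001"),
    AccessEvent("alice", "passport_clerk", "passport", "subject-99"),   # authorized, no case
    AccessEvent("bob", "visa_clerk", "passport", "subject-77", "C-1002"),  # wrong role
    AccessEvent("bob", "visa_clerk", "visa", "subject-42", "C-1002"),      # case for other subject
]

if __name__ == "__main__":
    for e in SAMPLE_LOG:
        print(e.user, e.record_type, e.subject, evaluate(e))
```

The second log entry is the shape of the reported incident: the role check passes, so a system that stops at authorization would happily serve the record; only the case check denies it and queues it for review.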

I wonder how many businesses have not even considered this a potential risk and compliance issue? The good news is that with Sun's identity offerings and our latest product, Sun Role Manager, we can help customers address these needs.

Update: Now it seems that it was all the candidates... I wonder what else these contractors were doing? Mmmm...

-Mark

Monday Mar 17, 2008

Solving Real Business Needs

I have spent the last few weeks traveling the country speaking to customers, prospects, and industry analysts, discussing the trends they are seeing, what they are doing, and the problems they are facing.

What was striking was a consistent theme I heard from all of them: "How do I expand my reach while mitigating my risk?"

What is Reach and why do companies care?

Most companies are trying to reach more customers, partners, and markets, and to gain new opportunities. They are looking at ways of expanding their relationships with their suppliers and their entire value chain.

Consider the following examples:

  • The Government of Norway has undertaken an amazing project to enable its 4.5 million citizens to seamlessly access over 200 services on the web.
  • Or consider the Cleveland Clinic, which gives its 2.6 million patients access to its 2,000 service providers and provides authenticated access to prescription data for the thousands of retailers that might dispense the medication.

These are not isolated examples, but rather part of a growing trend in which businesses seek competitive advantage by extending their reach.

The other side of REACH... RISK!

Unfortunately, expanding reach has a nasty side effect: expanded risk. These two business forces, reach and risk, are in opposition to one another. Consider a "zero-reach" system such as the one dramatized in the movie Mission Impossible, where Ethan Hunt has to break into a physically secure location to access a machine: almost no reach and very low risk. At the opposite end of the spectrum is the Internet, where there is almost infinite reach but also almost infinite risk. The business reality is that most customer-facing applications live in this infinite reach/infinite risk arena.

One cannot eliminate risk; the goal of any organization is to balance the forces of risk and reach at an acceptable level. Every organization, and potentially every system in every organization, has to consider that balance and determine what makes business sense.

"Only those who dare to fail greatly can ever achieve greatly." -- Robert F. Kennedy

This balancing act isn't easy; consider the billions of dollars lost by Jerome Kerviel at Societe Generale. Arguably they gave Kerviel too much reach!

It seems that one cannot read the news without hearing about the effects of this reach/risk tension:

  • Banks failing to manage IT risk study
    A new survey by Ernst & Young has found that the majority of global banks are failing to align IT risk management practices within more general enterprise and operational risk frameworks.
    http://www.finextra.com/fullstory.asp?id=18159
  • Top Banks Named in New Identity Theft Study
    Report Examines Incidents at Major U.S. Financial Institutions. Shockwaves rumbled through the US banking industry this week with the release of a new report estimating the annual incidents of identity theft associated with the nation's top banks.
    http://www.bankinfosecurity.com/articles.php?art_id=724&rf=022908

Just as with investing money, there is no silver bullet or single optimal balance between these forces; instead, each business needs to determine its own "risk/reach tolerance level". Most organizations are also required to keep that risk/reach ratio within limits set by government and SEC requirements such as Sarbanes-Oxley.

How does Sun help?

Sun's Software Infrastructure products and solutions are designed to help with this careful balancing act.

Consider General Electric. GE has a reach of over 300,000 employees and contractors who need access to a wide variety of telecommunication assets. Naturally this pool of people is in constant flux, and that creates business and financial risk. GE needed a way to ensure automated provisioning and, perhaps more importantly, automated de-provisioning of user access as people joined and left the company. Sun's Identity Manager was deployed to manage the risk/reach ratio by automating the provisioning and de-provisioning of users. This helped GE reduce the risk posed by terminated and contingent workers retaining access to email and application accounts.
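The de-provisioning problem described above comes down to reconciliation: comparing the authoritative HR view of who is still entitled to access against the accounts that actually exist in each system. The following is an added example (not Sun Identity Manager code, not GE's deployment) showing that reconciliation over a constructed HR roster and account inventory; the field names, the zero-day grace period and the 14-day look-ahead window are assumptions.

```python
"""Added example: joiner/leaver reconciliation that finds accounts which
should already have been de-provisioned, plus contractor access that is
about to expire. All data below is constructed; field names are assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

GRACE_DAYS = 0  # assumption: a leaver's access ends on the recorded end date

# Constructed HR roster (the authoritative source): one row per worker.
HR_ROSTER = {
    "e100": {"status": "active", "type": "employee", "end_date": None},
    "e101": {"status": "terminated", "type": "employee", "end_date": date(2008, 2, 29)},
    "c200": {"status": "active", "type": "contractor", "end_date": date(2008, 3, 31)},
    "c201": {"status": "active", "type": "contractor", "end_date": date(2008, 1, 15)},
}

# Constructed inventory of accounts pulled from two downstream systems.
ACCOUNTS = [
    {"system": "email", "account": "e100@corp", "owner": "e100"},
    {"system": "email", "account": "e101@corp", "owner": "e101"},
    {"system": "erp", "account": "c200", "owner": "c200"},
    {"system": "erp", "account": "c201", "owner": "c201"},
    {"system": "erp", "account": "svc_legacy", "owner": "x999"},  # owner unknown to HR
]

Finding = Tuple[str, str, str]  # (system, account, reason)


def is_entitled(worker: Dict, today: date) -> bool:
    """HR view: may this worker hold any access on `today`?"""
    if worker["status"] != "active":
        return False
    end = worker["end_date"]
    return end is None or today <= end + timedelta(days=GRACE_DAYS)


def reconcile(roster: Dict, accounts: List[Dict], today: date) -> List[Finding]:
    """Accounts that should be disabled now, with the reason for each."""
    findings: List[Finding] = []
    for acct in accounts:
        worker = roster.get(acct["owner"])
        if worker is None:
            # No HR record at all: an orphan account nobody will ever de-provision.
            findings.append((acct["system"], acct["account"], "orphan: owner not in HR"))
        elif not is_entitled(worker, today):
            findings.append((
                acct["system"], acct["account"],
                "%s no longer entitled (status=%s, end=%s)"
                % (worker["type"], worker["status"], worker["end_date"]),
            ))
    return findings


def expiring_within(roster: Dict, today: date, days: int = 14) -> List[str]:
    """Workers whose end date falls inside the look-ahead window: stage their removal early."""
    horizon = today + timedelta(days=days)
    return sorted(
        wid for wid, w in roster.items()
        if w["status"] == "active" and w["end_date"] is not None
        and today <= w["end_date"] <= horizon
    )


if __name__ == "__main__":
    run_date = date(2008, 3, 17)
    for f in reconcile(HR_ROSTER, ACCOUNTS, run_date):
        print("DISABLE", *f)
    print("EXPIRING SOON", expiring_within(HR_ROSTER, run_date))
```

Run against the sample data on 2008-03-17, the reconciliation flags the terminated employee's mailbox, the contractor whose engagement ended in January, and the orphaned service account, while reporting the contractor ending on 31 March as expiring soon. In a real deployment the roster and account lists come from an HR feed and per-system connectors, and the findings drive disable actions rather than print statements.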

We welcome the opportunity to help you solve your specific risk/reach tolerance issues and encourage you to look at our recently announced acquisition of Vaau to see how we are extending our portfolio to help you solve these issues.

Tuesday Mar 11, 2008

Customers...

I have just returned after spending 3 fantastic days at our Customer Advisory Council in Florida. Let me start by saying how humbled I was that very senior executives would take 3 days out of their excruciating schedules, away from family and their jobs, to meet with us. Thanks just doesn't do justice to the gratitude and respect we at Sun have for these invaluable customers.

We covered a lot in these 3 days, from product roadmaps and tactical plans to strategic directions and portfolio gaps. We had some really frank discussions that cannot be captured in this blog, but I thought it might be interesting to discuss the trends I saw at this meeting...

  • Open Source -- Every customer is committed to open source, not because of any religious zeal, but because this is how adoption occurs. They see, as Sun does, that open source is a means to an end. Open sourcing a product increases its adoption by users, partners and, perhaps more significantly for this audience, by service providers who will be doing more and more of the coding. It really is about building a robust and thriving community that increases adoption and knowledge of the product. For the customer this is key to finding resources who know and can use the product.
  • Paying for Open Source -- Every customer at the CAC, without exception, wanted to pay for support of the open source offering. Not for simple "break-fix" support, but for patch support and indemnification. They saw Sun standing behind the product and being there 24x7 to help them with any problem as a huge value add. This was additional proof that the open source strategy Sun has embarked upon is the winning strategy. Those vendors who ignore the open source trend will be left behind, polishing that proverbial proprietary apple until it is rotten inside.
  • Offshore Development -- Another interesting trend. Most of the customers used offshore development for coding. They used Sun, another service provider, or their own skilled resources as architects for their product, but they used, or wanted to use, "cheaper" resources for coding.
  • Information Risk Management -- Every customer had either already deployed or was in the process of deploying an identity solution. Our recent acquisition of Vaau was of particular interest for how it bolsters Sun's leadership position in the Governance, Risk and Compliance arena.
  • Consolidation -- Most of the customers were in the process of consolidating data centers to simplify operations and reduce costs. Sun's new xVM strategy was very interesting to them, since it allows not just consolidation but increased utilization.
  • Service Oriented Architecture -- All customers had embarked down a SOA route, but few viewed this as a technology issue. They viewed it as a new way of developing (or perhaps a new discipline that creates reusable services). The hype around SOA had not influenced their development; indeed some of them had not even implemented an Enterprise Service Bus (like OpenESB) but were ensuring that point-to-point SOA integration occurred. Others had gone further down the SOA route, but only where there was a distinct business benefit.
  • Buying Stacks, not Point Products -- Another interesting trend that again validates Sun's strategy: most of these customers were sold on Sun's products to fix a particular problem, be it Single Sign-on, Identity Management, Single Customer View and the like, but they bought into Sun's application infrastructure and purchased the Java Enterprise System (JES). The JES model and philosophy of simple pricing, the sum being greater than the parts, and a complete stack is what made the deal.
  • Vendor Assessment = Replacement! -- Some vendors go into their customers and make them spend endless hours and resources documenting where software is being used and how many licenses they have bought. They are really like vultures hoping to extract a few more dollars from their customer base. Luckily at Sun we don't do this, and it was this exact practice that inspired the JES model of simple subscription pricing. What was enlightening is that as soon as a vendor starts this kind of assessment, the customer looks for ways to replace them. Why waste time with a "vulture vendor"?

There was much more that we learned from this invaluable event, but unfortunately a lot of it cannot be shared on a public blog. Rest assured that the advice and direction given will find its way into our products and our strategy... Thanks again to our customers for giving us the opportunity to listen.