Wednesday, June 28, 2006

Vista security - Microsoft's created a Hummer

If Microsoft was a car manufacturer, a few years ago it would have been hit with a whole bunch of complaints about how its vehicles failed to meet safety requirements, particularly with the trend towards off-road driving. It’s not our fault, they said, our cars were never designed to be off-road and besides, have you seen how badly you drive? The debate has raged, the company has been castigated and, as a result, has stepped up to the plate with admirable resolve, with the result that (in the shape of Windows Vista) the company does appear to have addressed the central issue: to produce a car that can be driven within acceptable bounds of safety. Or, in other words, to produce an operating system that can withstand the pressures of being network-connected.

I’m saying this to work through why, when attending a recent event concerning the new security features of Vista, I felt strangely, even guiltily nonplussed. Guilty because, after all, Microsoft has put a great deal of effort into hardening Windows Vista, pitching its l’il (ahem) operating system against an increasingly diverse set of threats and doing its very best to address the perceived security issues and poor reputation that kicked off its whole “trustworthy computing” initiative a few years ago. Hurrah... but what do we have as a result? Does it mean that companies, or their data and applications, will actually be more secure? I don’t believe so. Windows Vista may not be perfect, but it should probably be judged as adequate – essentially Microsoft will be able to confirm they have done their bit. Indeed, perhaps Microsoft has done more than enough – in attempting to silence its critics, Microsoft may well have created a Hummer. Whatever it has done, it is now time for Microsoft to move on.

I’m not sure the next “place” for Microsoft is about focusing on a risk management approach to security (though this is important), nor should it be about treating security as a business enabler (though this is to be hoped). Instead I think Microsoft’s focus should be on using its security capabilities as a security enabler – rather than putting all of its energies into emphasising the security proof points around the Vista platform, Microsoft should emphasise and strengthen the tools it has for reviewing the wider security measures in place in customer IT environments, and then reporting on what’s there and what can be done to improve things. Security of IT has similar properties to water finding a way through rock – all vendors need to assure the security of their own products, but security issues have a habit of worming their way through the cracks.

Of course, Microsoft cannot do this on its own. This suggests an opportunity for the company to partner with other strategic vendors (Cisco and SAP, for example) that also have a vested interest in raising the security bar for their customers, and to offer its wares as part of a security ecosystem. Not only would this serve to move the focus away from Windows and toward the infrastructure as a whole (a good thing for Microsoft’s image perhaps, but more importantly for companies that actually want to deploy secure environments), but also it would then enable more attention to be paid to the operational processes around security.

When Microsoft first announced trustworthy computing, it was accused (by me, among many others) of being both hypocritical and patronising as it took an evangelical, “we know best” approach, and of course its own chequered past undermined its fragile credibility. Equally, it was, and still is, not possible for Microsoft to cover security in its entirety – it is bounded by its own technologies, skills and areas of coverage. A combination of good review tools and appropriate partnerships, coupled with the prescriptive best practice that was supported by both, would give Microsoft the wherewithal to achieve what this was all supposed to be about in the first place – help companies reduce the risks caused by the use of IT.

Adopting a review-based, partner-led approach would enable Microsoft to evangelise good practice without being patronising, an approach that can be further helped when rolled out to its wider partner base of solution vendors and systems integrators. Rather than “we know what’s best,” Microsoft could then offer review tools from the perspective of “helping you to decide what is best”; if such tools were provided as part of Vista it might also offer the company another way to approach the “why Vista” question, offering the new operating system as a part of a general evolution towards better practices with tools to support them.

As a conclusion, then – from a security perspective, Microsoft products in isolation make little difference other than giving the company the ability to say, "I'm alright, Jack." Microsoft working with partners to deliver an improved infrastructure, with Vista as a catalyst, now that is starting to be interesting. Vista may be roadworthy, or even off-roadworthy, but now Microsoft needs to ensure that the corners are banked and fundamentally, that the drivers know how to drive.

Monday, June 26, 2006

The slow, lingering death is over

WinFS is no more. This comes as no great surprise to me. The effort to provide a common data storage system for the Microsoft environment was a massive undertaking. It has been a long-held vision for such a long time because of the significant impact it has for any Microsoft product which needs to manage data. It had also become a personal holy grail for Bill Gates, which does make me wonder if the announcement was timed to follow that of his planned change in role.

The existence of a common data storage system, manifested as a discrete product/capability of the Windows operating system in WinFS, is no longer the primary goal. However, the capabilities of that data platform are materialising in multiple places: Orcas, the next generation of Visual Studio, the .NET Framework with Entities - a high-level data model for representing customers, products - and LINQ - a general purpose query language for XML, relational and potentially other data types - SQL Server and so forth. WinFS will no longer be the focus going forward but the notion of the Data Platform Vision will be.

In terms of the impact, I actually think it is comparatively limited. Interaction with the data storage system is primarily through higher level products - Visual Studio, SQL Server, Data Protection Manager and so forth in a Microsoft world - and the message from Quentin Clark, Director of Program Management for WinFS who posted the announcement, is that those products will incorporate aspects of what would have been WinFS. The only minor impact - and I think it is minor because WinFS was pulled from Longhorn Server/Vista such a long while ago now - is from a marketing/perception perspective, now that the operating system will lack one of the three pillars that originally underpinned the vision. Microsoft has done a good job with Vista of providing much of the user experience of WinFS, such as search and extensible metadata, without it being baked into the platform.

So, all in all, newsworthy as Microsoft appears to have finally admitted defeat when it comes to the search - no pun intended - for its holy grail but in the larger scheme of things not as significant as the announcement would have been two years ago. I think the same is true for organisations considering the adoption of Longhorn Server/Vista. There are much more significant issues that they should be worrying about, particularly as they spend the vast majority of their time working with technologies that hide the underlying data storage system.

Thursday, June 22, 2006

VMware fesses up - sort of

No sooner had I posted on EMC than VMware issued an intriguing press release, about its support for software test and integration. Don't get me wrong, I'm all for it, and I'm all for VMware "strengthening its offering" in this area. I can't help thinking, however, that they've missed out one tiny but essential detail - that a significant proportion of VMware use is in this kind of environment anyway. From the release:

"As customers standardize on VMware virtual infrastructure, they are seeing a huge opportunity to leverage VMware's virtualization platform to enable a clean hardware and configuration-independent way to move from development to test to staging to production and streamline the constant iteration and cycling back through those stages," said Dan Chu, senior director of developer products at VMware.

Hmmm - perhaps the release wouldn't have had quite the same impact if it had said, "As customers standardize on VMware in their development and test environment, they may one day consider the use of VMware to deliver a virtual infrastructure..."

Or maybe that's just me.

Wednesday, June 21, 2006

Bringing the long-tailed mouse to life

I discussed the Higgins project a couple of months ago. For those of you interested in turning the concept into reality, can I suggest you hop over to ZDNet and take a look at David Berlind's excellent set of screen shots from a "demo" Higgins-based solution shown at the Identity Mashup Conference. The use of "icards" may lead some to repeat earlier claims that Higgins is an open source alternative to Microsoft's CardSpace (aka InfoCard) but this is not the case.

Thanks David.

Tuesday, June 20, 2006

100 and counting: oak trees and acorns

Well, I have to say I'm surprised!

Our only-slightly-tongue-in-cheek SOA 2.0 petition (stop the madness!) has now attracted over 100 signatures.

I think we're still a long way from beating back the tide of Oracle's misplaced SOA 2.0 marketing messages, but I'm dead chuffed we've even got this far. When we recorded our recent SOA 2.0 podcast episode I said that when I created the petition, I thought if we got to 20 or 30 signatures, that would be pretty cool. (That bit didn't make it into the edited audio, though, as I had got into an extensive ramble by that point, and we couldn't put our listeners through that kind of pain).

What's particularly gratifying is that roughly 65% of the signatories appear to be real people, doing real jobs - not representatives of Oracle's competitors, or talking heads like us.

Now, I'm getting a bit cocky and thinking that 500 would be a good target? Go on!

EMC and nLayers – another quart to be squeezed in a pint pot

A long, long time ago, I remember I was in a briefing with EMC. "Storage is a software problem," I said, to much general agreement and backslapping all around. While EMC was no stranger to acquisition, this was before it had made any of its "strategic" software purchases such as Documentum, Legato and VMware. Having bought the latter for reasons only it knows, for a while EMC considered presenting itself as an enterprise management company – the one stop shop of software to manage the dynamic data centre environment of the future. The company quickly fell back from this position, as it sought to sustain its hardware sales, while struggling to integrate the various products into a coherent software portfolio and, frankly, as it also discovered that there was little market for overhyped fantasies about how IT could run itself.

All the same, EMC has continued with its strategy to move from an over-dependency on hardware to one which balances hardware with software and services. What with the more recent acquisitions of Smarts (for network and IT event management) and now nLayers, it looks like the company is being drawn inexorably towards becoming an enterprise management player.

It is perhaps worth explaining what nLayers is: a software product that enables the auto-discovery of IT assets (think: hardware and software) that exist on the corporate network, together with the dependencies between them. Knowing what’s out there is a well known challenge for IT managers, who waste much time and effort keeping manual or spreadsheet records up to date, who lose money paying for things nobody is using, and who have to cope with unexpected dependencies being turned up during an upgrade or new deployment. nLayers has a broad remit: by acquiring such a company and then saying that it is just for information management, EMC is once again trying to fit a quart into a pint pot. The product is capable of so much more; so is EMC, if it could just get its act together in enterprise software.

In recent times, EMC has been quick to downplay any enterprise management aspirations, preferring to explain its software portfolio in terms of the management and protection of information. Even so, it knows that the portfolio is capable of so much more. Smarts (with its own sales force) is deployed in ways that go well beyond this quite limited scope, and VMware (run as a completely separate business) doesn’t fit the description at all. Is it any wonder that Wall Street has reacted poorly to the nLayers acquisition?

EMC is going to have to do something. By attempting to straddle the two stools of information management on one side, and enterprise management on the other, the company is giving itself something of an identity crisis. On the one side it has a goodly set of tools and capabilities to take on other enterprise management companies, who are themselves encroaching on EMC’s own base (CA for example, which is growing its information management portfolio, or Symantec if it ever manages to work out how to exploit the capabilities it absorbed from Veritas). On the other side however, and despite the fact that EMC's hardware business makes up proportionately less of its revenue year on year, it cannot risk undermining its position by looking like anything other than a storage company right now. As a storage company, EMC is a market leader; as a management software company, EMC becomes just one of many.

Nobody said life wasn’t going to be hard; meanwhile however, the company appears to be in denial. Judging by the nLayers acquisition, EMC is clearly resolved, or perhaps resigned, to delivering a more comprehensive portfolio of enterprise management software. The question is, how can the company do so without alienating its existing storage customers and jeopardising new sales, or losing the faith of the financial markets? EMC needs to present a coherent strategy that covers all the bases, and fast; and this time it needs to have the wherewithal to stick with it.

Lots happening in world of identity management

The last couple of weeks have seen a lot of activity in identity management land. Last week saw Burton Group's Catalyst Conference, which is always one of the key events in the identity management calendar. Although I wasn't able to be there it has been admirably covered by Sun's Mark Dixon and Digital ID World's Eric Norlin and Phil Becker (here, here, here, here, here and here). The conference also saw a meeting of the Identity Gang, briefly summarised by Kaliya Hamlin aka Identity Woman here. The discussions continue this week at the Berkman Center for Internet & Society with the Identity Mashup Conference.

With all this activity, it is not surprising that there has been a fair amount of news, but I wanted to call out a couple of announcements that caught my eye. Both relate to user-centric identity, which as I discuss in our recent report on identity management is a separate world from identity management behind the firewall but:
As more and more of the interactions with businesses are performed digitally, individuals will want to use a single identity with multiple organisations. They will want to manage their identity and control how that identity is used and how much information is exposed, dependent on the context of the interaction.
For organisations operating in a "business-to-consumer" context, it is important to pay close attention to ongoing developments and how enterprise identity management vendors plan to coexist.

Although neither announcement specifically calls out bridging these two worlds, they are both associated with ensuring a consistent desktop experience for individuals (and one which is applicable whether or not the individual is behind a corporate firewall) as they are authenticated by a variety of identity providers. This doesn't span the divide but it is an important plank in that bridge.

Following on from the Higgins Project and Bandit, yesterday saw the announcement of another, to my mind complementary, open source user-centric identity project: the Heraldry Identity Project proposal within the Apache Software Foundation. This is welcome news, given the objectives of bringing the world of lightweight URL/XRI-based identities to the desktop by combining the Yadis identity service discovery protocol with the OpenID single sign-on authentication protocol and developing a common desktop component. Being a user of LID (which is interoperable with OpenID and Yadis) and the VeriSign (whose David Recordon proposed the Heraldry project to Apache) Personal Identity Provider, I have first-hand experience of the need to hide the underlying mechanics and provide individuals with a consistent desktop experience - it is meant to be user-centric after all. What I find particularly encouraging is the desire to exploit OSIS, the potential open source implementation of Microsoft's CardSpace (formerly InfoCard), since this promises to ensure a consistent experience for individuals, irrespective of their desktop platform. Obviously, it is still very early stages for both Heraldry and OSIS (not least because the intellectual property issues need to be ironed out!) but this is a good start.

The second announcement - or more correctly news story - concerns Microsoft's plans to release a software development kit for the Windows Live ID service. Windows Live ID is the reincarnation of Passport, fulfilling the same authentication role for Microsoft's Live services as Passport did for the MSN services. Live ID goes beyond Passport, though, acknowledging the importance of federation and the need to work with CardSpace. With the SDK it will be possible for application developers to use the Live ID service within rich client applications, thereby allowing individuals who are already users of Live Messenger/Mail/Search ... to be authenticated without having a new set of user credentials. The sheer number of individuals using the various Live Services, together with Microsoft's foothold in the developer community, suggests that Live ID will become a significant identity provider.

Microsoft also plans to provide an SDK for service providers, the Relying Party Suite (RPS), to allow them to use the Live ID service. Given the past failure of Hailstorm, primarily because Microsoft had naively assumed that service providers would be prepared to relinquish control of their valuable customer data, I am not so sure that this SDK will prove as attractive.

Saturday, June 17, 2006

Finally, a new MWD podcast episode - SOA 2.0, and Bill Gates' retirement

In this 24'40" episode Neil WD embarks on a grumpy monologue about SOA 2.0 - explaining why the term is so counter-productive and why it leads people to a dangerous, myopic perspective of SOA.

Neil M manages to get a word in edgeways, and explains how service-orientation and event-driven processing are actually completely different types of design decision which shouldn't be conflated. (Thanks to Steve - I didn't explain it very well before!)

Jon Collins manfully tries to keep a rein on proceedings and largely succeeds.

Sorry it's taken us so long to get this most recent episode to you (it's three weeks or so since the last one...). We've just been crazily busy. We promise to try harder!

There's also a separate 6'22" postscript, sans Jon Collins due to a bit of a technical problem with our recording yesterday. In it Neil M explains why Bill Gates' planned retirement from Microsoft is largely only interesting as a symbol of the company's slow transition to a new technology strategy - rather than having a material impact on the company. Meanwhile Neil WD muses on what might make a good leaving present.

Download the audio for the main episode; or download the postscript. Here's the podcast feed if you want to subscribe.

