Seeking Alpha

Dana Gardner's  Instablog

Dana Gardner
Send Message
Dana Gardner is president and principal analyst at Interarbor Solutions (www.interarbor-solutions.com), an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software productivity trends and new IT business growth opportunities, honed his skills and... More
My company:
Interarbor Solutions, LLC
My blog:
Dana Gardner's BriefingsDirect
View Dana Gardner's Instablogs on:
  • Five Ways To Make Identity Management Work Best Across Hybrid Computing Environments

    Any modern business has been dealing with identity and access management (IAM) from day one. But now, with more critical elements of business extending beyond the enterprise, access control complexity has been ramping up due to cloud, mobile, bring your own device (BYOD), and hybrid computing.

    And such greater complexity forms a major deterrent to secure, governed, and managed control over who and what can access your data and services -- and under what circumstances.The next BriefingsDirect thought leader discussion then centers on learning new best practices for managing the rapidly changing needs around IAM.

    While cloud computing gets a lot of attention, those of us working with enterprises daily know that the vast majority of businesses are, and will remain, IT hybrids, a changing mixture of software as a service (SaaS), cloud, mobile, managed hosting models, and of course, on-premises IT systems.

    Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

    We're here with a Chief Technology Officer for a top IAM technology provider to gain a deeper understanding of the various ways to best deploy and control access management in this ongoing age of hybrid business.

    Here to explore five critical tenets of best managing the rapidly changing needs around identity and access management is Darran Rolls, Chief Technology Officer at SailPoint Technologies in Austin, Texas. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

    Here are some excerpts:

    Gardner: There must be some basic, bedrock principles that we can look to that will guide us as we're trying to better manage access and identity.

    Rolls: Absolutely, there are, and I think that will be a consistent topic of our conversation today. It's something that we like to think of as the core tenets of IAM. As you very eloquently pointed out in your introduction, this isn't anything new. We've been struggling with managing identity and security for some time. The changing IT environment is introducing new challenges, but the underlying principles of what we're trying to achieve have remained the same.

    http://www.sailpoint.com/about-us/executive-team/darran-rolls

    Rolls

    The idea of holistic management for identity is key. There's no question about that, and something that we'll come back to is this idea of the weakest link -- a very commonly understood security principle. As our environment expands with cloud, mobile, on-prem, and managed hosting, the idea of a weak point in any part of that environment is obviously a strategic flaw.

    As we like to say at SailPoint, it's an anywhere identify principle. That means all people -- employees, contractors, partners, customers, basically from any device, whether you're on a desktop, cloud, or mobile to anywhere. That includes on-prem enterprise apps, SaaS apps, and mobile. It's certainly our belief that for any IAM technology to be truly effective, it has to span all for all -- all access, all accounts, and all users; wherever they live in that hybrid runtime.

    Gardner: So we're in an environment now where we have to maintain those bedrock principles for true enterprise-caliber governance, security, and control, but we have a lot more moving parts. And we have a cavalcade of additional things you need to support, which to me, almost begs for those weak links to crop up.

    So how do you combine the two? How do you justify and reconcile these two realities -- secure and complex?

    Addressing the challenge

    Rolls: One way comes from how you address the problem and the challenge. Quite often, I'm asked if there's a compromise here. If I move my IAM to the cloud, will I still be able to sustain my controls and management and do risk mitigation, which is what we were trying to get to.

    My advice is if you're looking at an identity-as-a-service (IDaaS) solution that doesn't operate in terms of sustainable controls and risk mitigation, then stop, because controls and risk mitigation really are the core tenets of identity management. It's really important to start a conversation around IDaaS by quite clearly understanding what identity governance really is.

    This isn't an occasional, office-use application. This is critical security infrastructure. We very much have to remember that identity sits at the center of that security-management lifecycle, and at the center of the users' experience. So it's super important that we get it right.

    So in this respect, I like to think that IDaaS is more of a deployment option than any form of a compromise. There are a minimum set of table stakes that have to be in place. And, whether you're choosing to deploy an IDaaS solution or an on-prem offering, there should be no compromise in it.

    We have to respect the principles of global visibility and control, of consistency, and of user experience. Those things remain true for cloud and on-prem, so the song remains the same, so to speak. The IT environment has changed, and the IAM solutions are changing, but the principles remain the same.

    Gardner: I was speaking with some folks leading up to the recent Cloud Identity Summit, and more and more, people seem to be thinking that the IAM is the true extended enterprise management. It's more than just the identity in access, but across services and so essential for extended enterprise processes.

    Also, to your point, being more inclusive means that you need to have the best of all worlds. You need to be able to be doing IAM well on-premises, as well as in the cloud -- and not either/or.

    Rolls: Most of the organizations that I speak to these days are trying to manage a balance between being enterprise-ready -- so supporting controls and automation and access management for all applications, while being very forward looking, so also deploying that solution from the cloud for cost and agility reasons.

    For these organizations, choosing an IDaaS solution is not a compromise in risk mitigation, it's a conscious direction toward a more off-the-shelf approach to managing identity. Look, everyone has to address security and user access controls, and making a choice to do that as a service can't compromise your position on controls and risk mitigation.

    Gardner: I suppose the risk of going hybrid is that if you have somewhat of a distributed approach to your IAM capabilities, you'll lose that all-important single view of management. I'd like to hear more, as we get into these tenets, of how you can maintain that common control.

    You have put in some serious thought into making a logical set of five tenets that help people understand and deal with these changeable markets. So let's start going through those. Tell me about the first tenet, and then we can dive in and maybe even hear an example of where someone has done this right.

    Focusing on identity

    Rolls: Obviously it would be easy to draw 10 or 20, but we like to try and compress it. So there's probably always the potential for more. I wouldn't necessarily say these are in any specific order, but the first one is the idea of focusing on the identity and not the account.

    This one is pretty simple. Identities are people, not accounts in an on-line system. And something we learned early in the evolution of IAM was that in order to gain control, you have to understand the relationships between people -- identities, and their accounts, and between those accounts and the entitlements and data they give access, too.

    So this tenet really sits at the heart of the IAM value proposition -- it's all about understanding who has access to what, and what it really means to have that access. By focusing on the identity -- and capturing all of the relationships it has to accounts, to systems, and to data -- that helps map out the user security landscape and get a complete picture of how things are configured.

    Gardner: If I understand this correctly, all of us now have multiple accounts. Some of them overlap. Some of them are private. Some of them are more business-centric. As we get into the Internet of Things, we're going to have another end-point tier associated with a user, or an identity, and that might be sensors or machines. So it's important to maintain the identity focus, rather than the account focus. Did I get that right?

    Rolls: We see this today in classic on-prem infrastructure with system-shared and -privileged accounts. They are accounts that are operated by the system and not necessarily by an individual. What we advocate here, and what leads into the second tenet as well, is this idea of visibility. You have to have ownership and responsibility. You assign and align the system and functional accounts with people that can have responsibility.

    In the Internet of Things, I would by no means say that it's nothing new, because if nothing else, it's potentially a new order of scale. But it's functionally the same thing: Understanding the relationships.

    For example, I want to tie my Nest account back to myself or to some other individual, and I want to understand what it means to have that ownership. It really is just more of the same, and those principles that we have learned in enterprise IAM are going to play out big time when everything has an identity in the Internet of Things.

    Gardner: Any quick examples of tenet one, where we can identify that we're having that focus on the user, rather than the account, and it has benefited them?

    Rolls: For sure. The consequences of not understanding and accurately managing those identity and account relationships can be pretty significant. Unused and untracked accounts, something that we commonly refer to in the industry as "orphan accounts," often lead to security breaches. That's why, if you look at the average identity audit practice, it's very focused on controls for those orphan accounts.

    We also know for a fact, based on network forensic analysis that happens post-breach, that in many of the high-profile, large-scale security breaches that we've seen over the last two to five years, the back door is left open by an account that nobody owns or manages. It's just there. And if you go over to the dark side and look at how the bad guys construct vulnerabilities, first things they look for are these unmanaged accounts.

    So it's low-hanging fruit for IAM to better manage these accounts because the consequences can be fairly significant.

    Tenet two

    Gardner: Okay, tenet two. What's next on your priority list?

    Rolls: The next is two-fold. Visibility is king, and silos are bad. This is really two thoughts that are closely related.

    The first part is the idea that visibility is king, and this comes from the realization that you have to be able to capture, model, and visualize identity data before you have any chance of managing it. It's like the old saying that you can't manage what you can't measure.

    It's same thing for identity. You can't manage the access and security you don't see, and what you don't see is often what bites you. So this tenet is the idea that your IAM system absolutely must support this idea of rapid, read-only aggregation of account and entitlement information as a first step, so you can understanding the landscape.

    The second part is around the idea that silos of identity management can be really, really bad. A silo here is a standalone IAM application or what one might think of as a domain-specific IAM solution. These are things like an IDaaS offering that only does cloud apps or an Active Directory-only management solution, basically any IAM tool that creates a silo of process and data. This isolation goes against the idea of visibility and control that we just covered in the first tenant.

    You can't see the data if its hidden in a siloed system. It's isolated and doesn't give you the global view you need to manage all identity for all users. As a vendor, we see some real-world examples of this. SailPoint just replaced a legacy-provisioning solution at a large US based bank, for example, because the old system was only touching 12 of their core systems.

    The legacy IAM system the bank had was a silo managing just the Unix farm. It wasn't integrated and its data and use case wasn't shared. The customer needed a single place for their users to go to get access, and a single point of password control for their on-prem Unix farm, and for their cloud-based, front-end application. So today SailPoint's IdentityNow provides that single view for them, and things are working much better.

    Gardner: It also reminds me that we need to be conscious of supporting the legacy in the older systems, recognizing that they weren't designed necessarily for the reality we're in now. We also need to be flexible in the sense of being future-proof. So it's having visibility across your models that are shifting in terms of hybrid and cloud, but also visibility across the other application sets and platforms that were never created with this mixture of models that we are now supporting.

    Rolls: Exactly right. In education, we say "no child left behind." In identity, we say "no account left behind, and no system left behind." We also shouldn't forget there is a cost associated with maintaining those siloed IAM tools, too. If the system only supports cloud, or only supports on-prem, or managing identity for mobile, SaaS, or just one area of the enterprise -- there's cost. There's a real dollar cost for buying and maintaining the software, and probably more importantly, a soft cost in the end-user experience for the people that have to manage across those silos. So these IAM silos are not only preventing visibility and controls, but there is big cost here, a real dollar cost to the business, as well.

    Gardner: This gets closer to the idea of a common comprehensive view of all the data and all the different elements of what we are trying to manage. I think that's also important.

    Okay, number three. What are we looking at for your next tenet, and what are the ways that we can prevent any of that downside from it?

    Complete lifecycle

    Rolls: This tenet comes from the school of identity hard knocks, and is something I've learned from being in the IAM space for the past 20 or so years -- you have to manage the complete lifecycle for both the identity, and every account that the identity has access to.

    Our job in identity management, our "place" if you will in the security ecosystem, is to provide cradle-to-grave management for corporate account assets. It's our job to manage and govern the full lifecycle of the identity -- a lifecycle that you'll often hear referred to as JML, meaning Joiners, Movers and Leavers.

    As you might expect, when gaps appear in that JML lifecycle, really bad things start to happen. Users don't get the system access they need to get their jobs done, the wrong people get access to the wrong data and critical things get left behind when people leave.

    Maybe the wrong people get access to the wrong data. They're in the Move phase. Then things get left behind when people leave. You have to track the account through that JML lifecycle. I avoid using the term "cradle to grave," but that's really what it means.

    That's a very big issue for most companies that we talked to. It's captured in that lifecycle.

    Gardner: So it's not just orphan accounts, but it's inaccurate or outdated accounts that don't have the right and up-to-date information. Those can become back doors. Those can become weak links.

    It appears to me, Darran, that there's another element here in how our workplace is changing. We're seeing more and more of what they call "contingent workforces," where people will come in as contractors or third-party suppliers for a brief period of time, do a job, and get out.

    It's this lean, agile approach to business. This also requires a greater degree of granularity and fine control. Do you have any thoughts about how this new dynamic workforce is impacting this particular tenet?

    Rolls: It's certainly increasing the pressure on IT to understand and manage all of its population of users, whether they're short-term contractors or long-term employees. If they have access to an asset that the business owns, it's the business's fiduciary duty to manage the lifecycle for that worker.

    In general, worker populations are becoming more transient and work groups more dynamic. Even if it's not a new person joining the organization, we're creating and using more dynamic groups of people that need more dynamic systems access.

    It's becoming increasingly important for businesses today to be able to put together the access that people need quickly when a new project starts and then accurately take it away when the project finishes. And if we manage that dynamic access without a high degree of assured governance, the wrong people get to the wrong stuff, and valued things get left behind.

    Old account

    Quite often, people ask me if it would really matter when the odd account gets left behind, and my answer usually is: It certainly can. A textbook example of this when a sales guy leaves his old company, goes to join a competitor, and no one takes away his salesforce.com account. He's then spends the next six months dipping into his old company's contacts and leads because he still has access to the application in the cloud.

    This kind of stuff happens all the time. In fact, we recently replaced another IDaaS provider at a client on the West Coast, specifically because "the other vendor" -- who shall remain nameless -- only did just-in-time SAML provisioning, with no leaver-based de-provisioning. So customers really do understand this stuff and recognize the value. You have to support the full lifecycle for identity or bad things happen for the customer and the vendor.
    Gardner: All right. We were working our way through our tenets. We're now on number four. Is there a logical segue between three and four? How does four fit in?

    Rolls: Number four, for me, is all about consistency. It talks to the fact that we have to think of identity management in terms of consistency for all users, as we just said, from all devices and accessing all of our applications.

    Practically speaking, this means that whether you sit with your Windows desktop in the office, or you are working from an Android tablet back at the house, or maybe on your smartphone in a Starbucks drive-through, you can always access the applications that you need. And you can consistently and securely do something like a password reset, or maybe complete a quarterly user access certification task, before hitting the road back to the office.

    Consistency here means that you get the same basic user experience, and I use the term user experience here very deliberately, and the same level of identity service, wherever you are. It has become very, very important, particularly as we have introduced a variety of incoming devices, that we keep our IAM services consistent.

    Gardner: It strikes me that this consistency has to be implemented and enforced from the back-end infrastructure, rather than the device, because the devices are so changeable. We're even thinking about a whole new generation of devices soon, and perhaps even more biometrics, where the device becomes an entry point to services.

    Tell me a bit about the means by which consistency can take place. This isn't something you build into the device necessarily.

    Rolls: Yes, that consistency has to be implemented in the underlying service, as you've highlighted. It's very easy to think of consistency as just being in the IAM UI or just in the device display, but it really extends to the identity API as well. A very good example to explore this concept of consistency of the API, is to think like a corporate application developer and consider how they look at consistency for IAM, too.

    Assume our corporate application developer is developing an app that needs to carry out a password reset, or maybe it needs to do something with an identity profile. Does that developer write a provisioning connector themselves? Or should they implement a password reset in their own custom code?

    The answer is, no, they don't roll their own. Instead they should make use of the consistent API-level services that the IAM platform provides -- they make calls to the IDaaS service. The IDaaS service is then responsible for doing the actual password reset using consistent policies, consistent controls, and a consistent level of business service. So, as I say, its about consistency for all use cases, from all devices, accessing all applications.

    Thinking about consistency

    Gardner: And even as we think about the back-end services support, that itself also needs to extend to on-prem legacy, and also to cloud and SaaS. So we're really thinking about consistency deep and wide.

    Rolls: Precisely, and if we don't think about consistency for identity as a services, we're never going to have control. And importantly, we're never going to reduce the cost of managing all this stuff, and we're never going to lower the true risk profile for the business.

    Gardner: We're coming up or our last tenet, number five. We haven't talked too much about the behavior, the buy-in. You can lead a horse to water, but you can't make him drink. This, of course, has an impact on how we enforce consistency across all these devices, as well as the service model. So what do we need to do to get user buy-in? How does number five affect that?

    Rolls: Number five, for me, is the idea that the end-user experience for identity is everything. Once upon a time, the only user for identity management was IT itself and identity was an IT tool for IT practitioners. It was mainly used by the help desk and by IT pros to automate identity and access controls. Fortunately, things have changes a lot since then, both in the identity infrastructure and, very importantly, in the end users' expectations.

    Today, IAM really sits front and center for the business users IT experience. When we think of something like single sign-on (NYSEARCA:SSO), it literally is the front door to the applications and the services that the business is running. When a line-of-business person sits down at an application, they're just expecting seamless access via secured single sing-on. The expectation is that they can just quickly and easily get access to the things they need to get their job done.

    They also expect identity-management services, like password management, access request, and provisioning to be integrated, intuitive, and easy to use. So the way these identity services are delivered in the user experience is very important.

    Pretty much everything is self-service these days. The expectation is to move the business user to self-service for pretty much everything, and that very much includes Identity Management as a Service (IDaaS) as well. So the UI just has to be done right and the overall users' experience has to be consistent, seamless, intuitive, and just easy to deal with. That's how we get buy-in for identity today, by making the identity management services themselves easy to use, intuitive, and accessible to all.

    Gardner: And isn't this the same as saying making the governance infrastructure invisible to the end user? In order to do that, you need to extend across all the devices, all the deployment models, and the APIs, as well as the legacy systems. Do you agree that we're talking about making it invisible, but we can't do that unless you're following the previous four tenets?

    Rolls: Exactly. There's been a lot of industry conversation around this idea of identity being part of the application and the users' flow, and that's very true. Some large enterprises do have their own user-access portals, specific places that you go to carry out identity-related activities, so we need integration there. On the other hand, if I'm sitting here talking to you and I want to reset my Active Directory password, I just want to pick up my iPhone and do it right there, and that means secure identity API's.

    We talked a good amount about the business user experience. It is very important to realize that it's not just about the end-user and the UI. It also affects how the IDaaS service itself is configured, deployed, and managed over time. This means the user experience for the system owner, be that someone in IT or in the line of business -- it doesn't really matter who -- has to be consistent and easy to use and has to lead to easier configuration, faster deployment, and faster time-to-value. We do that by making sure that the administration interface and the API's that support it are consistent and generally well thought out, too.

    Intersect between tenets

    Gardner: I can tell, Darran, that you've put an awful lot of thought into these tenets. You've created them with some order, even though they're equally important. This must be also part of how you set about your requirements for your own products at SailPoint.

    Tell me about the intersect between these tenets, the marketplace, and what SailPoint is bringing in order to ameliorate the issues that the problem side of these tenets identify, but also the solution side, in terms of how to do things well.

    Rolls: You would expect every business to say these words, but they have great meaning for us. We're very, very customer focused at SailPoint. We're very engaged with our customers and our prospects. We're continually listening to the market and to what the buying customer wants. That's the outside-in part of the of the product requirements story, basically building solutions to real customer problems.

    Internally, we have a long history in identity management at SailPoint. That shows itself in how we construct the products and how we think about the architecture and the integration between pieces of the product. That's the inside-out part of the product requirements process, building innovative products that solutions that work well over time.

    So I guess that all really comes down to good internal product management practices. Our product team has worked together for a considerable time across several companies. So that's to be expected. It's fair to say that SailPoint is considered by many in the industry as the thought leader on identity governance and administration. We now work with some of the largest and most trusted brand names in the world, helping them provide the right IAM infrastructure. So I think we're getting it right.

    As SailPoint has strategically moved into the IDaaS space, we've brought with us a level of trust, a breadth of experience, and a depth of IAM knowledge that shows itself in how we use and apply these tenets of identity in the products and the solutions that we put together for our customers.

    Gardner: Now, we talked about the importance of being legacy-sensitive, focusing on what the enterprise is and has been and not just what it might be, but I'd like to think a little bit about the future-proofing aspects of what we have been discussing.

    Things are still changing and, as we said, there are new generations of mobile devices, more biometrics perhaps doing away with passwords and identifying ourselves through the device that then needs to filter back throughout the entire lifecycle of IAM implications and end points.

    So when you do this well, if you follow the five tenets, if you think about them and employ the right infrastructure to support governance in IAM for both the old and the new, how does that set you up to take advantage of some of the newer things? Maybe it's big data, maybe it's hybrid cloud, or maybe it's agile business.

    It seems to me that there's a virtuous adoption benefit that when you do IAM well.

    Changes in technologies

    Rolls: As you've highlighted, there are lots of new technologies out there that are effecting change in corporate infrastructure. In itself, that change isn't new. I came into IT with the advent of distributed systems. We were going to replace every mainframe. Mainframes were supposed to be dead, and it's kind of interesting that they're still here.

    So infrastructure change is most definitely accelerating, and the options available for the average IT business these days -- cloud, SaaS and on-prem -- are all blending together. That said, when you look below the applications, and look at the identity infrastructure, many things remain the same. Consider a SaaS app like Salesforce.com. Yes, it's a 100 percent SaaS cloud application, but it still has an account for every user.

    I can provide you with SSO to your account using SAML, but your account still has fine-grained entitlements that need to be provisioned and governed. That hasn't changed. All of the new generation of cloud and SaaS applications require IAM. Identity is at the center of the application and it has to be managed. If you adopt a mature and holistic approach to that management you are in good stead.

    Another great example are the mobile device management (NASDAQ:MDM) platforms out there -- a new piece of management infrastructure that has come about to manage mobile endpoints. The MDM platforms themselves have identity control interfaces. Its our job in IAM to connect with these platforms and provide control over what's happening to identity on the endpoint device, too.

    Our job in identity is to manage identity lifecycles where ever they sit in the infrastructure. If you're not on board, you'd better get on board, because the challenges for identity are certainly not going away.

    Interestingly, I'm sometimes challenged when I make a statement like that. I'll often get the reply that "with SAML single sign-on, the the passwords go away so the account management problem goes away, right?" The answer is that no, they don't. They're still accounts in the application infrastructure. So good best practice identity and access management will remain key as we keep moving forward.

    Gardner: And of course as you pointed out earlier, we can expect the scale of what's going to be involved here to only get much greater.

    Rolls: Yes, 100 percent. Scale is key to architectural thinking when you build a solution today, and we're really only just starting to touch where scale is going to go.

    It's very important to us at SailPoint, when we build our solutions, that the product we deliver understands the scale of business today and the scale that is to come. That affects how we design and integrate the solutions, it affects how they are configured and how they are deployed. It's imperative to think scale -- that's certainly something we do.

    Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: SailPoint Technologies.

    You may also be interested in:
    Oct 29 11:08 AM | Link | Comment!
  • Large Russian Bank, Otkritie Bank, Turns To Big Data Analysis To Provide Real-Time Financial Insights

    The next BriefingsDirect deep-dive big data benefits case study interview explores how Moscow-based Otkritie Bank, one of the largest private financial services groups in Russia, has built out a business intelligence (BI) capability for wholly new business activity monitoring (NYSE:BAM) benefits.

    The use of HP Vertica as a big data core to the BAM infrastructure provides Otkritie Bank improved nationwide analytics and a competitive advantage through better decision-making based on commonly accepted best information that's updated in near real-time.

    Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

    To learn more about Otkritie Bank's drive for improved instant analytics, BriefingsDirect sat down with Alexei Blagirev, Chief Data Officer at Otkritie Bank, at the recent HP Big Data 2014 Conference in Boston. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

    Here are some excerpts:

    Gardner: Tell us about your choice for BI platforms.

    Blagirev: Otkritie Bank is a member of the Open Financial Corporation (now Otkritie Financial Corporation Bank), which is one of the largest private financial services groups in Russia. The reason we selected HP Vertica was that we tried to establish a data warehouse that could provide operational data storage and could also be an analytical OLAP solution.

    Blagirev

    It was a very hard decision. We tried to refer to the past experience from our team, from my side, etc. Everyone had some negative experience with different solutions like Oracle, because there was a big constraint.

    We cannot integrate operational data storage and OLAP solutions. Why? Because there should be high transactional data put in the data warehouse (DWH), which in every case, was usually the biggest constraint to build high-transactional data storage.

    Vertica was a very good solution that removed this constraint. While selecting Vertica, we were also evaluating different solutions like IBM. We identified advantages of Vertica against IBM from two different perspectives.

    One was performance. The second was that Vertica is cost-efficient. Since we were comparing Netezza (now part of IBM), we were comparing not only software, but also software plus hardware. You can't build a cluster of Netezza custom-size. You can only build it with 32 terabytes, and so on.

    Very efficient

    We were also limited by the logistics of these buildings blocks, the so-called big green box of Netezza. In terms of Vertica, it's really efficient, because we can use any hardware.

    So we calculated our total cost of ownership (NYSE:TCO) on a horizon of five years, and it was lower than if we built the data warehouse with different solutions. This was the reason we selected Vertica.

    Fully experience the HP Vertica analytics platform

    Get the free HP Vertica Community Edition

    Become a members of myVertica.

    From the technical perspective and from the cost-efficient perspective, there was a big difference in the business case. Our bank is not a classical bank in the Russian market, because in our bank the technology team leads the innovation, and the technology team is actually the influence-maker inside the business.

    So, the business was with us when we proposed the new data warehouse. We proposed to build the new solution to collect all data from the whole of Russia and to organize via a so-called continuous load. This means that within the day, we can show all the data, what's going on with the business operations, from all line of business inside all of Russia. It sounds great.

    When we were selecting HP Vertica, we selected not only Vertica, but the technical bundle. We also hosted the Replicator. We chose Oracle GoldenGate.

    We selected the appropriate ETL tool, and the BI front end. So all together, it was a technical bundle, where Vertica was the middleware technical solution. So far, we have build a near-real-time DWH, but we don't call it near-real-time; we call it "just-in-time, because we want to be congruent with the decision-making process. We want to influence the business to let them think more about their decisions and about their business processes.

    As of now, I can show all data collected and put inside the DWH within 15 minutes and show the first general process in the bank, the process of the loan application. I can show the number of created applications, plus online scoring and show how many customers we have at that moment in each region, the amounts, the average check, the approval rate, and the booking rate. I can show it to the management the same day, which is absolutely amazing.

    The tricky part is what the business will do with this data. It's tricky, because the business was not ready for this. The business was actually expecting that they could run a script, go to the kitchen, make a coffee, and then come back.

    But, boom, everything appears really quickly, and it's actually influencing the business to make decisions, to think more, and to think fast. This, I believe, is the biggest challenge, to grow business analytics inside the business for those who will be able to use this data.

    As of now, we are setting the pilot stage, the pilot phase of what we call business activity monitoring (BAM). This is actually a funny story, because this is the same term referenced in Russia to Baikal-Amur Mainline (BAM), a huge railroad across the whole country that connects all the cities. It's kind of our story, too; we connect all departments and show the data in near real-time.

    Next phase

    In this case, we're actually working on the next phase of BAM, and we're trying to synchronize the methodology across all products, across all departments, which is very hard. For example, approval rates could be calculated differently for the credit cards or for the cash loans because of the process.

    Since we're trying to establish a BI function almost from ground zero, HP Vertica is only the technical side. We need to think more about the educational side, and we need to think about the framework side. The general framework that we're trying to follow, since we're trying to build a BI function, is a United Business Glossary (or accepted services directory), first of all.

    It's obvious to use Business Glossary and to use a single term to refer to the same entity everywhere. But it is not happening as of now, because the business unit is still trying to use different definitions. I think it's a common problem everywhere in the business.

    The second is to explain that there are two different types of BI tools. One is BI for the data mart, a so-called regular report. Another tool is a data discovery tool. It's the tool for the data lab (i.e. mining tool).

    Fully experience the HP Vertica analytics platform

    Get the free HP Vertica Community Edition

    Become a members of myVertica.

    So we differentiate data lab from data mart. Why? Because we're trying to build a service-oriented model, which in the end produces analytical services, based on the functional map.

    When you're trying to answer the question using some analytics, actually it is a regular question, this is tricky. All the questions that are raised by the business, by any business analyst, are regular questions; they are fundamental.

    The correct way to develop an analytical service is to collect all these questions into kind of a question library. You can call it a functional map and such, but these questions, define the analytical service for those functions.

    For example, if you're trying to produce cost control, what kind of business questions do you want to answer? What kind of business analytics or metrics do you want to bring to the end-users? Is this really mapped to the question raised, or you are trying to present different analytics? As of now, we feel it's difficult to present this approach. And this is the first part.

    The second part is a data lab for ad hoc data discovery. When, for example, you're trying to produce a marketing campaign for the customers, trying to produce customer segments, trying to analyze some great scoring methodology, or trying to validate scientific expectations, you need to produce some research.

    It's not a regular activity. It's more ad hoc analysis, and it will use different tools for BI. You can't combine all the tools and call it a universal BI tool, because it doesn't work this way. You need to have a different tool for this.

    Creating a constraint

    This will create a constraint for the business users, because they need some education. In the end, they need to know many different BI tools.

    This is a key constraint that we have now, because end-users are more satisfied to work with Excel, which is great. I think it's the most popular BI data discovery tool in the world, but it has its own constraints.

    I love Microsoft. Everyone loves Microsoft, but there are different beautiful tools like TIBCO Spotfire, for example, which combines MATLAB, R, and so on. You can input models of SAS and so on. You can also write the scripts inside it. This is a brilliant data discovery tool.

    But try to teach this tool to your business analyst. In the beginning, it's hard, because it's like a J curve. They will work through the valley of despair, criticizing it. "Oh my God, what are you trying to create, because this is a mess from my perspective?" And I agree with them in the beginning, but they need to go through this valley of despair, because in the end, there will be really good stuff. This is because of the cultural influence.

    Gardner: Tell me, Alexei, what sort of benefits have you been able to demonstrate to your banking officials, since you've been able to get this near real-time, or just-in-time analytics -- other than the fact that you're giving them reports? Are there other paybacks in terms of business metrics of success?

    Blagirev: First of all, we differentiate our stakeholders. We have top management stakeholders, which is the board. There are the middle-level stakeholders, which are our regional directors.

    I'll start from the bottom, and the regional directors. They just open the dashboard. They don't click anything or refresh. They just see that they have data and analytics, what's going on in their region.

    They don't care about the methodology, because there is BAM, and they just use figures for decision making. You don't think about how it got there, but you think about what to do with these figures. You focus more on your decision, which is good.

    They start to think more on their decision and they start to think more on the processing side. We may show, for example, that at 12 o'clock our stream of cash loan applications went down. Why? I have no idea. Maybe they all went out for dinner. I don't know.

    But nobody says that. They say, "Alexei, something is happening." They see true figures and they know they are true figures. They have instruments to exercise operational excellence. This is the first benefit.

    Top management

    The second, is top management. We had a management board where everyone came and showed different figures. We'd spend 30 minutes, or maybe hour, just debating which figures were true. I think this is a common situation in Russian banks, and maybe not only banks.

    Now, we can just open the report, and I say, "This is a single report, because it shows intra-day figures and shows this metrics, it was calculated according to methodology." We actually linked the time of calculation, which shows that this KPI, for example, was calculated at 12 o'clock. You can take figures at 12 o'clock, and if you don't believe them, you can ask the auditors to repeat calculation, and it will be the same way.

    Nobody cares about how to calculate the figures. So they started to think about what methodology to apply to the business process. Actually, this is reverse of the focus from the outside, focusing on what's going on with our business process. This is the second benefit.

    Gardner: Any other advice that you would give to organizations who are beginning a process toward BI?

    Blagirev: First of all, don't be afraid to make mistakes. It's a big thing, and we all forget that, but don't be afraid. Second, try to create your own vision of strategy for at least one year.

    Third, try to disclose all your company and software vision, because HP Vertica or other BI tools are only a part. Try to see all the company's lines, all information, because this is important. You need to understand where the value is, where is the shareholder value is lost, or are you creating the value for the shareholder. If the answer is, yes, don't be afraid to protect your decision and your strategy, because otherwise in the end, there will be problems. Believe me.

    As Gandhi mentioned, in the beginning everyone laughs, then they begin hating you, and in the end, you win.

    Gardner: With your business activity monitoring, you've been able to change business processes, influence the operations, and maybe even the culture of the organization, focusing on the now and then the next set of processes. Doesn't this give you a competitive advantage over organizations that don't do this?

    Blagirev: For sure. Actually, this gives a competitive advantage, but this competitive advantage depends on the decision that you're making. This actually depends on everyone in the organization.

    Understanding this brings a new value to the business, but this depends on the final decision from people who sit in the position. Now, those people understand. They're actually handling the business and they see how they're handling the business.

    Fully experience the HP Vertica analytics platform

    Get the free HP Vertica Community Edition

    Become a members of myVertica.

    I can compare the solution to other banks. I have been working for Société Générale and for the Alfa-Bank, which is the largest bank in Russia. I've been the auditor of financial services in PwC. I saw the different reporting and different processes, and I can say that this solution is actually unique in the market.

    Why? It shows congruent information in near real-time, inside the day, for all the data, for the whole of Russia. Of course, it brings benefit, but you need to understand how to use it. If you don't understand how to use this benefit, it's going to be just a technical thing.

    Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

    You may also be interested in:

    Oct 24 7:10 PM | Link | Comment!
  • MIT Media Lab Computing Director Details The Virtues Of Cloud For Agility And Disaster Recovery

    The next BriefingsDirect innovator case study interview focuses on the MIT Media Lab in Cambridge, Mass., and how they're exploring the use of cloud and hybrid cloud to enjoy such use benefits as IT speed, agility and robust, three-tier disaster recovery (DR).

    Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

    To learn more about how the MIT Media Lab is exploiting cloud computing, we're joined by Michail Bletsas, research scientist and Director of Computing at the MIT Media Lab. The discussion, at the recent VMworld 2014 Conference in San Francisco, is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

    Here are some excerpts:

    Gardner: Tell us about the MIT Media Lab and how it manages its own compute requirements.

    Bletsas: The organization is one of the many independent research labs within MIT. MIT is organized in departments, which do the academic teaching, and research labs, which carry out the research.

    http://web.media.mit.edu/~mbletsas/

    Bletsas

    The Media Lab is a unique place within MIT. We deviate from the normal academic research lab in the sense that a lot of our funding comes from member companies, and it comes in a non-direct fashion. Companies become members of the lab, and then we get the freedom to do whatever we think is best.

    We try to explore the future. We try to look at what our digital life will look like 10 years out, or more. We're not an applied research lab in the sense that we're not looking at what's going to happen two or three years from now. We're not looking at short-term future products. We're looking at major changes 15 years out.

    I run the group that takes care of the computing infrastructure for the lab and, unlike a normal IT department, we're kind of heavy on computing. We use computers as our medium. The Media Lab is all about human expression, which is the reason for the name and computers are one of the main means of expression right now. We're much heavier than other departments in how many devices you're going to see. We're on a pretty complex network and we run a very dynamic environment.

    Major piece

    A lot has changed in our environment in recent years. I've been there for almost 20 years. We started with very exotic stuff. These days, you still build exotic stuff, but you're using commodity components. VMware, for us, is a major piece of this strategy because it allows us a more efficient utilization of our resources and allows us to control a little bit the server proliferation that we experienced and that everybody has experienced.

    We normally have about 350 people in the lab, distributed among staff, faculty members, graduate students, and undergraduate students, as well as affiliates from the various member companies. There is usually a one-to-five correspondence between virtual machines (VMs), physical computers, and devices, but there are at least 5 to 10 IPs per person on our network. You can imagine that having a platform that allows us to easily deploy resources in a very dynamic and quick fashion is very important to us.

    We run a relatively small operation for the size of the scope of our domain. What's very important to us is to have tools that allow us to perform advanced functions with a relatively short learning curve. We don't like long learning curves, because we just don't have the resources and we just do too many things.

    You are going to see functionality in our group that is usually only present in groups that are 10 times our size. Each person has to do too many things, and we like to focus on technologies that allow us to perform very advanced functions with little learning. I think we've been pretty successful with that.

    Gardner: How have you created a data center that's responsive, but also protects your property?

    Bletsas: Unlike most people, we tend to have our resources concentrated close to us. We really need to interact with our infrastructure on a much shorter cycle than the average operation. We've been fortunate enough that we have multiple, small data centers concentrated close to where our researchers are. Having something on the other side of the city, the state, or the country doesn't really work in an environment that's as dynamic as we are.

    We also have to support a much larger community that consists of our alumni or collaborators. If you look at our user database right now, it's something in the order of 3,500, as opposed to 350. It's a very dynamic in that it changes month to month. The important attributes of an environment like this is that we can't have too many restrictions. We don't have an approved list of equipment like you see in a normal corporate IT environment.

    Our modus operandi is that if you bring it to us, we'll make it work. If you need to use a specific piece of equipment in your research, we'll try to figure out how to integrate it into your workflow and into what we have in there. We don't tell people what to use. We just help them use whatever they bring to us.

    In that respect, we need a flexible virtualization platform that doesn't impose too many restrictions on what operating systems you use or what the configuration of the VMs are. That's why we find that solutions, like general public cloud, for us are only applicable to a small part of our research. Pretty much every VM that we run is different than the one next to it.

    Flexibility is very important to us. Having a robust platform is very, very important, because you have too many parameters changing and very little control of what's going on. Most importantly, we need a very solid, consistent management interface to that. For us, that's one of the main benefits of the vSphere VMware environment that we're on.

    Public or hybrid

    Gardner: What about taking advantage of cloud, public cloud, and hybrid cloud to some degree, perhaps for disaster recovery (DR) or for backup failover. What's the rationale, even in your unique situation, for using a public or hybrid cloud?

    Bletsas: We use hybrid cloud right now that's three-tiered. MIT has a very large campus. It has extensive digital infrastructure running our operations across the board. We also have facilities that are either all the way across campus or across the river in a large co-location facility in downtown Boston and we take advantage of that for first-level DR.

    A solution like the vCloud Air allows us to look at a real disaster scenario, where something really catastrophic happens at the campus, and we use it to keep certain critical databases, including all the access tools around them, in a farther-away location.

    It's a second level for us. We have our own VMware infrastructure and then we can migrate loads to our central organization. They're a much larger organization that takes care of all the administrative computing and general infrastructure at MIT at their own data centers across campus. We can also go a few states away to vCloud Air [and migrate our workloads there in an eme

    So it's a very seamless transition using the same tools. The important attribute here is that, if you have an operation that small, 10 people having to deal with such a complex set of resources, you can't do that unless you have a consistent user interface that allows you to migrate those workloads using tools that you already know and you're familiar with.

    We couldn't do it with another solution, because the learning curve would be too hard. We know that remote events are remote, until they happen, and sometimes they do. This gives us, with minimum effort, the ability to deal with that eventuality without having to invest too much in learning a whole set of tools, a whole set of new APIs to be able to migrate.

    We use public cloud services also. We use spot instances if we need a high compute load and for very specialized projects. But usually we don't put persistent loads or critical loads on resources over which we don't have much control. We like to exert as much control as possible.

    Gardner: It sounds like you're essentially taking metadata and configuration data, the things that will be important to spin back up an operation should there be some unfortunate occurrence, and putting that into that public cloud, the vCloud Air public cloud. Perhaps it's DR-as-a-service, but only a slice of DR, not the entire data. Is that correct?

    Small set of databases

    Bletsas: Yes. Not the entire organization. We run our operations out of a small set of databases that tend to drive a lot of our websites. A lot of our internal systems drive our CRM operation. They drive our events management. And there is a lot of knowledge embedded in those databases.

    It's lucky for us, because we're not such a big operation. We're relatively small, so you can include everything, including all the methods and the programs that you need to access and manipulate that data within a small set of VMs. You don't normally use them out of those VMs, but you can keep them packaged in a way that in a DR scenario, you can easily get access to them.

    Fortunately, we've been doing that for a very long time because we started having them as complete containers. As the systems scaled out, we tended to migrate certain functions, but we kept the basic functionality together just in case we have to recover from something.

    In the older days, we didn't have that multi-tiered cloud in place. All we had was backups in remote data centers. If something happened, you had to go in there and find out some unused hardware that was similar to what you had, restore your backup, etc.

    Now, because most of MIT's administrative systems run under VMware virtualization, finding that capacity is a very simple proposition in a data center across campus. With vCloud Air, we can find that capacity in a data center across the state or somewhere else.

    Gardner: For organizations that are intrigued by this tiered approach to DR, did you decide which part of those tiers would go in which place? Did you do that manually? Is there a part of the management infrastructure in the VMware suite that allowed you to do that? How did you slice and dice the tiers for this proposition of vCloud Air holding a certain part of the data?

    Bletsas: We are fortunate enough to have a very good, intimate knowledge of our environment. We know where each piece lies. That's the benefit of running a small organization. We occasionally use vSphere's monitoring infrastructure. Sometimes it reveals to us certain usage patterns that we were not aware of. That's one of the main benefits that we found there.

    We realized that certain databases were used more than we thought. Just looking at those access patterns told us, "Look, maybe you should replicate this." It doesn't cost much to replicate this across campus and then maybe we should look into pushing it even further out.

    It is a combination of having a visibility and nice dashboards that reveal patterns of activity that you might not be aware of even in an environment that's not as large as ours.

    Gardner: At VMworld 2014, there was quite a bit of news, particularly in the vCloud Air arena. What intrigues you?

    Standard building blocks

    Bletsas: We like the move toward standardization of building blocks. That's a good thing overall, because it allows you to scale out relatively quickly with a minor investment in learning a new system. That's the most important trend out there for us. As I've said, we're a small operation. We need to standardize as much as possible, while at the same time, expanding the spectrum of services. So how do you do that? It's not a very clear proposition.

    The other thing that is of great interest to us is network virtualization. MIT is in a very peculiar situation compared to the rest of the world, in the sense that we have no shortage of IP addresses. Unlike most corporations where they expose a very small sliver of their systems to the outside world and everything happens on the back-end, our systems are mostly exposed out there to the public internet.

    We don't run very extensive firewalls. We're a knowledge dissemination and distribution organization and we don't have many things to hide. We operate in a different way than most corporations. That shows also with networking. Our network looks like nothing like what you see in the corporate world. The ability to move whole sets of IPs around our domain, which is rather large and we have full control over, is a very important thing for us.

    It allows for much faster DR. We can do DR using the same IPs across the town right now because our domain of control is large enough. That is very powerful because you can do very quick and simple DR without having to reprogram IP, DNS Servers, load balancers, and things like that. That is important.

    The other trend that is also important is storage virtualization and storage tiering and you see that with all the vendors down in the exhibit space. Again, it allows you to match the application profile much easier to what resources you have. For a rather small group like ours, which can't afford to have all of its disk storage and very high-end systems, having a little bit of expensive flash storage, and then a lot of cheap storage, is the way for us to go.

    The layers that have been recently added to VMware, both on the network side and the storage side help us achieve that in a very cost-efficient way.

    For us, experimentation is the most important thing. Spinning out a large number of VMs to do a specific experiment is very valuable and being able to commandeer resources across campus and across data centers is a necessary requirement for something like an environment like this. Flexibility is what we get out of that and agility and speed of operations.

    In the older days, you had to go and procure hardware and switch hardware around. Now, we rarely go into our data centers. We used to live in our data centers. We go there from time to time but not as often as we used to do, and that's very liberating. It's also very liberating for people like me because it allows me to do my work anywhere.

    Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: VMware.

    You may also be interested in:

    Oct 07 4:30 PM | Link | Comment!
Full index of posts »
Latest Followers

StockTalks

More »
Posts by Themes
Instablogs are Seeking Alpha's free blogging platform customized for finance, with instant set up and exposure to millions of readers interested in the financial markets. Publish your own instablog in minutes.