Posted 9:59 PM (2) comments

Oracle-Sun merger: a gathering of opinion

When I heard about Oracle's purchase of Sun, I started contacting those I know in IdM - vendors, consultants, and users - to gather their opinion on what it means both to the industry and to those who use the products. Here's what some people had to say:

I think [this] is a positive change, Sun was suffering from a lack of direction, and Oracle is probably going to get things straight.

Regarding the market, in the software arena is where things are going to be interesting:
MySQL is going to die.
In the identity space I think Oracle products are going to win, that probably means that OpenSSO, glassfish etc are going to suffer a slow death (I am not sure about the dedication of Oracle to OpenSource). I still think that the Directory is going to be the only part of sun that has a potential to live.
This sets an interesting landscape in which those employees that are fired (or made redundant :) ) as they might take the OpenSource code and spin off a company that makes a living out of that (something along the lines of unboundID).

Regarding Symlabs as a company I do not expect to see major changes, as the clients that prefer Oracle are going to prefer Sun, it also means that the VDS from Sun is never going to see the light (OVD is a good product).
In the federation space the oracle product would probably stay and we have always had a good relationship with oracle (from our IGF collaboration).

- Antonio Navarro, Symlabs
My view: The directory will survive. Everything else is suspect (including Open SSO).

- Mike Neuenschwander, MyCroft
1. Larry Ellison wants an operating system so that he can pee with the Big
Guys. And hey, what's a few billion more or less?

2. Larry is just about the uncoolest person in the world a far as the open
source community goes. And HE is going to own Java? Give me a break!

- Tim Cole, Kuppinger-Cole
In the identity management space, Sun and Oracle are direct competitors and Oracle will likely want to consolidate products.

1. Directory: Oracle’s OID is core to Oracle’s platform, as it uses the database as a back end. On the other hand, Sun’s directory server is much more widely deployed, despite some reliability problems. Hitachi ID predicts that Oracle will add the ability to use an Oracle database as a back end to Sun’s directory server and use the resulting software to replace OID.

2. User provisioning: Architecturally, Sun’s identity manager product (Waveset acquisition) has serious performance and scalability problems, since it keeps a significant amount of user profile data in a complex XML object stored in each user’s LDAP directory object. As a result, Oracle will will likely ask Sun IDM customers to upgrade to Oracle’s product (Thor acquisition). Sun IdM customers will not accept an upgrade option unless the new product has all of the same functionality and there is a reasonably automated migration process. This means that Oracle will have to spend a significant amount of time and product engineering effort to:

• (a) Find the functional and integration gap between the Sun and Oracle user provisioning products.
• (b) Close the gap so that the Oracle (formerly Thor) product covers 100% of the capabilities of the Sun product.
• (c) Develop a migration program to help customers move from the Sun to the Oracle product.This process will likely take 1–2 years and consume most of Oracle’s IdM product engineering bandwidth, effectively ruling out any major improvements in either product during that time.

3. Role management: Sun’s acquisition of Vaau was mostly intended to impress influencers such as analysts and press. Hitachi ID’s evaluation of Vaau convinced us that the Vaau product was totally unworkable (we could not get it to even load a real-world data set from a mid-sized company). It follows that this product will be replaced by Oracle’s role manager (Bridgestream acquisition).

4. Web access management: Sun has had no luck selling its WebAM/WebSSO product, and has consequently open sourced it. As an open source (and importantly: no license fee) product, this product has quickly improved both in quality and market acceptance.
Oracle’s acquisition in this space (Oblix) has reasonable market share and is architecturally robust. Oracle will likely be forced to maintain both products – one commercial and one free – going forward.

5. Federation: Neither Oracle nor Sun seem to have a large market share for their federation technologies, so this space remains open to strategic changes. Hitachi ID does not have any special insight about where this market segment will wind up, though the volatility in the market may well create an opening for the user-centric and claims-based technology being developed by Microsoft.

- Idan Shoham Hitachi ID Systems, Inc.
Huge layoffs at Sun--more than already anticipated (5-6K),

Huge change of culture at Sun,

Huge psychic impact on IT domain

* mega-consolidations, not just M&As

* concern for independence of JAVA, Open Source OSs, MySQL (this more so because of Oracle's db)

* hegemony of Oracle within world-class db farms


Oracle may be a better fit for Sun [than IBM]-- (Solaris/Sun platform, Oracle Fusion)

* Intensive use of Java by Oracle

* Oracle does not have IBM's data-storage model/infrastructure

* Oracle may not be anywhere near as stifling as IBM to Sun's innovation model

* Sun still has truck loads of talent that could be leveraged by Oracle

Christopher Paidhrin, IT Security Officer, ACS Healthcare Solutions
I think it will significantly strengthen Oracle's position in the identity space. They will be a strong player. Sun started Liberty, and now Oracle is driving it.

Dick Hardt, Sxipper (and Microsoft).
[B]etween the two companies they have a glut of products that will need rationalization. It's practically the whole stack from directory up to role management and beyond. A clear roadmap of product rationalization will be needed quickly in order to prevent customer chaos. No matter what, there are products that will have to go. This is an opportunity for the other vendors like IBM, Microsoft and Quest to step in during the turmoil. This really goes to show that no bet - established suite vendor or otherwise - is necessarily a safe bet!

Jackson Shaw, Quest
Consolidating the identity management market further was undoubtedly not one of the top 5 reasons that Oracle acquired Sun but this will definitely be one of the many ripples that occur from this deal. Clearly there is significant product overlap, so there is probably going to be a period of anxiety for both Oracle and Sun identity management customers regarding which product from the Sun or Oracle portfolio wins out in the end when the merged product roadmap is finally announced.

- Tom Kemp, Centrify
This move represents further consolidation in the Identity and Access Management (IAM) market. While they were once a leader in the IAM space, recently Sun has struggled to maintain its momentum and market share. This has been due, in part, to Sun's focus on re-stabilizing their server business, instead of focusing on their IAM technologies. After recently shopping themselves around for acquisition by other major technology players like IBM and Cisco, the Oracle acquisition calls into question the future viability of Sun's IAM product line. Oracle has its own IAM suite that is well positioned in the market with 5.1 percent market share compared to Sun's 1.4 percent market share.

- Jay Roxe, Director of Product Marketing, Novell
It's safe money that there will be a period of both uncertainty and difficulty as both Oracle and Oracle/Sun customers rationalize their environments and offerings. For companies looking to make a decision, should they buy & deploy a stack now and hope their efforts are not scrapped by the vendor OR should they go with the the stack alternative that's always been there, has great references, a very healthy business, and lives and dies by this space?

- Chris Sullivan, Courion Corp.

Labels: acquisition, oracle, Sun

Posted 9:14 AM (0) comments

Holy crap!!

I had to look twice at the calendar this morning when I read: Oracle agrees to buy Sun for $7.4B - Network World. But no, it was the 20th of April, not the 1st.

After all, there's so much overlap (starting with, say, MySQL) that it will be a complicated mesh-vs.-divest argument. There's virtually nothing in the IdM arena, for example, that Sun can provide which Oracle doesn't already have - and, in most cases, already have a better solution.

It's really only in the hardware business that Oracle is acquiring something they don't already have, but it seems like a very drastic step to take simply to be able to assemble their own appliances.

Maybe it's just Larry Ellison's way of telling both IBM and Microsoft that he intends to be a player in every high tech arena.

Labels: acquisition, oracle

Posted 9:23 AM (0) comments

More self-issued stuff

Jeff Bohren jumps into the discussion but unfortunately misses the target and crashes badly.

He says: "First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario." But there is a definite compelling reason - we rarely believe (or, at least, we shouldn't believe) without verification the claims that a stranger makes to us. Just ask any single woman who goes to a bar on a Saturday night! The third party, the trusted third party, provides validation for the claims. The claims are offered by the first party, directed by the first party and even initiated by the first party, but without the validation of the third party they are completely worthless.

He goes on to note: "The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don’t believe that is possible in practice. If you say 'Jeff’s credit score is as good as %90 of the people who have not defaulted on a loan of that amount', then you have for practical purposes divulged Jeff’s credit score. " Um, no, you haven't. Any more than the Oracle agreeing that you are of legal age to purchase alcohol could be said to 'divulge' your age. "Over 21" covers a whole lot of ground. A validation that I am of legal age to buy says nothing about whether I'm of legal age to claim Social Security benefits, far less is it an indicator of my actual age. For the credit score, the RP decides what score is acceptable and asks the Oracle if the first party's score meets that criteria. No numbers are divulged, but the transaction can proceed.

In general, we need to think of the Identity Oracle as a binary soothsayer - only yes or no answers are forthcoming.

Labels: cardspace, liberty alliance, oracle

Posted 9:36 AM (4) comments

More on the Identity Oracle

I tried to leave this comment on Kim Cameron's blog, but pushing the "post" button seems to send IE (which I have to use there in order to submit an identity card) into the never-never..
********************************************
Drop it while you can, Kim. Bob's right on this one. The "Identity Oracle" is a business model, not a technology feature. As I've said many times (and countless others have re-iterated), the technology is easy, it's the people that are the hard part.

"Claims transformation" is simply changing data from one format to another, or one protocol to another, etc. It's technology. It may be a necessary part of the infrastructure for an Identity Oracle, but it's only one small part.

For my take on the Identity Oracle, watch next Wednesday's Identity Management Newsletter.

Labels: attribute exchange, cardspace, oracle

Posted 1:04 PM (0) comments

Journalistic ethics

Larry Barrett, at Internet News, jumped the gun on the announcement that Oracle had acquired Bridgestream. While the deal has been rumored for a couple of weeks (and actually was signed off on over two weeks ago), the lawyers had held off on the announcement to be sure all the Ts were crossed and all the Is were dotted. Official announcement should come on Tuesday, Sept. 4.

Barrett has done a great disservice to those of us who try to practice ethical journalism by actually abiding by embargo dates so that we can thoroughly research the story before it breaks. It is a big story, but there's nothing about it which requires breaking a confidence. I'll have more to say once it's official.

Labels: acquisition, bridgestream, journalism, oracle

Posted 3:31 PM (0) comments

Oracle to buy BridgeStream?

Dan Primack, over at PEHUB, threw out a rumor the other day that Oracle was about to acquire BridgeStream, the role definition and management company. I've followed the privately held San Francisco startup for the past couple of years, and even just last summer believed that acquisition wasn't in the cards just yet:

"With some preaching a top-down approach of creating roles based on business rules and practices while others advocate a bottoms up approach emphasizing audits and data mining of what people actually do, there's no definitive "best practices" for role creation. While it seems obvious that, eventually, a synthesis of these methods will emerge as the standard way to create and manage roles, there's still enough diversity in the marketplace that the big identity management vendors aren't willing to bet on the final outcome. Instead, they'll partner with many different role creation companies. That means that folks like Bridgestream, Eurekify, Trusted Network Technologies, BHOLD, Blackbird, Engiweb, Prodigen, SecurIT, and Vaau will maintain their independence for now with only the remote possibility that should any of them founder with customers their investors might seek to sell out at fire sale prices."

But I think I can give a fair amount of credence to Primack's rumor for two reasons:

1) Oracle is still on an acquisition roll, and getting deeper into roles makes sense for them;
2) Role management needs to be intimately connected to the IdM suite of products, something that simply parternering with an independent role management company doesn't give a major vendor.

Look for this to become official over the next week or so...

Labels: acquisition, bridgestream, oracle, RBAC, roles