Archive for March, 2009

The Big Blue Sun?

Wednesday, March 18th, 2009

According to press reports making their way around mainstream news organizations as well as the blogosphere, IBM is making a play to acquire Sun Microsystems. The initial advantages appear to be straightforward. IBM rules in the East, old-school; Sun is a major player in the West (although their Silicon Valley neighbours, H-P, sell far more hardware, especially since the Compaq acquisition). IBM’s strength is mostly in big, heavy hardware, with proprietary systems around it, including mainframes and its distributed systems (which, for those of us who have worked with them, look and behave suspiciously like repackaged mainframes), and its huge consulting arm, IBM Global Services (IGS). IBM has a robust software business, mainly focused around its database (DB2) and application server (WebSphere) as well as several other middleware pieces. Sun, on the other hand, tends to develop leading-edge, dynamic systems and software. It is the major force behind Java, the top enterprise-class development language, and offers everything from low-cost “pizza-box” sized light hardware running AMD and Intel standard chips to its own high-end multi-processor, multi-core Sparc-based systems.

The differences between the two can be summed up in their histories. Ten years ago, Sun said, “we put the dot in dot-com”, while IBM could have been called, “we put the red tie on the blue suit”. The history of how the Sun storage appliances came to be is particularly instructive. Several senior engineers went to a senior executive at Sun and said, “We invented NFS (the protocol used for most network attached storage devices, like those sold by NetApp), we have the best hardware, we are open across the board, why aren’t we players?” The executive approved the program on the spot; two years later, the appliances were out on the market. This type of thing could never happen at IBM. Sure, it might get approval for preliminary market and sales research after several rounds of executive committee meetings, and the huge and influential sales organization might or might not approve, but Sun is innovative and on the edge; IBM is conservative and on its seat.

The old line is that “no one ever got fired for buying IBM”. This is true, which is why big health-care organizations still buy lots of IBM. I recently worked with a large health system that insisted on buying IBM servers, despite a fully-loaded cost of purchase, deployment, maintenance and application conversion of twice the alternatives (Sun or Linux, both of which were explored and priced out), and a feature set that was about 30-35% less than their base requirements. On the other hand, small firms, start-ups, and even the financial behemoths of Wall Street (which, one might point out, essentially no longer exists), were never worried about a bureaucratic existence and “no one ever got fired”. They were, and remain, far more interested in getting the job done as efficiently, reliably and cost-effectively as possible. IBM never competed in this space. I will say it again. IBM never could and never did compete in this space.

So what are the prospects of this proposed acquisition?

  1. It doesn’t go through. Even if the IBM and Sun executives and Directors can come to terms, I would put it at 50/50 that shareholders will approve. On the other hand, Sun shareholders have tolerated directors and management that have left Sun’s stock to bounce up and down like a yo-yo over a multiyear period. Sun is currently languishing at 1/6 the price of just two years ago.
  2. It goes through. If it does, expect IBM’s famous bear hug to kill Sun. IBM has bought itself market share in many sectors before, squeezed the company, and killed the goose that lays the golden egg. Tivoli, Lotus, the list goes on. These were all great companies at one time. IBM bought them, integrated them to the “big blue” culture, and they remain withered on the vine. In the meantime, IBM has had somewhere around zero real innovation on its own all of these years. Yes, it has made major advances in its R&D labs, but has brought little to none of it to market. ZFS is the first major filesystem innovation in decades.

Either way, Sun shareholders are losers, and have been for several years. Scott McNealy was a colourful character, crazy in a positive way. To be fair, he did nearly kill the company when it got completely blindsided by the arrival of commodity hardware and Linux. However, Jon Schwartz, who managed to recover from that phase – I attended his “Sun on Wall Street” presentations back in 2003 when he attempted to woo back many of his former bread-and-butter customers – has bungled it to this point.

Sun has an enormous amount of potential value locked into its franchise. IBM will not unlock it, it will crush it. On the other hand, if the deal does go through, expect many senior and talented Sun staffers to leave, if not immediately, then shortly after some next equity/options vesting milestone. Many of these will start new companies that will compete directly with what IBM (the company formerly known as Sun) does and was planning on doing. These companies will be more nimble, will succeed, and will eat IBMSun’s lunch while the people left at IBMSun desperately beg the “boys in blue (suits)” to give them an answer to the small proposal to do the same thing… that has been in committee for 24 months.

Security vs. Convenience – Trade-Offs in Operations and Business Impact

Wednesday, March 18th, 2009

In any business, in any setting, security is about trade-offs. It is about trading the inconvenience of process for the (supposedly) improved security that is necessary. For example, even the President of the United States is undoubtedly annoyed that he cannot go out for a walk without having the Secret Service clear it, but accepts the inconvenience as necessary to protecting his life. On the other end of the spectrum, everyone who has travelled in the United States in the last eight years is painfully aware of the inconvenience of the Transportation Security Administration (TSA) agents performing checks ranging from metal detection to shoe removal to full-body searches; whether or not this actually improves security is subject to debate. Shortly after 9/11, the former head of security for Israel’s airports visited, and commented to the effect that the United States does not have a passenger security system, it has a passenger inconvenience system.

In a business, there really are two kinds of security to take into account: physical security and information security.

Physical Security

Physical security is security of premises and persons of the institution. Thus, the White House has the Secret Service, the Capitol has the Capitol Police, and just about every office building in Manhattan has a security desk and turnstiles. This security may extend outwards. Thus, key personnel may have guards (I once worked for a man who never went anywhere without an armed escort). At times, it can be quite entertaining. Years ago, I worked at a firm that brought a senior Netscape executive to speak. He had a security detail almost as large as the President’s.

Information Security

Information security is the security of the information in the hands of the institution. Although the term “Information Security” or “InfoSec” is normally used to apply to the security of digital information, such as that stored in a company’s databases, the term technically applies to all information, including that in file cabinets and desks. However, since physical information such as papers and folders is only at risk within the confines of its physical location, information security is normally applied to digital assets. Information security is a unique discipline and is particularly challenging, for several reasons:

  1. Ease of Reproduction: Digital assets can be reproduced at what is essentially zero cost, and without disturbing originals. Thus, if someone steals account information, the original is never disturbed. The Internet itself has been described as the greatest copy machine ever created.
  2. Ease of Access: Unlike physical assets, which require physical access to premises in order to access the information, digital assets can be accessed without ever going near the physical premises. Every day, millions of people purchase items from Amazon without ever setting foot in Seattle, let alone Amazon’s facilities.
  3. Expected Convenience: For good reason, most people expect computer systems to make their lives and jobs easier and more convenient. The very notion of systems that inconvenience them runs contrary to their expectations, and thus makes behavioural changes extremely difficult.
Of course, the need for security creates the previously discussed trade-offs. Many businesses, especially those with highly sensitive data or regulated data, such as credit card information (PCI) or health records (HIPAA), require those who desire access to internal records to use a virtual private network (VPN) and some form of one-time password, such as RSA SecurID tokens, to access corporate systems. The inconveniences are multiple:

  • It is much easier to just connect to a system than to open a VPN application, connect and log in to it first; the VPN connection also often precludes direct access to other, non-corporate systems while connected.
  • One-time passwords are inconvenient, and require a physical token to carry around which, if unavailable or lost, means the user cannot access the systems at all.

Despite the inconveniences, many corporations and, in the case of HIPAA or PCI, regulations, require usage of these security systems. The cost is not insignificant. A single VPN concentrator (the term used for the system that allows users to connect to a VPN), one-time password server, and tokens can cost thousands of dollars for a few users, in addition to thousands of dollars in implementation costs. If the business systems are mission-critical, then reliability means multiple redundant systems, possibly in multiple locations, which can increase capital costs 3-4 fold, and implementation costs by a similar order, depending on systems complexity. Finally, in all cases, there is the hidden cost of the employee/customer/consultant time in accessing the system. Assume a field salesperson who is compensated $100,000 per year, with benefits adding 30%, for an average hourly cost of $65/hour. If they need to access the systems twice per day, at 250 business days per year (according to the US Department of Labor), that is 500 accesses per year. If the inconvenience adds “only” 5 minutes per connection on average, that is 2,500 minutes lost, or 42 hours, for a total cost of $2,708 per year. This salesperson just lost 2% of their productive time, at company expense, of course. Add to that the downtime when the VPN and login systems are inaccessible, or the salesperson cannot find their access token, and the costs go up dramatically.
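The hidden-cost arithmetic above, written out as a small Python model so it can be re-run for other headcounts or login designs. This is an added example, not code from the original post; the salary, 30% benefits, 250 business days and 5-minute figures are the post’s own, and the 2,000-hour working year is the assumption behind its $65/hour rate.

```python
def hourly_cost(salary: float, benefits_rate: float = 0.30, hours_per_year: int = 2000) -> float:
    """Fully loaded hourly cost: salary plus benefits, spread over a 2,000-hour year (assumed)."""
    return salary * (1 + benefits_rate) / hours_per_year


def annual_friction_cost(salary: float, accesses_per_day: float, minutes_per_access: float,
                         benefits_rate: float = 0.30, business_days: int = 250,
                         hours_per_year: int = 2000) -> dict:
    """Yearly cost of the time one employee loses to login friction (VPN plus one-time password)."""
    accesses = accesses_per_day * business_days
    hours_lost = accesses * minutes_per_access / 60
    rate = hourly_cost(salary, benefits_rate, hours_per_year)
    return {
        "accesses": accesses,
        "hours_lost": hours_lost,
        "dollars": hours_lost * rate,
        "share_of_year": hours_lost / hours_per_year,  # fraction of productive time lost
    }


def team_cost(headcount: int, **kwargs) -> float:
    """Scale the per-person figure to a team, to set against the capital cost of the VPN/OTP stack."""
    return headcount * annual_friction_cost(**kwargs)["dollars"]


def savings_from_faster_login(salary: float, accesses_per_day: float,
                              minutes_now: float, minutes_after: float, **kwargs) -> float:
    """Dollars per year recovered by shaving friction (e.g. fewer re-logins or a quicker token flow)."""
    before = annual_friction_cost(salary, accesses_per_day, minutes_now, **kwargs)["dollars"]
    after = annual_friction_cost(salary, accesses_per_day, minutes_after, **kwargs)["dollars"]
    return before - after


if __name__ == "__main__":
    # The post's worked case: $100,000 salary, two logins a day, five minutes each.
    r = annual_friction_cost(100_000, accesses_per_day=2, minutes_per_access=5)
    print(f"{r['accesses']:.0f} accesses, {r['hours_lost']:.1f} h lost, "
          f"${r['dollars']:,.0f}, {r['share_of_year']:.1%} of the year")
```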

Reverse Trade-Offs

The most interesting cases can be found when a “reverse trade-off” occurs. In these cases, the organization actually makes it harder for users to be more secure, for no good apparent reason. Put in other terms, they make it more inconvenient and more insecure, at the same time. These are usually indicative of poor security within the institution itself.

I recently received an email from a reporter asking me to help them on behalf of a reader. Apparently, this reader is an online banking user, like the majority of those reading this article. The bank had limited the customer’s password to 6 characters. Yes, in this day and age when social networking sites with no private financial information require at least 8 characters, a bank was insisting on no more than 6. The reader, who, justifiably, wanted more security and a longer password or passphrase, was interested in understanding why the bank did this.

In the case of this bank, the reason is highly likely one of the following:

  • a very long time ago, someone created a system that only used 6-character passwords
  • the customer account is being mapped directly to a login account on some system (given the password length, likely an older mainframe), which speaks poorly of their application design, as well as their account-security and management procedures
  • the least likely but most disturbing: the bank decided that the cost of password resets is simply too high, forces easy, simple passwords of just 6 characters, and has thus consciously chosen convenience over security
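The bank’s 6-character cap next to a sane policy, as an added Python example (not code from the original post): it shows why a maximum length is a reverse trade-off, and gives a small audit check that flags such a cap. The policies, the 62-character alphabet and the 8-character floor are constructed assumptions; the “legacy fixed-width field” finding restates the post’s mainframe hypothesis.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: Optional[int]  # None means no cap


# Constructed policies: the cap the post describes, and a recommended alternative.
BANK_POLICY = PasswordPolicy("bank-legacy", min_length=1, max_length=6)
SANE_POLICY = PasswordPolicy("recommended", min_length=8, max_length=None)


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the reasons a password is rejected under a policy; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than the {policy.max_length}-character cap")
    return problems


def worst_case_bits(policy: PasswordPolicy, alphabet_size: int = 62) -> float:
    """Search space (bits) of the shortest password the policy still accepts."""
    return policy.min_length * math.log2(alphabet_size)


def best_case_bits(policy: PasswordPolicy, alphabet_size: int = 62) -> float:
    """Search space (bits) of the longest password the policy allows: a cap limits the user."""
    if policy.max_length is None:
        return math.inf
    return policy.max_length * math.log2(alphabet_size)


def audit_policy(policy: PasswordPolicy, floor: int = 8) -> List[str]:
    """Flag the reverse trade-off: rules that stop users from choosing a stronger secret."""
    findings = []
    if policy.min_length < floor:
        findings.append(f"minimum length {policy.min_length} is below {floor}")
    if policy.max_length is not None and policy.max_length < floor:
        findings.append(f"maximum length {policy.max_length} caps users below {floor}; "
                        "suggests a fixed-width legacy password field behind the login")
    return findings
```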

Either way, we are dealing with ignorance or incompetence. Either way, this is highly likely the tip of the iceberg, indicative of very poor security measures internal to the bank, and indicative that they are probably spending far more money for far less security (and probably for other back-office operations as well) than they should. Either way, don’t trust your information to this bank.