Top 3 Drivers for an IAM Business Case and 8 Presentation Tips

March 4, 2012

In this post, we will discuss the top 3 Drivers for an Identity and Access Management (IAM) Business Case and 8 Presentation Tips.

Who: As always, consider your audience – who will be most interested and in what driver. At a minimum, include the following teams and see the benefits through their eyes:

1) IT Operations Management
2) Security and Legal teams
3) Business (revenue focused) Managers

What (the drivers/benefits):

1. Efficiency – The ability to do more, faster and with less effort. Examples include automating access removal when someone leaves a company, reduction of helpdesk calls from automation of password resets, SLA improvement, and quicker consolidation of infrastructure.

Primary audience: IT Operations Management

2. Effectiveness – Doing the right things and doing them well. Examples include more accurate reports, savings from fewer regulatory fines caused by inaccurate reports, better consistency and automation of reporting, and better customer and auditor perception.

Primary Audience: Security and Legal Teams

3. Agility – Change faster with less effort. Examples include reduced effort to form business partnerships (and thus encouraging more partnerships), reduced time to integrate a newly acquired company, and improved customer service.

Primary Audience: Business (revenue focused) Managers

Socializing and Presentation Tips

1. Emphasize non-quantifiable benefits over ROI calculations. The reason is that ROI calculations rest on assumptions that can often be easily challenged, and a successful challenge derails the entire business case. Only emphasize ROI if you are comfortable sitting in front of the CFO for 20 minutes going through the detailed assumptions and calculations. It’s a safer bet to stick with non-quantifiable benefits. If you must include an ROI, be sure to involve others in the assumptions and calculations.

2. “Road test” the business case presentation in one on one or smaller meetings in order to get feedback and improve your message.

3. In the presentation, spend more of your time on the expected benefits than on the why, the how, and technical jargon, which often only distract from the main drivers.

4. The overall format should include at a minimum one slide for the following: problem statement, who was involved in the business case analysis and objectives, proposed solution, expected benefits, high level plan/options and costs, and an Appendix (assumptions and calculations).

5. Present in a professional, conversational, and competent manner.

6. Know the material well (more than what is just on the slides).

7. Formally present for 20 minutes and then answer questions and have a conversation for another 20 minutes (often the most important piece).

8. Speak with conviction and above all else, honesty.


Notes and Mindmaps Section

March 1, 2012

The “Notes and Mindmaps” section was inspired by Dr J’s blog of “Field Notes”.

Dr Jerry A Smith


Those that know me will contest that I tend to take a lot of notes. I do so because I truly believe that to remember is to record. This quote, “I’m not writing it down to remember it later. I’m writing it down to remember it now” really put this practice into perspective for me. As such, most of my field notes never see the light of day, not even for me. Field Notes is designed to change this.

I want to get more of these short relevant conversations into a larger discussion. The ones that are briefly scribbled into the pages of my journal. Full articles are still very important, since they provide a source of thoughtful analysis based on some level of sharable research. However, pulling together a meaningful article that is actionable takes time; time well spent, but time nevertheless.

A Field Note, on the other…


4 Ways IaaS Cloud Computing Will Reduce Your Costs

February 28, 2012

1. Disaster Recovery – Cloud providers such as Amazon AWS offering “pay as you go” pricing enable reduced cost for disaster recovery. Essentially, one only pays when disaster happens and a recovery is needed. To be more accurate, the 24/7 activity of replication and storage of data from the production environment to the DR environment is the fixed cost. At the same time, however, the application and data servers do not cost a single penny unless a disaster happens, in which case the servers are started up. Even if a disaster lasts for months (e.g. Katrina), this is still considerably less expensive than an in-house data center that must purchase all the hardware upfront for the application and data servers.

2. Batch Computing – Batch applications often follow a predictable “batch window” of high and low processing requirements. For example, nightly batch processes may require 1000 servers of processing to complete their work from 12am-8am before the next business day starts. These 1000 servers must be purchased up front and may not be used (or used very little) during day-time business hours, resulting in a very low CPU utilization rate of 33% (8/24). With IaaS cloud computing and the ability to scale (or auto-scale) when needed, the CPU utilization rate is theoretically 100% or realistically at least in the 90s. Major savings.

3. Short-term Web Site – For example, a marketing professional may create a dedicated web site for a product. If that web site is mentioned in a commercial during the Super Bowl with 100M+ viewers, there is a good chance that web site will get hammered, potentially with hundreds or thousands or more unique hits within a few minutes, potentially requiring hundreds or thousands of servers. A few days after the Super Bowl, the marketing web site requires 2 servers for the rest of the year. Again, with pay-as-you-go pricing and an auto-scaling capability, the cost savings in comparison to traditionally purchasing all the equipment up front are through the roof.

4. Test & Dev – Cloud computing is also cost effective for test and development environments that may not need to be running 24/7. Again, pay only for the time the system is running.

IaaS Cloud Computing will not always reduce costs

It’s important to call out that IaaS Cloud computing may not be cost effective for large steady-state business workloads in many use cases and may even be more expensive. I predict, however, that this will change due to improved automation capabilities that enable IT Operations teams to perform more efficiently. The automation technology is still lacking and not yet mature enough to provide real steady-state savings. Examples of automation capabilities include automated patching, backups, database replication (e.g. Amazon AWS RDS), and the ability to quickly deploy and configure a complex, integrated environment of web, application, data and network components in an automated fashion. Again, the tools exist but are, in my opinion, still several years from mainstream adoption. Put another way:

Sufficiently mature and integrated automation capabilities will be the tipping point for mainstream enterprise adoption of IaaS Cloud Computing. We are still several years away from this reality. Do you agree or disagree? Your thoughts are welcome.

IaaS Cloud Computing Providers: Notes and Mind-maps

February 21, 2012

The IaaS landscape is far from mature. Providers vary greatly in terms of the service, features, and markets they serve. As outlined in the mind-map, the key points below are the strengths and weaknesses noted based on Gartner research and my own observations. It’s interesting to see the varying SLAs, and that none of the major vendors, but some of the smaller ones, offer a 100% SLA. Citrix Xen, open source KVM, and VMware are the predominant virtualization choices. Some providers are geared toward niches: Disaster Recovery, Government, Compliance (e.g. HIPAA), while others are general purpose. The leader in the market is Amazon AWS, but in my opinion CSC has the best enterprise offering. has a unique feature to pay less for VMs that are not used, which is great for DR. Rackspace is embracing the open source movement and I believe they are on the right path to compete with the big boys. For more observations, see the mind-map or its bullet-point form below.

IAAS Vendors Mindmap

IAAS Vendors


  • Amazon Web Services
    • Strengths
      • Paid by the VM (no contract)
      • Xen virtualized
      • DC around the world and for US gov’t
      • Also offers cloud storage, CDN, and PaaS services
      • Market and thought leader
      • Largest pool of capacity (good for batch)
      • API access and many 3rd party management tools
      • Large partner ecosystem – licensing and packaging s/w to run on EC2
      • Compliant – PCI, SAS, FISMA etc…
      • Good for Cloud native, batch, big data, e-business, test and dev
    • Cautions
      • Best effort cloud
        • highly variable EBS performance and between VMs
        • weakest SLA of top providers – 99.95%, capping at 10% of annual bill
          • Requires customer to run in at least 2 AZs
          • Does not include EBS
        • Be careful with modeled network charges
        • Forum based support is free and enterprise class support is 10% uplift to bill
      • Only basic ACLs for controlling network access (rather than full-fledged firewall service)
      • No managed services but available via partners
        • Adding automated infrastructure management (e.g. RDS) but does not provide core functions of ‘turn key’ use case
      • No colocation but available via 3rd party (Equinix)
      • For better terms, sign an enterprise agreement (0 dollar contract)
  • AT&T
    • Strengths
      • Paid by the VM, cloud storage, CDN, colocation, managed hosting, VMWare virtualized
      • Good for multiple workloads requiring managed services, cloud experimentation for small teams and use with other AT&T services
      • Focused on hybrid (not pure) cloud
        • VMware
    • Cautions
      • Developer centric offering, low SLA (99.9%), awkward UI, proprietary API w/o 3rd party tool support
      • VM provisioning time long and weak RBAC
      • De-emphasis on self-service
  • Bluelock
    • Strengths
      • Mid-market, vCloud Datacenter for public and private IaaS w/ optional managed services
      • Supports vCloud Global connect – federation between vCloud DC providers
      • “Portfolio” tool provides monitoring and IT financial management
      • Good for e-business, general business, test and dev
    • Cautions
      • Prime target for acquisition
  • Carpathia
    • Strengths
      • Focus on mid-market and gov’t and emphasis on compliance
      • Citrix Xen virtualized and also offers private cloud, US gov’t cloud, storage, colocation, managed hosting
      • Primary differentiator is compliance (FISMA, DIACAP, HIPAA, PCI, C&A)
      • Also offers VMWare virtualized option and options to mix with Xen
      • Good for significant compliance requirements and public sector
    • Cautions
      • Focused on managed services (not self service)
      • Limited brand awareness outside of public sector but this is changing
  • CSC
    • Strengths
      • vCloud DC, optional managed services
        • Public multi-tenant, private single tenant – both in CSC DC
        • Private single tenant in customers own DC
        • Standardized architecture across public and private
        • Top 5 market share in VMWare hosting
        • Strong roadmap for enterprise IT operations management tools including automated managed services
        • CloudLab for developers – IDE integration, network simulation
        • Generous with offering trials
        • Good for general business, test and dev, cloud-enabled DC transformation and transition
    • Cautions
      • Support and account management weak, parent company slow and may interfere
  • DataPipe
    • Strengths
      • Hypervisor neutral on Citrix platform in public/private variants w/ optional managed services
      • Offers colocation and managed hosting and a suite of managed services on top of AWS
      • Low cost Kernel-based VM (KVM)
      • Can use Stratosphere in conjunction with AWS
      • Good for hybrid hosting, supplemental infrastructure in conjunction with AWS
    • Cautions
      • Emphasis on managed services
  • GoGrid
    • Strengths
      • Xen virtualized public/private, optional managed services plus storage, CDN partnering with EdgeCast and managed hosting
      • 100% SLA
      • Successful blend of self service and managed services
      • Eases licensing and allows partners to build on top of each others software stacks
      • Good for cloud native apps, e-business, hybrid hosting big data, test and dev
    • Cautions
      • Software is all developed in-house, which may make it hard to compete
      • RBAC limited and only basic ACLs, firewall extra
      • Offer own API but not many 3rd party tools
    • Strengths
      • Mid-market, VMware virtualized plus private cloud, colocation, and managed hosting
      • Specializes in cloud DR
        • Uses VMWare Site Recovery manager for synchronization and optional EMC SAN for replication
        • Cost effective parking feature to run a VM in inactive mode for a fraction of the cost of a running VM
      • Automated Managed Services
        • Workflow driven automated patch management system
        • Portal based service catalog
          • 1st offering is pre-configured SharePoint as managed service
      • Contracting flexibility w/ minimum revenue commitments
      • Good for cloud DR including continuous availability facilitated by using IaaS as secondary DC
    • Cautions
      • Growing via acquisitions and may be an attractive acquisition target
  • IBM
    • Strengths
      • Paid by the VM, KVM, colocation, managed hosting, private cloud
      • Integrates well with other IBM tools
      • Lot of partnerships with independent software providers (ISV)
      • Good for orgs with deep investment in IBM, cloud native, test and dev, or batch
    • Cautions
      • Best effort, dev centric towards new cloud native apps and test and dev and low SLA 99.9%
      • Forum based support with enterprise 10% uplift of bill
  • iLand
    • Strengths
      • vCloud Powered w/ focus on DR using VMWare Site Recovery Manager
      • Offers hosted virtual desktop
      • Good for Cloud DR
    • Cautions
      • Potential target for acquisition
  • Joyent
    • Strengths
      • paid by the VM, KVM
      • Emphasis on performance (and its analytics)
      • On verge of PaaS with its SmartOS
      • Good for cloud native apps that need performance
    • Cautions
      • No self-service network security, single account model
      • Highly dev centric with emphasis on API and enablement of 3rd party tools
  • NaviSite
    • Strengths
      • VMWare Virtualized with optional managed services, colocation and app management
      • Strong self-service and RBAC and workflow
      • Integrated performance monitoring, auto-scaling
      • Good for general business apps, test and dev
    • Cautions
      • Acquired by Time-Warner in 2011 but unclear long-term vision
  • OpSource
    • Strengths
      • paid by the VM, VMWare Virtualized with optional managed services
      • 100% availability
      • ISV partnerships
      • Good for e-business, cloud-native, hybrid SaaS, test and dev
    • Cautions
      • Geared toward hosting use cases for web apps (not general purpose workloads)
  • Rackspace
    • Strengths
      • Paid by the VM, Xen w/ managed hosting, hybrid hosting, private cloud, storage, PaaS, monitoring, virtual desktop, and SaaS SharePoint and email
      • Primary sponsor of OpenStack (open source cloud stack)
      • Good support and easy to use and low cost
      • Large eco-system of vendors likely to compete with VMWare, MS, and Amazon that enables 3rd party management tools support
      • Good for Hybrid hosting where IaaS is supplemental to dedicated infrastructure, test and dev
    • Cautions
      • Dev centric, best-effort and geared toward hosting use case
      • No self service security features
      • Migrating from proprietary to open cloud stack
  • Savvis
    • Strengths
      • Public/private VMWare virtualized w/ optional managed services and colocation
      • Offers different price points, SLAs
      • Strong customer portal w/ strong security features
      • Strong automated managed services including on-demand DB from Oracle and MS
      • Good for general business apps, test and dev
    • Cautions
      • Overly diverse product portfolio (multiple flavors of single and multi-tenant)
  • SoftLayer
    • Strengths
      • Focus on small business, paid by the VM, Citrix Xen w/ storage, CDN, private cloud, colocation, dedicated hosting and managed hosting
      • Thought leader and deep investment in managed services / exceptional portal
      • Strong monitoring and alerts on failure
      • Ability to integrate with 3rd party authentication (VeriSign) and free vulnerability and PCI compliance scans
      • Good for e-business, test and dev, self managed hybrid hosting
      • API Supported by RightScale
    • Cautions
      • Focus on small business w/ smaller consultative sales
  • Tata Communications
    • Strengths
      • Citrix xen based, public w/ colocation and managed hosting
      • Supports AWS API
      • Strong RBAC and financial tools and free VPN
      • Good for cloud native, test and dev, and cost-conscious customers
    • Cautions
      • No managed hosting, 99.95% SLA with SLA credit capped at 20% of bill
      • Low brand awareness w/ focus on Asia
  • Terremark
    • Strengths
      • 2 VMWare virtualized Offerings and vCloud Express and offers managed hosting and colocation
      • “Enterprise Cloud” – Strong focus on self-service VDC and good for general business apps, test and dev
      • “CaaS” focused on hybrid hosting and customers that need some managed hosting with VDC – can provision VMs and dedicated servers w/ metering by the day (not hour) – good for hybrid hosting, general business apps
      • vCloud Express – for developers and quick POC’s
    • Cautions
      • Weak customer service
      • Split product portfolio may cause difficulties
      • Integrating Terremark w/ Verizon
      • vCloud DataCenter only offered as private cloud IaaS
      • Future strategy is hypervisor neutral
  • Tier 3
    • Strengths
      • vCloud Powered
      • A lot of new custom functionality
      • Two tiers of SLA – 99.9% and 99.999% w/ replication to second DC
      • Scriptable templating for deployment “Blueprints”
      • Good for e-business, cloud native, general business, test and dev
    • Cautions
      • No vCD UI
      • Very small but innovative, prime for acquisition
      • Limited brand awareness and marketing
  • Viracore Systems
    • Strengths
      • vCloud Express complements its private cloud IaaS
      • Unified management portal
      • Good for non-mission critical, small-scale web apps, test and dev
      • vCloud Express
    • Cautions
      • SMB focused, lacks feature depth including self-service load balancer, monitoring, VPN and weak firewall
      • Guaranteed CPU not RAM
      • Limited brand awareness

What kind of models does an Enterprise Architecture describe?

June 5, 2011

What is an Enterprise Architecture Model?

Many mistakenly assume that Enterprise Architecture is a “tech thing” only. This could not be further from the truth.

From a modeling perspective, enterprise architecture brings great clarity to a system.

What is a system? According to Google: “A set of connected things or parts forming a complex whole, in particular.” Note: No use of the word technology in the definition.

What kind of models does an Enterprise Architecture describe? Again, according to Google (define keyword): “An enterprise architecture (EA) describes the structure of an enterprise, its decomposition into subsystems, the relationships between the subsystems, the relationships with the external environment, the terminology to use, and the guiding principles for the design and evolution of an enterprise …”. Note: No use of the word technology in the definition.

Or to summarize, Enterprise Architecture is the System of the Enterprise.

One subset of an enterprise architecture consists of automated systems. Another subset consists of systems that are NOT automated.

Let’s take the US Government as an example. The US government is composed of 3 branches – executive, legislative, and judicial. All 3 branches work together in a SYSTEM to provide life, liberty, and the pursuit of happiness. An Enterprise Architecture is used to describe the system of the US Government.

Every business, government agency, university etc… has an enterprise architecture. The question is – are they fully conscious of their enterprise architecture? Furthermore, what are the benefits of being fully conscious of an enterprise architecture? What are the benefits of using an Enterprise Architecture? With those questions in mind, stay tuned for my next blog post.

Hint: the value of adding the TIME dimension to our enterprise architecture models to effectively manage change.

TOGAF 9 – The Certification and 2 Improvement Proposals

March 12, 2011

I recently passed the TOGAF 9 Certification exam. The process of studying the TOGAF material really did help to give a clearer context of the role of an Architect and how to do my job better. The content was a thick yet generally readable 800 pages and I also took a course from “Architecting the Enterprise”, which I highly recommend.

I decided to become certified in TOGAF 9 because it is generally accepted as the most well-known and respected framework for Enterprise Architecture out of the 75+ existing architecture frameworks. This doesn’t mean, however, that TOGAF 9 is readily applicable out of the box – the “Preliminary Phase” explicitly calls for customizing the framework as needed before beginning the work in the ADM (Architecture Development Method). In fact, almost all other existing architecture frameworks could be viewed as some derivation and modification of TOGAF.

The framework is very thorough, and an architect would certainly benefit from a deep understanding of it. At the same time, however, there are other frameworks (e.g. PEAF) that are simpler and easier to teach and use out of the box.

Two key concepts that the TOGAF could improve upon:

1) Phase G – “Implementation Governance” – By calling out governance during implementation, TOGAF is missing the boat in terms of emphasizing the governance needed BEFORE implementation (Phases A-E). For example, during Phase E, when solutions are first considered, there may be various solution options to choose from – ranging from the most strategic to the most tactical. Continuing with this example, the most strategic decision may cost $20M while the most tactical decision may cost $100K – and there may be options in between the two extremes. It is the job of the architect to define the various solution options. A governance board which includes key executives should then make that important investment decision. This type of governance is equally if not more important than “Implementation Governance” in Phase G and therefore TOGAF 9 needs to change to better emphasize governance throughout the entire ADM.

2) Estimation – “Just give me a number” – In companies where products are heavily or entirely based on software/web, business executives or product people often just want to know: how much will it cost to build? This question is first asked at product conception, before requirements and before any of the key TOGAF phases such as B-F. An important concept that is unjustly buried deep under the 800 pages of TOGAF is that cost estimation becomes more accurate as each ADM phase is completed. For example, in Phase B we will have gathered key processes and requirements, and in Phase C we become aware of the key logical application and data components. The outputs from Phases B and C are potentially sufficient detail to provide a cost estimate with, say, 70% confidence. The technology view from Phase D and the solutions in Phase E potentially enable a cost estimate with 90% confidence. The key point: from a CEO or business executive’s point of view, a big reason to “do TOGAF” or Enterprise Architecture is to define the strategy, architecture, and solution (via diagrams, matrices, and views) in sufficient detail that accurate costs can be estimated, go/no-go decisions on major initiatives can be made, and program and implementation project planning can be optimized.

Why SOA is the Foundation for Innovation – Part II

February 13, 2011

In this previous post (Why SOA is the Foundation for Innovation – Part I), an explanation was given for why the principle of Loose Coupling in a SOA is fundamental to the promotion and fostering of innovation in a system. In this post, we will discuss fundamental patterns that implement the key principle of Loose Coupling.

Loose Coupling Defined

First off, Coupling can be defined as the relationship between things. If there is a very strong (tight) relationship between two things, then when one thing changes the other thing must change or the system will break. In a complex, tightly coupled system with hundreds or thousands of “things”, the effort or cost to change is very high because a change to one thing requires changes to many other things, directly or indirectly coupled to it – otherwise the entire system will break. Clearly, this paradigm is strongly opposed to ease of change and innovation!

On the other hand, Loose Coupling advocates minimizing the dependencies between things. Additionally, the dependencies that DO exist between things are put under a microscope and micro-managed to prevent the proliferation of future dependencies. Therefore, agility (or the ability to quickly change) is increased due to the reduced impact that a change to one component has on all the other components in a system. This also allows individual things in a system to evolve independently which fosters the spirit of innovation.

Loose Coupling Patterns

Now that we understand that Loose Coupling, a key principle of SOA, is fundamental to fostering innovation, let’s turn to a couple of fundamental SOA design patterns that, if followed, make Loose Coupling “real”. In a SOA, the goal is to promote loose coupling in 2 main areas:

1) Between Services – The provider service is able to perform its functions without any help from other services.

2) Within Services – The interface is decoupled from technology and implementation details and only exposes the functional spirit of the domain.

The following pattern summaries help to realize loose coupling in a SOA:

Transformation – For example, a service that wraps a legacy system may use an intermediary component that transforms the data format from CSV (common in legacy environments) to XML before the legacy processing begins. This transformation component decouples the interface from the implementation. Transformations tend to reduce performance, yet they are unavoidable in most environments.

Intermediate Routing – dynamically determines a message path based on factors such as the message contents or service utilization (load balancing). This may be achieved through intermediary agents that read messages, dynamically determine their path, and call the appropriate service. This decouples the connection between services.

Asynchronous Queuing – An intermediary queue receives a service request, message ABC, and forwards it to the provider when the provider is ready. The provider may not be ready because it is already busy processing a previous request; the queue determines when the provider is ready. Additionally, this enables the consumer to go on processing other requests until the provider has finished processing message ABC (in a request/response message pattern) – all enabled by a queue, decoupling the consumer and provider.

Event-Driven – enables consumers to be automatically notified of provider events. An intermediary event agent manages the consumer subscriptions and provider event notifications, decoupling the communication between services.

The patterns above, commonly found in an Enterprise Service Bus, are some of the more important ones that can be used to realize a loosely coupled SOA that serves as the foundation for innovation!
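The four pattern summaries above, as an added Python example that is not part of the original post: a minimal in-process bus with a CSV-to-XML transformation step that rejects unexpected headers, a router that picks a provider from message content and current load, a queue that releases the consumer immediately, and an event agent that owns the subscriptions. The names (Router, AsyncQueue, EventAgent) and the sample CSV are constructed for illustration.

```python
import csv
import io
import queue
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input in the legacy CSV format (not from the original post).
SAMPLE_CSV = "id,customer,amount\n1,acme,120.50\n2,globex,75.00\n"


# Transformation: an intermediary turns legacy CSV into XML before the legacy
# processing begins, so the service interface never exposes the CSV format.
def csv_to_xml(csv_text: str) -> str:
    root = ET.Element("orders")
    for row in csv.DictReader(io.StringIO(csv_text)):
        order = ET.SubElement(root, "order")
        for field, value in row.items():
            # Header names become element names: accept plain identifiers only.
            if not field.isidentifier():
                raise ValueError(f"unexpected CSV header {field!r}")
            ET.SubElement(order, field).text = value
    return ET.tostring(root, encoding="unicode")


# Intermediate Routing: the agent reads each message and picks the provider
# from its contents (message type) and current utilisation (least loaded).
class Router:
    def __init__(self, providers: dict) -> None:
        self.providers = dict(providers)   # name -> handler(message) -> str
        self.load = defaultdict(int)       # name -> requests routed so far

    def route(self, message: dict) -> tuple:
        kind = message.get("type", "standard")
        candidates = [n for n in self.providers if n.startswith(kind + "-")]
        if not candidates:
            raise ValueError(f"no provider registered for type {kind!r}")
        target = min(candidates, key=lambda n: self.load[n])  # load balancing
        self.load[target] += 1
        return target, self.providers[target](message)


# Asynchronous Queuing: the queue accepts a request at once so the consumer can
# carry on; the provider pulls the next request only when it says it is ready.
class AsyncQueue:
    def __init__(self, provider) -> None:
        self._pending = queue.Queue()
        self._provider = provider

    def submit(self, message: dict) -> str:
        self._pending.put(message)
        return "accepted"  # consumer is released immediately

    def provider_ready(self):
        # Provider finished its previous request: hand it one more, if any.
        if self._pending.empty():
            return None
        return self._provider(self._pending.get())


# Event-Driven: the event agent owns the subscriptions, so provider and
# consumers never reference each other directly.
class EventAgent:
    def __init__(self) -> None:
        self._subs = defaultdict(list)

    def subscribe(self, event: str, callback) -> None:
        self._subs[event].append(callback)

    def publish(self, event: str, payload: dict) -> int:
        subscribers = list(self._subs.get(event, []))
        for callback in subscribers:
            callback(payload)
        return len(subscribers)


def demo() -> dict:
    # Runs the four patterns end to end and returns what each produced.
    router = Router({"standard-a": lambda m: f"a handled {m['id']}",
                     "standard-b": lambda m: f"b handled {m['id']}",
                     "priority-a": lambda m: f"express handled {m['id']}"})
    routed = [router.route({"id": 1})[0], router.route({"id": 2})[0],
              router.route({"id": 3, "type": "priority"})[0]]
    aq = AsyncQueue(lambda m: f"processed {m['id']}")
    ack, result = aq.submit({"id": "ABC"}), aq.provider_ready()
    agent, received = EventAgent(), []
    agent.subscribe("order.created", received.append)
    agent.subscribe("order.created", lambda p: None)
    delivered = agent.publish("order.created", {"id": 1})
    return {"xml": csv_to_xml(SAMPLE_CSV), "routed": routed, "ack": ack,
            "result": result, "delivered": delivered, "received": received}
```

Each intermediary is the only place that knows both sides, so swapping a provider or changing the legacy format touches one component rather than every consumer.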