Security 2015 or Why I Sometimes Hate My Clients


Last month Box announced their Enterprise Key Management thing. Today they announced their acquisition of Subspace, and are part of ACE (really important app standard). I sometimes marvel at the progress that the industry that pays my bills is making, and then this kind of shit shows up in my mailbox (the Canada Post version, not the Outlook one) …

Cyber Security 2015

In case you were wondering, mobile access is not supported and it’s recommended that you use IE or Safari.

Box Announces Enterprise Key Management


On February 10, 2015 Box announced the beta release of Enterprise Key Management (EKM). Put simply, EKM addresses cloud security concerns by giving customers control over the encryption keys used to access content stored on Box. It’s add-on functionality, at an additional cost, that’s going to remove one of the barriers to cloud adoption. This is a very, very good thing.


For those customers that have been dithering about whether or not to move content to the cloud because of security concerns, EKM ought to alleviate those concerns. Of course, those customers will have to be willing to commit to Amazon Web Services (AWS) if they want to avail themselves of EKM. However, it’s a beta folks and I’d bet that Box is actively working on other options.

With this announcement there’s a bunch of organizations that, all of a sudden, have no excuses left. That’s not to say that organizations should put everything into the cloud; they shouldn’t. There’s tons of content that organizations deal with on a day-to-day basis that makes absolutely no sense to move to Box. Take a look at transactional data that’s generated by utilities, communications providers, and financial companies; there’s nothing to be gained, yet, by moving all those transactions into Box. However, those same organizations, along with most others, deal with tons of content that is perfectly suitable due to its purpose in business processes. Think about loan/mortgage applications, cell phone contracts, and applications for utility services; all of these could easily be moved to the cloud. And now (well, when EKM gets to general release) it can be done with just that little bit extra assurance of security. Which brings me to another point, which I’ve made before …

Organizations are going to have a mixed bag of content repositories for the foreseeable future. Once EKM goes to general availability I’d love to have a bar chat about which is more secure; Box, on-premises, or the hosted private data centre. Based on what I know about some orgs I’ve worked with, I’d rather they put their content in Box, with or without EKM. I digress …

My point is that hybrid is a reality and that everyone involved in managing content (vendors, customers, regulators, legislators) is going to have to figure out how best to deal with access, security, collaboration, and everything else that goes into managing content as an asset. Part of that is understanding that not all content is created equal and can be treated the same. For me the end game has to be putting the users at the center and not forcing them into Cirque du Soleil-like contortions to gain access to the content they need to execute the task at hand. If Box’s track record is anything to go by, I’m optimistic that they haven’t lost sight of ease of use with the EKM beta.

The title of Aaron Levie’s (Box CEO) post announcing EKM is Breaking the Last Barrier to Cloud Adoption with Box Enterprise Key Management (and I thought I liked long titles). Uhm, no. Hell, EKM won’t even break down the last legitimate barrier. There is still a lot of Fear, Uncertainty, and Doubt (FUD) to overcome in getting organizations to move to the cloud (not a legitimate barrier). Organizations worry about data sovereignty, sometimes legitimately. Some contexts just don’t lend themselves to a smooth cloud experience (from Twitter this a.m., via Laurence Hart: “Some agencies require govt clearance to have access to encryption keys and/or be US citizen. Box can’t do that for workforce” – he’s not wrong. Laurence expands on the quote in this post).

If I were Box I’d handle the above like this:

  • FUD – time, tide, and attrition are your friend – patience, Grasshopper.
  • Legitimate data sovereignty issues – influence and wait for legislation; partner up to build/lease/coopt some friggin’ data centres.
  • Illegitimate data sovereignty issues – see FUD
  • The point that Laurence brought up – don’t sweat it. You can’t play there now anyways.

Box’s announcement about Enterprise Key Management is significant, and it’s a really good thing. However, it’s not the last hurdle and I’d bet money they know that. But it does take away one excuse that ditherers and FUDders have been hanging on to.

And for those of you who are about to bring up AWS outages – IT’S A BETA!!!

Enterprise File Sync & Share – It’s Not What You Think It Is


When Gartner came out with their Magic Quadrant for Enterprise File Sync and Share (EFSS) back in July 2014 I laughed a little because I find the idea of an EFSS market, well, laughable. Yes, I know they put in a whole bunch of stuff about what could or should be part of the market, but boiled down it seemed to me that EFSS per Gartner is little more than the old Microsoft Briefcase. I.e.: a feature of a larger solution. Let’s face it; EFSS is little more than email and consumer grade cloud storage. One of the names that’s been bandied about to replace EFSS is ECC – Enterprise Content Collaboration. I don’t like it very much, either.

If I were Box, EMC, Alfresco and most of the other vendors on the MQ I’d be more than a little irked. Most of the vendors have invested heavily, organically or via acquisitions (sometimes both), to come up with some pretty cool and innovative solutions (not products) that allow people on both sides of the firewall to work together. These solutions allow organizations to impose various levels of automation, governance, and security to critical content. Being categorized as a File Sync and Share provider is frankly insulting. I find it insulting to the vendors as well as the customers.

Some of the vendors have been more successful than others, but I don’t think it’s germane at this point to come up with a list of winners and losers as the market (whatever its true name ought to be) is still fairly nascent. At most we’ll be able to make some guesses as to who will survive intact for the next few years and who won’t. Depending on the original exit strategy, being acquired is a perfectly valid form of survival. Will success of the wrongly-labelled EFSS players be measured against the same metrics that are currently being used for the incumbent (some would say legacy) Enterprise Content Management (ECM) players? Why would I even bring this up?

Gartner EFSS MQ - July 2014

The Gartner Magic Quadrant for Enterprise File Synchronization and Sharing is available from Gartner as well as from some of the mentioned vendors including Syncplicity, Box, Alfresco, and Citrix.

Note: For what it’s worth OpenText should have been included in the MQ, based on Tempo Box, which I used when I was working there. As for what’s coming up from OpenText, I’m looking forward to seeing what OpenText Core is all about.

If you look at the MQ, some of the players are ECM incumbents (Microsoft, IBM, EMC, Alfresco), which is another reason why I find the EFSS market and associated MQ a bit of a giggle. In all but a few scenarios the ECM incumbents are competing not only against the new entrants and upstarts, but they are competing against themselves. For all practical purposes, some of the new players can provide solutions every bit as capable of meeting functional requirements as the incumbents, but with much better experiences. Sure, they’ll have to collaborate and form alliances with other vendors, but how is that really any different than what’s going on today? Where ECM currently has an advantage over the new players is in ultra-regulated environments for certain business processes. That, however, will change as the tools improve, as legislation changes, and as purchasing organizations see the FUD (Fear / Uncertainty / Doubt) for what it really is.

I recently completed an ECM assessment for a Canadian university; they asked me to assess why Alfresco wasn’t as successful as they’d anticipated (it wasn’t Alfresco’s fault – please read You Are the Problem for some details). They asked that I recommend that they either press on with Alfresco or dump it and go with SharePoint. When I brought up the option of using a cloud solution they were adamant that this was something they did not want to do. The reason they gave was based entirely on FUD, lack of understanding of current day realities, and lack of understanding of what their users (internal and external) want and need. So I included an appendix putting forward a solution based on one of the MQ’s upper right vendors. That vendor is perfectly capable of meeting the university’s requirements on all fronts.

As a consultant it’s my job to not only deliver what my clients pay me to deliver, it’s also my job to educate them and to present alternatives that they may not necessarily be thinking about. In the case of the university, a cloud based solution based on a platform provided by one of the vendors in the MQ is perfectly viable, despite my client’s prejudices.

When it comes to Box and others in the (to be renamed) EFSS market, we’re not far from the point where they can punt the incumbent ECM vendors to the curb. They’ve got some solid foundations in place and a pretty decent roadmap for the future. How the various players build on their foundations is going to depend on what they see as their core strengths and where they see the most potential. Box is taking a platform approach, Dropbox is pinning its future on Microsoft, and Huddle is focussed on collaboration. The others all have game plans that include features and functions and deployment options. I’m fairly certain that all the players are going to find their fit, but it’s not going to be EFSS. EFSS is purely table stakes, as others have said. I think we’re going to see fragmentation in the market sooner rather than later. I think we’re going to see more and more occasions where someone does what I did and puts one of the (for now) EFSS players up as an alternative to ECM incumbents. What I’m really looking forward to seeing is when/if the ECM incumbents actually change their game, not just add features, to keep up with the times. I suspect it’ll happen later rather than sooner.

A lot of people and companies, me included, have been going on about Information Governance (IG) for a while now. In a previous post I wrote about ECM not living up to its promises and being supplanted by Information Governance. What does this have to do with the space that isn’t EFSS? I’m glad you asked …

I attended BoxWorks in September 2014 (my thoughts, if you’re interested) and I’ve also been pretty interested in the whole not-EFSS space for a while; I’ve concluded that Box and some others are going to supplant the legacy ECM vendors even as ECM transitions to being a collection of functions required to deliver IG. Between the vendors that provide the core platform and 3rd parties that provide additional functionality, I’m fairly certain that most of what’s defined as IG activities and technologies could be provided. Take a look at the two graphics below; the first represents the facets of IG and the 2nd represents the various technologies that make up IG.

IGI Annual Report - IG Facets

Think about the various players in the un-EFSS market. How many of the facets (activities) in the above graphic could be handled by those players or their partners? Don’t worry about whether or not you agree or don’t that all the facets belong under IG; choose the ones that matter to your organization.

IGI Annual Report - IG Technology Markets

Of the technology categories in the above graphic, how many could warrant inclusion, to at least some degree, of not-EFSS players and their 3rd party partners?

The two graphics above were produced by the Information Governance Initiative, in their inaugural Annual Report. Their inclusion here does not mean that I necessarily agree with what’s in the graphics or in the report, though I do recommend reading it (get it here, free subscription required).

Closing Thoughts

There are going to be some EFSS vendors (e.g.: https://www.sync.com/ – not included in the Gartner MQ) that are going to be pure play EFSS vendors, and that’s cool for them and customers that want that level of functionality. However, for most of those mentioned in the MQ the EFSS part of what they do is truly table stakes, to borrow a phrase. If I take a look at Box, Alfresco, Microsoft, EMC, OpenText (I am including them even though Gartner forgot to), etc., what they’re really providing is part infrastructure and part platform. Labelling them as EFSS makes about as much sense as calling SAP accounting software and lumping them in with Quicken.

It’s the infrastructure and platform pieces that set Box, Alfresco, Microsoft, EMC, OpenText, et al apart from the true EFSS players. With the pure EFSS players what you get is what you get, that’s it. With the EFSS+ players (I just made that up) what you get is foundational. What you do with that foundation is up to you and the potential will increase as the players mature. As much as organizations have built their information governance and management strategies around legacy ECM platforms, they’ll be able to do the same with EFSS+ platforms.

In this podcast Connie Moore and I discuss the EFSS market, as well as ECM. Brought to you by Digital Clarity Group. http://www.digitalclaritygroup.com/dcg-podcasts-efss/

Cloudy With a Chance of Success – the Update


I originally posted this back in November 2011. A lot has changed since then, but there’s also a lot that hasn’t. One of the biggest things that’s changed is that Enterprise File Sync and Share (EFSS) has gained a ton of legitimacy over the last little while.

I’m reposting this for a couple of reasons: 1) There’s much in the post that is still relevant; 2) I’ll be posting something in early January that’s related and want to use this post as a kind of introduction.

I debated whether or not I should edit the original post but decided against it. I’ve simply added some comments where I felt they were necessary to clarify things, likely as much for me as for you.

This post was inspired by this article on CMSWire by @billycripe and by the Cloud themed tweet jam hosted by CMSWire on November 17, 2011. As usual this is just my opinion.

I’m not an expert on cloud computing, I’m just some guy that likes to be able to access the content I need to do my work, from wherever I happen to be, using whatever device I feel like using at the moment. Take this post, for example; it was written on a laptop and a tablet, in a dining room and a swimming pool (not really in the pool since my tablet isn’t waterproof though that would be mega-cool).

I agree with Billy Cripe’s thoughts that Agile can (ought to) be applied in the development of cloud based ECM solutions. However, as Billy correctly states, “Managing content is not the goal of most businesses.” Most businesses exist to make money by providing products and/or services that consumers want. Businesses rely on information in order to get their stuff done, whatever their stuff is. In order to fully exploit information, the tools (i.e.: information stores) that the businesses rely on need to be connected to each other (so do the people – the tools need to facilitate this). Content / information management tools (cloud or not) need to be part of bigger picture business solutions. We need to build solutions that deliver “I need to share this” in the context of why it needs to be shared (answer why you need to share and you’ll likely figure out who and what).

Re-reading this now it seems as if the above is meant to imply that the topic is legacy ECM systems. That may have been true originally, but it’s not now. I’m really looking at this in terms of anywhere that content can be stored.

No sane person can argue the value and validity of the cloud. Except me. I’m not daft enough to think that cloud computing doesn’t have value or is not a valid approach to take. However, I do think that we’re not going to realize the full potential of the cloud (and by extension, content) if we simply limit its scope to content management. Yeah, I know that there are other things that are done in the cloud, such as CRM, payroll, and accounting.

We’ve gotten to the point where there really is no need to keep much on premises anymore.

When I refer to “cloud” I am referring to more than just the data centre, if that’s not obvious.

Content Wherever I Am

One of the cool things about content in the cloud is that my content is wherever I am. (Okay, so it’s not really my content, it’s my organization’s content.) That’s not the point, though. The point is that I can work with content wherever I happen to be, using whatever device I choose. This does assume that the chosen content repository is able to be synched appropriately. Wouldn’t it be cool, though, if in addition to being able to work with the content and share it with collaborators (the work variety, not the WWII Nazi variety) the content could also be appropriately tagged, filed, and placed under retention at the point that I plunk it into the repository? I.e.: Cloud repositories need to become extensions of ECM and ERM systems, probably through federation.

So the whole thing about federation is a little off. This really should be thought of as centralized policy administration and enforcement.

Correctly Connecting Corporate Content

Content is spread throughout an organization; cloudification just increases the spread. When I say content, I mean anything that is stored on digital media that serves any legitimate business activity. (For obvious reasons I am excluding physical content.) A key to widespread cloud acceptance is to be able to access / leverage content in order to execute a business activity, regardless of where the various pieces of content reside. An agent in a social services organization should not have to know or care that a citizen’s information is spread over a number of repositories that could be on-premises, in a private cloud, and in a public cloud. The agent is there to service the needs of the citizen, not to figure out some (likely) convoluted architecture just to try and find stuff.

CMIS is a step in the right direction, but where CMIS falls short is that it doesn’t address non-CMS (think ECM) repositories. What we need is something that allows connecting everything that we need, when we need it. Device and location should not be factors. In fact, the only thing that a user should worry about is whether or not they have the right content to do the job. Governance, classification, and security ought to be just taken care of.

If the scope opens up to include non-ECM tools, how much of a factor is CMIS? Look at what’s happening in the broader EFSS space with open standards and open APIs.

Speaking of Governance…

Until the governance issues get sorted, I doubt very much that we’ll see widespread adoption of public cloud services. Smaller organizations, organizations with lax regulatory / privacy regulations, and organizations that can bully providers into rock-solid SLAs may be able to go full public cloud, but I doubt they will. I think the reality is that organizations will end up having hybrid environments of cloud and on-premises.

When I say governance I am not only referring to the poo that legislators, regulators and litigators throw in our way. Governance needs to address issues such as:

  1. what can / should be stored in the cloud
  2. service level agreements
  3. disaster recovery / business continuity
  4. security
  5. classification / categorization
  6. retention & disposition (thanks to @JamesLappin & @AlanPelzSharpe for bringing this up)

Governance of cloud content has to deal with all of the things that we need to deal with for on-premises stored content, with the added complication that we also have to deal with where the damn box is and if some foreign government can get at it whenever they bloody well feel like it. Canada’s Anti-terrorism Act and the United States’ PATRIOT Act are not going to be very helpful in encouraging organizations to move to the cloud in a big way.

With so many employees using consumer devices and consumer services it’s better to accept the potential peek from the government than it is to continue to deny things and have content out in the wild.

Parting Shots

  1. Hybrid (cloud / on-premises) will be in the majority
  2. Governance (internally & externally imposed) has to be figured out
  3. Integration / interoperability are critical
  4. Privacy concerns and government snooping are major inhibitors (@ron_miller wrote a pretty good piece about this)
  5. If we’re not careful we’ll just move the mess from our hard drives to someone else’s
  6. Some Systems of Record will end up in the cloud, if they’re not already there
  7. Services are where it’s at

Bonus Material

I couldn’t decide which song I wanted to use for this post, so you’re getting three:

  1. CCR – Have You Ever Seen the Rain?
  2. CCR – Who’ll Stop the Rain?
  3. SRV – Couldn’t Stand the Weather

A couple definitions for those that think it should be “on-premise”

  1. http://oxforddictionaries.com/definition/premise
  2. http://oxforddictionaries.com/definition/premises