Related Items »   Your Most Vital Corporate Asset — Data

Your data stockpile represents critical collective intelligence for driving business value if harnessed correctly and made widely available. Sun Vice President of Identity Management Sara Gates shares with Boardroom Minutes readers Sun's unique approach to tying the information lifecycle to the identity lifecycle with the goal of enabling business leaders to usher their companies into the next wave of Internet computing.

Q: What are the business drivers bringing data management and identity management together?

A: Companies today are struggling to manage rapidly growing amounts of data — our catch-phrase is "data sprawl." Sprawling data means increased storage costs. It's increasingly challenging and costly to store data and meet regulatory requirements around data protection and retention. Storage capacity growth rates are ranging from 40 percent to 300 percent per year, and storage is expensive. Storage hardware utilization rates are also very low — about 40 percent to 60 percent. At the same time, there is a need to maximize the business value of data.

On the security front, companies are struggling with how to get security under control, to enhance compliance. It doesn't really matter to a CIO whether it's data security, building security, network security, or application security. It just needs to be secure. As we discussed in our last interview on identity management, Sun is putting security and control in place, not to lock things down, but so that we can hit the next wave of computing, the Web 2.0 read/write Internet¹.

So it's a natural extension to tie identity-driven security to identity-driven data management. Costs go down, security is improved, and compliance is easier to get a handle on.

Q: Why is harnessing the data sprawl so difficult?

A: The difficulty in harnessing data sprawl is the lack of a common anchor that brings meaning to the sprawl. Identity is the anchor and the meaning that starts to bring intelligence to the sprawl. One key area of data management is data classification, where the business value of data is associated with the data. Sun is bringing a new dimension to data management by tying identity to data. Who are you? What data should you have access to? This intelligence lets companies make data available for consumption based on a person's, application's or a Web service's identity and associated rights.

Sprawl without intelligence is just cost, but sprawl with intelligence is value. One of the ways to bring meaning to the sprawl is with identity. If we can make data identity-aware, as it's created, with information about who or what can access it, then we make it more easily accessible to the right people, and therefore much more valuable.

Q: How do tighter controls make information more widely available?

A: Cars have brakes not so they can stop, but so they can go fast. Data identity is the brake on the car. It provides the right level of security so data can be safely opened up to help the business run more smoothly. Companies need their employees, partners, customers, applications and Web services to have access to the right data. The age of anonymous computing is behind us and we're entering the age of trusted computing. Trust is based in part on identity. So the case we're making is that you have to put the control in place by deciding which identities have access to which information. Sure, it feels like you are securing it, tightening it down. But in reality you are making it safe to allow more open access to the right people. In contrast, data couldn't be less usable, and therefore less valuable, than it is today.

Q: To what extent can or should businesses use stored data for competitive advantage?

A: All should, but very few can. If a company has easy access to revenue data, cost data, attrition data, engineering cycle data, product data, marketing data — and they can access it securely and make it easily available to the right people, they can make better decisions. That's competitive advantage. Data sprawl without intelligence is the problem. Identity needs to be integrated into data, devices, applications, services, and processes — with fine-grained control that gives you security and availability simultaneously.

Q: So what is Sun doing, both short-term and long-term?

A: Short term (defined by what we are doing to help customers now), we are tying the identity lifecycle to the information lifecycle, to reduce costs and automate compliance demands.

The first thing we are doing is identity-based data consolidation. We said earlier that storage utilization rates are really low, but at the same time storage costs are on the rise. That's a problem. At the first stage of the identity lifecycle, when an employee joins the company for example, companies can automatically drive storage allocation based on role or identity. That starts to get things under control. As the employee changes jobs, gets promoted, or changes geographic locations, you can use that event to automatically drive the storage changes that need to occur. And then when people leave the company, you can eliminate much of their personal data and move the rest to the lowest-cost storage array.

One thing we found in the identity management market is that most large companies have 20,000+ dormant accounts — with each dormant account tied to stale data stored on primary storage. So the first thing we are doing is driving storage utilization based on the identity of a person or application and we're doing that via our Sun Java System Identity Manager product combined with several of our information life cycle management products.

The second thing that we are doing is strengthening compliance. Customers and companies now know that in order to meet Sarbanes-Oxley type demands, they need identity management for controlling who has access to business critical systems, and they need storage because they have to store compliant data in a certain way for prescribed periods of time.

Identity management today sets up accounts and roles, and manages who can access the different systems. There is a central point of control. It requires multiple approval workflows, and full auditing of everything that happens. We are now taking that capability and applying it over the multiple, secure archiving systems where all of the compliant data is stored. It's a natural extension of identity management to include the systems where compliant data is stored. It gives you more control and visibility, as well as built-in reporting by showing who has access to your archives. Now companies will be able to archive data based on identity.

In addition, an identity-based policy controls access to the archives, allowing only those people to access archives that have a legitimate reason for doing so. We do this today across systems like SAP and Oracle and Microsoft and mainframes by looking for business policy violations based on identity and then fixing them. We are applying this same concept over the systems where stored data is residing. So if someone has access to two different archive systems and that is a business policy conflict, we find that proactively and address it. This helps strengthen compliance and security.

Q: Are Sun's competitors doing this?

A:No. This is unique to Sun. We've got a leadership position in both the identity management and data management markets and we're bringing these two disciplines together to solve real customer problems today. In terms of timing, this is the year to bring identity management and data management together. Drive down your storage costs and strengthen your compliance reporting by integrating data and identity today. Only Sun can offer this right now.

Q: What is the future for identity-aware data?

A: I think the future is about the intelligent data network where data becomes the new functionality and companies are no longer held hostage to their applications. Applications are not only composable, they are disposable. But data will be widely available and completely secure. Data will be the functionality — the new "Intel Inside" for the next wave of computing.

Look at companies who have made data widely available, like Google. If Google launched an online grocery store, which product suppliers today could participate? Only those entities able to share their product, price, or distribution data. Today companies are held hostage by their applications which control the data.

About Sara Gates

As the vice president of Identity Management at Sun, Sara is responsible for the business and product strategy, product definition, and marketing for Sun's identity management portfolio. She previously held roles at Waveset Technologies, Microsoft, and Deloitte Consulting.

Additional Resources

• The Importance of Data

¹_{The next generation of the Web, in which the Web becomes a read-write platform; hard-wired applications are replaced by lightweight, consumable services; data is ubiquitous and re-mixable; and users control their own data, among other things. See http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?page=1}