Entries from May 2010 ↓

E-discovery forensics at CEIC 2010: sorta sexy, sorta scary, not at all niche

This year marked the 10th anniversary of the Computer and Electronic Investigations Conference (CEIC), a show hosted by Guidance Software focusing on digital investigations in forensics, e-discovery and cyber-security.  I’ll be reviewing this event in two posts, because there’s a lot of ground to cover here – check in tomorrow for some show highlights and more on forensics in practice for e-discovery.

As you might guess, both the crowd and the content at CEIC had a heavy technical and practitioner bent, along with a refreshingly low BS-quotient – good attendance and engagement at the in-depth sessions, not a lot of swag-grabbing seat-fillers milling around the exhibition floor.  Forensics has traditionally had strong traction in law enforcement and government, but the new EnCase E-discovery certification exam (EnCEP) and cyber-security track brought in good numbers of private sector attendees from both IT and General Counsel as well.  Overall attendance reportedly grew about 40% this year to 1300.

At this point, some of us without EnCE certification may be wondering, "Why is forensics important to e-discovery, and what is it anyway?"

The bottom line in practice is that forensic collection and Guidance’s EnCase format in particular have very strong court defensibility.  From a broader market perspective, Guidance is the only US e-discovery software vendor to have gone public (in 2006), and it has an enviable customer base among the Fortune 500.  All this is to say that while forensics is an expert-grade technology, it is not at all a niche.  In fact, Guidance was #1 in our recent user survey for current usage at 23%, while rival forensics vendor AccessData was cited by 11% of respondents planning to purchase e-discovery software or services in 2010.

And what exactly is forensics?  Here I will paraphrase liberally from forensic examiner, attorney and expert-at-large Craig Ball:

Computer forensics is the expert acquisition, interpretation and presentation of active, encoded and forensic data, along with its juxtaposition against other available information (e.g., credit card transactions, keycard access data, phone records and voicemail, e-mail, documents and instant message communications and texting).

What kind of data are we talking about?  According to Craig: any systems data and metadata generated by a computer’s OS and software (for example: the date you create an MS Outlook contact), as well as log files, hidden system files, and deleted files.  Many tools also handle encrypted files and have additional functions like scanning images to detect pornography – CSI-grade stuff.

The most familiar forensic method of gathering evidence is imaging an entire hard drive, i.e., creating an exact duplicate of every bit, byte and sector, including “empty” space and slack space, with no alteration or additions to the original data.  However, for e-discovery purposes, processing and reviewing that much data from a large number of enterprise machines would be prohibitively expensive and time-consuming.  Not to mention the risk of finding things you’re not looking for (even potentially criminal data like pornography, which must be reported by law), and the danger of making incriminating data or deleted files accessible to opposing counsel.  For these reasons (among others), vendors like Guidance offer “targeted collection,” often through desktop agents installed on laptops and PCs that automate searching and collection by specific criteria across the network.
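
For readers who like to see the mechanics, here is a minimal, hypothetical Python sketch of the kind of logic a targeted-collection agent applies: filter a custodian’s files by extension and date, then hash each match so the collection can later be shown to be unaltered.  The file types, cutoff date and manifest format below are my own illustrative assumptions, not EnCase’s or any other vendor’s actual implementation.

    import csv
    import hashlib
    import os
    from datetime import datetime, timezone

    # Hypothetical collection criteria -- real e-discovery tools let examiners
    # define these centrally and push them to desktop agents across the network.
    TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pst", ".msg"}
    CUTOFF_DATE = datetime(2009, 1, 1, tzinfo=timezone.utc)

    def sha256_of(path, chunk_size=1 << 20):
        """Hash the file in chunks so large files don't exhaust memory."""
        digest = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                digest.update(chunk)
        return digest.hexdigest()

    def targeted_collection(root, manifest_path="collection_manifest.csv"):
        """Walk a custodian's directory tree and record matching files, their
        sizes, timestamps and hashes in a manifest (nothing is copied here)."""
        with open(manifest_path, "w", newline="") as out:
            writer = csv.writer(out)
            writer.writerow(["path", "size_bytes", "modified_utc", "sha256"])
            for dirpath, _, filenames in os.walk(root):
                for name in filenames:
                    if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                        continue
                    path = os.path.join(dirpath, name)
                    info = os.stat(path)
                    modified = datetime.fromtimestamp(info.st_mtime, tz=timezone.utc)
                    if modified < CUTOFF_DATE:
                        continue
                    writer.writerow([path, info.st_size,
                                     modified.isoformat(), sha256_of(path)])

    if __name__ == "__main__":
        targeted_collection("/home/custodian/Documents")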

Tomorrow’s post will feature CEIC highlights from users, vendors and speakers, plus more on forensics and the e-discovery use case.  In the meantime, for some additional perspective check out #CEIC on Twitter [update: or #CEIC2010], or blog coverage from Craig Ball, Chris Dale and Josh “Bowtie Law” Gilliland of D4.  Many thanks to them and to the others who shared their experiences with me.  Stay tuned.

EMC World redux, and EMC’s own ‘journey’

We recently attended EMC’s annual user confab – EMC World – in Boston. The 451 Group was there in force, with Kathleen Reidy and Katey Wood representing our Information Management agenda, as well as Henry Baltazar and myself on the storage side. Yes, it’s taken me longer than I thought to put some thoughts together – which I am attributing to the fact that I have been involved in the Uptime Institute’s Symposium in New York this week; an excuse that I am sticking to!

For our take on some of the specific product announcements that EMC made at the show, I would refer you to the reports we have already published (on V-Plex, Atmos, SourceOne, mid-range storage and Backup and Recovery Systems). But aside from these, I was struck by a few other broader themes at EMC that I think are worth commenting on further.

First, the unavoidable — and even overwhelming — high-level message at EMC World revolved around the ‘journey to the private cloud’ – in other words, how EMC is claiming to help customers move from where they are now to a future where their IT is more efficient, flexible and responsive to the business. Whether or not you believe the ‘private cloud’ message is the right one – and I talked with as many ‘believers’ as I did ‘skeptics’ – there’s no doubt that EMC has the proverbial ball and is running with it. I can’t think of many other single-vendor conferences that are as fully committed to the cloud as EMC’s, and given EMC’s established position in the enterprise datacenter and its portfolio of offerings across virtualization, security and information management, you can understand why it has cloud religion.

But there undoubtedly is risk associated with such a committed position; I don’t believe ‘cloud’ will necessarily go the way of ‘ILM,’ for example, but EMC needs to start delivering tangible evidence that it really is helping customers achieve results in new and innovative ways.

Another issue EMC has to be careful about is its characterization of ‘virtualization’ versus ‘verticalization.’ This is designed to position EMC’s ‘virtualization’ approach as a more flexible and dynamic way of deploying a range of IT services and apps across best-of-breed ‘pools’ of infrastructure, rather than through the vertical stacks that are being espoused by Oracle in particular.

Though I believe that a fascinating — even ideological — battle is shaping up here, it’s not quite so clear-cut as EMC would have you believe. What is a vBlock if not a vertically integrated and highly optimized storage, server, network and virtualization stack? And doesn’t the new vBlock announcement with SAP offer an alternative that is in many ways comparable with the Oracle ‘stack’ (especially if you throw in Sybase as well)? I get the difference between an Oracle-only stack and a more partner-driven alternative, but I think the characterization of virtualization as ‘good’ and verticalization as ‘bad’ is overly simplistic; the reality is much more nuanced, and EMC itself is embracing elements of both.

Speaking of journeys, it’s also clear to me that EMC is on a journey of its own, both in terms of the products it offers (and the way it is building them), and in terms of how it positions itself. EMC has always been a technology company that lets its products do the talking; but in an era where larger enterprises are looking to do business with fewer strategic partners, this isn’t always enough. Hence, the ‘journey to the private cloud’ is designed to help EMC position itself as a more strategic partner for its customers, while efforts such as the VCE (VMware, Cisco and EMC) coalition bring in the other infrastructure elements that EMC itself doesn’t offer. At the conference itself, much of the messaging was focused on how EMC can help deliver value to customers, and not just on the products themselves.

This approach is a rather radical change for EMC. Though it remains at its core a conservative organization, I think this more ‘holistic’ approach is evidence that two recent senior management additions are starting to make their presence felt.

The first hire was that of COO Pat Gelsinger, an ex-Intel exec who has been brought in to assemble a plan to execute on the private cloud strategy. As well as a very strong technical pedigree, Gelsinger brings the ability to conceive and articulate the big picture combined with an understanding of the tactical steps required to realize it, including product development, customer satisfaction and M&A. It seems to me that Gelsinger is already immensely respected within EMC, and is regarded by some as CEO-in-waiting; a transition that would be a shoo-in should this strategy pay off.

The other key addition is that of ex-Veritas and Symantec CMO Jeremy Burton as EMC’s first chief marketing officer. To me, this appointment underscores EMC’s need to market itself both more aggressively and differently in order to maintain and grow its position in the market. Though Burton has only been in the job for a few weeks, we got a sense at EMC World of how he may reshape EMC’s public image; a more light-hearted approach to keynotes (some of which worked better than others, but you have to start somewhere!) bore Burton’s hallmarks, for example.

But if Burton came to EMC for a challenge, I think he has one; EMC’s reputation and brand in the large datacenter are solid, but it has work to do to build its image in the lower reaches of the market, an area that CEO Joe Tucci has highlighted as a major growth opportunity.

Although this is as much a product challenge as anything else, EMC must also carefully consider how it brands itself to this audience. Will an existing EMC brand – Clariion, Iomega or even Mozy – appeal to a smaller storage buyer, or should it come up with something entirely new? Given its disparate product set here, could an acquisition of an established smaller-end player provide it with an instant presence?

Then there’s the issue of direct marketing; today, EMC spends a fraction of what its rivals spend on advertising in the trade and business press. Given Burton’s background at Oracle and Symantec, plus the growing imperative for IT companies to appeal to the C-suite to reinforce their strategic relevance, could EMC soon be featuring on the back page of the Economist?

E-discovery user survey 2010 – a view from the front lines

Some of the best-kept secrets in e-discovery are not the kind revealed in a courtroom.  We all know about legal confidentiality, but the IT side has its own code of silence – call it “analyst-client privilege.”

It’s not that users and customers won’t talk about their vendors and methods – especially if they’re unhappy with those vendors, or have a horror story to share, which many do.  But users rarely go on-the-record with specifics in e-discovery.

So this year we introduce our first annual user survey.  It’s available as part of our just-released E-discovery and E-disclosure report for 2010, or you can access a copy through Applied Discovery here.  It will also be featured in our upcoming BrightTALK webinar on Thursday, May 27th at 12 noon ET, presented by Research Director Nick Patience.  Register here to attend.

And what did we learn?

Users report that corporate litigants still overwhelmingly use existing in-house resources and employees to fulfill discovery requests.  In spite of vendors’ claims that the market demands one throat to choke, customers still purchase tactically depending on their requirements.  About half perform e-discovery on an ad-hoc basis with no repeatable business process or dedicated staff.

What they are buying is even more revealing – our data gives the distribution of usage among 50+ vendors, with purchasing broken down by product or step in the EDRM (Electronic Discovery Reference Model), and whether customers choose software, services, law firms or in-house systems for each function.  Cross-tabbing by industry, company size, volume of litigation and legal budget shows even more granular trends and hot spots in what remains a highly fragmented market.

Beyond a snapshot of current holdings, half our respondents have shopping plans for 2010, showing shifts in vendor traction and product purchasing.  Users have strong predictions of their own for the market as well.  They are clear on pain points in the process and vendor selection criteria.  That said, future purchasing plans show little critical mass on vendor selection – it’s still anybody’s game in e-discovery.

And what about the cloud?  Or information governance?  Is cost still king for everyone?

Join us for a thorough run down of the state of the market in 2010 – a view from the front lines of e-discovery.  Register here to attend.

Why SAP should march in the direction of ANTs

SAP faces a number of challenges in making the most of its proposed $5.8bn acquisition of Sybase, not the least of which is that the company’s core enterprise applications do not currently run on Sybase’s database software.

As we suggested last week, that should be pretty easy to fix technically, but even if SAP gets its applications, BI software and data-warehousing products up and running on Sybase ASE and IQ in short order, it still faces a challenge to persuade the estimated two-thirds of SAP users that run on an Oracle database to deploy Sybase for new workloads, let alone migrate existing deployments.

Even if SAP were to bundle ASE and IQ at highly competitive rates (which we expect it to do), it will have a hard time convincing die-hard Oracle users to give up on their investments in Oracle database administration skills and tools. As Hasso Plattner noted yesterday, “they do not want to risk what they already have.”

Hasso was talking about the migration from disk-based to in-memory databases, and that is clearly SAP’s long-term goal, but even if we “assume for a minute that it really works,” as Hasso advised, there is going to be a long period during which SAP’s customers remain on disk-based databases, and SAP is going to need to move at least some of those to Sybase to prove the wisdom of the acquisition.

A solution may have appeared today from an unlikely source, with IBM’s release of DB2 SQL Skin for Sybase ASE, a new feature for its DB2 database product that provides compatibility with applications developed for Sybase’s Adaptive Server Enterprise (ASE) database. Most Sybase applications should be able to run on DB2 unchanged, according to the companies, while users are also able to retain their Sybase database tools, as well as their administration skills.

That may not sound like particularly good news for SAP or Sybase, but the underlying technology could be an answer to SAP’s problem. DB2 SQL Skin for Sybase ASE was developed with ANTs Software and is based on its ANTs Compatibility Server (ACS).

ACS is not specific to DB2. It is designed to support the API language of an application written for one database and translate it to the language of the new database – and ANTs maintains that re-purposing the technology to support other databases is a matter of metadata changes. In fact, the first version of ACS, released in 2008, targeted migration from Sybase to Oracle databases.
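
ANTs doesn’t publish ACS internals, and the real product intercepts calls at the API/protocol level and is driven by metadata, but the underlying idea of dialect translation is easy to sketch. The toy Python example below rewrites a few Sybase T-SQL idioms into rough DB2 equivalents; treat the mappings as illustrative assumptions rather than anything ACS actually does.

    import re

    # Purely illustrative mappings from a few Sybase ASE T-SQL idioms to rough
    # DB2 equivalents; ACS itself is metadata-driven and works at the API level,
    # not via a hard-coded table like this one.
    TOKEN_RULES = [
        (re.compile(r"\bGETDATE\s*\(\s*\)", re.IGNORECASE), "CURRENT TIMESTAMP"),
        (re.compile(r"\bISNULL\s*\(", re.IGNORECASE), "COALESCE("),
    ]

    def translate_statement(statement):
        """Apply the toy rewrite rules to a single Sybase-flavored statement."""
        for pattern, replacement in TOKEN_RULES:
            statement = pattern.sub(replacement, statement)
        # 'SELECT TOP n ...' needs a structural rewrite, not just a token swap:
        # DB2 expresses the row limit as 'FETCH FIRST n ROWS ONLY' at the end.
        top = re.match(r"SELECT\s+TOP\s+(\d+)\s+(.*)", statement,
                       re.IGNORECASE | re.DOTALL)
        if top:
            body = top.group(2).rstrip().rstrip(";")
            statement = "SELECT %s FETCH FIRST %s ROWS ONLY" % (body, top.group(1))
        return statement

    if __name__ == "__main__":
        sybase_sql = "SELECT TOP 10 name, ISNULL(phone, 'n/a'), GETDATE() FROM customers;"
        print(translate_statement(sybase_sql))
        # SELECT name, COALESCE(phone, 'n/a'), CURRENT TIMESTAMP FROM customers
        # FETCH FIRST 10 ROWS ONLY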

Sybase should be pretty familiar with ANTs. In 2008 it licensed components of the company’s ANTs Data Server (ADS) real-time database product (now FourJ’s Genero db), while also entering into a partnership agreement to create a version of ACS that would enable migrations from Microsoft’s SQL Server to Sybase Adaptive Server Enterprise and Sybase IQ (451 Group coverage).

That agreement was put on hold when ANTs’ IBM opportunity arose, and while ANTs is likely to have its hands full dealing with IBM migration projects, we would not be surprised to see Sybase reviving its interest in a version that targets Oracle.

It might not reduce the time it takes to port SAP to Sybase – it would take time to create a version of ACS for Oracle-Sybase migrations (DB2 SQL Skin for Sybase was in development and testing for most of 2009) – but it would potentially enable SAP to deploy Sybase databases for new workloads without asking its users to retool and re-train.

New report: Open to disruption — open source in content management

We have a new report entitled “Open to Disruption: The Impact of Open Source in Content Management.”  Our purpose with this report is to look at the commercial implications of open source in content management. That is to say, our focus is on the vendors that have tied their business models to the availability of open source code and the customers that are willing to engage financially with these vendors.  The community-run projects (e.g., Drupal, Joomla et al.) have a big impact on this market, but they are not the focus here.

I’ve been slogging away on this report for weeks and it has been really interesting to write. I have been covering the vendors making a go of business models tied to open source for several years now, but I had never before sat down and tried to look at the market as a whole: to look across the vendors, across the different sectors in content management and across target markets.

Some of the things that struck me and are covered in much more detail in this report are:

  • There is growing acceptance of open source in content management and there are more commercial options for organizations that want (or need) to have a commercial license and/or entity behind the code. More than a dozen vendors are profiled in the report.
  • That said, we’re still in the early days of commercializing open source in content management.  While many of the open source projects in content management are well established, many of the vendors in this report have made fairly significant changes to their business models and/or expanded geographically in the last two years.  Most are still fairly small (e.g., no more than $10m in revenue and fewer than 100 employees), though several are growing quite rapidly.
  • There is a good deal of variety in terms of platforms, market focus (e.g., SMB vs. enterprise) and sector (WCM vs. ECM), though open source has a much stronger showing (and is much more accepted) in WCM than in other areas of ECM.
  • Many of the vendors in this sector are moving to or have moved to sales of commercial licenses (even if they don’t call it that), generally for “enterprise” products that extend an open source core.  This is the model that Alfresco follows, with some success, and it is being taken up by a number of other vendors here as well.
  • This isn’t true across the board, though, and there is certainly no shortage of controversy about this approach.  The report also profiles vendors that primarily sell support subscriptions for open source code, implementation services or add-on products/extensions.

The report goes into a good deal of depth on what is driving adoption of open source in content management, challenges to adoption that are specific to this sector, the overall vendor landscape and business models the various vendors are applying.  The report also profiles Acquia, Alfresco, Concrete CMS, Day Software, dotCMS, DotNetNuke, eZ Systems, Hippo, Jahia, KnowledgeTree, Liferay, Magnolia, Nuxeo, SilverStripe, Squiz and Umbraco.

SAP-Sybase: the database rationale

The 451 Group has published its take on the proposed acquisition of Sybase by SAP. The full report provides details on the deal, valuation and timing, as well as assessing the rationale and competitive impact in three core areas: data management, mobility, and applications.

As a taster, here’s an excerpt from our view of the deal from a database perspective:

The acquisition of Sybase significantly expands SAP’s interests in database technology, and the improved ability of the vendor to provide customers with an alternative to rival Oracle’s database products is, alongside mobile computing, a significant driver for the deal. Oracle and SAP have long been rivals in the enterprise application space, but Oracle’s dominance in the database market has enabled it to wield significant influence over SAP accounts. For instance, Oracle claims to be the most popular database for deploying SAP and says that two-thirds of all SAP customers run on Oracle Database. Buying a database platform of its own will enable SAP to break any perceived dependence on its rival, although this is very much a long-term play: Sybase’s database business is tiny compared to Oracle, which reported revenue from new licenses for database and middleware products of $1.2bn in the third quarter alone.

The long-term acquisition focus is on the potential for in-memory database technology, which has been a pet project for SAP cofounder and supervisory board chairman Hasso Plattner for some time. As the performance of systems hardware has improved, it is now possible to run more enterprise workloads in memory, rather than on disk. By using in-memory database technology, SAP is aiming to improve the performance of its transactional applications and BI software while also hoping to leapfrog rival Oracle, which has its disk-based database installed base to protect. Sybase also has a disk-based database installed base, but has been actively exploring in-memory database technology, and SAP can arguably afford to be much more aggressive about a long-term in-memory vision since its reliance on that installed base is much less than Sybase’s or Oracle’s.

SAP has already delivered columnar in-memory database technology to market via its Business Warehouse Accelerator (BWA) hardware-based acceleration engine and the SAP BusinessObjects Explorer data-exploration tool. Sybase has also delivered in-memory database technology for its transactional ASE database with the release of version 15.5 earlier this year. By acquiring Sybase, SAP has effectively delivered on Plattner’s vision of in-memory databases for both analytical and transaction processing, albeit with two different products. At this stage, it appears that SAP’s in-memory functionality will quickly be applied to the IQ analytic database while ASE will retain its own in-memory database features. Over time, expect R&D to focus on delivering column-based in-memory database technology for both operational and analytic workloads.

In addition, SAP touted the applicability of its in-memory database technology to Sybase’s complex-event-processing (CEP) technology and Risk Analytics Platform (RAP). Sybase was already planning to replicate the success of RAP in other verticals following its acquisition of CEP vendor Aleri in February, and we would expect SAP to accelerate that.

Meanwhile, SAP intends to continue to support databases from other vendors. In the short term, this will be a necessity, since SAP’s application software does not currently run on Sybase’s databases. Technically, this should be easy to overcome, although it will clearly take time, and we would expect SAP to encourage its application and BI customers to move to Sybase ASE and IQ for new deployments in the long term. One of the first SAP products we would expect to see ported to Sybase IQ is the NetWeaver Business Warehouse (BW) model-driven data-warehouse environment. SAP’s own MaxDB is currently the default database for BW, although BW can also be deployed on Oracle, IBM DB2, Microsoft SQL Server, Teradata and Hewlett-Packard’s Neoview. Expect IQ to be added to that list sooner rather than later, and potentially to replace MaxDB as the default database.
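
As an aside to the excerpt above, the row-store versus column-store distinction underpinning the in-memory discussion can be illustrated in a few lines of Python. This is a toy sketch of the general technique, not a description of BWA, IQ or ASE internals; it simply shows why an analytical aggregate touches less data when each column sits in its own contiguous array.

    # A toy illustration (not SAP's or Sybase's actual engines) of why a
    # column-oriented, in-memory layout suits analytical queries: an aggregate
    # over one attribute only touches that attribute's array, whereas a
    # row-oriented layout drags every field of every record through memory.

    rows = [
        {"order_id": 1, "region": "EMEA", "amount": 120.0},
        {"order_id": 2, "region": "APJ",  "amount":  75.5},
        {"order_id": 3, "region": "EMEA", "amount": 310.0},
    ]

    # Row store: SUM(amount) has to read whole records.
    total_row_store = sum(r["amount"] for r in rows)

    # Column store: the same data held as one contiguous array per column,
    # so SUM(amount) scans only the 'amount' column.
    columns = {
        "order_id": [1, 2, 3],
        "region":   ["EMEA", "APJ", "EMEA"],
        "amount":   [120.0, 75.5, 310.0],
    }
    total_column_store = sum(columns["amount"])

    assert total_row_store == total_column_store == 505.5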

I have some views on how SAP could accelerate the migration of its technology and users to Sybase’s databases but – for reasons that will become apparent – they will have to wait until next week.