Monday, July 27, 2009

Vendors Survival: Will Software AG Survive until 2019?

This post is another post in the Vendors Survival series following posts on Microsoft, Google, HP, Sun and EMC.

The intended acquisition is an opportunity to add another post in my Vendors Survival posts series.

A brief history of Software AG Mainframe products
Software AG is larger than any German software company except SAP.
It was established in the Mainframe age (in 1969). I worked with many customers who used, and some of whom are still using, its two flagship products, Adabas and Natural. Although these products support many platforms, their main platform is IBM Mainframe.

Adabas is a database and Natural is a development environment. Like other pairs of Database and Development Environment in the mainframe environment built by the same vendor (e.g. Ideal and Datacom, Mantis and Supra), they are tied together. As a result, although it is possible to use other development environments with Adabas, Adabas users frequently use Natural as their development environment. In many cases Natural is used in conjunction with Adabas; however, it is also used in DB2 and Oracle database environments.

Software AG's mainframe challenges (which are similar to other vendors except IBM) are:

1. The Platform is controlled by IBM
IBM is the only server vendor, the only Operating System supplier (I do not think that Solaris on z-series Mainframe is significant; it may disappear after Sun's acquisition by Oracle, just as Windows on Mainframe failed many years ago. Linux availability in z-Systems Mainframes is controlled by IBM, cooperating with Red Hat and Novell (SUSE)) and the dominant Middleware (CICS and IMS/DC) vendor.

IBM also dominates the Mainframe database market with DB2 and the development environment (Its COBOL environment owns approximately 80% of the market and I am not aware of other Java vendors competing with IBM in the Mainframe market).
Gradually, small and medium Mainframe users are migrating to Windows and Linux on Intel based servers. As a result, IBM's control is growing due to Mainframe users' tendency to avoid non-mainstream solutions.

2. Adabas is not a Relational Database
Software AG made the same mistake that Cullinet (the database market leader of the 70s with its IDMS database) and other traditional DBMS vendors made by not adopting the Relational Model at the right time. The Relational paradigm has been the mainstream approach for the last 25 years (Oracle, DB2, SQL Server, MySQL etc.) and therefore Adabas is supported only by a limited number of third party products and Integration solutions.

Although it is not easy to migrate from one mainframe database and development environment to another mainframe environment, currently only two vendors (CA and Software AG) still have a significant share of the DBMS and Development Mainframe market.

Software AG's traditional Middleware
There are three types of traditional middleware developed or acquired by Software AG:

1. Online Transaction Processing (OLTP) Middleware
Software AG developed Com-Plete, a Mainframe OLTP product completing its Adabas/Natural product line. However, it failed to compete with IBM's CICS and IMS/DC.

2. In order to address integration between Adabas/Natural and other environments, the company developed Entire and afterwards Entirex.
Entirex's strength is in integrating Adabas/Natural, but it includes other integration functionality (e.g. integrating Microsoft's COM with Mainframe).

3. The company acquired an Israeli startup, Applinx, which developed a Web-To-Host product.

Software AG as a SOA & BPM vendor
The root of Software AG's SOA efforts is a product named Tamino.
The product is the leading XML database.
However, it could be described by the same phrase used by an analyst for describing Novell's Netware many years ago (I am not quoting, just relying on my memory, so I may quote it inaccurately) after Microsoft released its Active Directory: Leader of declining or disappearing market.

The reason for using this description for Tamino is the addition of XML functionality to market leading RDBMS products.

In 2006, the company released a SOA suite. The suite included:

Centrasite – UDDI based registry and SOA Governance tool co-developed with Fujitsu
Information Integrator – EII product
Service Orchestrator – ESB and BPEL
Legacy Integrator – based on Entirex and Applinx
Application Designer – Ajax based User Interface
Application Composer – Composite Applications
BPM – Fujitsu's Interstage Business Process Management branded as a Software AG product.

In addition to the strategic partnership with Fujitsu, the two companies partnered with other companies, including IDS Scheer and ILOG.

The strategy was based on partnerships, because Software AG was too small to compete with the four big SOA Ecosystems (IBM, Microsoft, Oracle and SAP).

The company also partnered with three of the Big Four Ecosystems: Microsoft, SAP and IBM.
It should be noted that Software AG's BPM expertise was limited; therefore it limited its BPM efforts to handling BPEL processes (the limitations of BPEL are described in a previous post titled BPEL for the People) and used Fujitsu's product instead of developing its own BPM solution.
The significant move in BPM was re-hiring Tobias Rother.

After departing from Software AG, Tobias Rother worked as Principal Managing Director of Staffware and for Tibco, which acquired Staffware.
As a Vice President BPM in Software AG, Tobias Rother formed an interesting BPM strategy aiming at addressing five different levels of business processes, including user interface mini-flow, which is not handled properly by some of the BPM suites.  

In 2007, Software AG acquired WebMethods. WebMethods was one of the three leading pure integration vendors (together with Tibco and SeeBeyond, which was acquired by Sun).

This acquisition changed Software AG's SOA and BPM strategy.
Since then the SOA suite has been based on WebMethods products and brand.

Centrasite is the only Software AG product which is still a major component of the SOA and BPM Suite. No wonder that Legacy integration components are also Software AG's original products: WebMethods suite functionality for legacy integration is very limited.
Software AG's SOA & BPM solutions are leading solutions. For example, according to Gartner Magic Quadrant (March, 2009) it is a leader in SOA Governance.

Forrester Wave Integration-Centric Business Process Management Suites, Q4 ’08 rates the company as the strongest in Strategy and in Current Offerings.

IDS Scheer proposed Acquisition
IDS Scheer's ARIS is the leading BPM modeling tool, as described in a post titled BPM & SOA.

It is the Application vendors' preferred modeling tool (SAP, Oracle and Microsoft). Traditionally, it was used by SAP users. The partnership with Oracle and Microsoft is recent, so the majority of ARIS customers are SAP users and the technical compatibility of the product with SAP applications is better than the technical matching with other applications.

Recently IDS Scheer extended its solutions with a BPM execution component.
This successful company's positive attitude toward being acquired is based on the decline in new installations (fewer new ERP installations in the Recession) and the increased competition with the modeling components of BPM suite products.
Software AG is a player in the Legacy applications market. It is not a player in ERP, CRM or other applications markets.

The key questions in this First Take are:

1. For what purpose does a BPMS market leader acquire a BPM company which has overlapping products?
The reasons could be the superiority of ARIS over WebMethods modeling components, as well as extending market share.
Software AG will have to decide upon its BPM Modeling strategy: integrating ARIS into WebMethods BPM Suite (BPMS)? Gradually replacing the current modeling offering with ARIS? Or allowing two modeling solutions, one for Applications processes and another for other environments?

2. Why should Software AG acquire a company specializing in the Applications market?
The application suites are gradually being transformed from rigid suites based on large components and focused on providing Business functionality into next generation suites focused on Agility and based upon Services and Processes.

Oracle and SAP provide their own middleware, but Process Modeling is a significant niche for which they are not offering solutions besides third party solutions. Software AG could dominate this niche for the long term by acquiring this market leader.
It should also be noted, that a significant challenge in most ERP and CRM implementations is integration with Legacy systems. ERP and CRM as well as other applications rarely replace the entire application portfolio.

Software AG's ability to offer extended Applications to Legacy integration solutions will be augmented by IDS Scheer's products.
Improved integration may postpone or deny migration from Legacy applications and if these applications are Adabas/Natural based the company could preserve a larger install base (Sometimes it will not be only preserving but also extending the Legacy applications Business Value as a full participant in the new SOA based enterprise).

Will Software AG survive for the next 10 years?
As already mentioned in my post titled Vendor Survival Guide: Supermarket, Grocery and Kiosk, every large company could be an acquisition target for a Mega company such as Oracle, Microsoft, SAP and IBM. Software AG is no exception to this rule.

But the Mega vendors' acquisition decisions are based upon strategy and business motivation, so why should any of them acquire Software AG?
The answer differs for each of Software AG's two main business lines: Legacy Infrastructure and SOA & BPM.

I do not think anyone will acquire the Legacy Business. IBM, more a competitor than a partner, is the only candidate (No reason for SAP, Oracle and Microsoft to buy IBM Mainframe based business). 

The strategic goal of IBM, the owner of this mainframe platform, is to extend the mainframe lifetime as long as possible; one of the main challenges is the limited number of ISV solutions, so why should it buy a major ISV and kill its products or preserve them?

IBM lacks expertise in Adabas/Natural, so why should it invest in a slowly declining line of business instead of investing in a growing market?

The SOA & BPM leading line of business could be an attractive acquisition target for Microsoft and SAP due to the limitations of their current SOA offerings.

It is less reasonable that Oracle, which recently acquired another SOA & BPM leader (BEA), and IBM, which is a leader in these markets, will acquire Software AG's SOA & BPM line of business.

Do not forget that Software AG is not struggling like Sun prior to its acquisition by Oracle.
It is a profitable company and therefore may not encourage acquisition by another company.
It should also be remembered that Software AG's transformation from a conservative German Mainframe company to a modern dynamic SOA & BPM company is very impressive (especially the unexpected WebMethods acquisition).

My conclusion is that Software AG could survive until 2019 but could also be an acquisition target (the whole company or only the SOA & BPM business line) sometime near the end of this ten-year period.
I do not expect Adabas/Natural to disappear until 2019, but the level of its decline could be a significant factor.

If the Adabas/Natural business line declines rapidly, on one hand Software AG's Legacy revenues will decline, so it may be an easier acquisition target, and on the other hand the merging process after acquisition could be less complex.

Wednesday, July 15, 2009

The Chain is as strong as the weakest link in the chain

The title describes a Security approach. According to this approach, the easiest and most plausible Security breach is through the weakest link.
Lessons learned from a few Penetration Tests I conducted support the approach cited above.

It is true that there is no way to assure absolute Security (for a deeper explanation of why, you can look at the web site of a well-known security guru, Bruce Schneier).

Any Security mechanism is breakable by someone who has expertise and spends a lot of resources (including time).
But it is also possible to breach Security without expertise and by spending only a few resources for a very short time: just exploit the weakest link.

As part of a Penetration Test, I always looked for simple, unsophisticated methods to penetrate instead of penetrating by using very sophisticated methods.
These methods could be used by anyone, unlike the sophisticated ones, which could be used only by a limited group of very talented experts.

What is the weakest link?
According to my experience it is the human factor.
For example, let's explore Password mechanisms. You may deploy a very sophisticated Password pattern, a frequent password change cycle enforced automatically and a reasonable Suspension mechanism for inactive users, but if users hang notes including their passwords on their screens (or on other visible objects), these good mechanisms are futile. Let alone a pattern demonstrated by an incident I experienced while conducting a Penetration Test.
Prior to that meeting, I discovered a user who had authorization far beyond his Role requirements. In front of the CSO I asked him for his password, just to demonstrate that it is possible to misuse the unneeded authorization. Instead of keying the password, he wrote it on a note and gave it to me. I am quite sure that a lot of employees lacking Security awareness training would give their passwords to unauthorized people (a well-known Phishing method is sending an e-mail message including a bank logo or eBay's PayPal logo and asking the recipient to type them into a form). If the unauthorized people are, or pretend to be, employees of a respected organization (e.g. a research institute, a market analysis firm, a well-known Software brand or a consulting company), then the probability of disclosing information is higher.
For additional information on the effect of representing a respected organization, read about a classical Psychological experiment conducted by Milgram many years ago.
This experiment is depicted in a YouTube video.

How weak is the weakest link?
It is even weaker than my expectations. Recently I read a post by eWeek's Brian Prince titled You are the weakest link, and found that in a report surveying 967 end users (the survey was sponsored by IronKey) roughly half of those surveyed said that their corporate data security policies are largely ignored by both employees and management. The severity of the policy violations varies.
For example, 61% admitted to copying confidential data and transferring the information to a non-corporate device, and more than 20% turned off security such as anti-virus software, desktop firewalls and enterprise device encryption.
My Take
It is clear that the weakest link is human beings. Precious and complicated Security software is not enough.
The question to be asked is why?
Part of the answer is human nature, but the other part could be reduced or eliminated.
As found in the survey, more than half (58%) of those surveyed said that they felt their companies did not provide adequate training on following the rules. 46% said the policies were too complex to understand.
The keys to good enough Security are awareness, awareness and awareness.
An adequate and down to earth Security Policy may also be helpful.
