Will EMC's information gamble work?

One-time storage player banks its future on information management and data security

In June 2006, EMC announced that it would acquire RSA Security for $2.1 billion, only to be met with a healthy dose of analyst skepticism and a 3 percent drop in its stock price. Many on Wall Street considered the price tag too high in light of RSA’s 2005 revenues of $310 million. Moreover, industry observers were disquieted by EMC’s unrelenting buying spree: RSA was merely the most expensive purchase out of a whopping 23 acquisitions it had made since early 2003, which have crossed the spectrum from systems management to content management to BPO.

CEO Joe Tucci calmly countered that his company was focused on the big picture of information management and was providing a way to weave security into EMC’s information infrastructure portfolio. The explanation and attempts to clarify the company’s vision have so far failed to seduce some veteran analysts.

“I haven’t heard a real story for EMC’s integration, and, frankly, I don’t really see that getting done,” says Laura DuBois, research director at IDC Storage Software.

Indeed, the big question mark for IT is whether EMC can successfully integrate such a diverse menu of companies and technologies. A few weeks before the RSA purchase, Gartner analyst Robert Passmore weighed in on the huge integration task ahead: “The good news about acquiring companies is you get there more quickly. The bad news is things don’t always work together. … One thing that helps [EMC] is that the quality of their acquisitions has been quite high. But it’s a mixed bag. The serious engineering and integration is still going to take time.” Several acquisitions later, his observation holds true.

IT customers were more approving, though alert to what may happen, for example, to RSA product lines and customer relationships once RSA became the security division of EMC. “With more than 2 million records in our patient database, we’re deeply concerned about security,” says Dr. John D. Halamka, CIO of Harvard Medical School and Beth Israel Deaconess Medical Center, who believes the RSA acquisition makes sense from a HIPAA standpoint because it helps ensure that certain data can be neither compromised nor modified. To the pessimists, EMC would simply say its strategy is in line with the enterprise’s evolution from data storage to information management and data security.

Staying the course on ILM

The difficult nature of efficiently managing information is precisely why EMC, at least until about a year ago, was beating the drum of ILM (information lifecycle management), the technology concept it had long endorsed for tagging and moving information while retaining and protecting it based on its business value at different points in its lifecycle. The results, it claimed, were lower storage and management costs, improved systems performance, and easier compliance.

EMC’s 2003 acquisition of Documentum was not simply to snag a platform that helps enterprises organize and manage exploding volumes of multimedia files. With it, EMC acquired many of the elements that make up the ILM stack, including searchability, classification, and a policy engine, according to Arun Taneja of the Taneja Group. Much of that technology, along with aspects of products from other acquisitions such as Legato and Smarts, has been integrated into its InfoScape ILM software.

ILM has been slow to take, however, as many companies have stuck with point solutions that focus on data movement in one data sector, such as messaging. Rather than shift the conversation, EMC has responded by expanding its vision. “We start with ILM but extend that strategy to building the entire information infrastructure, an information-centric way of managing data that works across any type of data or application,” says Mark S. Lewis, executive vice president and chief development officer.


According to Lewis, information services will ultimately exist as a peer in a service-oriented architecture, which means they’ll have to be fully autonomous, self-managed, secure, and able to interact with multiple applications. ProActivity, which EMC acquired in June, adds an essential awareness of the business processes in which that information is used, which is especially valuable in crafting protection policies.

So, what happened to ILM? “Fact is, ILM is still the most important capability we can deliver to our customers,” Lewis writes in a November 2006 blog post.

Four-pillar strategy

Information services within an SOA is but one pillar of EMC’s four-pillar strategy. The second is information security. “Over time, you’ll see us embed security into virtually every product we sell,” says CEO Joe Tucci, who hints that there will be a number of big announcements at this year’s RSA conference Feb. 5 - 9 in San Francisco.

It’s likely that EMC will take advantage of RSA’s two-factor authentication and back-end identity management platform to create role-based access control for storage management, according to the Enterprise Strategy Group, which expects it to add identity management to Documentum and VMware (acquired in 2004). EMC will also harness RSA’s BSAFE developer platform to add solid encryption and key management to information at rest on its storage platforms and as it moves from platform to platform in ILM. In the long term, EMC also plans to harness RSA’s platform, code-named Nexus, to provide a common security infrastructure for its product lines. Another recent acquisition, Authentica, acquired this past April, adds comprehensive DRM (digital rights management) while Network Intelligence captures an audit trail across systems for compliance and incident response.

The third pillar is virtualization, which encompasses several EMC acquisitions, most notably VMware. Widely viewed as a solid company with equally solid virtualization technology, VMware also provides a path from the server world into EMC’s own core storage and virtualization offerings. “IDC studies show that those who buy server virtualization are much more likely to buy storage virtualization,” says DuBois. Or to put it more bluntly, “If you consolidate 20 physical machines on one physical server, you’ll need some hefty network storage,” says Enterprise Strategy Group analyst Bob Babineau.

EMC is playing a delicate balancing game, however, as while it has integrated all its other acquisitions it has purposely kept VMware independent in order to keep IBM, HP, and other competing solution suppliers comfortable doing business with the company. As for storage virtualization, Rainfinity supplements EMC’s SAN-based Invista platform with a server-based file virtualization capability.

The fourth, IT orchestration and resource management, seems a bit of a stretch, until you remember that information availability extends beyond just storage to applications and infrastructure. “Just trying to manage storage in a vacuum from the standpoint of fault management and business process management makes no sense,” Lewis says. “With Smarts [acquired in 2005] we can introduce IT model-based management, which describes the principal behavior characteristics of the entire system. So when [access to information is disrupted] and you get thousands of error reports from applications, routers, nodes, etc., Smarts can take all that information in and say that the problem is really that your switch is broken.” nLayers (acquired in 2006) adds an understanding of the interdependencies of applications, resources, and business processes.

“Add that into the Smarts model and we can tell which applications will be impacted.” Lewis insists that EMC has no intention of getting into classic network element management category.

Indications of success

Does this four-pillared strategy make sense and is the public buying it? So far EMC is having a tough time making its strategy clear, which involves a lot of acquisitions of diverse companies and technologies and relies on its ability to integrate all these technologies with its core product line. This holds a number of risks, chief among them integrating the acquisitions themselves, a process that many a company has botched, leaving customers of the acquired companies high and dry. “Our acquisition Rule No. 1 is to do no harm,” Lewis says.

And what’s in store for RSA’s existing product line? “As EMC’s security division, RSA will be responsible for integrating security with EMC’s products but will also have an independent franchise,” says Art Coviello, former RSA CEO and present executive vice president at EMC “and will continue to sell security applications for heterogeneous environments independent of EMC’s products.” Indeed Coviello goes on to assure that RSA is continuing to build a heterogeneous key management platform that will require partnerships with companies as diverse as Oracle, Cisco, Microsoft, IBM and Hitachi. It’s unlikely that RSA will give up its SecureID gold mine. And in fact EMC has a good record of not only allowing acquisitions to remain reasonably independent, but, with access to EMC’s tremendous sales and other resources, acquired companies have generally done well. For example Documentum’s business has more than doubled since being acquired.

Keeping acquired executives on board and in positions of high responsibility is one way EMC has tried to keep its acquisitions humming (see “Leading the Charge,” left). For example, Coviello is in now in charge of EMC’s security division. Dave DeWalt, Documentum’s former president and CEO, has been an important EMC player, running its software group with Lewis and currently overseeing global sales. “They’re doing a lot to woo and make these newcomers feel at home,” Taneja says.

Another big challenge EMC must face is to organize and educate its sales force to sell the myriad products. “They’ve got north of a dozen ways to move and copy information,” says the Enterprise Strategy Group’s Babineau. “The pressure is humongous on the sales force of the acquired company,” Taneja says.

Still, the biggest hurdle -- the one IT is most concerned about -- is how the company will continue on its course of integrating such a diverse array of technologies. “InfoScape incorporates technologies from Smarts, Documentum, and Legato, but those acquisitions were two to three years ago,” Dubois says.

“One could argue that this is de-integration,” Taneja observes, “with software developers reaching into Documentum or other code and stripping off pieces like classification, a policy engine, and other elements and using them in a horizontal product. It’s a lot more difficult than simply integrating one product with another.”

In addition to InfoScape, EMC has managed to do this type of integration with other products, including its Invista virtualization solution, eDiscovery, and StorageScope. But the jury is still out on whether EMC can do all this integration quickly enough to stay ahead of its competitors. “They’re going to have to get products in consumers’ hands ASAP to be competitive,” Babineau says.

But Lewis says it’s all about pacing: “If you try to integrate too quickly you can lose sight of the core value of the property.”

Chalk one up for its successful revamping of both its flagship Symmetrix and Clarion lines. In another indication of success, EMC managed to retake its No. 1 position at IDC in Q3 2006 in three separate categories -- external storage, network storage, and network attached storage -- after some slippage in the previous quarter.

EMC officials say the company will forge ahead in its effort to offer everything up and down the stack for managing, protecting, and securing information over its lifecycle -- through acquisitions, partnerships, and integration. “EMC will continue to far out-invest its competitors in storage and information-management R&D,” Tucci says.

Meanwhile, Tucci’s big-picture comments about the changing role of IT are by no means isolated. “IT professionals are being asked to focus more on managing information and less on managing infrastructure,” DuBois says.

Click for larger view.
Click for larger view.

Copyright © 2007 IDG Communications, Inc.