Home | About | Recent Issue | Archives | Events | Jobs | Subscribe | ContactBookmark The Sterling Report


Does consolidation breed software product mediocrity?



Solving the Security Appliance Paradox 

By Dan Ryan, President and CEO, Secure Computing Corporation

Instead of simplifying IT security, some security providers have complicated it with point appliances. Here’s how to get back to basics, consolidate your security infrastructure and strengthen enterprise security.

Everybody – and I mean everybody – has jumped on the security appliance bandwagon. But before you make the move to security appliances, be sure to carefully consider your options.

On the one hand, you want an innovative solution that truly safeguards your network. But if you’re not careful, you could wind up buying ‘point’ products that add complexity to your network. Indeed, in their quest for simple IT security solutions, many enterprises have wound up with complicated architectures.

Let me be clear here: Appliances are a good thing. But not all appliances are created equally. Many of them are only point products that create more problems than they solve.

Why Appliances Became Popular
To understand our current predicament, you first have to understand the two key business drivers that have created strong demand for security appliances.

First, appliances are simple to plug into your network and deploy. Generally speaking, all the software comes preloaded and, in many cases, the systems include plug-and-play configuration tools. It’s not as simple as plugging in a toaster, but gone are the days of complex security software that require you to master Unix command lines and in-depth IP information. Point. Click. Configure. Done.

Second, appliances are purpose-built. They are designed around hardened operating systems. While general-purpose operating systems, like Windows or Unix, come packed with hundreds of different services you can leverage, each service provides another potential window or doorway for a hacker to exploit. Basically, you’re making a trade-off: The more services you want to run, the greater the risk you might experience a software exploit.

By contrast, a hardened operating system doesn’t have any non-essential services. For example, you don’t need FTP or Telnet capabilities in an email security appliance. You wouldn’t put fancy windows, skylights and breezeways in a fortress. Similarly, prudent security appliance makers strip away all non-essential services from their operating system of choice (typically Unix or Linux). As a result, there are far fewer weak links for a hacker to potentially exploit.

The trend towards appliances began in the late 1990s as businesses tried to simplify their existing client/server systems while simultaneously entering the Internet age. As email, browsers and Web servers became ubiquitous, traditional corporate barriers disappeared. Businesses needed a simply – yet effective – way to established virtual borders. Security appliances soon burst onto the scene to fill that void.

Today, there’s no doubting the popularity of the appliance model. By 2008, a stunning 80 percent of security solutions will be sold as appliances, according to International Data Corp. of Framingham, Mass.

Point Products Introduce New Problems
Unfortunately, businesses are beginning to discover that many of these new appliances are causing the very complexity they were designed to eliminate. One frustrated CIO at a Fortune 100 company tells me his organization has 13 different email security point products at a single Internet gateway: One has spam filtering, another is an anti-virus system, another provides content filtering, then there’s the encryption appliance…and the list goes on and on.

Each appliance requires a different trained expert to manage and oversee the system. We didn’t mean to do it, but in some ways we’re reverting back to the complex client/server systems in the 1990s. Client/server was supposed to improve our lives. Armed with networked PCs, our employees would access and analyze mounds of data from decentralized servers.

Client/server was a wonderful concept. But poor planning prompted many businesses to deploy a wide range of server standards – NetWare, Unix, Banyan Vines, OS/2, Windows and the list went on. The complexity was even worse on the desktop, where frequent application upgrades forced IT to reconfigure and troubleshoot PCs over and over again. Businesses wound up spending far too much time managing their servers and desktops, rather than deploying innovative applications.

The situation is now similar in the security market. Instead of having a simple, elegant security solution in place, many corporations spend endless hours troubleshooting a range of appliances that weren’t designed to work with one another.

Even so, enterprises continue to embrace security point products because they don’t fully understand the alternatives. In fact, customers’ growing appetite for appliances has created a feeding frenzy among venture capitalists and big technology companies. While VCs pump money into new security businesses, established technology vendors are trying to round out their product portfolios by acquiring appliance makers. At last count, there were about 800 IT security startups vying for the attention of customers, vendors and VCs.

On the upside, many small technology companies are innovative. If you can build a better mousetrap, customers are often willing to buy it. Still, 90 percent of today’s IT security startups have revenue below $15 million and will ultimately disappear as free standing entities from the business landscape. This adds a lot of uncertainty. Will the small company be bought by someone else and will that new owner continue development on the product? Or will the company go bankrupt and leave your IT staff responsible for ongoing support?

Thousands of businesses have spent the last five years or so building out appliance-based security fabrics, yet many of the threads within that fabric won’t stand the test of time.

In other words, if you’re buying appliances from young startups, the company and its technology may fail to survive the test of time. In fact, you could be left with a dead-end product.

Finding the Total Solution
What businesses really want are fewer appliances that are designed to work together and, as a whole, deliver a best-of-breed security solution. When it comes to security, businesses simply aren’t willing to settle for second-tier solutions. But how do you take all these point products from hundreds of vendors and roll them up into an integrated, best-of-breed solution?

First, look for a web security gateway that provides bi-directional traffic protection. The solution should protect enterprises from malware, data leakage and Internet misuse, while ensuring policy enforcement, regulatory compliance and a productive application environment. And make sure the appliance continually learns about emerging Internet threats through the vendor’s own global network of intelligent devices.

But your best-of-breed requirements don’t end there. You should also embrace a secure messaging gateway that provides security across multiple messaging protocols including email, instant messaging, and Webmail. Here again, the gateway should leverage the vendor’s own global network of intelligent devices to proactively uncover spam, phishing attacks, DDoS (distributed denial of service) viruses, zombies and Trojans.

Finally, embrace a network gateway security solution for firewall and application-layer protection. The gateway should provide secure network access, protect Internet-facing applications, block viruses, spyware and spam, and create a forensic-quality audit trail for regulatory compliance and reporting.

Some pundits may be tempted to roll all three of these security gateways into a single so-called ‘God Box.’ But as you start to roll all of these capabilities into a single box, performance can lag. An email gateway, for instance, is store-and-forward and doesn’t need to offer sub-second response time. People won’t notice if an email’s delivery lags for 30 seconds or longer. A web gateway appliance, on the other hand, may require nearly real-time performance. Put the two together in a single box and nobody is happy.

Practical experience and satisfied customers assert that the best solutions-oriented approach is to leverage Web gateway security appliances, messaging gateway security appliances and network gateway security appliances in tandem for multi-layer security.

And as you scan the market for options, be sure to investigate the financial health, stability and growth of each company. As I warned before, 90 percent of today’s security vendors won’t survive over the long haul.

Interview appliance vendors much in the way you would interview a job candidate, potential business partner or prospective college for your kids.
  • Do they have financial staying power?
  • How many engineers and PhDs do they have to keep up with rapidly evolving security threats?
  • Who are their partners within the IT ecosystem? (Then, talk to those partners)
  • Who are their existing customers? (Talk to a few)
  • How do their systems snap together?
Do your homework and you’ll find a solution from a partner with staying power.

Dan Ryan is President and CEO of Secure Computing Corporation, a leading enterprise security company. Secure Computing delivers a comprehensive set of best-of-breed solutions that help customers protect their critical Web, email and network assets. In this role, he drives product development, sales, marketing, services and support. Before joining Secure Computing, Dan was Senior Vice President of Enterprise Content Management Products at Oracle Corporation, where he drove the engineering, business strategy, product development and industry relations for the suite of products. Prior to Oracle, he served as Chief Operating Officer at Stellent, which was acquired by Oracle in December 2006. As COO at Stellent, Dan was instrumental in leading the organization from that of a niche enterprise software company to a leader in enterprise content management. During his eight-year tenure at Stellent, he held several executive roles including Executive Vice President of Marketing and Business Development, with additional responsibilities for product management and strategic partnerships and alliances. Dan also drove the company’s corporate development activities and oversaw numerous strategic acquisitions. Prior to Stellent, he served as Vice President of Marketing and Business Development at Foglight Software, which was acquired by Quest. For article feedback, contact Dan at dan.ryan@securecomputing.com

Click to email this article to a friend     Back


  Home | About | Recent Issue | Archives | Events | Jobs | Subscribe | Contact | Terms of Agreement
© 2006 The Sterling Report. All rights reserved.