The future of product suites in the quest for enterprise security
Jim Reavis
Network World on Security, 09/20/99
Companies in the information security market that seek to provide a complete product suite have taken a beating recently. For the most part, analysts have advised IT decision makers to solve their information security problems by selecting the best-of-breed product in any given technology focus rather than selecting a single vendor for all security solutions.
Indeed, there is a fair amount of logic to this approach, as most of the product suite vendors have been recently assembled via acquisition, and their products often lack the seamless integration one envisions in a product suite.
Advertisement: |
Product suite vendors have suffered from the costs of acquisition integration; they are spreading scarce resources too thinly and ignoring core competencies to the point that most have seen a financial bump in the road. On the other hand, security vendors that have remained focused on one or two security submarkets have done much better in terms of revenue growth, stock price and user perception.
So why, despite all this, am I going to tell you that an enterprise security suite strategy is the direction to take your own enterprise?
* Corporate IT cannot keep up with all product offerings in all security market segments. The innovation of the blackhats and security vendors leads to rapid changes within existing product segments and is also creating new product segments. Personal computer intrusion-detection and mobile-code inspection are but a couple of examples of product niches that did not exist until recently.
* Services gaps exist when trying to include too many vendors, particularly on a global basis. Total systems security requires a meeting of technology, policy and skilled professionals. True security is not a turnkey product, but requires strong people making good decisions. It appears that the shortage in qualified security professionals will continue for several years.
This problem is exacerbated outside of major markets. Streamlining the number of vendors and product lines that consultants and engineers must master is crucial to minimizing the services gap. Some proponents of a best-of-breed strategy seem to hold to an underlying assumption of unlimited human resources available to leverage.
* Security gaps can exist when the products don't match up, either by having products that overlap too much, overlap too little or are not capable of being integrated. A classic example of the best-of-breed approach is mismatched firewalls and virtual private networks (VPN). If a company's chosen VPN technology does not interoperate with a corporate firewall, decisions must be made that risk degrading overall security. It may become necessary to punch an insecure hole in a firewall to enable the VPN traffic to get to the corporate network, or to decide to bypass the firewall entirely.
* Product interoperability. There are no guarantees in life, even when choosing a single vendor. You stand a better chance at product compatibility and problem resolution.
The enterprise security suites have failed so far, not because of the concept, but because of poor execution as a result of companies digesting acquisitions, lacking a clear message and offering immature technology.
What we have seen marketed so far have not been true security suites, but rather extensive product lines with no underlying foundation. In the future, only truly exceptional companies will be able to have stand-alone products. Others will need to find alignment with security suite vendors - through close working relationships, OEM agreements and sharing key technologies. Building upon standards and vendor development alliances, such as Checkpoint's OPSEC, will help. But how many incompatibilities have you seen because two people read one standard differently?
Our prediction of a resurgence in security suites does not necessarily mean that the future of information security will consist of a small number of vendors. By utilizing Open Source products, a security vendor can round out its product line, or otherwise leverage key technology, without bearing the entire burden of the investment internally. Open Source software development has already begun to have a big effect on many aspects of the computer industry, and we feel that its presence will be strongly felt in the security market.
Corporate security planners will reduce the number of vendors in the future. Some of this will happen by existing hosts and network equipment adding features now found in third-party add-ons. Some reduction will occur as the result of continued acquisitions and consolidation in the industry. However, we believe that security suites will rebound due to the process of maturation and corporate IT's frustration chasing the increasing complexity of security technology spending that time running their businesses.
RELATED LINKS
N+I: Intel, Microsoft step up network security
Network World, 09/15/99
New tool blocks wily e-comm hacker tricks
Network World, 08/30/99
Check Point software bolsters LAN security
Network World, 08/30/99
Scanning for weak links in server security
Network World, 08/30/99
Defending against cyberattack
Network World, 08/23/99
New spec plugs LAN security gap
Network World, 08/23/99
Archive of Network World on Security newsletters
Network World Security Alert will keep you up to date on the latest security holes and patches, with daily updates from key vendors, security organizations and Network World reporters. See the latest dispatches from the security here.
