A Call to Action
Of the many hard lessons taught by the attacks of September 11, perhaps the most fundamental is that security measures are no longer optional. While the assault on America was not conducted by electronic means, nor specifically directed at information targets, these events have heightened our awareness of all aspects of security. Although the public focus has shifted to terrorism, we cannot dismiss the threats posed by activists, hackers, criminals, and even foreign governments. A recent internal Federal study issued a strong warning after giving our national agencies a collective “F” for security preparation. Unfortunately, U.S. commercial organizations on average are not much better prepared.
Even if we discount the probability of a terrorist action against our own organization’s IT assets, we should bear in mind one aspect of our recent crisis – it came from within, launched from American airspace by persons legally present in the United States. So it is with respect to network and information security – the biggest risk has been and continues to be from our employees and contractors. Thus we cannot rely solely on strong perimeter technology any more than the US can rely on the oceans; instead, we must simultaneously employ procedures such as employee background checks, and implement technology to confirm identity, check authorizations, and audit results.
Given the need to rapidly fortify our information technology and processes, the network security sector should experience rapid growth. Indeed, even before September 11, IDC released a study which forecast 23% compound growth in the broadly defined Internet security sector. With even higher growth rates now virtually guaranteed, the sector appears attractive for investment. Indeed, the security sector in general did not participate in the Internet bubble but plodded along at its own pace and at current growth rates will amount to a $14 billion business by 2005.
Security Sectors
The complex information technology infrastructure typical of large organizations cannot be protected with a few simple add-on security products. Indeed, hard experience has shown that complete security can never be guaranteed and would not be cost effective anyway. Thus prudent managers conduct risk assessments, create realistic security policies and then deploy a variety of appropriate security products. The vast differences between the system architectures and risk levels from one organization to another create the need for a wide spectrum of security products.
Product categories are somewhat fuzzy since almost all security products incorporate some type of user authentication and authorization as well as encryption, and many vendors offer hybrid products that incorporate several functions such as a firewall and virtual private network. Nevertheless it is important to understand the component parts of information technology security:
Firewalls block unauthorized access to certain applications and data via public networks and are widely deployed by enterprises as a first line of defense. Public networks are substantially less expensive to use than private networks, leading to enormous growth in network data transmissions and a switch away from relying on private networks. As organizations of all types make core systems and data at their branches and headquarters Internet accessible, distributed firewalls with central management have become a necessity. And just as branches are employing the Internet for access to headquarters, so too are employees increasingly working from home and on the road, tapping into corporate data. Without personal firewalls in place for each remote access point, a back door threat to the enterprise exists via these unprotected remote workers. Given such growing points of access needing protection, the firewall market grew 42% in the past year, boosting revenues of vendors such as Check Point, Secure Computing and Computer Associates.
Virtual Private Networks (VPN) are a companion technology to firewalls. In essence a VPN creates a secure channel within the public network that enables organizations to transmit data securely to distributed sites or trusted partners. An industry website states “VPNs have the same security and encryption features as a private network, while taking the advantage of the economies of scale and remote accessibility of large public networks. VPN products fall into three broad categories: hardware-based systems, firewall-based systems, and standalone application packages.” Portable VPNs are also being created to allow mobile workers to transact company business safely using the Internet. A host of VPN vendors have taken advantage of the Internet explosion, but Cisco’s Internet hardware strength has given it a dominating position.
Encryption uses mathematical algorithms to protect the confidentiality of data and serves as the basic tool for security and privacy, especially in today’s business where data is widely distributed and access is often broadly available. Exposure of high value data can result not only in fraud but also legal liability. For example, government regulations, such as the Health Insurance Portability and Accountability Act, require encryption for compliance. Commercial value in the encryption sector is generally not realized by creating a new algorithm, but by implementing well known and trusted “crypto systems” in specific security applications. A useful way to segment encryption companies is to distinguish those that secure data at rest from those that secure data in transit. The proliferation of portable devices such as notebook computers, PDAs and smart phones vastly complicates the protection of stored data and is leading to the introduction of distributed encryption systems from companies such as Pointsec Mobile Technologies.
Data in transit is obviously at risk for unauthorized disclosure or modification, particularly when using public networks such as the Internet. Wireless transmissions are generally viewed as even less secure and few employ encryption--even though such devices tend to be used by company executives and sales managers who deal with the company’s most valuable data. Encryption software sales expanded 38% last year, benefiting firms such as RSA Security, SSH and Certicom.
Authentication/Authorization verifies users’ identity and defines which resources they have access to, serving as the basis for access to internal resources as well as trusted relationships with customers, suppliers and channels. A wide variety of authentication technologies have proliferated to supplant vulnerable fixed passwords, including one-time password devices (RSA and Secure Computing), “smart” cards (ActivCard), and biometrics (fingerprint, voiceprint, etc.). As the demand for authorization by numerous applications creates user complexity, single sign-on solutions are gaining interest. The rising effort to administer such access control is also leading to delegated privilege management to offload the effort from a central control point and utilize policy management to streamline control. Given all of the data, applications and internal/external users needing varying security, enterprise-wide security management solutions are emerging to manage this complexity in a consistent manner. The authentication/authorization market, including firms such as Securant, Netegrity and Evidian, expanded 35% in the past year and is projected to be the fastest growing segment over the next five years.
Public Key Infrastructure (PKI) has been widely acknowledged as a foundation technology for security because it vastly reduces the problems inherent in encryption key management. Nevertheless, implementation has fallen below expectations due to overall complexity, high costs, and a variety of competing standards. Still, digital certificates generated with public key infrastructure are emerging as a preferred means of authentication for a wide range of applications, including secure email, remote access and digital signatures, thereby leveraging the overall PKI investment. Verisign has emerged as the leader in this sector, but Entrust and Baltimore also have strong positions.
Intrusion Detection is a new but vigorous product area that complements the longstanding audit function. Intrusion detection is a form of “real time” audit, warning organizations when security perimeters or policies have been breached in time to curtail the damage and halt further attacks. Internet Security Systems has attained a high degree of mindshare for this space, but can expect strong competition going forward.
Content management security is employed to prevent viruses. While anti-virus software for personal computers has been a basic security step for years, the entry points for viruses continue to broaden. In the past year numerous viruses have penetrated organizations from email, bringing that organization and frequently, given the rapid spread of email, its partners to a grinding halt. The explosive growth of wireless handheld devices that transmit and receive data opens the door to a whole new class of viruses with little protection currently in place. With this rising complexity, many firms are starting to outsource content management security rather than try to stay on the leading edge themselves while incurring significant costs for personnel, software and hardware. The constant pace of new viruses being launched aided sales of providers, such as Network Associates, Symantec and Computer Associates, enabling this market to grow 25% in the past year.
Web server security has recently been emphasized as a result of a spate of embarrassing defacements of important commercial and government websites. The biggest threat has been from distributed denial of service attacks which overwhelm Web servers’ normal defenses and leave them vulnerable to penetration. This segment is still nascent and waiting for leadership to emerge.
In sum, comprehensive enterprise security requires a combination of many solutions. Each solution area is experiencing strong growth as new threats continue to emerge. Growth is also bolstered by the increasing integration/coordination of business partners outside the enterprise via the Internet, expanding points of access to sensitive systems via the Internet and the rise of alternative access technologies (e.g., wireless devices) with new vulnerabilities.
Company Growth Strategies
The security sector has spawned a large number of companies, only a few of which (e.g., Symantec, Verisign, Checkpoint) ever achieved much size. Despite being essentially horizontal in nature, security products failed to achieve large scale because each application has a “narrow” purpose such as firewall or anti-virus. As a consequence security companies have tended to adopt one of three growth strategies:
1. Best of breed: Develop the finest product in a given category, gain market traction and make vendors with complementary products come to you for product cooperation. Checkpoint has succeeded well with this strategy, but is now facing increased competition from a host of special purpose firewalls.
2. One stop shopping: Develop or acquire multiple security applications (e.g., identity verification, intrusion detection, or Web security) and offer them to distribution channels under a common label and with a unified support system. Network Associates, Symantec and Secure Computing all tried this strategy, but met with various degrees of failure as sales and support costs skyrocketed.
3. Security suite: This is similar to one stop shopping, but the developer rationalizes the product line to share a common data infrastructure and to inter-operate smoothly. This strategy sounds wonderful but has proven extraordinarily difficult to execute given the difficulties of developing inter-locking security code to achieve multiple purposes on a variety of platforms. F-Secure went public with this premise, but has since cut back as it became evident that administrators are leery of learning an entirely new management console for security purposes.
On balance, it appears that the “best of breed” strategy is still the most prevalent and successful today. This will likely continue to be the case for some time as some of the rationale for developing a security suite has been diminished by the growing presence of common security infrastructure (e.g., public key infrastructure) with sophisticated data repositories (i.e., “directory services” including Active Directory from Microsoft and Netware Directory Services or NDS from Novell). Given the critical importance of security solutions and the pace at which the security market is moving, enterprises seem willing to invest the effort to find and utilize the best vendor in each category. This has created a tremendous opportunity for many start-ups who have developed the better mousetrap. However, once this market begins to mature and the degree of innovation slows, we expect that consolidation will occur in order to offer customers a comprehensive, integrated security suite.
Emerging Areas
Despite the increased attention to security matters, the IT security sector must still overcome complex issues that have impeded deployment of enterprise security technology. Buyers have always been put off by the complexity of security technology and the necessity of implementing frequently unpopular security policies. Moreover, the current economic malaise, compounded with a technology hangover, makes it difficult to suggest new technology spending, particularly when it is difficult to justify from a conventional ROI analysis. Nor does it help when the trade press is replete with examples of expensive PKI projects that crashed before takeoff or dangerous holes in products previously deemed trustworthy. The paucity of skilled administrators has made it difficult to implement approved security projects, leading some companies to outsource security altogether. Vendors also share part of the blame for their inability to agree on standards that lead to interoperable products for PKI, VPN and other shared security components. Given the heightened importance of security, rapid introduction of new “best of breed” solutions and the complexity involved in managing these, we do expect outsourced or managed security providers to gain interest.
Security’s complexity has also increased as access becomes more dispersed. When computer terminals were connected to mainframes, security was relatively straightforward. The use of the public Internet to provide connectivity and transport has opened up new points of security concern as elements of the corporation’s data infrastructure are now outside the control of the company. Now the rise of connected, mobile devices (e.g., personal digital assistants, Internet-enabled phones) compounds the problem with technologies (e.g., 802.11, WAP) unfamiliar to many IT shops. As a result, we see many CIOs trying to constrain the authorized use of new technologies which are outpacing IT’s ability to secure them. But we expect these efforts will become futile as the value of these new solutions becomes overwhelming—what CIO is going to prevail when sales executives say they require wireless PDAs to remain competitive? All of these new points of vulnerability provide a tremendous area for emerging security firms.
Summary
The IT security sector is riding three long-term convergent trends:
1) the burgeoning use of public networks to transact business,
2) the increased awareness of the resulting threat from a host of adversaries and insiders, and
3) liability arising from recent legislation intended to increase consumer security.
These trends ensure the steady growth of the IT security sector and present great opportunities for new as well as established vendors.
About John Muir: John has worked in the security industry since 1982 and is a frequent speaker at leading security conferences. He is a co-founder and member of the board of directors for Pointsec Mobile Technologies, Inc., a leading developer of enterprise security software used by dozens of international Fortune 500 companies and government agencies world wide.
Pointsec Mobile Technologies, Inc (www.pointsec.com) develops and markets enterprise security software for desktops, laptops, PDAs and other mobile computing devices to clients in the financial, high-tech, and medical industries, and to government agencies. Customers include Cisco, Ericsson, Nokia, InterTrust, U.S. Department of Justice, and Office of Naval Research.