Industry Article - July 08 Issue
Solving the Security Appliance Paradox
By Dan Ryan, President and CEO, Secure Computing Corporation
Instead of simplifying IT security, some security providers have complicated it with point appliances. Here’s how to get back to basics, consolidate your security infrastructure and strengthen enterprise security.
Everybody – and I mean everybody – has jumped on the
security appliance bandwagon. But before you make the move to security
appliances, be sure to carefully consider your options.
On the one hand, you want an innovative solution that truly safeguards your
network. But if you’re not careful, you could wind up buying ‘point’ products
that add complexity to your network. Indeed, in their quest for simple IT
security solutions, many enterprises have wound up with complicated
architectures.
Let me be clear here: Appliances are a good thing. But not all appliances are
created equal. Many of them are only point products that create more problems
than they solve.
Why Appliances Became Popular
To understand our current predicament, you first have to understand the two key
business drivers that have created strong demand for security appliances.
First, appliances are simple to plug into your network and deploy. Generally
speaking, all the software comes preloaded and, in many cases, the systems
include plug-and-play configuration tools. It’s not as simple as plugging in a
toaster, but gone are the days of complex security software that requires you to
master Unix command lines and in-depth IP information. Point. Click. Configure.
Done.
Second, appliances are purpose-built. They are designed around hardened
operating systems. While general-purpose operating systems, like Windows or
Unix, come packed with hundreds of different services you can leverage, each
service provides another potential window or doorway for a hacker to exploit.
Basically, you’re making a trade-off: The more services you want to run, the
greater the risk you might experience a software exploit.
By contrast, a hardened operating system doesn’t have any non-essential
services. For example, you don’t need FTP or Telnet capabilities in an email
security appliance. You wouldn’t put fancy windows, skylights and breezeways in
a fortress. Similarly, prudent security appliance makers strip away all
non-essential services from their operating system of choice (typically Unix or
Linux). As a result, there are far fewer weak links for a hacker to potentially
exploit.
The trend towards appliances began in the late 1990s as businesses tried to
simplify their existing client/server systems while simultaneously entering the
Internet age. As email, browsers and Web servers became ubiquitous, traditional
corporate barriers disappeared. Businesses needed a simple – yet effective – way
to establish virtual borders. Security appliances soon burst onto the scene to
fill that void.
Today, there’s no doubting the popularity of the appliance model. By 2008, a
stunning 80 percent of security solutions will be sold as appliances, according
to International Data Corp. of Framingham, Mass.
Point Products Introduce New Problems
Unfortunately, businesses are beginning to discover that many of these new
appliances are causing the very complexity they were designed to eliminate. One
frustrated CIO at a Fortune 100 company tells me his organization has 13
different email security point products at a single Internet gateway: One has
spam filtering, another is an anti-virus system, another provides content
filtering, then there’s the encryption appliance…and the list goes on and on.
Each appliance requires a different trained expert to manage and oversee the
system. We didn’t mean to do it, but in some ways we’re reverting back to the
complex client/server systems in the 1990s. Client/server was supposed to
improve our lives. Armed with networked PCs, our employees would access and
analyze mounds of data from decentralized servers.
Client/server was a wonderful concept. But poor planning prompted many
businesses to deploy a wide range of server standards – NetWare, Unix, Banyan
Vines, OS/2, Windows and the list went on. The complexity was even worse on the
desktop, where frequent application upgrades forced IT to reconfigure and
troubleshoot PCs over and over again. Businesses wound up spending far too much
time managing their servers and desktops, rather than deploying innovative
applications.
The situation is now similar in the security market. Instead of having a simple,
elegant security solution in place, many corporations spend endless hours
troubleshooting a range of appliances that weren’t designed to work with one
another.
Even so, enterprises continue to embrace security point products because they
don’t fully understand the alternatives. In fact, customers’ growing appetite
for appliances has created a feeding frenzy among venture capitalists and big
technology companies. While VCs pump money into new security businesses,
established technology vendors are trying to round out their product portfolios
by acquiring appliance makers. At last count, there were about 800 IT security
startups vying for the attention of customers, vendors and VCs.
On the upside, many small technology companies are innovative. If you can build
a better mousetrap, customers are often willing to buy it. Still, 90 percent of
today’s IT security startups have revenue below $15 million and will ultimately
disappear as freestanding entities from the business landscape. This adds a lot
of uncertainty. Will the small company be bought by someone else and will that
new owner continue development on the product? Or will the company go bankrupt
and leave your IT staff responsible for ongoing support?
Thousands of businesses have spent the last five years or so building out
appliance-based security fabrics, yet many of the threads within that fabric
won’t stand the test of time.
In other words, if you’re buying appliances from young startups, the company and
its technology may fail to survive the test of time. In fact, you could be left
with a dead-end product.
Finding the Total Solution
What businesses really want are fewer appliances that are designed to work
together and, as a whole, deliver a best-of-breed security solution. When it
comes to security, businesses simply aren’t willing to settle for second-tier
solutions. But how do you take all these point products from hundreds of vendors
and roll them up into an integrated, best-of-breed solution?
First, look for a web security gateway that provides bi-directional traffic
protection. The solution should protect enterprises from malware, data leakage
and Internet misuse, while ensuring policy enforcement, regulatory compliance
and a productive application environment. And make sure the appliance
continually learns about emerging Internet threats through the vendor’s own
global network of intelligent devices.
But your best-of-breed requirements don’t end there. You should also embrace a
secure messaging gateway that provides security across multiple messaging
protocols including email, instant messaging, and Webmail. Here again, the
gateway should leverage the vendor’s own global network of intelligent devices
to proactively uncover spam, phishing attacks, DDoS (distributed denial of
service), viruses, zombies and Trojans.
Finally, embrace a network gateway security solution for firewall and
application-layer protection. The gateway should provide secure network access,
protect Internet-facing applications, block viruses, spyware and spam, and
create a forensic-quality audit trail for regulatory compliance and reporting.
Some pundits may be tempted to roll all three of these security gateways into a
single so-called ‘God Box.’ But as you start to roll all of these capabilities
into a single box, performance can lag. An email gateway, for instance, is
store-and-forward and doesn’t need to offer sub-second response time. People
won’t notice if an email’s delivery lags for 30 seconds or longer. A web gateway
appliance, on the other hand, may require nearly real-time performance. Put the
two together in a single box and nobody is happy.
Practical experience and satisfied customers assert that the best
solutions-oriented approach is to leverage Web gateway security appliances,
messaging gateway security appliances and network gateway security appliances in
tandem for multi-layer security.
And as you scan the market for options, be sure to investigate the financial
health, stability and growth of each company. As I warned before, 90 percent of
today’s security vendors won’t survive over the long haul.
Interview appliance vendors much in the way you would interview a job candidate,
potential business partner or prospective college for your kids.
- Do they have financial staying power?
- How many engineers and PhDs do they have to keep up with rapidly evolving security threats?
- Who are their partners within the IT ecosystem? (Then, talk to those partners)
- Who are their existing customers? (Talk to a few)
- How do their systems snap together?
Do your homework and you’ll find a solution from a partner with staying power.
Dan Ryan is President and CEO of Secure Computing
Corporation, a leading enterprise security company. Secure Computing delivers a
comprehensive set of best-of-breed solutions that help customers protect their
critical Web, email and network assets. In this role, he drives product
development, sales, marketing, services and support. Before joining Secure
Computing, Dan was Senior Vice President of Enterprise Content Management
Products at Oracle Corporation, where he drove the engineering, business
strategy, product development and industry relations for the suite of products.
Prior to Oracle, he served as Chief Operating Officer at Stellent, which was
acquired by Oracle in December 2006. As COO at Stellent, Dan was instrumental in
leading the organization from that of a niche enterprise software company to a
leader in enterprise content management. During his eight-year tenure at
Stellent, he held several executive roles including Executive Vice President of
Marketing and Business Development, with additional responsibilities for product
management and strategic partnerships and alliances. Dan also drove the
company’s corporate development activities and oversaw numerous strategic
acquisitions. Prior to Stellent, he served as Vice President of Marketing and
Business Development at Foglight Software, which was acquired by Quest. For
article feedback, contact Dan at
dan.ryan@securecomputing.com