Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘CSC’

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host-based Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

Cisco’s “Kitchen Sink” Product Announcements

Thursday, October 7th, 2010

Did you see the series of announcements Cisco made this week? It was pretty impressive. This is the traditional season where Cisco announces products and new initiatives but this week’s announcements were very extensive — new switches, routers, security devices, wireless access points, WAN optimization equipment, etc.

In its marketing mastery, Cisco related all of these announcements to two core strategic initiatives, data center virtualization and borderless networks. In other words, Cisco is talking about the way IT applications and services are hosted (central data centers, virtualization, cloud), and the way they are accessed (wired and wireless networks, security, access control).

Cisco is clearly demonstrating that it plays in a different space than it used to. It’s all about industries, business processes, and enterprise IT now; the network simply glues all the pieces together. So why all these announcements at once? Doesn’t this water down the individual piece parts? I don’t think so. Cisco is actually doubling down on integration across its products with an overall strategy aimed at:

  1. Competing on all fronts. In one day, Cisco delivered a response to a spectrum of IT vendors like Aruba, Check Point, Juniper Networks, and Riverbed. Cisco may not have the “best-of-breed” product in each category but it is reinforcing the message that the whole is greater than the sum of its parts.
  2. Out-executing the big competition. Cisco is betting that it can deliver technology integration and enterprise IT initiatives faster than its primary competitors — HP and IBM. There is some precedent here–HP and IBM business units haven’t always worked together well so Cisco believes it can capitalize on its organizational structure and market momentum.

Now I realize that the “integrated stack” story has limited value today since customers have a history of buying servers from HP, wired networks from Cisco, Wi-Fi from Aruba, storage from , etc. That said, IT is radically changing. For example, ESG Research indicates that server virtualization is driving a lot more cooperation across disparate functional IT groups. As these organizations come together, it’s only natural that they will look for common solutions from fewer vendors.

In the meantime, service providers and financially-strapped organizations (e.g., state/local government, higher education, real estate, etc.) will look for IT savings anywhere they can, even if it means moving away from some vendors with relatively stronger point products in the process.

Cisco also has a services opportunity in that it gets to play services Switzerland and partner with companies like Accenture, CSC, and Unisys in competition with IBM Global Services and HP/EDS.

Lots of people knock Cisco products and point to better, faster, cheaper alternatives. Maybe, but the overall Cisco story seems pretty strong to me. As of Tuesday, Cisco has a bunch of new products that support its corporate strategy and make its story even stronger.

Note to Cisco: Pick Your Security Battle

Thursday, February 11th, 2010

I’ve written some not too flattering things lately about Cisco. Now I’ve got nothing against Cisco — I’m actually quite impressed with its broad portfolio, M&A strategy, and sales/marketing muscle. Cisco also has a lot of chutzpah — taking on Dell, HP, and IBM on next-generation servers wasn’t a move you’d see from a risk-averse company.

In general, I admire Cisco, but I’m not sure where it is going with security. I’ve written a few blogs about flat revenue, changing agendas, and product commitments in the past that I’m sure haven’t played well in San Jose. The pushback I tend to get is that Cisco builds security into all of its products so individual security products aren’t the right thing to focus on.

Hmm, this may be so but in my humble opinion Cisco is fighting on two fronts and right now it can’t win on either one. Allow me to elaborate.

Front number one is traditional security products. Aside from a few exceptions like IronPort, Cisco security products haven’t kept up with the competition. You can build all the security you want into products but you still need firewalls, IDS/IPS, gateways, etc. Cisco is losing a lot of these security product sales. The other problem here is that Cisco doesn’t cover all security areas. It has no desktop presence, limited application presence, no database presence, etc. This is the front where I’ve been most critical of Cisco. The only way Cisco can bounce back here is with a big acquisition (McAfee, Check Point?) or with a lot of strategic little ones.

Front number two is business security solutions. What I mean by this is more end-to-end security solutions that secure enterprise or vertical industry business processes. I believe Cisco is trying to go in this direction based on its new positioning and tag lines like, “enabling the next-generation workforce to collaborate with confidence.” Cisco’s instincts are spot on — enterprise organizations are now trying to secure business processes not just IT infrastructure. The move to secure business solutions means that deals get bigger and executives get involved with security decisions. Good news for Cisco except that it can’t hold a business security solutions candle to others like HP, IBM, Accenture, SAIC, etc. When push comes to shove, these others have vertical industry and business process mojo that Cisco just doesn’t have.

Cisco should go after the business security solutions market but it can’t just throw around new marketing initiatives and succeed like it has in the networking space. I suggest that Cisco do one, a few, or all of the following:

  1. Buy a services company. Dell, HP, and IBM are all using services as a differentiator and winning the secure business solutions battles (note: I realize that a professional services acquisition would be far more strategic for Cisco than security alone). I don’t think Cisco can win by being Switzerland with everyone else. Cisco needs to acquire someone like CSC or (dare I say?) Unisys for services muscle. This will help with UCS sales AND business security solutions. Note that HP is very successful at selling business security solutions yet it has few security products. The reason? Services strength, global reach, business process expertise, and lots of industry experience.
  2. Double down on identity management. In my mind, the identity space is perfect for Cisco. Why? The technology is rapidly changing and it will likely end up as a network service. Identity is also a key component of cloud computing. Cisco owns Securent and Rohati but that’s not enough. Courion is out there as a product and Ping Identity as a SaaS/network service (note: I like the Ping or network services play best). Alternatively, if Cisco buys a professional services company, it could make identity a core skill set and work with independent leaders like CA and Oracle.
  3. Get vertical. Cisco does a bit of this but it is mostly through its sales and marketing effort. My contention is that Cisco should acquire and build vertical solutions for health care, financial services, and the Federal government or get super aggressive with partners (note: HP and IBM may have locked up the best ones). Cisco can’t just deliver pipes, it needs entire secure solutions.
  4. Go deep with compliance. For years Cisco looked at compliance as a subset of security management. This may have been true 4 years ago but is no longer the case. Since increasing regulation impacts all industries, Cisco’s commitment here could complement all of my other suggestions.

Cisco has dabbled with a similar business security solutions strategy. For example, ScanSafe is a potentially great adjunct to UCS, data center products, and cloud/service provider sales and marketing. That said, Cisco has yet to jump in with both feet.

Note to John Chambers: If you want to compete with HP and IBM you need more than marketing magic that sits on the network — you need real business security solutions.

Given its security leadership history, I believe Cisco can be successful here with the right investments but I don’t believe that Cisco can fake its way through, or compete on security products and business security solutions from its current weak position.

© 2010 Enterprise Strategy Group, Milford, MA 01757