Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘EMC’

It’s Time For A New Name for Data Loss Prevention (DLP)

Monday, November 8th, 2010

Back around 2005, DLP was the buzz term Du Jour within the information security industry. DLP was designed to find sensitive data and make sure that this data wasn’t accidentally or maliciously misused. The most common DLP implementation was as a network gateway for filtering Layer 7 content. When a DLP device spotted credit card numbers in an e-mail, it simply blocked this transmission, thus preventing a data breach.

Back then, DLP was the proverbial low-hanging fruit for security protection so lots of firms were ready to buy. This prompted VCs to fund companies like PortAuthority, Reconnex, Tablus, Vericept and Vontu to complete in this burgeoning space.

Fast forward to 2010 and DLP has a bit of an identity crisis. Why? DLP was once a tactical point tool for blocking content on the network. Now however, DLP has evolved into:

  1. An architecture. Network DLP gateways, desktop software, and file systems agents are now part of a broader network architecture with central command-and-control and policy management.
  2. An integration nexus. DLP now integrates with encryption software, virtual desktop technology, and eRM.
  3. A policy engine. “Canned” compliance policies are no longer enough for large organizations. They want to develop and test custom policies for their own internal content. This is especially true for high security organizations or those with lots of digital intellectual property.
  4. A meta data hub. DLP is getting better at discovering and classifying data. More recently, DLP is gaining knowledge on who is actually using the data as well.

With these features, DLP is slowly morphing from a security policy enforcement point to a more holistic technology for data governance. In other words, this is an enterprise domain (i.e., consulting, distributed architecture, central command-and-control, etc.), not a tactical security domain. As such, the term DLP minimizes the technology value and no longer accurately describes what the technology does.

I know Gartner is often the default analyst firm for naming IT technologies but since nothing new is coming out of Stamford, let the people decide. I am partial to the term Enterprise Data Governance (EDG) myself–anyone have another suggestion?

Technology CEO Council’s Lightweight Federal IT Recommendations

Wednesday, November 3rd, 2010

Have you heard of the Technology CEO Council?  Neither had I until recently.  The council is made up of a strange mix of tech CEOs from organizations including Applied Materials, , , IBM, Intel, Micron, and Motorola.  Why this group and not Adobe, Cisco, HP, Juniper Networks, Microsoft, Oracle, and Symantec?  Beats me.

Anyway, the group published a paper in early October called, “One Trillion Reasons:  How Commercial Best Practices to Maximize Productivity Can Save Taxpayer Money and Enhance Government Services.”  The paper stresses the need to reduce federal spending and suggests some IT initiatives in support of this objective.  The initiatives include:

  1. Consolidate information technology infrastructure
  2. Streamline government supply chains
  3. Reduce energy costs
  4. Move to shared services
  5. Apply advanced business analytics to reduce improper payments
  6. Reduce field operations footprint and move to electronic self-service
  7. Monetize government assets

The paper is available at www.techceocouncil.org.

I agree with the spirit of this paper as there are plenty of ways to use IT costs savings to reduce overall federal spending.  That said, the paper is pretty weak and self-serving.  Specifically:

  • The Feds are already doing most of these things today.  Federal CIO Vivek Kundra is already driving data center consolidation.  Agencies were asked to submit initial input on June 30, 2010 and finalized plans are due on December 31.  Lots of federal agencies including CIA, DHS, DISA, and NASA are well along the road to cloud computing as well.  Perhaps the Feds should be more aggressive, but the same could be said of any organization.
  • The paper ignores legislative challenges.  The paper suggests things like consolidating common IT services like payroll, finance, and human resources.  Once again, this is nothing new as this type of consolidation was suggested in 2001 as part of Karen Evan’s Federal Enterprise Architecture.  Moving beyond inter-departmental cooperation toward a federal IT organization could indeed save money, but it would require overhauling (or at least tweaking) the Klinger-Cohen Act of 1996.  This could be a long arduous process.
  • What about security?  Federal IT spending is dominated by military and intelligence agencies with deep security requirements.  You can’t just consolidate around these.  Yes, security standards and regulations should be changed to keep up with the times–this is exactly what’s happening with FISMA 2.0 and the FedRAMP strategy to streamline cloud computing certification and accreditation (C&A).  Again, these things take time, thought, and care–not ideas and papers.

The CEOs also need to remember that their own internal IT organizations are far different than those in the federal government. When EMC executives mandate a massive VMware project, all of IT jumps into formation.  It doesn’t work that way in the public sector.

There were certainly some good points in the paper, but overall it is really a marketing piece put out by a lobbying organization.  In my humble opinion, there is some irony in this paper and organization–while the Technology CEO Council puts out a paper about how the federal government can save money on IT, companies like Dell, EMC, IBM, and Intel are happily wasting dough on a half-baked lobbying/PR organization.  Funny world.

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host-based Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

Get Ready for Multiple Virtualization Platforms

Tuesday, October 26th, 2010

My colleague Mark Bowker and I are at a Virtualization, Cloud Computing, and Green IT conference in Washington DC this week. In one of the panels we hosted, an IT executive from a cabinet-level agency mentioned that the agency was qualifying Microsoft Hyper-V even though it already has an enterprise license in place with VMware. When asked why the agency was doing this, he responded, “we are a Windows shop and have a great relationship with Microsoft. VMware has been great but we simply believe that the world is moving to heterogeneous virtualization platforms and we want to be ready for this.”

This IT executive is not alone. In a recent ESG Research study, 55% of the organizations’ surveyed say that their primary virtualization solution is VMware (VMware Server, ESx, ESxi, etc.). This relationship with VMware doesn’t preclude them from using other hypervisors however. In fact, 34% of survey respondents are using 2 virtualization solutions and 36% are using three or more. This was a survey of 463 North American-based IT professionals working at organizations with more than 500 employees.

My take-aways are as follows:

  1. Users should plan for multiple virtualization platforms. Standardization is great but it is likely that some applications and workloads will work best on one hypervisor versus another. This will demand training and management of disparate environments so standard processes and tools will be crucial.
  2. Training is key. Vendors need to realize that users need help with training and skills development before they buy the next virtualization widget.
  3. Vendors should develop broad partnering strategies. Two years ago, dedicating all virtualization resources to VMware was probably a good bet but this is no longer the case. Need proof? Cisco recently struck up a relationship with Citrix even though it has lots of resources invested in VMware and its 3 amigos relationship that also includes .

Yeah, I know, everyone would like one standard IT solution to meet all their needs. It hasn’t happened in the past and it won’t happen with virtualization either. The sooner that IT professionals and the industry recognize this the better.

Server Virtualization Security: A Lot More Work Is Needed

Monday, October 25th, 2010

If you attended VMworld in late August, you know that virtualization security was featured extensively. Ditto for VMworld Europe where VMware CEO Paul Maritz included a few security slides in his keynote presentation. Maritz and VMware get it–virtualization security has been somewhat neglected until recently. If server virtualization is truly to become next-generation cloud infrastructure, security must be integrated throughout the technology.

VMware vShield and partner products are a great start toward bridging this virtualization security gap. Unfortunately, security technology is only part of the problem. ESG recently surveyed 463 large mid-market (i.e., 500-1000 employees) and enterprise (i.e., more than 1000 employees) organizations in North America, to gauge how they were using server virtualization technology. The goal was to understand current use, future plans, successes, and challenges. It turns out that security problems are pretty persistent. For example:

  1. Security is often an afterthought. You know the “throw it over the wall” IT story? It happens here with security. Server virtualization projects are often well along the way before the security team gets involved. In these cases, server virtualization infrastructure adds security risk from the get-go.
  2. Security professionals lack server virtualization skills. When the security team gets called into the project, they aren’t really qualified to help. Since projects tend to continue, server virtualization security risks increase while the security team gets up to speed.
  3. There are no best practices. This may be changing but security professionals complain that server virtualization security doesn’t fit neatly into existing security frameworks and operating models.

In aggregate, there is a people problem (i.e., security skills), an organizational problem (i.e., project management/cooperation), and a process problem (i.e., no best practices). Yes, these issues do ease over time but it is clear to me that they never go away. At some point, highly-regulated organizations are likely to slow down server virtualization projects to address these security gaps. When this happens, server virtualization/cloud vendors will see sales slow to a crawl.

VMware is a technology company so it is doing what comes naturally–addressing security holes with new products and industry relationships. Nevertheless, VMware needs additional help from standards bodies, IT and security professional organizations, and professional services firms. The ESG Research clearly illustrates that server virtualization is a paradigm-shifting technology that changes IT organizations and processes. The real revolutionary potential of server virtualization won’t occur until IT organization and process changes become as pervasive as hypervisors.

October is National Cybersecurity Awareness Month (Who Knew!)

Monday, October 4th, 2010

If you watched any football games yesterday, you are well aware of the fact that October is National Breast Cancer Awareness Month. Kudos to the NFL for bringing national attention to this deadly disease and donating money to find a cure.

You are probably unaware, however, that October is also National Cybersecurity Awareness Month.

Over the course of the last year, we’ve witnessed visible cyber attacks on Google in January. We’ve seen the activation of the U.S. Cyber Command at Ft. Meade. At my last count, there were ten different bills in Congress related to cybersecurity, including, “The Protecting Cyberspace as a National Asset Act,” a comprehensive piece of legislation coming out of the Senate’s Homeland Security and Government Affairs Committee. Former “cyber czar” Richard Clarke published a new book titled, “Cyberwar.” Finally, we’ve recently witnessed the Stuxnet worm, a cyber weapon attacking the Iranian nuclear infrastructure.

I am providing this brief history to highlight a problem–if you aren’t a Washington cybersecurity insider, you would never know it is National Cybersecurity Awareness Month. Ironic? Yes, but also sad.

Now, I know it is early in the month and there is lots of further activity planned. I am also aware of the fantastic work driven by the National Cyber Security Alliance, an industry group spearheading the National Cybersecurity Awareness Month (www.staysafeonline.org). President Obama will step up and talk about cybersecurity and the indefatigable Howard Schmidt will be as vocal and visible as possible throughout October.

These folks deserve a lot of credit, but somehow the IT and security industries continue to offer lip service support for National Cybersecurity Awareness Month through their Federal offices alone. I did a quick website scan of leading IT and security companies this morning: only RSA Security mentioned National Cybersecurity Awareness Month on its website (Note: The acting NCSA President works at EMC/RSA).

My point here is that National Cybersecurity Awareness Month isn’t making enough people aware of cybersecurity vulnerabilities, education, or government initiatives. Why? It doesn’t appear to me like the industry really cares. Oh sure, there is a bit of token money to appease their clients in Washington, but where is the national spotlight? Beats me.

I was on this soap box last year and will continue to be until I’m proven wrong. I probably have 20 meetings scheduled with security industry insiders in October and I’ll ask each and every one of them if they know what month it is. My guess is that they will say National Breast Cancer Awareness Month.

WSJ Reports Imminent Sale of ArcSight: Handicapping the Suitors

Thursday, August 26th, 2010

An industry friend just sent me a story from the Wall Street Journal proclaiming that security management leader ArcSight will be acquired within the next week. The story goes on to say that the likely buyers include Oracle, HP, , IBM, and CA.

Hmm. First of all, anyone familiar with ArcSight was sure this was coming. The company is a leader in a growing market segment, has a great Federal business, and is one of few real enterprise players. It is interesting to me that the Wall Street Journal is spreading rumors but that’s another story.

Let me weigh in by handicapping the field:

  1. Oracle. This would be a bold strategic move as Oracle plays in security tools and the identity management space, but not the broader security market. ArcSight is an enterprise software company so it fits with Oracle sales and channels. ArcSight also runs on an Oracle database (for better and for worse). To me, Oracle makes sense as a potential suitor.
  2. HP. HP people always tell me that they want to be in the security services, not the security products business. The company backed this up when it sold its identity management portfolio to Novell. ArcSight fits with OpenView/Opsware as enterprise software so it may have changed its mind, but HP probably wants to be careful with acquisitions in the wake of the Mark Hurd scandal. Heck, HP put in a bid for 3PAR this week and Wall Street went nuts. Given these factors, I’d be surprised if it were HP.
  3. EMC. Forget this rumor. EMC already bought one of ArcSight’s primary competitors (Network Intelligence, now RSA EnVision). There are a dozen security acquisitions I could think of that would make more sense for EMC/RSA.
  4. IBM. Great fit in terms of enterprise software but this would be IBM’s third security management offering (the original Tivoli security manager and then GuardedNet which IBM got as a result of the Micromuse deal). Neither of these products have really resonated in the market. If anyone can erase two previous products, IBM can. I rate this one as likely as Oracle.
  5. CA. CA’s security presence is really limited to the identity space. Like IBM, CA has tried several times to penetrate the security management market with little success. I can see CA wanting ArcSight but if Oracle or IBM jump in, the price may quickly get too high for CA.

Given the Intel deal, McAfee is likely out of the running. I’ve heard through the grapevine that McAfee made several attempts at ArcSight but the price tag was just too big. Symantec, like IBM and CA, has also developed security management products that haven’t taken off in the market. If Enrique Salem is up for another big acquisition, ArcSight would be a great fit.

Finally, wherever ArcSight ends up, there are plenty of other innovative security management companies that may quickly follow. Feisty Q1 Labs would be a natural for Juniper. Brainy Nitro Security could be a fit for Cisco or CA. LogRhythm could be a good addition for HP, Check Point, Websense, etc.

ArcSight deserves what it gets as it really guided the security market moving forward. Its fate will greatly influence the enterprise security market moving forward.

Lieberman Cybersecurity Bill: Fatal Flaws and What the IT Industry Must Do

Monday, June 21st, 2010

While it may seem like cybersecurity issues have taken a back seat in Washington, there is actually a lot of work happening on Capitol Hill. Senate majority leader Harry Reid (D, NV), is pushing all Senate committees with any type of cybersecurity or industry oversight to get on their legislative horses and address the existing mess.

To that end, Senator Joseph Lieberman (I, CT) is working with colleagues Susan Collins (R, ME) and Thomas Carper (D, DE) on a fairly comprehensive cyberseurity bill called the Protecting Cyberspace as a National Asset Act. The bill seeks to revamp the paper-centric FISMA Act of 2002, centralize cybersecurity management in DHS, and establish a more proactive public/private partnership for cybersecurity risk management.

The essence of the bill is certainly welcome. We need to address cybersecurity issues ASAP like President Obama promised he would do more than a year ago. Unfortunately, the Lieberman bill has a few significant flaws, in my opinion. One major problem is with the bill’s link to federal procurement. The Lieberman bill seeks to legislate security in federal IT spending by “creating a system that requires acquisition officers in the federal government to have the knowledge that they need about the vulnerabilities in products.” This in itself is a good idea but:

  1. How do you do this? There is some talk in Washington about insisting that vendors pass some type of security certification that governs their development processes and cyber supply chain assurance model. Okay, but this certification doesn’t exist today and certification can be nothing more than a check box exercise like FISMA is. In the current state of the industry, this requirement is ludicrous.
  2. Product vulnerabilities are one ingredient. The Lieberman bill’s focus on product vulnerabilities hearkens back to cybersecurity issues circa 2004 when it was fashionable to blame Microsoft for all security problems. Yes, these remain important but we need to think about system vulnerabilities (i.e., a superset of product vulnerabilities), comprehensive testing, and a lot more security training.

I don’t claim to be an expert on the Lieberman bill but it seems to me that we are falling into the old Washington scapegoat mentality of looking for a villain (i.e., the IT industry). Don’t get me wrong, lots of vendors should be called to task for unacceptable security practices but these provisions seem overly simple or impossible to enforce to me.

While the Feds figure out the next act in the cybersecurity play, it is really up to the IT industry to step up and establish its own security best practices and self-certification methodology. Strong examples already exist from vendors like , HP, IBM, and Oracle. While some folks will certainly flame me for saying so, Microsoft’s SDL is also a model for the rest of the industry.

Legislators are caught between a rock and a hard place. They have to do something but these are uncharted and highly technical waters. This being the case, the IT industry has to do a better job of stepping in and demonstrating leadership. If this doesn’t happen, the U.S. IT industry will face difficult, costly, and confusing legislation that could impact financial results for years to come.

FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government

Wednesday, May 5th, 2010

Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.

While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.

Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:

  1. Aggregate cloud computing standards. Today, many agencies have their own sets of standards, which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
  2. Ease agency certification processes. Let’s say Microsoft’s federal cloud is FISMA-certified by the Dept. of Agriculture. In today’s world, this wouldn’t matter to any other agency–they would still be required to certify Microsoft’s cloud before procuring services. Kundra, Mell, et. al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.

Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.

Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.

If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.

RSA 2010: Cloud Security Announcements Already Dominate

Tuesday, March 2nd, 2010

It’s pouring in San Francisco, but ironically, the RSA Conference is already pointed toward clouds–in this, case cloud computing security.

There were two announcements yesterday around securing private clouds. New initiative king Cisco announced its “Secure Borderless Network Architecture,” which is actually pretty interesting. Cisco wants to unite applications and mobile devices through an “always-on” VPN. In other words, Cisco software will enforce security policies for mobile devices regarding which applications they can use and when–without user intervention. Pretty cool, but you would need a whole bunch of new Cisco stuff to make this happen.

On another front, industry big-wigs EMC, Intel, and VMware are pushing for a “hardware root of trust” for cloud computing. The goal here is to create technology that lets cloud providers share system state, event, and configuration data with customers in real time. In this way, customers can integrate cloud security with their own security operations processes and management. This is extremely important for regulatory compliance. (Note: Another reason why EMC/RSA bought Archer Technologies).

These interesting announcement probably presage a 2010 RSA Conferernce trend: “all cloud all of the time.” Since ESG Research indicates that only 12% of midsized (i.e., 100 to 999 employees) and enterprise (i.e., more than 1,000 employees) will prioritize cloud spending in 2010, all of this cloud yackety yack may be a bit over the top.

Two other announcement worth noting here:

  1. An actual leading voice on cloud computing security, the Cloud Security Alliance (CSA), teamed up with IEEE to survey users about cloud computing security. Users overwhelmingly want to see industry standards and soon. Bravo CSA and IEEE, I couldn’t agree more.
  1. I like the F5 Networks/Infoblox announcement around DNSSEC. The two companies will offer integration technology between F5 load balancers and Infoblox DNSSEC. This partnership blends the security of DNSSEC with the reality of distributed web-based apps and infrastructure. Kudos to the companies, the federal government will be especially pleased.

See you at the show!

Search
© 2010 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site