It’s late and my brain is fried from 3 days of meetings — but here are a few more observations from the RSA Security conference.
1. There is way less discussion about regulatory compliance than in the past which puzzles me. Compliance fatigue? Perhaps but with PCI 2.0, FISMA 2.0 and pending cyber security legislation, I expected more compliance banter. Actually, what I’d really like to hear is more talk about real-time IT risk management. RSA/Archer and Agiliance recently gave me a preview of what they are doing and it is truly a step in the right direction. We need better visibility into risk, better metrics, and more effective and efficient controls. Why aren’t more people talking about this?
2. Symantec is doing some nice integration between GuardianEdge, PGP, Verisign, and its other existing products. It’s fashionable in the industry to downplay Symantec’s acquisition and integration skills but the company really figured out how to do this over the past few years. Symantec needs to tell its story more often, it has a broad portfolio of tools that are starting to come together in visionary ways.
3. Both Juniper and Cisco have jumped into the mobile security market in a big way and will compete with the traditional endpoint security folks. What’s different here however is the role of the network where a lot of access decisions and malware prevention processes will take place. Obviously, both of these companies know something about networks.
4. Vendors are starting to realize that enterprises need an integrated security architecture — not a bunch of disparate security products. Check Point’s 3-D security architecture is a great example as it combines central policy management, identity-centric granularity, distributed enforcement, and lots of functionality (DLP, application controls, firewall, VPN, IDS/IPS, etc. Tie this together with Check Point’s historical management strength and you have a pretty compelling enterprise architecture at that.
5. I really like Citrix’s commitment to open vSwitch in its virtualization technology. The world is headed toward multiple hypervisors which makes open standards like this a “must have.”
6. McAfee’s DLP story is very good and getting better in the near future. I like the analytics capabilities which can help make policy creation and testing must simpler than other products. I hear that McAfee DLP sales are growing — not surprising given the market requirements and product capabilities.
More from SF tomorrow.
Tags: 3-D security, Agiliance, application control, Archer, Check Point, Cisco, Citrix, DLP, FISMA, GuardianEdge, Juniper, McAfee, mobile security, Open vSwitch, PCI, PGP, regulatory compliance, Risk Management, RSA, Symantec, Verisign Posted in Uncategorized | No Comments »
For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like “identity-driven networking.” I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that the network would query the network directories to enforce some kind of access control policy based upon user properties stored in network directories. Cisco nailed the vision and was way ahead of its time.
So what’s happened since? Things were slow and spotty for a while with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X device authentication. Worm storms in 2004 led to a flurry of activity around Cisco’s Network Admission Control (NAC) and Microsoft‘s Network Access Protection (NAP) to keep “unhealthy” PCs off the network. Each of these advanced the cause, but rather than fulfill the identity-driven network vision, these were really tactical solutions.
Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don’t hear much about identity-driven networking anymore–but in point of fact, the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes to enforce policies. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPNs are now automated: no more IPSec clients, user names, or passwords; you can get to the network resources you want to from wherever you are.
A few leading examples include Cisco AnyConnect VPN, Juniper‘s Pulse Client and the Funk Software RADIUS server, and Extreme Networks Identity Manager.
We are quickly moving to the service paradigm of identity management where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in “knowing” who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.
Tags: 802.1X, AnyConnect, Cisco, DEN, Extreme Networks, identity-driven networking, Juniper, Juniper Pulse, NAC. NAP, RADIUS, Security Posted in Uncategorized | 1 Comment »
My colleague Mark Bowker and I are knee-deep in new research data on server virtualization. Within this mountain of data, we are discovering some existing and impending networking issues related to network switching.
Today, many server virtualization projects are led by server administrators, with little or no participation from the networking team. As you may imagine, this means that the server team configures all virtual switches to the best of its ability, without considering how physical switches are already configured. As things scale, the server team realizes the error of its ways and quickly calls the networking group in to help out. This is where things really break down. Before doing anything, the networking folks have to learn the virtualization platform, understand how the physical and virtual networks should interoperate, and then roll up their sleeves and start gluing everything together.
This is a painful learning curve but I believe that future issues will be far more difficult. As organizations increase the number of VMs deployed, networking configurations get more difficult — especially when VMs move around. Users regularly complain about the number of VLANs they have to configure, provision, and manage. This situation will grow worse and worse as VMs become the standard unit of IT.
In my mind, it makes no sense for virtualization vendors like Citrix, Microsoft, Oracle, and VMware to recreate the richness of physical L2 switches in the virtual world. So what can be done? Well one alternative is to eliminate virtual switches entirely and do all switching at the physical layer via the Virtual Ethernet Port Aggregator (VEPA) standard being developed in the IEEE.
I believe this will happen but in the meantime there is another alternative being discussed this week at the Citrix Industry Analyst Event — Open vSwitch. As described on the Apache web site, “Open vSwitch is a multilayer virtual switch licensed under the open source Apache 2.0 license. The goal is to build a production quality switch for VM environments that supports standard management interfaces (e.g., NetFlow, RSPAN, ERSPAN, CLI), and is open to programmatic extension and control.”
Here’s why this makes sense to me:
At the very least, Citrix, Microsoft, and Oracle should back this as a way to push back on VMware’s marketshare lead.
I’ve been around long enough to know the strengths and limitations of open source and standards but I think that with the right support, this one could have legs. I know that vendors have their own businesses to look after but isn’t another end goal to create products that the market wants? I think Open vSwitch would fit this bill.
Tags: Brocade, Cisco, Citrix, Extreme Networks, Force 10, HP, IEEE, Juniper, Microsoft, Open vSwitch, Oracle, VEPA, VMware Posted in Uncategorized | No Comments »
It’s been a few days since Intel‘s surprising McAfee acquisition announcement. This weekend, I took time to read what others were saying about the merger and there seems to be a lot of posturing and confusion out there. Here is a short list of some of the misconceptions:
Many of the smartest financial and industry analysts can’t make heads or tails out of this deal and I can understand their confusion. There really are no obvious synergies between the two technologies. Nevertheless, I believe that the security market is in transition where new products will need a whole new level of scale, intelligence, integration, and enterprise-class sophistication. The “new” security market will start abruptly and grow to over $1 billion extremely quickly. Intel wants a piece of this transition as well as portfolio diversification. It’s that simple.
Tags: Good Technology, Intel, Juniper, McAfee, Microsoft, Mobile Active Defense, SafeBoot, SMobile, vPro Posted in Uncategorized | No Comments »
There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7. What’s more, the pool of VC money is spread over 681 companies–a 7% increase from Q1 2009.
Good, but not great news. Most of the dough is going to biotech companies while investment in clean technology tripled.
The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.
While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.
Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.
I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply-side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.
Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.
The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.
Tags: Check Point, CIA, Cisco, DOD, DOE, Federal Government, Israel, Juniper, NSA, Symantec, Technion, Tel Aviv University, Trend Micro, Venture Capital Posted in Uncategorized | No Comments »
Your email:
