Incite Redux - July 10, 2007

Submitted by Mike Rothman on Fri, 2007-07-06 09:43.
Security Incite

Good Morning:
Day 2. If this vacation is like every other one, I'm starting to unwind. Yes, it's a bit strange, but it takes me a few days to get out of my run-run-run mindset and actually just enjoy not running. The Boss doesn't have that problem, and it makes me jealous. She can instantly turn off the chaos of our daily existence and enjoy herself. I need to try harder to be better at that. It usually costs me 2 or 3 days of respite, and that's too high a cost.

Looking at Incites 3 and 4, I did a pretty good job looking into the perimeter and discussing how NAC is evolving. Of course, since being in the crystal ball business is fraught with peril, I'm not exactly right on everything. But that's part of the game. Prognosticate, figure out where you are wrong, and adapt your positions. You also hope folks on the other side of the table have short memories...

Have a great day.

Incite #3: Perimeter (R)Evolution

The consolidated perimeter platform continues to subsume additional security and networking functions, making top-flight content security and application acceleration the next frontier, further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players, putting the “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.

Read the original Days of Incite post on this topic.

6-month grade: B+

There are a number of ways to evaluate this Incite. First, let’s look at vendor activity. Vendors continue to consolidate and expand their product offerings to bring more complete and integrated perimeter solutions to market. There has been a bit of a lag in integrating WAN optimization into the perimeter platform, because the adoption curve for that technology is still in the large-enterprise stratosphere. The large enterprise is OK with separate technology platforms, for a little while anyway.

If you look at the problem by customer segment, you get a slightly different viewpoint. Contrary to logic, large enterprises (and service providers) are still OK with “best of breed” offerings, but that’s as much because it costs them so much and takes so much time to actually migrate much of anything that what they have is usually good enough. Kind of like compliance as a “thing,” it will take some time to kill best of breed, but it should be on the endangered species list.

But in the mid-size business segment you see a different story. There is much less loyalty to incumbents and brands down there. That means leveraging a single platform and upgrading the perimeter are both feasible and happening. The idea of “big is the new small” also continues to take root. We have continuous consolidation, and customers need to make a case for why they’d buy from a private and somewhat marginal vendor for mature technologies (like firewalls, VPNs, IPS, and the like).

Relative to open source, there are a lot of alternatives for different perimeter functions, and they are even starting to be integrated, either as kind-of open source (StillSecure’s Cobia) or kind-of free for small businesses (Astaro). You also have lots of toasters showing up that basically repackage open source applications without a hell of a lot of value add. It's too bad customers don't get that they could do just as well by buying a 1U box and loading IPTables, OpenVPN and Snort on it. Since there is a sucker born every minute, there will still be vendors that try to pass off glorified open source stuff as "best of breed" network security protection.

But that’s the nature of the beast. If you haven’t looked at your perimeter lately, maybe it’s time.

Incite #4: Trust No One

The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and provides disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and on implementing monitoring processes that result in checks and balances at all levels of the organization.

Read the original Days of Incite post on this topic.

6-month grade: B

Is it just me, or has a lot of the pomp and circumstance around network access control (NAC) measurably died down in the 2nd quarter of 2007? In terms of this Incite, clearly there is still a lot of discussion around the “insider threat.” But I don’t think it’s really been nailed down exactly what that means. The Data Leak Prevention folks have been pushing the insider message, and the NAC folks haven’t, as much anyway.

The reality is that “trust no one,” or at a minimum “trust, but verify,” is the best way to keep your environment safe. Optimally, you would ensure that devices connecting to the network are clean and that those devices can only get to what they are authorized to see. That's the pre-connect version of NAC.

Since you don’t eat the elephant in one bite, looking at pre-connect first isn’t a bad way to start. I still maintain that the real value of NAC is in post-connect. You know, making sure users can only see what they are authorized to access. Of course, I get a lot of disagreement from the folks that only do pre-connect, but that is part of the game. Post-connect is also pretty hard and requires really big boxes that can scale to LAN speeds. That's not a nailed problem yet, but some of the new inline NAC devices are making progress.

There also seems to be less disagreement about inline vs. out-of-band solutions, or maybe the vendors are just fighting about it less publicly. The reality is there is no “right” answer. Which architectural approach makes the most sense really depends on what problems you are trying to solve. Over time, the post-connect function is better suited to a network-resident capability built into the switch fabric, but we are years away from that kind of migration happening in larger environments.

And what about the vendor battles? There has only been one major flame-out, and that was Caymas. But there will be more. I suspect the consolidation won’t really ramp up until 1H 2008. Pretty much every vendor (at least the large ones that can acquire technology) has a NAC strategy, and it will take them another 6-9 months to figure out their stuff sucks and it’s easier to just buy something.

Since even NAC won’t violate the laws of market development, the first two or three to go will garner a decent valuation. Then the fire sales will start, as dumb money doesn’t want to be left out. We've seen this movie before, and it's very unlikely to be any different this time.