Incite Redux - July 12, 2007
Good Morning:
Day 4 of the vacation project and we're in the home stretch. It always
goes way too fast. I'll be fighting off my normal inclination to start
worrying about all the crap that has piled up when I'm gone. Hopefully
a few hundred tropical drinks will numb my worries and my senses. I may
not remember much from today's festivities, but it'll be fun.
That's the great thing about staying at a nice tropical resort. You
head down to the pool and you stumble back to your room. Maybe I'll
even be good and work out a bit. No driving, no worries. Ain't vacation
grand?
Well, I better get back to it. The next two days will fly and then
it'll be back in the tin can on our way to rejoin civilization. Can't
say I'll be happy to be back, though I'm sure by now I miss the kids
terribly and I'm yearning to return to a "normal" schedule. No wonder
addicts have such a hard time kicking the habit. I guess we always want
to get back to what we consider "normal," regardless of how
dysfunctional it is.
Have a great day.
Incite #7: The Information Strikes Back
2007 finally brings acknowledgment that data/information security is different from protecting the network and servers. Yet there is a major skills shortage in folks who understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.
Read the original Days of Incite post on this topic.
6-month grade: B-
Lots of folks continue to talk about “application security,” but not enough are buying it. Why? The headwind continues to be largely organizational. The developers just aren’t on board yet, and the DBAs would rather stick a pencil in their eyes than let some security wonk put a box in front of their treasured database. Especially when any kind of performance hit reflects really poorly on them.
Cynical? Of course. Would you expect anything else from me?
The good news is the acquisitions of both Watchfire (by IBM) and SPI Dynamics (by HP) will provide a lot of visibility for more secure development activity. But getting developers to change their behaviors is still a long, long, long, long-term project. Even if IBM and HP tell them to do it.
Changing gears to the database security market, things continue to pick up steam in this space. You are seeing new companies emerge, marketing hijinks and fierce competition. This is good news for large enterprise accounts, as the technology is maturing rapidly and is pretty much usable for what they need. The problem is in the mid-market, where these enterprise-oriented solutions are not ready for that segment. There is a big opportunity for someone to simplify the DB security market and make it both cost and time efficient for mid-market companies to adopt.
Finally, the Web Application Firewall market is nowhere to be found. Of course, most organizations seem to understand that your first generation network firewall didn’t do a hell of a lot to stop application oriented attacks, but that doesn’t matter because the vendors say they do it now. They call it “Deep Packet Inspection” or something like that.
News flash! The vendors are manipulating the truth. Sure, they can now inspect all layers of the protocol stack. But that doesn’t mean they understand application traffic and can block these attacks. And there is no upside for the network security vendors to tell the truth. Customers aren’t clamoring for web application firewalls, so there is no urgency for Big Security to deliver them.
Candidly, I was a bit early on this Incite. I have no doubt that in the coming years there will be a lot of focus on data-centric security – but not in 2007. CSOs are still too busy bailing the water out of the leaky boat to start actually patching the holes.
Incite #8: Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Read the original Days of Incite post on this topic.
6-month grade: B+
You want to talk about a capability that became table stakes within a few months? Let’s talk about “identity-aware” network devices. Whether it’s IP-to-ID services to facilitate tracking me as opposed to my arbitrary IP address, or loading policies out of data in an LDAP or Active Directory environment – it’s all the same. Everyone does it. Or says they do, anyway.
The identity management folks (IBM Tivoli, Oracle, CA, etc.) worked
overtime in Q1 to do Barney press releases with pretty much every NAC
and network security vendor. Big whoop, has that helped anyone do
anything? Not really.
There is also a lot less hype and excitement about authentication now that we are 6 months past the FFIEC mandate. The folks that are going to get compliant already bought stuff. Everyone else is going to take their chances. That doesn’t mean the authentication market isn’t growing, it’s just not that newsworthy anymore.
Why a B+? Basically, that last statement pretty much hasn’t happened. Seemingly the only thing the VeriSign Identity Protection Network has done is force a new identity for Stratton Sclavos, deposed CEO. This whole Identity 2.0 thing is moving forward at a snail’s pace. Most folks wouldn’t know an InfoCard if it came up and blew their nose. And OpenID is a great option for the handful of users across the 10 web sites that actually use it.
Will it get better? Of course it will. PayPal now offers tokens to tighten authentication. Fingerprint readers are showing up on high-end laptops, and at some point they’ll figure out what to do with the TPM module that is in a majority of devices out there. But for the time being, we are stuck in identity-aware purgatory. I probably know who you are, but I’m powerless to do anything about it.
Regarding firewalls and packet inspection:
Part of why the current firewalls stink at doing anything with layer 7 data is they were all designed to work up to L4 and anything else is a bolt-on feature. "Back in the day" real L7 proxy-based firewalls existed. Gauntlet was designed to do protocol enforcement and allow the firewall admin to inspect for and drop packets which were within protocol spec but contained unwanted data. Sidewinder had similar features. Checkpoint killed off all the proxy-based firewalls based on their speed, but they never managed to get proxy technology integrated very well. What people now call "web application firewalls" all really trace back to the old TIS fwtk web-plug module. We've had the tools to deal with these problems since the earliest days of the commercial Internet, we just choose not to use them.
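To make the distinction between packet inspection and protocol enforcement concrete, here is an added illustration (not from the original post or its comments, and not modelled on Gauntlet, Sidewinder or fwtk code): a byte-pattern "deep packet inspection" rule beside a minimal HTTP-aware proxy check that parses the request, enforces HTTP/1.1 requirements, and only then applies policy to the path as the server would resolve it. The sample requests, the host name `example.test`, the allowed method set and the `/app/` prefix policy are all constructed assumptions.

```python
import posixpath
from urllib.parse import unquote
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy
ALLOWED_PREFIX = "/app/"                    # assumed: only this tree is exposed

# Constructed sample requests, as raw bytes on the wire (not from the page).
REQUESTS = {
    "plain": b"GET /app/report?id=7 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "encoded_escape": b"GET /app/%2e%2e/internal/config HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bad_method": b"BREW /app/report HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "no_host": b"GET /app/report HTTP/1.1\r\n\r\n",
}

# L4 firewall with a bolted-on DPI rule: a byte pattern over the raw payload.
DPI_SIGNATURES = (b"../",)
def dpi_inspect(raw: bytes) -> str:
    for sig in DPI_SIGNATURES:
        if sig in raw:
            return "drop:signature"
    return "pass"

def proxy_inspect(raw: bytes) -> str:
    # L7 proxy: parse the request, enforce the protocol, then apply policy.
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "drop:incomplete-request"
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        return "drop:malformed-request-line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return "drop:method-not-allowed"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return "drop:malformed-header"
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:              # HTTP/1.1 requires a Host header
        return "drop:missing-host"
    # Policy is applied to the decoded, dot-segment-collapsed path, not raw bytes.
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    if not (path + "/").startswith(ALLOWED_PREFIX):
        return "drop:path-policy"
    return "pass"

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:15} dpi={dpi_inspect(raw):16} proxy={proxy_inspect(raw)}")
```

The encoded request is within HTTP spec and carries no byte the signature rule recognises, yet the proxy drops it because the resolved path leaves the exposed tree; the malformed requests are rejected on protocol grounds alone.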