Incites Redux - June 19, 2006
Good Morning:
Vacation is a time to spend with family and/or friends, relax a bit, but for me vacation is always a great opportunity to recalibrate. I need to make sure I'm spending my time appropriately, adding value for my clients and readers, and most of all that I'm right. So I do spend some vacation time thinking more strategically than my daily activities usually allow. I know, I know, all work and no play makes Mikey a dull boy! But I love what I do, and it's so painful to catch up if you fall behind, that the boss (my wife, of course) indulges me with one or two hours in the AM before we get motivated and do something with the kids.
One of the things that really pisses me off about most research is the lack of accountability. Folks make ridiculous projections, both on market sizing and industry dynamics with impunity. If they are wrong, so what? They still collect their checks and no one is worse for it. Except those poor saps that actually follow their advice. So hopefully by now you've realized I'm a different kind of analyst and a different type of guy. I not only welcome the scrutiny of my positions, I search it out. So this week, I'm going to revisit each of my 2006 Incites and give myself a "grade." The amount I've learned and how I've evolved my thinking over the past 6 months astounds me.
With all the new readers joining over the past few weeks, I also want to highlight some of my favorite posts from the past six months. So each day this week I'll also point to some of my classic rants. Some were very funny, if I do say so myself.
Have a great day.
Incite #1: No Mas Box
Users will increasingly revolt about adding yet another narrowly focused security appliance into their network and actively examine new “simplification” architectures. New Unified Threat Management (UTM) products, using blade servers and virtualization technologies, appear in 2006 putting vendors that license key intellectual property at a disadvantage. Management of the integrated UTM environment will remain difficult through 2007.
6-month grade: B+
Looking back at the initial post (link here) introducing “No Mas Box,” I’m pleased that this one is pretty much on the money. Customers want integration, unless they can’t get the functionality they need on a combined box, which for the most part they can. UTM also is creeping its way into the high end, driven by folks like Crossbeam that are pushing enterprise-scale UTM chassis. Additionally, you have vendors like Fortinet that are trying to grow their mid-sized boxes into the large enterprise and carrier spaces.
Interestingly enough, a UTM chassis is basically a blade server architecture, so it seems in this case I’m more lucky than good with that projection. Virtualization is starting to rear its head in the UTM space, with Astaro introducing their software running on a virtual machine. The true impact of virtualization is still unknown, but I believe it will be significant in the mid-sized segment.
On the management side, my first predictions were kind of right, but for the wrong reasons. Fact is, even though now you get all the management applications within a single “console” you are still largely configuring separate functions separately. What I was really trying to say is that evolution from technical management to functional.
So, at the risk of being presumptuous, the next evolution in UTM management needs to be focused around helping customers to prevent threats, as opposed to configuring firewall, IPS, anti-spam, etc. rules. At least according to me. Now it’s not like I’ve written a product design spec or anything, but I envision this being implemented as a sophisticated wizard that masks the complexity of the underlying functions. Even a combined console needs to be simplified if it’s just “integration on the glass (or LCD).”
Incite #2: Get the NAC!
The increasing number of ingress points into corporate networks (mobile, contractors, VPN) forces users to migrate to a virtual network infrastructure with a secure net and an unsecured net. Network Admission Control (NAC) architectures gain traction in 2006 to facilitate this architectural construct, but do require homogeneity of equipment pushing the pendulum away from best of breed providers.
6-month grade: B+
The NAC Incite (link here) is another example of being right for the wrong reasons. On the positive side, the customer requirements for NAC have become real. The “insider threat” is acknowledged and now it’s more about how to solve the problem – as opposed to whether the problem needs to be solved. Reading my NAC piece from January (link here), I see yet again that some of my positions were just half-cocked.
So, yes – NAC is important. That much I got right. And yes, folks are implementing “quarantine” networks mostly for remediation of polluted machines before they enter the network. And yes, homogeneity of campus equipment will be important over time, as more security intelligence makes its way into the campus network fabric.
We are seeing new entrants in the market (ConSentry, Nevis) look to use this type of “secure switch” as a way to break Cisco’s hegemony in the campus networks. Can they take Cisco down? Of course not, but there are enough folks out there that don’t want to buy Cisco (those are the folks that bought Foundry and Extreme way back when), that these folks will do well, and then get acquired by one of the existing campus players.
But what was that convoluted “secure/unsecure” terminology? What was I thinking?
Since January, I’ve refined my NAC thinking quite a bit and published a pretty significant amount of research on the topic. Go to securityincite.com and search for NAC and a whole bunch of stuff will come up. So my positions are pretty clear and I’ll be happy when January comes along and I can refresh the terminology.
Incite #3: Who are you?
Identity Management (IDM) breaks out in 2006, as ROI-driven password management and single sign-on (SSO) initiatives are deployed en masse. Smart users increasingly figure out that strong and centralized IDM provides “good enough” authentication and authorization for compliance purposes, accelerating market growth in 2H 2006. Yet, identity federation continues to lag in a cloud of useless vendor bickering and standards immaturity until mid-2007. Token-based authentication finally hits the wall, as passwords remain good enough and no compelling alternative appears.
6-month grade: B
The first part of the IDM Incite (link here) was pretty close as well. Funny thing was, back in January what I knew about IDM consisted of password management and SSO. Yes, I was getting my sea legs back and it clearly didn’t happen overnight.
I was right in saying IDM will be a major beneficiary of compliance budgets. Lots of smart customers are using that money to implement strong provisioning environments to facilitate the access controls required for compliance.
Now, the federation statements were a bit off the mark. It’s not technology and not even really the standards that have been the constraint. Federation is starting to happen, albeit at a snail’s pace relative to the adoption of other IDM technologies. The challenge has been in setting up business relationships to share critical information, which takes probably 90% of the effort. It’s just like EDI and yes, I should have seen the similarities.
I was also a bit off relative to authentication, as the market is hot - largely driven in the financials by the FFIEC mandate. Tokens are clearly not exciting anymore, and US institutions are looking at different ways to solve the problem. But international banks (especially in Asia) are still issuing tokens to consumers. Go figure.
RSA has been a big beneficiary of this renewed interest in authentication, and by moving on to more sophisticated “contextual authentication” and two way authentication afforded by their Cyota and Passmark acquisitions, they have become more strategic. This is having a positive impact on token renewal rates as well. You do have some new technologies (like BioPassword) appearing to potentially provide alternatives, but those are early in both maturity and adoption.
So overall, I believe this Incite was a good assessment of what’s going on in IDM. And once again, it’s better to be lucky than good…
Classic Security Incite Rants
The Farce of Market Sizing
This was my first real rant, as it took me about a week to shake out the cobwebs and say something really nasty. At issue here was the asinine NAC market projections from Infonetics, but I also rail about how these projections are used by vendors in a very predictable, very textbook use of the hype cycle. So if you are interested in how this part of the game is played, check out this post or a follow-up post about anti-spyware market size numbers.
http://securityincite.com/blog/mike-rothman/the-farce-of-market-sizing
Information Week on Analyst Credibility
This series of posts focused on an "expose" that InformationWeek did on the analyst business. The first puts my opinions on why analysts are important to end users and the second is my analysis of their article. I think what they were trying to do is exactly right, but they didn't take it far enough. There are a lot of whores in my business, and I wish they would have called a few of them out. And worst of all, they were so focused on chasing after the smoking gun (with mediocre results), that they didn't really help their readers understand how to most effectively use analysts.
http://securityincite.com/blog/mike-rothman/informationweek-to-put-it-analysts-on-the-hot-seat
http://securityincite.com/blog/mike-rothman/information-week-on-analyst-credibility


