June 27, 2006

Good Morning:
Symantec is front and center in today's news and the news continues to be muddled and inexplicable. They are retreating from the UTM appliance business, which makes no sense. Sure their technology wasn't really competitive, but they've got like billions of dollars. Why not just buy WatchGuard, SonicWall or Fortinet and become an instant player in the market? But to retreat, it's just another example of playing defense and giving up ground on every battle front. The Big Yellow just seems to be without a real strategic direction. First they say they do everything, now not so much. Appliances are good, now not so much. A lot of customers are going to be saying "not so much" when it comes time to renew their AV subscriptions unless Symantec fixes stuff pronto.

I also want to highlight an interesting blog post from James McGovern about the intersection of Enterprise Architecture and Security. I'm doing some work on how security relates to large scale outsourcing engagements, and the inability for IT architects to grasp security is apparent. I believe it's our problem, not theirs and we need to do a better job of "selling" the benefits of thinking about security in the planning stages, not as an after-thought two days before a production deployment.

Have a great day.

Top Security News

Symantec Just Says NO to UTM
So what?- Symantec is out of the UTM business. Shoot 80 folks, and say you aren't going to invest in a product line and you are exiting the business. Who is going to renew maintenance on a product that isn't going to be "invested" in? Right, no one. Isn't UTM hot? It is with the folks I talk to. Is it a functionality based game? No, it's about ease of management and procurement. Don't customers want appliances? In their perimeter you bet. So I REALLY don't understand this decision. And they are continuing to push their mail security and NAC appliances, so the statement that they are focusing on software is a red herring. I think focus is good and Symantec is clearly spread thin, but something about removing focus from the UTM space doesn't sit well with me. I continue to wonder what the hell is going on with Symantec, amongst all of these strategic blunders.
http://www.networkworld.com/news/2006/062306-smb-symantec-to-exit-security.html

Symantec's Confidential stop-gap
So what? - While their millions of customers wait for the new Norton 360 service offering, Symantec is trying to keep them happy by adding functionality. I guessed the missed the memo that customers want functionality added to the stuff they ALREADY have. By selling this new "anti-phishing" technology separately, they muddle the positioning of the desktop security suite. It also feels like a lot of the stuff they already do - so what is new about this? It detects keyloggers and Trojans. Doesn't my AV product already do that? And if not, why not? They also positioned the new product as "transactional security." What the hell is transactional security? If you couldn't tell, I remain dramatically underwhelmed by pretty much everything Symantec is doing.
http://www.symantec.com/about/news/release/article.jsp?prid=20060626_01

The Genie provides Aladdin with a broad patent
So what? - Patents are usually uninteresting to me, but this one piqued my interest this morning. Aladdin rubbed the magic lamp for 9 years to be awarded a patent on what seems to be a very broad content security technology. Aladdin's patent covers a protection process that "is done by providing a definition table identifying the types of access and actions that the application is allowed and preventing it from carrying out other types of access and actions." Seems like that would apply to pretty much any kind of positive security approach, including web application firewalls and endpoint application control technologies. Of course, if they don't enforce the patent then it's not worth the paper it's written on, but it does seem like they could rattle some cages.
http://www.aladdin.com/news/2006/eSafe/Sandbox_Patent.asp

BioPassword takes on the Enterprise
So what? - No, BioPassword is not doing some wacky Star Trek promotion. Basically, they announced their Enterprise technology, which adds integration with Active Directory and Citrix. Priced at $19/user per year, I think the subscription model is interesting, but the price is still too high to really be deployed in the house. But piggybacking on the Citrix access engine (and channels) is exactly right, and they also announced an equity investment by Citrix, which solidifies the relationship. Seems to me that Citrix is kicking the tires before they make a bigger commitment to the technology, but that seems like a logical outcome given Citrix' focus on most things security now and it would be a big differentiator on their SSL VPN offering.
http://www.biopassword.com/BP_enterpriseedition.php

Sentillion tries to vThere
So what? - Sentillion is probably the most interesting company you've never heard of, that is unless you work in a hospital. These folks do identity management and single sign-on specifically for hospitals (and other healthcare providers) and they understand that business very well. As an extension, now they are getting into securing remote access for hospitals to provide a tighter and more controlled computing environment for doctors, etc. that need to connect in remotely. Their vThere technology seems like a virtual machine that runs an isolated instance on a remote computer, which is an interesting approach - and clearly goes after Citrix' server-centric approach. Technical details are sparse, but this solves a big problem for hospitals - which is to provide safe access for lots of folks without having the ability to control the desktops.
http://www.vthere.net/news/unveil.htm

Top Blog Postings

HIPAA needs dentures
As Farnum points out, it has no teeth. Of course, he doesn't exactly say it in those terms, but that's what he's saying. If you can skirt liability because you are compromised by something "unknown" what they hell good is the legislation? Right, not so much. And that's making a big assumption that there would be an enforcement action anyway. HIPAA is becoming a joke. That being said, healthcare organization continue to invest in security, but it's to protect private information (to avoid the negative brand impact of a breach) and also to improve patient care (identity management and SSO stuff), but it ain't because of HIPAA.
http://securityplace.blogspot.com/2006/06/question-about-hipaa_115099042570141694.html

Innovation from Microsoft? - Yeah right!
My old friend Eric Ogren (now over at Enterprise Strategy Group) is surprised by the fact that Microsoft's Forefront initiative is pretty much what would come from other security vendors. Give me a break EO. Show me one other example of when Microsoft has innovated TECHNICALLY, as opposed to achieving success either by packaging or by grinding the competition into dust, and beers are on me. This is Microsoft 101. See a big market that you aren't in, buy some marginal technology, get it out there, and make it better over years. Then the channel might of Microsoft comes into play making them the mass market player. This is right out of the Microsoft playbook and anyone that is surprised by that needs to pay more attention to history. We've seen this movie before.
http://www.computerworld.com/blogs/node/2778

It's the physical layer
Martin Brown on his ComputerWorld blog reminds us of a truism that we usually overlook, and that's the physical layer. Is the door locked? We take that question for granted. Of course there are some downsides to his suggestion about matching components to computers to ensure the data is just quickly taken and put into another shell, namely the whole underlying economic ecosystem of Intel-based PCs. If you can't use standard components (because they are a matched set), then the economic advantage of that hardware choice pretty much evaporates. Now if there was a software layer to do that (match distinguishing characteristics of the hardware components and enforce a policy based upon it), it would be interesting. But not a the hardware level.
http://www.computerworld.com/blogs/node/2844

Security coming to an Enterprise Architecture near you
James McGovern is clearly a guy that does things. I love to read end user rants about the silliness of most big companies and how they do technology. In this post, he questions why Enterprise Architects (the folks that keep the big picture of all computing) don't understand security. First, they should and over time they will. They don't have a choice. Second, this is our problem. We haven't earned a seat at the table, so security is always an afterthought. If your application and infrastructure folks consider you Dr. No, because that's all that comes out of your mouth - then there is your answer. We need to show the IT decision makers how security can fit in and not disrupt the projects. If adding security costs time and money, IT won't do it until it's too late. It's our job to show them why baking security in at the architectural stage will help them SAVE money and time. And I love the idea of a "security architect," who's really a sales person for the CISO - pushing these initiatives.
http://duckdown.blogspot.com/2006/06/enterprise-architecture-and.html

Recently on the Security Incite Rants Blog

Read yesterday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-26-2006

Read Incites Redux
Check out my 6 month report card on the Incites I published back in January. What was right, what was wrong, and what was I thinking for some of those statements?
Incites on UTM, Identity Management and NAC
http://securityincite.com/blog/mike-rothman/incites-redux-june-19-2006
Incites on Compliance, Threat Management and Endpoint security

http://securityincite.com/blog/mike-rothman/incites-redux-june-20-2006

Incites on Content Security, Security Management and Security Services

http://securityincite.com/blog/mike-rothman/incites-redux-june-21-2006

Incites on Application Security, Security Education, and Cisco vs. Microsoft

http://securityincite.com/blog/mike-rothman/incites-redux-june-22-2006