Database Security
Incite Redux: Day 8 - Protect the vault (that's where the money is)
Good Morning:
Today I need to send a shout out to my father-in-law Sandy, who turns 75 today. SEVENTY FIVE! Wow, that's a long time. I'd say something about spring chickens and being old, but he's one of the youngest guys I know. Sure there is a lot of mileage on his motor, but it still runs pretty OK. There are 75 year olds that are more like 90, waiting for their call to the great beyond.
And there are the 75 year olds that are more like 50-somethings. The difference? Engagement. It's as simple as that. Those that aren't engaged with hobbies, activities, maybe even a job are just waiting to die. Maybe it's because they have health problems or whatever, but there is clearly a correlation between someone's activity level and how young they appear.
Sandy is a stock broker and he loves it. He "works" pretty much every day. Not because he has to, but because he wants to. He would chart stocks even if it wasn't his living. In fact, he did chart stocks on nights and weekends before he became a full-time broker in his late 40's. It's his passion and his passion keeps him young. I can't tell you how much I've learned from watching someone actively engaged day after day, year after year, doing something they love. These are lessons I weigh every career decision against.
Happy Birthday Sandy. I'm looking forward to many more.
Have a great day.
Incite #8: Protect the Vault (that's where the money is)
The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors' disdain for security doesn't help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures, largely due to complexity and the nebulous compensating controls clause.
Read the original Days of Incite post on this topic.
6-month grade: B+
In Incite #6, I talked about a hot market (full disk encryption), even in a crappy economy. Database monitoring is neither high profile nor particularly exciting - but it's happening slowly but surely. As opposed to the overheated NAC hype that set unmanageable expectations, database monitoring (for the most part) has flown under the radar. To be clear, this is still a very early market and the buying dynamics are still rather complicated (does the DBA or the security guy own/buy it?), but enough folks are looking at and interested in this space that it'll end up being larger than another over-hyped market - DLP - this year.
But I don't want to get ahead of myself here; we talk about DLP tomorrow. Now the good news for the stand-alone database monitoring folks is that the big database folks have their respective heads in dark places. They are all focused on becoming something else, and a security vendor isn't high on the list. Oracle is an apps vendor, Microsoft is an everything vendor and it's not clear what Sybase is - but it's surely not a database vendor. So all these guys do offer their own flavors of database security, but it's clearly not a focus - which creates opportunities for the start-ups.
Is this a top priority issue? Does it need to be solved right now (like full disk encryption)? Nope. Unless your auditor has specifically required you to do so, as part of a compensating control for secure applications. So a lot of organizations will defer this purchase for a while. But I'll make the case for why it's important to do this sooner, rather than later.
Surprisingly enough, it gets back to REACT FASTER. Remember, we want to monitor as much as we can because we don't know where the next attack is going to come from. The network is really the first place we want to monitor (because the network doesn't lie), but after that I want to see what's happening in my database - that is where the money is, after all. Monitoring is good. So as you are looking at your priority list, keep that in mind.
What about the second half of the Incite, which is about encryption infrastructure? You know, that centralized key management function that allows those pesky little keys to be managed across applications. Kind of like a utility. Well, that's still nowhere. Encryption can and should be relatively transparent to developers, users, and pretty much everyone. In big environments, I get the value of centralizing management and escrow of the keys - but those use cases are few and far between. Most folks don't need it, and should focus on something that will yield more value in the short term. Like monitoring. :-)
Photo credit: "Bank Security Guard" by madaboutshanghai
2008 DOI: Day 8 - Protect the Vault (that's where the money is)
2007 Incite: The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.
2008 Incite: Protect the Vault (that’s where the money is)
The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors' disdain for security doesn't help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures, largely due to complexity and the nebulous compensating controls clause.
In the second half of the application/data/information security Incite, let’s dig a bit into database monitoring and security. The hackers are a lot of things, but stupid isn’t on the list. They know the database stores most of the information they want, so that’s what they target.
Most organizations haven’t done much in terms of protecting their databases, mostly because they figured the attackers couldn’t really get to the database – so they focused on other things. Unfortunately they are wrong. External bad guys are very good at compromising web applications giving them unfettered access to the data store. Even more potentially damaging are the insiders, since they already have access to the database server, and from there it's not brain surgery to get access to the data.
Now you have auditors coming in and pointing out that very issue. So lots of the larger database security implementations have been a direct result of an audit finding, and the natural response follows – buy a product and make the problem go away.
This is another case where we’ve seen this movie before. I expect database security to continue rolling out like most other security functions. First came the scanners. Most organizations won’t spend money on solving a problem they don’t know they have. So the initial step is usually to do a vulnerability assessment on your databases. They are checking for vulnerabilities and configuration errors.
Next they tend to monitor what’s going on. Who is accessing what? Should they be there? What changes are being made? It’s the whole separation of duties thing. The auditors want someone to watch the watchers. So some kind of monitoring is usually the next capability that gets rolled out. Per usual, I have no dogma or religion about monitoring via an external appliance or a software layer on the DBMS. There are use cases for both models.
Finally there is blocking. If the device were to detect a clear attack, it wouldn’t be a bad thing to block it. Yet, this capability is very similar to IPS. A lot of customers have it, and a lot of them don’t use it. Not to overdramatize, but you need to be able to explain to your COO why a multi-million dollar transaction was blocked by the database security gateway. That doesn’t mean you shouldn’t be blocking anything, but you better make sure you are blocking the right stuff.
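To make the "who is accessing what, should they be there, what changes are being made" monitoring step and the alert-versus-block trade-off concrete, here is a toy database activity monitor. It is an added example, not code from the original post or from any product it mentions; the audit log format, account names, tables and policy thresholds are all constructed for illustration. Blocking is reserved for the one unambiguous separation-of-duties violation (a non-DBA changing the schema of a protected table); everything else only raises an alert, so an unusual but legitimate transaction gets reviewed rather than stopped.

```python
from datetime import datetime

# Constructed sample audit trail (hypothetical "timestamp user action table rows" format).
SAMPLE_AUDIT_LOG = """\
2008-06-10T09:12:04 app_user SELECT customers 1
2008-06-10T09:13:17 app_user SELECT customers 250000
2008-06-10T02:41:55 jsmith SELECT customers 1
2008-06-10T10:05:00 dba_ann ALTER customers 0
2008-06-10T10:06:30 jsmith DROP audit_trail 0
2008-06-10T11:00:00 unknown_svc SELECT orders 3
"""

# Hypothetical policy: who may read which tables, who may change schema, what looks bulk.
ALLOWED_TABLES = {
    "app_user": {"customers", "orders"},
    "jsmith": {"orders"},
    "dba_ann": {"customers", "orders", "audit_trail"},
}
SCHEMA_CHANGE_ROLES = {"dba_ann"}
DDL_ACTIONS = {"ALTER", "DROP", "CREATE", "TRUNCATE"}
PROTECTED_TABLES = {"customers", "audit_trail"}
SERVICE_ACCOUNTS = {"app_user"}   # automated accounts expected to run around the clock
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 for interactive users
BULK_ROWS = 10_000

def parse(line):
    """One audit line -> dict; timestamps are ISO-8601 in the constructed format."""
    ts, user, action, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action.upper(), "table": table, "rows": int(rows)}

def evaluate(rec):
    """Return (decision, reasons): 'block' only for the clear-cut separation-of-duties
    violation, 'alert' for anything worth a second look, 'allow' otherwise."""
    reasons = []
    if rec["action"] in DDL_ACTIONS and rec["user"] not in SCHEMA_CHANGE_ROLES:
        if rec["table"] in PROTECTED_TABLES:
            return "block", ["schema change to protected table by non-DBA"]
        reasons.append("schema change by non-DBA")
    if rec["user"] not in ALLOWED_TABLES:
        reasons.append("unknown account")
    elif rec["table"] not in ALLOWED_TABLES[rec["user"]]:
        reasons.append("table not permitted for this account")
    if rec["rows"] >= BULK_ROWS:
        reasons.append("bulk read")
    if rec["user"] not in SERVICE_ACCOUNTS and rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("interactive access outside business hours")
    return ("alert" if reasons else "allow"), reasons

def monitor(log_text):
    """Apply the policy to every non-empty line; returns (user, action, table, decision, reasons)."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            decision, reasons = evaluate(rec)
            out.append((rec["user"], rec["action"], rec["table"], decision, reasons))
    return out

if __name__ == "__main__":
    for user, action, table, decision, reasons in monitor(SAMPLE_AUDIT_LOG):
        print(f"{decision:5} {user:12} {action:6} {table:12} {'; '.join(reasons)}")
```

Of the six constructed records only the DROP of the audit trail by a non-DBA is blocked; the bulk pull, the off-hours read of a table the user is not entitled to, and the unknown account are surfaced as alerts for the watchers to review.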
Like everything else (or so it seems), over time this capability is subsumed into the database and/or network infrastructure. But that “over time” will be measured in years, probably 5-7 of them. That gives the database security market plenty of running room over the next couple of years.
Yes, you will see consolidation. But I don’t think that will happen in 2008. The database vendors are still in denial that it’s a problem (or that their over-priced, under-functional solutions aren’t good enough) and the market isn’t big enough to make it a must-have for a big security aggregator. Truth be told, this is something that IBM and HP should have. It would be very complementary to their application dev and security tools, and should be wrapped into big application infrastructure projects as a preventative measure. Net-net, this is not a stand-alone market for any length of time.
What about encryption? You can’t really talk about data/information protection without mentioning good ol’ crypto. There will be little change in the crypto business in 2008, if anything things may slow down a bit – given macro-economic headwinds and the fact that no one wakes up and says, “I gotta get me an encryption infrastructure!” So we’ll continue to see the same user and vendor dynamics.
Users will continue to not understand why they need an encryption infrastructure and the vendors will continue to focus on making encryption disappear in other application initiatives. And that's where it should be.
To wrap up, we are on a multi-year journey for customers to understand that protecting data is fundamentally different than protecting networks or even servers. 2008 sees us continuing to understand. We aren’t there yet, but we are getting closer.
Photo credit: sigma
Can Oracle succeed in security?
Dealing with Oracle when you are an analyst is loads of fun. There is no more arrogant company out there. I asked for a briefing on their identity management stuff early this year, and I got the "read our white papers, they'll tell you everything you need to know." It was clear they didn't have time for analysts that don't have a G or F in their company name.
But that's OK. Oracle has never really been taken seriously in the security space, so it's not like I have a lot of folks asking me about what they are up to. But given the amount of money they've spent on acquiring a space in the Identity Management space and the fact that data security is becoming more real (EMC/RSA being a pretty significant data point), I'll need to suspend disbelief and take another look at what Oracle is up to.
So I was pleased when a little birdie gave me a sneak peek at Oracle's "security strategy" briefing for hundreds of analysts and customers around the world. Shockingly enough, they claim to be the "leader" in security. That's a laugh. But I'll get to that.
First, what does Oracle consider security? Basically it's the stuff they sort of have. Access Control (but they mean Identity), data privacy (database encryption), and compliance (whatever that means). So they are hovering around in what I call information or data security and Identity in Pragmatic Security lingo.
They make a number of bold claims, including integration amongst the products and that their security works consistently across all of their applications. Huh? So they've gutted PeopleSoft and JD Edwards and Siebel and now have a common security model. Maybe on the PPT, but not in reality. Oracle does have a bunch of crap in a bag. But to say it's integrated is insulting the intelligence of the folks that buy stuff from them. Though I know that Oracle holds their customers in high regard. Kind of like CA in the days of yore.
Basically, all of this cool integration and the like is on a Fusion roadmap. Due to the wonders of federation and standards, many of the products (at least on the IAM side) can work together. But that ain't integration, to be clear.
What about data privacy? Well anyone that's even tried to do sophisticated logging on a high transaction production database knows it kills performance. And to try to do field level encryption? No way. Unless you are running at 10% utilization that is. Then you've got plenty of headroom to drive your DB to 90% utilization. Performance has never been their strong suit. But that's what bigger servers are for, no?
And compliance? As I've said a million times, compliance is a process not a product. It's very easy for Oracle to make it a pillar of their security strategy because it doesn't mean anything. So if you can get logging to work, then you can pull a report on it and BAM! You are compliant. Did I mention that I hate compliance lately?
Now that I've rained all over their parade, I'll begrudgingly admit that Oracle will be a factor in data security. If only due to their market presence. Whether we like it or not, Oracle controls much of the data in the largest enterprises in the world. That's a pretty powerful position to be in, but it's far from a mandate to control information security.
To date, no one has a compelling "big story" as to how data security evolves over time. And that creates opportunity for other big players (like EMC, IBM, Symantec and Microsoft) to codify that story and take the thought leadership high ground. It also creates a window for smaller data security players to gain a foothold and thus become acquisition bait.
But Oracle always has Plan B, just in case they can't tell the big story and their roadmap falters - it's the checkbook. There is the old saying that "the enemy of your enemy is your friend." Well over the past few years, Oracle has bought both their friends and enemies until there isn't much left standing.
But these were mature markets. Very much like the CA of old. They are milking the acquired revenue streams. But data security ain't mature. There are no revenue streams to milk.
So Oracle can crow all they want about being the leader of this or the leader of that. Soon enough they'll figure out that security is different. They'll need a more compelling vision for the customer. They'll need to get some application security technology (like a web app firewall). And they'll need to be more respectful of a heterogeneous world.
Oracle is not Cisco or Microsoft. Applications have inertia, but it's nothing like the inertia of the network or the desktop. With the advent of SOA, applications and data can be and will be anywhere and everywhere. A strong disruptive application is much more likely to be adopted than something new in network plumbing or on the desktop.
Maybe they can learn a lesson from CA, which proved that what goes around, comes around. Even if it takes years. But probably not.
Oracle "vaults" towards the secure database
Oracle has been doing security stuff within the database for years, and it hasn't been enough. That created a market opportunity for folks like Application Security and Protegrity to provide more focus on vulnerability scanning, controlling access and encrypting to specific database elements.
This is another example of Oracle's Microsoft envy. Microsoft perfected the art of sucking more and more functionality into the core platform. So as Microsoft has over time subsumed security capabilities into the OS (and that will accelerate dramatically with Vista and Longhorn), now Oracle is doing the same thing on the database.
The impact to the 3rd party vendors could be significant. 3rd parties will survive based on how well end users understand what they do vs. what Oracle does. And priced at $20,000 per CPU, Database Vault is not really priced to move. Nor does Oracle support other DBMS platforms, so that is a point of leverage for the start-ups.
The backup offering also seems a bit strange in that maybe I'm missing something, but backup is usually taken care of on a broader data center basis. So just doing it for Oracle databases seems a bit restrictive.
But these moves validate what we already know, which is what Pragmatic Security calls "information security" (of which database security is a subset) is important. Certainly enough for Oracle to think they can sell a lot of it. And the fact that they are selling distinct capabilities (like label security, encryption, virtual private database, and secure backup) separately indicates the immaturity of this security category.
We'll see more of this security being subsumed into the database. Adding security is an obvious direction for someone like MySQL to continue adding value to the open source database.
End users should be focusing on whether Oracle's death by 1000 (or millions, depending on the number of CPUs in use) cuts is the right approach, as opposed to going with a start-up that won't have a similarly broad product set but will be multi-platform.
RSA Wrap-up: What's Hot
- Identity Management - There was lots of activity at the show, validating the choice of IdM as the subject of the first battle plan (available at the end of the month). All of the big guys (Microsoft, IBM, Sun, HP, et al) were there in force and lots of other network-security oriented vendors were talking about the linkages between IdM and network access control (NAC) in an effort to differentiate. My checks with resellers and users indicated the IdM strength is not vendor push. It's happening. Another data point was the overflowing sessions on IdM during the conference - I'm talking standing room only. IdM is hot.
- Network Access Control - A bit further off is NAC, but there was tons of activity in this space as well. The big (Cisco, Microsoft, Symantec, McAfee) and the little (ConSentry, ForeScout, Lockdown, Mirage, StillSecure, Vernier) were well represented and NAC will be the next big thing. The clear challenge for the start-ups will be to focus on clear differentiation to remain relevant. I can't recall a hot market space where the big players are delivering products, mostly home-grown, in the same timeframe as the start-up. Big is clearly the new small.
- Encryption - Scarily enough, this may actually be the year that encryption happens. Sure, there is still confusion as to what you really can do, and it's not nearly transparent enough. But the rising tide is lifting all the boats (PGP, PostX and Voltage notably) and it seems that a decent portion of that compliance budget is being allocated to rolling out crypto.
- OATH - The stand set up to demonstrate the Open Standard for Authentication seemed to be packed the entire show. There were something like 10 vendors in there demonstrating their OATH compatible solutions, and this standard is taking root. Given the momentum for IdM and NAC, the need for continued focus on the authentication part of the equation is clear.
- "Leak Prevention" - It's not clear what this category is called quite yet, but it's basically about making sure that private data and intellectual property stays where it belongs. There was a lot of activity in this space.
- Web/Application/Database Security - There is a lot of interest in boxes (and software too, I guess) that protects applications and databases from targeted attacks. This market is poised to be big in 2007, so figure next year's RSA show will have this as a prominent theme.