Data Security

Report Card: 2007 Incite #7 - The Information Strikes Back

Submitted by Mike Rothman on Wed, 2007-12-26 08:18.

It was good to see the topic of data security enter the conversation in 2007; it's the next frontier of security and a really big, nasty, hairy problem. There aren't any good answers to the issue quite yet, but a lot of smart folks are working on it. This is definitely one of the areas to keep your eyes on in 2008.

Incite #7 - The Information Strikes Back

2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.


Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-7-the-information-strikes-back
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007

Final grade: B+

A funny thing happened on the way to the final grade for this Incite. The industry started to acknowledge the fact that securing data is different, and that applications are the path of least resistance to your data. Given the imminent chaos around virtualization, SOA, and continued focus on private data driven by PCI (more on that later), security professionals no longer have an option in trying to figure out how to secure their information/data.

I think we all acknowledge that the right answer is to build secure applications that aren’t subject to simple XSS and SQL injection attacks. Of course, that requires that our developers get religion about secure coding practices and that our executives get comfortable with the fact that applications shouldn’t ship unless they are secure.

Right, it’ll be a cold day in hell when that happens. So what’s Plan B?

Basically we have to continue working around the issue, by doing application scans, pen tests, and maybe even implementing some database and web application defenses to try to work around the fact that our developers don’t care about security.

If there was ever a space that is crying out for some disruption, it’s the data security market. The current methods are band-aids at best. Not that I’m talking about 2008 yet, since we haven’t put 2007 to bed – but we need to think differently about data security. Fundamentally differently. That means we’ll need to think about how to secure the fundamental element of data, wherever it is, because we can no longer assume that we only need to protect the data within our environment.

I gave myself a B+ on this one because I was largely right: we’ve got a lot of acknowledgement about the depth of the data security issue – but precious few ideas on how to really solve it.

Check out the other posts in the Report Card series.

Deal: Symantec pulls the trigger on Vontu

Submitted by Mike Rothman on Mon, 2007-11-05 17:22.

At long last, those consolidation watchers can finally exhale, since SYMC has finally gotten the Vontu deal over the finish line. The deal was announced this afternoon as a $350 million cash deal. It's a pretty decent multiple, which I estimate to be about 7-8x trailing twelve-month bookings. Not as expensive as Brightmail, nor as cheap as Whole Security.

You can also read SYMC's "rationale" on how Vontu fits into their Security 2.0 strategy and introduces a new tagline "information-centric security."

The reality is Symantec needed to have some type of presence in the DLP space. Their big competition on the storage side is EMC, and they have a widget in Tablus. Their main competition in the security space is also well represented, as McAfee, Websense and Trend have acquired companies in the space as well. I've been saying for a while that DLP is more of a storage and information function than it is core security - so the fit with Symantec is pretty good. The question is whether this provides the "glue" that finally makes Symantec's security and storage capabilities kind of hold together.

And that brings up the huge blind spot in this deal, which is whether SYMC will be able to maintain Vontu's momentum in the large enterprise. They say Vontu will be run as a stand-alone entity, but I'm not sure if that's a good thing or a bad thing. They also plan to integrate Vontu into all of SYMC's existing offerings, since there is a piece of DLP in every aspect of SYMC's business. But to be skeptical (I know it's shocking for me), it hasn't happened in Big Yellow land with any other deal, so there is nothing that leads me to believe it will happen now.

Of course, there is always risk for existing Vontu customers that the deal won't go well and there will be a huge loss of Vontu brain power. But those are always risks in any deal.

Those most exposed are storage folks like Sun and NetApp, and big tech like Microsoft, Oracle, IBM and HP - who currently have no DLP strategy and may get left with third-tier pickings if they wait too long. Since DLP is clearly a feature of a bigger data security strategy, any player who says they manage data needs to have a story around DLP. There are also risks for start-ups who have not been spoken for, like Vericept, Code Green and Reconnex. You know the story of the company that holds on too long, waiting for that bigger, better deal. It usually ends as a fire sale. Though anyone independent now has some running room, as the inevitable integration hiccups will provide a small window of opportunity.

So to net it out and not belabor the point, strategically the deal makes sense. Now it's all about executing the integration well, and that really hasn't been Symantec's strong suit over the past few years.


2007 DOI: Day 7 - The Information Strikes Back

Submitted by Mike Rothman on Thu, 2007-02-22 10:55.

2007 finally brings acknowledgment that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.

Read the rest of the 2007 Incites here.


It was back in February of 2006 that I first published a skeleton construct that I called the “Pragmatic Security Architecture.” [link] I basically spelled out that data/information security is different than protecting infrastructure (servers, networks, etc.) and should be treated as such.

I was right. I’m usually not one to gloat, but… Well, of course I am, so I’m gloating.

Just because we now understand the problem doesn’t mean we are anywhere close to fixing it. Why? Because looking at security from an application view is foreign to most security folks. Looking at the fundamental elements of data is even more foreign.

So what we have here is a business with many folks that are just ill-suited to protect applications and data. In 2007, the extent of this problem becomes clear. Jeremiah Grossman did an interesting analysis that shows just how significant our skills shortage is here. That was an “oh, crap” moment for me.

What now? Basically, since we don’t have the people to do the job, we have to rely on tools, which are not a good answer – but probably the only one we’ve got in the short term. So there will be lots of interest in application scanning tools and application firewalls, and database scanning, monitoring, and “firewalls” will also be very interesting to folks.

These tools will eliminate the low-hanging fruit. You know, obvious configuration, permissions, and cross-site scripting issues. But they won’t solve the business logic issues that plague many applications. There is no tool to solve that problem.

Given the consistent issues around application flaws, developers will finally start to “get it” and begin using more structured secure coding practices. You’ll also see more folks start to use security testing tools (beyond scanners) to make new applications run the gauntlet before they are let loose on the world.

Finally, we’ll see application security as the focus of the next wave of education and training for security professionals. When the skills don’t exist to solve the problem, you can pray for manna from the heavens, or you can go grow your own application security professionals. Let’s just say, I don’t expect to be hit upside the head with a baguette falling from the sky anytime soon, so it’s time to go to class.

Looking at the information security issue is very much like watching The Empire Strikes Back. At the end, you are depressed because it seems like the bad guys are winning, basically because they are. And we don’t get to see the sequel for another 3 years.

Deal: Check Point buys Pointsec

Submitted by Mike Rothman on Mon, 2006-11-20 10:24.

This morning Check Point announced a deal to acquire Protect Data, better known as Pointsec, for about $586 million in cash (here). At first glance, this is a good deal for Check Point, a better deal for Pointsec, and puts Check Point right in the middle of one of the hottest markets out there - mobile data encryption.

First, Check Point has done SOMETHING, so that is good. Most have just assumed that Check Point would continue milking their installed base and continue going nowhere fast. This at least shows definitive evidence that Gil and Co. are still working for a living. Acquiring Pointsec, which is headquartered in Sweden, was also a good move because it takes US regulators out of the critical path. It's not clear that regulators would continue to be an issue (since Alcatel/Lucent was just approved by the US President himself) for Check Point to buy US companies, but why take the risk?

Second, the deal feels a bit pricey. $586 million on what will likely be around $75M or so in 2006 revenues is a 7-8x multiple on sales. It represented about a 40% premium to where Protect Data's stock was trading in Sweden (UPDATE: the premium is on the average price over the past 90 days - the premium is nil relative to where the stock trades now). The Pointsec business (which is about 90% of Protect Data's revenues) is growing over 90% year over year. But we all know that the law of large numbers kicks in (Check Point is only expecting $90 million in 2007 revenue impact), so maintaining that type of growth rate will be hard.

Let's look at the market for what Pointsec does. Clearly, given all the laptop and PDA thefts that resulted in private data loss (and the resultant notification efforts) in the news, this is a hyped-up market. Given Pointsec's run rate, they are moving a lot of units to meet demand. This is one of the few security markets where customers are buying first and thinking (and architecting) second, which makes sense given the pain of the notification effort (VA anyone?). Pointsec's technology has always been well regarded and the market will continue to show good growth.

It was mentioned in the press release that Pointsec gives Check Point exposure to the "data security" market, and that's an interesting thought. Protecting data is different than protecting the infrastructure, and it will be interesting to see how Check Point goes after the data security market. Will they look at application security oriented solutions next? Or something in the database security space? To be clear, mobile encryption is not data security, but it's certainly closer than a firewall.

What about leverage with Check Point's existing business? Clearly there is quite a bit, since I've said for a while that mobile encryption is a feature of a broader endpoint security offering. Well, Check Point already has one of the leading products in that space with the Integrity/ZoneAlarm suite. So the Pointsec solution can be bundled pretty quickly and provide a more compelling (and broader) solution for endpoint security.

On the negative side, Check Point hasn't done a good job integrating Integrity/ZoneAlarm into their bigger set of product offerings. So now, Check Point has two distinct businesses, the network stuff (still dominated by FW-1/VPN-1) and now the client side (Integrity and Pointsec). The buyers are different, since it tends to be the desktop manager that has a bigger say in what solutions get rolled out to the endpoints. But Check Point is talking about a "single framework" for network and data security, which I'm not sure is going to be compelling given the organizational dynamics at work.

Clearly this is a first step. Check Point still needs more pieces to be able to spin a compelling story at the CIO level. The data security angle is an interesting one. But doing security well at both the infrastructure and the data/information level is hard and requires a lot of resources. Ask Symantec about that.

So overall, this is a good move for Check Point, albeit a bit expensive. Given the cash flow machine that is Check Point, if they can drive some better channel efficiencies and bundle Pointsec along with the Integrity endpoint stuff, it could be a bargain in hindsight. But isn't that the case with all deals?