Encryption
Things not so clear for CLEAR
Interestingly enough, I tried to register for Clear this morning on my way out to Vegas. They are rolling out the service in ATL and given the amount I fly, I figured it would be a good investment. The folks at the desk were kind enough to tell me the computer systems were down and that I'd need to come back later.
Upon arrival, I connected via my EVDO card (no WiFi in Vegas with all the haXors around) and tried to do the online registration (so I could finish up when I get back to ATL). But the application was being upgraded.
Actually no, the TSA has put the kibosh on Clear while they mop up the mess of a lost laptop. Thanks Breach Blog, now I know what is going on. How about that laptop encryption? I can see the commercial now:
- Cost of laptop encryption: $100 per agent
- Lost revenue from a data breach: $zillions
- Reality that the TSA is putting you in the penalty box for years for violating their trust: Priceless
And for those already in the Clear. You've been pwned! Now the bad guys have your retinal scans and fingerprints. They don't even need to chop your fingers off anymore to beat the biometrics. Actually, I'm kidding, I'm not sure what data was stolen.
It never ends.
Deal: Sophos buys Utimaco - Endpoint encryption market continues to consolidate
Yep, even in a crappy macro environment, there will always be sectors that are doing well. As I pointed out during the Incite Redux series, endpoint encryption is certainly one of them. The rising tide definitely lifts all boats. But more importantly, the second part of the Incite is all about the consolidating market.
We saw a bunch of deals happen in this space last year and things went quiet for a little while. Until this morning, that is. Sophos has announced a deal to acquire Utimaco for 217 million Euros. That's about $341 million. Utimaco did a touch under 50 million Euros last year. Their last quarter was 14.4 million Euros, growing about 25% YoY.
Interestingly enough, Sophos' offer was literally a 92% premium to Utimaco's trading price on Friday. If you look at 30 and 90-day moving averages, the premium is a bit less, but it's still a HEFTY premium. Seems the German investors didn't quite get the need for endpoint encryption.
It's a big check, but a necessary check to write. Sophos wants to play on the big stage with Symantec, McAfee and Trend. They need to control the technology because it's a feature of a broad endpoint suite. Yes, it's a FEATURE. But a necessary feature. The endpoint is all about how much crap you can stuff into the bag now, and that means it's not a market for start-ups. It's a "big is the new small" market.
It also makes Symantec's decision to OEM GuardianEdge, as opposed to either acquiring them or someone else, that much more perplexing. Unless they built a pre-negotiated acquisition price into the OEM deal, they are seeing their price rise dramatically because it's not if, it's when they need to acquire this technology.
So all of you end users out there looking at 2H renewals for your endpoint suite: use these deals and the need for endpoint encryption to your advantage. If your incumbent doesn't have the technology, poke them in the eye and force big price breaks. If they do, poke them in the eye and make them bundle it in for little to no additional price (which is effectively a big price break).
This is a competitive market folks, which means at a minimum you should be poking your vendor in the eye and also getting a big price break. Now is not the time for inertia or brand loyalty.
Photo credit: "Manure for sale" originally uploaded by sloejoe
Incite Redux: Day 8 - Protect the vault (that's where the money is)
Good Morning:
Today I need to send a shout out to my father-in-law Sandy, who turns 75 today. SEVENTY FIVE! Wow, that's a long time. I'd say something about spring chickens and being old, but he's one of the youngest guys I know. Sure there is a lot of mileage on his motor, but it still runs pretty OK. There are 75 year olds that are more like 90, waiting for their call to the great beyond.
And there are the 75 year olds that are more like 50-somethings. The difference? Engagement. It's as simple as that. Those that aren't engaged with hobbies, activities, maybe even a job are just waiting to die. Maybe it's because they have health problems or whatever, but there is clearly a correlation between someone's activity level and how young they appear.
Sandy is a stock broker and he loves it. He "works" pretty much every day. Not because he has to, but because he wants to. He would chart stocks even if it wasn't his living. In fact, he did chart stocks on nights and weekends before he became a full-time broker in his late 40's. It's his passion and his passion keeps him young. I can't tell you how much I've learned from watching someone actively engaged day after day, year after year, doing something they love. These are lessons I weigh every career decision against.
Happy Birthday Sandy. I'm looking forward to many more.
Have a great day.
Incite #8: Protect the Vault (that's where the money is)
The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendor’s disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.
Read the original Days of Incite post on this topic.
6-month grade: B+
In Incite #6, I talked about a hot market (full disk encryption), even in a crappy economy. Database monitoring is neither high profile nor particularly exciting - but it's happening slowly but surely. As opposed to the overheated NAC hype that set unmanageable expectations, database monitoring (for the most part) has flown under the radar. To be clear, this is still a very early market and the buying dynamics are still rather complicated (does the DBA or the security guy own/buy it?), but enough folks are looking at and interested in this space - that it'll end up being larger than another over-hyped market - DLP - this year.
But I don't want to get ahead of myself here, we talk about DLP tomorrow. Now the good news for the stand-alone database monitoring folks is that the big database folks have their respective heads in dark places. They are all focused on becoming something else, and a security vendor isn't high on the list. Oracle is an apps vendor, Microsoft is an everything vendor and it's not clear what Sybase is - but it's surely not a database vendor. So all these guys do offer their own flavors of database security, but it's clearly not a focus - which creates opportunities for the start-ups.
Is this a top priority issue? Does it need to be solved right now (like full disk encryption)? Nope. Unless your auditor has specifically required you to do so, as part of a compensating control for secure applications. So a lot of organizations will defer this purchase for a while. But I'll make the case for why it's important to do this sooner, rather than later.
Surprisingly enough, it gets back to REACT FASTER. Remember, we want to monitor as much as we can because we don't know where the next attack is going to come from. The network is really the first place we want to monitor (because the network doesn't lie), but after that I want to see what's happening in my database - that is where the money is, after all. Monitoring is good. So as you are looking at your priority list, keep that in mind.
What about the second half of the Incite, which is about encryption infrastructure? You know, that centralized key management function that allows those pesky little keys to be managed across applications. Kind of like a utility. Well, that's still nowhere. Encryption can and should be relatively transparent to developers, users, and pretty much everyone. In big environments, I get the value of centralizing management and escrow of the keys - but those use cases are few and far between. Most folks don't need it, and should focus on something that will yield more value in the short term. Like monitoring. :-)
Photo credit: "Bank Security Guard" by madaboutshanghai
Incite Redux: Day 6 - Laptop encryption hits the big leagues
Good Morning:
Week 2 of "vacation" is on. The last time I took off more than a week was back in 1997. The Boss and I took a 3 week trip to Australia and New Zealand a few months after we got married. It's been a long time. I guess part of me should feel bad about not really taking vacation and totally unplugging. I probably should just not work at all, not do any reading, not plug in and answer a few emails every day. Not work on any of my super-secret projects. But I don't feel bad. Not at all.
Why? Because I love what I do. I don't spend a portion of every day reading because I worry I'll fall behind. I do it because it's what I like to do. I'm an information junkie and I've found a profession that lets me indulge that. I love writing and inflicting my opinions on all that will listen. I love building new things, so my new projects keep me engaged.
The fact that I have enough back-up to "work" a few hours a day is lucky. So I can get my info fix and then spend the afternoon with the kids at the beach. And a couple of hours of beach time is about all I can handle anyway. Especially since I have no pool to lounge by and no one to bring me drinks in a pineapple.
Yes, I'm spoiled. I don't feel bad about that either. Have a great day.
Incite #6: Laptop encryption hits the big leagues
Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.
Read the original Days of Incite post on this topic.
6-month grade: A-
Yep, this one seemed very obvious when I wrote it. Though in a time of macro-economic chaos, and even the mighty (like VMware) proving that trees don't grow to the sky, good old-fashioned disk encryption continues to do well. Well enough to keep big security afloat and announcing good earnings? That I'm not sure about (remember I wrote this about two weeks ago before many of the public security players announced their earnings), but I can tell you it would be a lot worse without the ballast of this hot category.
And why is it hot? Well, just read the Incite. People keep losing laptops and disclosure laws mean customers need to be notified. It's a lot easier to just encrypt the disk and most companies are realizing that. Of course, you see datapoints from a few months ago that the US Government is about 1/3 of the way through their deployment and you realize how many friggin' devices there are out there, and that there is still plenty of running room for this category.
I'll also pat myself a bit on the back by saying the longer term prediction part of the Incite seems on track as well. There are precious few stand-alone device encryption companies left and many of them have shacked up with Big Security to OEM their offerings through a bigger distribution engine (like the Symantec/GuardianEdge deal). Of course, the good news about long term predictions is that they are longer term and thus I can just say it's right. Right?
But what about having the embedded OS capabilities kill stand-alone offerings by next year? That's the difference between A- and A. Microsoft's Vista is every bit the train wreck we thought and a lot of big companies are just going to wait for the next version of Windows. That means no BitLocker, which means continued demand for 3rd party offerings. And as many inroads as Apple is making in the enterprise, it's still a rounding error. So 2009 may turn out to be a bit optimistic. But to be clear, good enough will prevail in this game. It's not a matter of if, it's a matter of when.
Photo credit: "Laptop Stolen" by Bahi_P
2008 DOI: Day 8 - Protect the Vault (that's where the money is)
2007 Incite: The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.
2008 Incite: Protect the Vault (that’s where the money is)
The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendor’s disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.
In the second half of the application/data/information security Incite, let’s dig a bit into database monitoring and security. The hackers are a lot of things, but stupid isn’t on the list. They know the database stores most of the information they want, so that’s what they target.
Most organizations haven’t done much in terms of protecting their databases, mostly because they figured the attackers couldn’t really get to the database – so they focused on other things. Unfortunately they are wrong. External bad guys are very good at compromising web applications, giving them unfettered access to the data store. Even more potentially damaging are the insiders, since they already have access to the database server, and from there it's not brain surgery to get access to the data.
Now you have auditors coming in and pointing out that very issue. So lots of the larger database security implementations have been a direct result of an audit finding, and the natural response follows – buy a product and make the problem go away.
This is another case where we’ve seen this movie before. I expect database security to continue rolling out like most other security functions. First came the scanners. Most organizations won’t spend money on solving a problem they don’t know they have. So the initial step is usually to do a vulnerability assessment on your databases. They are checking for vulnerabilities and configuration errors.
Next they tend to monitor what’s going on. Who is accessing what? Should they be there? What changes are being made? It’s the whole separation of duties thing. The auditors want someone to watch the watchers. So some kind of monitoring is usually the next capability that gets rolled out. Per usual, I have no dogma or religion about monitoring via an external appliance or a software layer on the DBMS. There are use cases for both models.
Finally there is blocking. If the device were to detect a clear attack, it wouldn’t be a bad thing to block it. Yet, this capability is very similar to IPS. A lot of customers have it, and a lot of them don’t use it. Not to overdramatize, but you need to be able to explain to your COO why a multi-million dollar transaction was blocked by the database security gateway. That doesn’t mean you shouldn’t be blocking anything, but you better make sure you are blocking the right stuff.
Like everything else (or so it seems), over time this capability is subsumed into the database and/or network infrastructure. But that “over time” will be measured in years, probably 5-7 of them. That gives the database security market plenty of running room over the next couple of years.
Yes, you will see consolidation. But I don’t think that will happen in 2008. The database vendors are still in denial that it’s a problem (or that their over-priced, under-functional solutions aren’t good enough) and the market isn’t big enough to make it a must-have for a big security aggregator. Truth be told, this is something that IBM and HP should have. It would be very complementary to their application dev and security tools, and should be wrapped into big application infrastructure projects as a preventative measure. Net-net, this is not a stand-alone market for any length of time.
What about encryption? You can’t really talk about data/information protection without mentioning good ol’ crypto. There will be little change in the crypto business in 2008, if anything things may slow down a bit – given macro-economic headwinds and the fact that no one wakes up and says, “I gotta get me an encryption infrastructure!” So we’ll continue to see the same user and vendor dynamics.
Users will continue to not understand why they need an encryption infrastructure and the vendors will continue to focus on making encryption disappear in other application initiatives. And that's where it should be.
To wrap up, we are on a multi-year journey for customers to understand that protecting data is fundamentally different than protecting networks or even servers. 2008 sees us continuing to understand. We aren’t there yet, but we are getting closer.
Photo credit: sigma
2008 DOI: Day 6 - Laptop encryption hits the big leagues
2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
2008 Incite: Laptop encryption hits the big leagues
Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.
As I look at the 2007 Incite on leak prevention, it was broader and focused on the broader DLP space. This year, I’ve decided to break the Incites up. The DLP piece will hit in a couple of days, but in the meantime I want to focus on laptop encryption.
When I did the dry run of the Incites to a group of my trusted colleagues, the universal feedback on this was DUH! Everyone already thought laptop encryption was in the “big leagues” and kind of a foregone conclusion. Unfortunately, there is a large part of the world that isn’t there yet.
Just think about the market numbers. Check Point’s PointSec group did something like $80 million in 2007. McAfee’s SafeBoot did a bit less. There are a bunch of other players with significantly less revenue. The firewall business is billions, laptop encryption is not. Yet. Laptop encryption is not a universal thing by any stretch of the imagination. My message here is that it needs to be.
If you have laptops, you need laptop encryption. It’s as simple as that. I don’t care whether you get the big enterprise package or just mandate the use of the built-in O/S tools. You need to do something. Why? Because laptops go away. They are stolen. They are lost. And they have private data on them.
One other thing before I jump into the market dynamics. If you have service providers (outsourcers, contractors, et al) that store your data, then THEY need to do laptop encryption as well. How many organizations are pulling splinters out of their butts because their auditor or their on-site contractor lost a laptop? That should be a requirement for continued business and put as a standard term of professional services contracts. OK, off soapbox now.
What about the market for laptop encryption? Basically, it’s going away. The first wave of this has already happened. Check Point and McAfee took out the two biggest players in the laptop encryption market. There are others and they will be spoken for in 2008. Symantec needs something. So does Trend and every other company that wants to play in the endpoint space. Check Point and McAfee will use the encryption as a wedge and differentiator in a market with precious few differentiators. That means the others are sure to act.
But over time, that capability within the endpoint suite goes away as well, or its value is marginalized at a minimum. The capability will be subsumed into the operating system. Windows Vista already has BitLocker, but it’s not there yet from a centralized management standpoint. Once it plugs into Forefront or maybe just SMS (or whatever they call the management thing nowadays), then it truly becomes a feature. Apple has had FileVault for years as well. That works great, but doesn’t really have central management capabilities.
This is another market where the standalone vendors better find a partner pretty quickly. The window won’t be open for long. They better enjoy the fresh air while it’s there.
Photo of the Enigma machine: chris_malcolm
Report Card: 2007 Incite #6 - Patching the Leaks
OK, we've passed the half-way mark. Here is the Incite on Leak Prevention.
Incite #6 - Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-6-patching-the-leaks
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-11-2007
Final grade: B
“More high profile privacy train wrecks…” Have any truer words been spoken over the past year? The list goes so far beyond just TJX and a lot has to do with lost laptops, but there have also been insider thefts, compromised machines and lost backup tapes. So the only thing you can pretty much count on is that if you think your private information is actually private, you are mistaken.
So how do you address the issue? The 2007 Incite talks about laptop encryption and DLP. Let’s pop the DLP bubble first. That market is early, and it’s also small. Symantec paid more than 3 times the entire market size for Vontu, but there is certainly a lot of precedent for Symantec paying up when they think they need something (Brightmail anyone?). EMC also bought Tablus, which means there aren’t too many independent DLP vendors left.
But that’s the simplistic vendor view of the world. What about customers? Basically, they still need to figure out what they are watching for. The current generation of tools does a decent job of checking against dictionaries and regular expressions. Catching stuff you don’t know about is still pretty dicey.
That being said, it is all about the content, and that means that inspecting the content is critical. It won’t be a standalone function over time, but the algorithms and content expertise required to do DLP right will prove valuable for every major security company to control. So expect more DLP consolidation next year, as the process becomes a more engrained part of security defenses.
What about laptop encryption? The answer is yes. It’s hard to envision how larger organizations can figure out how to protect their data, which increasingly resides on mobile devices, without resorting to laptop encryption. Maybe they are lucky and have all Macs, so they just turn on FileVault. Probably not, who has all Macs?
What about Vista’s BitLocker? Again, it’s pretty unlikely that your organization is all Vista (and given how badly Vista sucks, it probably shouldn’t be, but I digress), so you are looking for something to fill the gap. There are actually lots of choices to buy an encryption widget, and this is another market that will see further consolidation next year. Every endpoint security vendor needs to have this technology as part of their suite – whether they own it (like Check Point or McAfee) or do an OEM.
As hard as most organizations work to do the right thing in protecting your data, McNealy was right. You have no privacy – get over it.
Check out the other posts in the Report Card series.
2007 DOI: Day 6 - Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
Read all of the 2007 Incites here.
Leak prevention is an interesting market. To date, total sales in the category are less than the VC funding by an order of magnitude. That will change, but not overnight.
We’ve seen this movie before, lots of times. Big, high profile problem. Frantic buying of anything that purports to solve the problem, which leads to general customer dissatisfaction with what they bought. Eventual consolidation, then integration and the category is ultimately swallowed up into a larger data or information security function.
The good news is that for most information leakage solutions, the benefits are much clearer than other over-hyped categories (like NAC for instance). But I haven’t found a way to accelerate the market adoption curve (and it’s not from lack of trying), so you’ll have early adopters/panic buyers over the next 12-18 months. This will give way to the mass market (likely in late 2008/09) that figures out what they need and why.
Keep in mind that we are really talking about two different problems here. The first is lost laptops. This is the high profile issue that keeps both security pros and PR people up at night. Just look at the Veteran’s Administration fiascos of the past 8 months and you’ll know why. Lots of whole disk encryption (WDE) will be sold to solve that specific problem. But these are very tactical buys, and vendors that talk about “policy” and integrating WDE with an encryption utility are selling ahead of the requirements.
Separately, you’ve got the problem of private data and intellectual property being sent outside the boundaries of the enterprise. This is another huge problem, with much less clarity on the solution. There are lots of products, but their effectiveness is questionable and the amount of integration it takes to make it work can be significant.
Gosh, kind of sounds like SIEM to me. I wish I was smart enough to have made that analogy, but I’m not. It was my pal Mark Bouchard. But unlike SIEM, there is a real value proposition for leak prevention, and it extends to more than the largest 2000 companies in the world. But only if the technology gets easier to implement.
When the market leaders have average selling prices of greater than $400,000, clearly it’s an early, integration-centric market.
As this market matures, we’ll see folks continue to drive for integration (enforcing a common policy for data in motion, data at rest and data on endpoints) and simplifying the implementation process.
Very few markets develop without hiccups and I believe that leak prevention will be a key part of the data security landscape in a few years. But for those that absolutely, positively need a solution today – just understand the inherent messiness of early market technology.
SearchSMB: Email encryption - Five steps to success
My latest missive in SearchSMB was a tandem piece to the recent email security webcast I did. Detailing why and how SMB organizations can take advantage of email encryption, I go through 5 steps to ensure you have better than a snowball's chance in hell of getting something done.
Check it out: http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1230349,00.html
NetworkWorld Column: EMC + RSA = New force in data security
In this week's column, I go into the EMC/RSA deal - but more from the perspective of why all of the detractors have it wrong. I seem to be one of the only folks that is positive about the deal, but I like it that way. If I agree with everyone, I'm not doing my job.
I'll also note that I have to be more careful about using cliches like "game-changing" in my mass market columns. I do use that term here, but then I went on to say about how the term game-changing makes me want to puke. Surprisingly, that part got edited. Arghhh!
But I guess that is part of the game. We'll see how this deal plays out over the next few years.
http://www.networkworld.com/columnists/2006/071706rothman.html