<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
<channel>
<title>The Forrester Blog For Security &amp; Risk Professionals</title>
<link>http://blogs.forrester.com/srm/</link>
<description />
<language>en-US</language>
<lastBuildDate>Thu, 05 Nov 2009 13:46:52 -0500</lastBuildDate>
<generator>http://www.typepad.com/</generator>

<docs>http://www.rssboard.org/rss-specification</docs>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/ForresterSRM" type="application/rss+xml" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">ForresterSRM</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
<title>NAC Market Overview: Landscape Stabilizes And Musters More Features</title>
<link>http://blogs.forrester.com/srm/2009/11/nac-market-overview-landscape-stabilizes-and-muster-more-features.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/11/nac-market-overview-landscape-stabilizes-and-muster-more-features.html</guid>
<description>I just wrapped up the NAC Market Overview and it’s now live. This is the first Forrester NAC market overview and builds on the work I did for the original NAC Wave last year. I must say that the market...</description>
<content:encoded>&lt;p class="MsoNormal"&gt;I just wrapped up the &lt;a href="http://www.forrester.com/Research/Document/0,7211,54972,00.html"&gt;NAC Market Overview&lt;/a&gt; and it’s now live. This is the first Forrester NAC market overview and builds on the work I did for the original &lt;a href="http://www.forrester.com/rb/Research/wave%26trade;_network_access_control,_q3_2008/q/id/36450/t/2"&gt;NAC Wave&lt;/a&gt; last year. I must say that the market overview is far less strenuous and we know it delivers almost as much value. It’s fair to say that I enjoyed this research piece, but I still need to gear up for refreshing the Wave next year. Until then, we can share a lot of good stuff about this market overview and I welcome your thoughts on it. &lt;/p&gt;
&lt;p class="MsoNormal"&gt;Writing this market overview was a great learning experience. And it’s even better when you can have meaningful conversations around the research. For example, I saw that someone started a discussion about the NAC solutions on LinkedIn’s “&lt;a href="http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&amp;amp;gid=121078&amp;amp;discussionID=8617339&amp;amp;goback=.anh_121078"&gt;Network Security - IPS and NAC&lt;/a&gt;” forum. And very timely that someone referenced this market overview in the discussion&amp;#0160;— good to see readers&amp;#0160;benefit from&amp;#0160;these reports.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;Following the space for the past year and half, I’ve noticed that solutions are maturing rapidly. And credit infamously goes to customers complaining about NAC’s complexity and breadth which makes it difficult to scale to multiple scenarios. Hence, vendors have to mature their offerings to survive in this thorny market. There is good news in all this — vendors strive to bring better solutions that help organizations solve specific problems and scale to bigger ones. I’m a big fan of theoretical physics and one concept states that entropy (disorder) is good for the universe. Disorder is good for the NAC market to a certain point and it will be one of the forcing functions to flatten the market out at some point. Fortunately, we’re reaching the flat curve in this space. And the end result: Customers are able to select solutions that are mature and more stable than their predecessors. &lt;/p&gt;
&lt;p class="MsoNormal"&gt;I don’t plan to overload you with much detail about the report here, however here’s a list of key takeaways if nothing else:&lt;/p&gt;
&lt;ul style="MARGIN-TOP: 0in" type="disc"&gt;
&lt;li class="MsoNormal" style="mso-list: l0 level1 lfo1"&gt;&lt;strong style="mso-bidi-font-weight: normal"&gt;NAC landscape is stabilizing. &lt;/strong&gt;I like to paint a rosy picture on this one, even though critics would be skeptical. We’ve seen many vendors exit this space in the past 2 years. And this will continue to some extent as vendors shift their strategy and&amp;#0160;form more partnerships. It’s a good thing for customers, who can now leverage more with less. The goal is to utilize their existing investments and deploy overlay solutions that work much better than their predecessors. And they provide more deployment options for customers in the form of hardware appliances, software management consoles, integrated IPS and vulnerability scanners, and much more. Bottom line: it’s much easier to take a NAC solution and deploy it in your environment today than even a year ago. 
&lt;li class="MsoNormal" style="mso-list: l0 level1 lfo1"&gt;&lt;strong style="mso-bidi-font-weight: normal"&gt;Customers cherish better deployment architecture. &lt;/strong&gt;Ok, so maybe I went a bit overboard here with cherish. But ask a customer about their NAC deployment and the underlying architectural blueprint and you will be looking at blank faces. Reason being, not many vendors actually help with a well constructed design and a phased deployment path. In fact, few vendors even provide a reference architecture. Fortunately enough, vendors have gotten better at this and now they provide customers with a phased roll out (one that goes from monitor, to deferred enforcement, to full enforcement) that spans anywhere from six to 12 months. 
&lt;li class="MsoNormal" style="mso-list: l0 level1 lfo1"&gt;&lt;span style="mso-spacerun: yes"&gt;&amp;#0160;&lt;/span&gt;&lt;strong style="mso-bidi-font-weight: normal"&gt;NAC Solutions finally have useful features.&lt;/strong&gt; As I mentioned, NAC solutions are gaining breadth, which means integrating features with products across the board. NAC works with adjacent technologies like IPS, vulnerability scanners, asset discovery, IAM directories, and so on. In turn this provides better ROI. I’ll suggest taking a peek at Figure 3 of the report to get a full list of features. &lt;/li&gt;
&lt;/li&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p class="MsoNormal"&gt;So, this is it for now. Don’t forget to leave your thoughts about NAC in general or about the market overview. I’d love to hear your deployment experiences as well. &lt;/p&gt;
&lt;p class="MsoNormal"&gt;I’ll leave you with a quote from Albert Einstein, which applies fairly well&amp;#0160;to NAC:&lt;/p&gt;
&lt;p class="MsoNormal"&gt;&lt;em style="mso-bidi-font-style: normal"&gt;“We can&amp;#39;t solve problems by using the same kind of thinking we used when we created them.”&lt;/em&gt;&lt;/p&gt;
&lt;p class="MsoNormal"&gt;[Posted by &lt;a href="http://www.forrester.com/rb/analyst/usman_sindhu"&gt;Usman Sindhu&lt;/a&gt;]&lt;/p&gt;</content:encoded>


<category>ComputerWorldUK</category>
<category>CSO Magazine</category>
<category>Current Affairs</category>
<category>IT security</category>
<category>Web/Tech</category>
<category>Weblogs</category>

<dc:creator>Usman Sindhu</dc:creator>
<pubDate>Thu, 05 Nov 2009 13:46:52 -0500</pubDate>

</item>
<item>
<title>MIT's attack on EC2 an academic exercise </title>
<link>http://blogs.forrester.com/srm/2009/11/mits-attack-on-ec2-an-academic-exercise-.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/11/mits-attack-on-ec2-an-academic-exercise-.html</guid>
<description>Virtual infrastructure has become the backbone of cloud computing, particularly in the area of infrastructure-as-a-service. This is why the latest attack on EC2 demonstrated by MIT researchers garnered a fair amount of attention in the press. This is an attack...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Chenxi Wang" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chenxi-Wang.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Chenxi Wang" /&gt;Virtual infrastructure has become the backbone of cloud computing, particularly in the area of infrastructure-as-a-service. This is why the latest attack on EC2 demonstrated by MIT researchers garnered a fair amount of attention in the press. &lt;/p&gt;
&lt;p&gt;This is an attack against virtual computing resources, not necessarily against EC2 per se. In fact, this attack can potentially work against any virtual infrastructure, private cloud included. &lt;/p&gt;
&lt;p&gt;Does this mean that there is a security vulnerability within EC2? Yes. &lt;/p&gt;
&lt;p&gt;Should you be concerned? Not really. &lt;/p&gt;
&lt;p&gt;This is an example of a &amp;quot;side-channel&amp;quot; attack. For this attack to be feasible, certain conditions must be true a priori. These conditions include the attacker knowing when the victim virtual machines will be launched. Some of these conditions, though not entirely impossible, are on the impractical side. While the author concedes that it is possible that an espionage attack with high-value stakes may very well undertake such a method, it is hardly a concern for run-of-the-mill computing tasks running in EC2. &lt;/p&gt;
&lt;p&gt;A detailed description of the attack and possible countermeasures can be found on my personal blog. Check &lt;a href="http://chenxiwang.wordpress.com/category/cloud-security/" target="_blank"&gt;http://chenxiwang.wordpress.com/category/cloud-security/&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;What this attack highlights is that the security of cloud computing has everything to do with security within the virtual infrastructure. What does this mean? Providers of IAAS must take extreme care when it comes to security and privacy of their operations, or risk facing far-reaching consequences.&lt;/p&gt;
&lt;p&gt;Here at Forrester, I’m starting a study to investigate the security and privacy practices of leading cloud providers. I’ve identified Salesforce.com, Google, Microsoft, and Amazon as the four vendors that I would study initially. I have yet to make Amazon commit to an interview, but the former three have all expressed willingness to participate in this study. I will write more as the study gets underway. Until then stay tuned and let me know what you think …&amp;#0160; &lt;/p&gt;</content:encoded>



<dc:creator>Chenxi Wang</dc:creator>
<pubDate>Tue, 03 Nov 2009 07:51:19 -0500</pubDate>

</item>
<item>
<title>Your new client security analyst</title>
<link>http://blogs.forrester.com/srm/2009/11/your-new-client-security-analyst.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/11/your-new-client-security-analyst.html</guid>
<description>After seven years, my colleague Natalie Lambert is leaving Forrester. In the year that I have been at Forrester, she has been a good team-mate, sounding board for ideas, gleeful mischief-maker, and collaborator on shared research topics. I will miss...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Andrew Jaquith" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Andrew-Jaquith.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Andrew Jaquith" /&gt;&lt;/p&gt;
&lt;p&gt;After seven years, my colleague &lt;a href="http://twitter.com/nflambert"&gt;Natalie Lambert&lt;/a&gt; is leaving Forrester. In the year that I have been at Forrester, she has been a good team-mate, sounding board for ideas, gleeful mischief-maker, and collaborator on shared research topics. I will miss her insights and energy, and I wish her the best as she begins her next adventure.&lt;/p&gt;
&lt;div&gt;Natalie covered quite a bit of ground: client security, client management, endpoint virtualization, Bring-Your-Own-PC programs, full disk encryption and several other topics. While it would be impossible to fill her shoes, I am strapping on my hip waders and immersing myself in several of her research topics.&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;Specifically: henceforth, I will cover all client security topics for Forrester. These include:&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;data leak prevention (DLP) on the client&lt;/li&gt;
&lt;li&gt;full disk encryption&lt;/li&gt;
&lt;li&gt;client security (anti-malware and anti-virus)&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;I am pleased to cover client security topics again. I wrote extensively about client security for three-and-a-half years before coming to Forrester. Among other things, I correctly predicted that Windows Vista would have &lt;a href="http://www.itjungle.com/two/two051006-story01.html"&gt;no effect on the Windows security aftermarket&lt;/a&gt; — six months before Vista launched. And in 2006 and 2007, I anticipated the &lt;a href="http://windowsitpro.com/windowssecurity/article/articleid/95339/security-pro-vip-update--march-1-2007.html"&gt;rapid move of anti-virus to the cloud&lt;/a&gt;, which we see today in Panda Security’s “&lt;a href="http://www.darkreading.com/security/management/showArticle.jhtml?articleID=208804842"&gt;collective intelligence&lt;/a&gt;,” in McAfee’s Artemis project, Trend Micro’s Smart Protection Network, and in new startups like &lt;a href="http://arstechnica.com/security/news/2009/08/former-symantec-exec-launches-cloud-based-social-antivirus.ars"&gt;Immunet&lt;/a&gt;. For cloud coverage of client security, I will partner with Chenxi Wang, but for security topics that have anything to do with stuff sitting on endpoints, I will be your analyst.&lt;/div&gt;
&lt;br /&gt;
&lt;div&gt;I will not take on any of Natalie’s IT operations topics, such as BYOPC, mobile management, and client management. These areas will be covered by other analysts on the infrastructure and operations (I&amp;amp;O) research team, chiefly Chris Silva and Ben Gray. Rather than speak for them, I will let them &lt;a href="http://blogs.forrester.com/it_infrastructure/"&gt;speak for themselves&lt;/a&gt;. I will collaborate with Ben and Chris on security strategies and best practices as they affect their topics.&lt;/div&gt;
&lt;br /&gt;
&lt;div&gt;I will also retain my coverage of data security topics, notably data leak prevention (DLP) and enterprise rights management. A few subjects will transition to my other colleagues on the Security and Risk team. We will likely announce details after we conclude those discussions.&lt;/div&gt;
&lt;div&gt;&lt;br /&gt;In the meantime, Forrester customers who would like clarification on what the shift in security coverage&amp;#0160;means for you should contact their client services representative. I would be happy to speak with you! But the short answer is that not much is changing. You will talk to me rather than Natalie. She provided excellent coverage of client security topics, and I will strive to do the same.&lt;/div&gt;
&lt;div&gt;&amp;#0160;&lt;/div&gt;
&lt;div&gt;[posted by &lt;a href="http://www.forrester.com/rb/analyst/andrew_jaquith"&gt;Andrew Jaquith&lt;/a&gt;]&lt;br /&gt;&lt;/div&gt;</content:encoded>


<category>Andrew Jaquith</category>
<category>IT security</category>

<dc:creator>Andrew Jaquith</dc:creator>
<pubDate>Mon, 02 Nov 2009 12:19:46 -0500</pubDate>

</item>
<item>
<title>The GRC Groundswell</title>
<link>http://blogs.forrester.com/srm/2009/10/the-grc-groundwell.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/the-grc-groundwell.html</guid>
<description>As GRC practices continue to gain traction, I’ve had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Chris McClean" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chris-McClean.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Chris McClean" /&gt;&lt;/p&gt;
&lt;p&gt;As GRC practices &lt;a href="http://www.forrester.com/Research/Document/0,7211,46512,00.html"&gt;continue to gain traction&lt;/a&gt;, I’ve had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all major technology trends, Forrester’s &lt;a href="http://www.forrester.com/rb/analyst/josh_bernoff"&gt;Josh Bernoff&lt;/a&gt; must see this as well. This week he announced the winners of the &lt;a href="http://blogs.forrester.com/groundswell/"&gt;2009 Forrester Groundswell Awards&lt;/a&gt;, with two top GRC vendors among the winners. (For those of you not familiar with Josh Bernoff or Groundswell, check out the book info &lt;a href="http://www.forrester.com/Groundswell/book.html"&gt;here&lt;/a&gt;.)&lt;/p&gt;
&lt;p&gt;MetricStream won in the “&lt;a href="http://www.groundswelldiscussion.com/groundswell/awards2009/detail.php?id=124"&gt;B2B Spreading&lt;/a&gt;” category for the company’s ComplianceOnline portal, a community with 500,000 members who are all there to find content, training, and services related to risk and compliance. Archer Technologies won in the “&lt;a href="http://www.groundswelldiscussion.com/groundswell/awards2009/detail.php?id=120"&gt;B2B Embracing&lt;/a&gt;” category for its Archer Community and Archer Exchange, the former a peer networking site for customers and the latter a site where customers can share, download, or recommend applications for the company’s platform.&lt;/p&gt;
&lt;p&gt;MetricStream and Archer have both done a great job offering additional content and value to customers who are often facing very difficult and unprecedented challenges. Other vendors have taken a similar perspective by hosting user conferences focused more on best practices and lessons learned than on technology.&lt;/p&gt;
&lt;p&gt;While some internal practices will continue to be seen as competitive advantages, I encourage those of you in GRC-related roles to find ways to share ideas and experiences with peers.&amp;#0160; We have seen enough massive risk and compliance failures affect entire industries and markets to realize that improving GRC practices can be collectively beneficial.&lt;/p&gt;
&lt;p&gt;Posted by &lt;a href="http://www.forrester.com/rb/analyst/chris_mcclean"&gt;Chris McClean&lt;/a&gt;&lt;/p&gt;
</content:encoded>


<category>Chris McClean</category>
<category>GRC</category>

<dc:creator>Chris McClean</dc:creator>
<pubDate>Thu, 29 Oct 2009 07:53:16 -0400</pubDate>

</item>
<item>
<title>Another acquisition in the Web security service space — Cisco Systems acquires ScanSafe</title>
<link>http://blogs.forrester.com/srm/2009/10/another-acquisition-in-the-web-security-service-space-cisco-acquires-scansafe.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/another-acquisition-in-the-web-security-service-space-cisco-acquires-scansafe.html</guid>
<description>Cloud security service is hot, hot, hot. My last blog post highlighted the acquisition of Purewire by Barracuda earlier this month. Today, Cisco Systems announced the intention to acquire ScanSafe, another Web security services company. Cisco’s entering this space shows...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Chenxi Wang" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chenxi-Wang.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Chenxi Wang" /&gt; &lt;strong&gt;Cloud security service is hot, hot, hot. &lt;/strong&gt;My last blog post highlighted the acquisition of Purewire by Barracuda earlier this month. Today, Cisco Systems announced the intention to acquire ScanSafe, another Web security services company. Cisco’s entering this space shows that Web security services are now on the radar screen of enterprises. &lt;/p&gt;
&lt;p&gt;At Forrester we are seeing a definite rise in interest in Web security services, partially fueled by the general interest level in cloud services. Many IT managers told me that they are being asked by their management, “Why not consider cloud services (to fulfill this IT function)?” &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Is cloud Web security service for you?&lt;/strong&gt; A good answer to the “Why not consider cloud services?” question requires examining the pros and cons of outsourcing to the cloud, which should cover, at&amp;#0160;a minimum, the following decision points: &lt;/p&gt;
&lt;ul&gt;
&lt;li id=""&gt;Cloud benefits: Outsourcing to the cloud comes with the common benefits, which include self-servicing features, lower upfront investment, lower ongoing management overhead, and easy scaling to demand. You need to understand how important these aspects are to your organization. &lt;/li&gt;
&lt;li&gt;Total cost of ownership: In terms of TCO, however, it is not always a clear-cut argument. In fact, sometimes a three-year term with a cloud solution may cost you more (in total) than an on-premise product. You must tradeoff TCO with the other cloud benefits, such as lower upfront investment, to make an informed decision. &lt;/li&gt;
&lt;li&gt;Compliance: For folks who have rigorous compliance requirements, using cloud services can be a complex decision. For example, if you are using someone like Akamai to accelerate your content, and if the content contains regulated data (e.g., customer login info, credit card data), you need to not only ensure that Akamai is compliant, but also the numerous third-party data centers that Akamai uses to host their servers. If you are a global player, this could amount to examining over 100 datacenters around the world — a truly complex undertaking. The same goes for Web filtering service offerings. &lt;/li&gt;
&lt;li&gt;Cloud vendor’s security/privacy practices: In addition to what’s required in meeting your compliance goals, you need to understand how the cloud vendors handle various security and privacy issues. See my “&lt;a href="http://www.forrester.com/Research/Document/0,7211,45778,00.html"&gt;How secure is your cloud&lt;/a&gt;” report for more details on this discussion. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;What does this mean for Cisco? &lt;/strong&gt;Cisco already has its own email filtering services in the cloud. Getting into Web security services is the natural next step. This is another signal that Cisco is stepping away from the on-premise-only security vendor image and casting itself as a “we have all the form factors you can possibly want” vendor. &lt;/p&gt;
&lt;p&gt;This is a move that Cisco needs to make. Look at their competitors: Symantec has MessageLabs. McAfee has their own Web filtering services, in addition to MxLogic. Their SMB competitor Barracuda now has Purewire. Websense, the behemoth in the Web security space, has its own hosted offering. To stay healthy in the Web security market, Cisco needs to show their conviction in the service space. Acquiring ScanSafe, the most mature player in Web security service, is the quickest way to do so. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What will happen to ScanSafe’s partners/customers? &lt;/strong&gt;ScanSafe is arguably the first company in this space; they were the only company in this space for a number of years before it became a hot new market. ScanSafe has a relationship with Google as well as a number of large Internet service providers—they OEM ScanSafe’s services. The word from Cisco is that they will maintain the existing partner relationships, at least for the foreseeable future. In the short term, I don’t anticipate any changes in ScanSafe’s existing relationships. However, I would not be surprised if, in a year or so, Cisco re-assesses the terms of these partnerships. The word from Google is that they are not doing nearly as much on the Web security services front as they are on the email side. This acquisition will undoubtedly change the dynamics of the relationship. I don’t see Google actively reselling Cisco services, do you? &lt;/p&gt;
&lt;p&gt;The only pure-play Web security services vendor left is Zscaler, another startup from the former CipherTrust folks. How long do you think they’ll last as an independent company? I’d be interested to know what you think. Leave me a comment here or write me a note at &lt;a href="mailto:cwang@forrester.com"&gt;cwang@forrester.com&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This post is cross-posted to Chenxi&amp;#39;s blog:&lt;a href="http://chenxiwang.wordpress.com"&gt;http://chenxiwang.wordpress.com&lt;/a&gt;.&lt;/p&gt;</content:encoded>



<dc:creator>Chenxi Wang</dc:creator>
<pubDate>Tue, 27 Oct 2009 17:05:07 -0400</pubDate>

</item>
<item>
<title>Information Asset Value: Some Cold-Hearted Calculations </title>
<link>http://blogs.forrester.com/srm/2009/10/information-asset-value-some-coldhearted-calculations-.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/information-asset-value-some-coldhearted-calculations-.html</guid>
<description>Many readers know this already, but about five years ago (long before I came to Forrester) Dan Geer, Kevin Soo Hoo, and I founded an organization called securitymetrics.org, devoted to the study of security metrics. I moderate a mailing list...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Andrew Jaquith" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Andrew-Jaquith.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Andrew Jaquith" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="LINE-HEIGHT: normal; FONT-FAMILY: arial, sans-serif; BORDER-COLLAPSE: collapse; webkit-border-horizontal-spacing: 2px; webkit-border-vertical-spacing: 2px"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;div&gt;Many readers know this already, but about five years ago (long before I came to Forrester) Dan Geer, Kevin Soo Hoo, and I founded an organization called securitymetrics.org, devoted to the study of security metrics. I moderate a mailing list that has about 800 security researchers, CISOs, consultants, and managers. Discussions are always lively!&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;One of the list’s most active members, Meritology’s Russell Cameron Thomas, &lt;a href="http://newschoolsecurity.com/2009/10/how-to-value-digital-assets-web-sites-etc/"&gt;just posted a thoughtful essay&lt;/a&gt; on how to value information assets. I liked his post very much. Russ describes an eminently sensible way to calculate business asset value. At the risk of being reductionist, it involves: 1) figuring out the value of those assets that even the coldest-hearted business analyst would agree contribute to the top line and 2) then figuring out the value of everything else. The sum of those two numbers is the total value.&lt;/div&gt;
&lt;p&gt;In practice, though, the assets in the first category (the cold-hearted analyst’s favorite ones) are also the scarcest. A key question would be, “did you build security into the business effort this asset serves from the start, because it was critical to customer acceptance?”&amp;#0160;I can think of exactly &lt;a href="http://www.exostar.com/products-forumpass.aspx?id=480"&gt;one example of this&lt;/a&gt; in my entire career where this is true. Everything else has been some flavor of bolt-on.&lt;/p&gt;
&lt;p&gt;Because security-as-business-enabler sightings are as rare as the Abominable Snowman, that means just about everything defaults into category #2. As such, to me, the easiest way to value those assets is to apply what (if I remember correctly) was &lt;a href="http://spiresecurity.typepad.com/"&gt;Pete Lindstrom&lt;/a&gt;’s test: the value of the asset must be worth at least what you are willing to spend to keep it secure. Lindstrom’s Razor (if I can call it that) identifies a floor value of the information. It doesn’t require interviews or any sort of guesswork, just a spreadsheet and a few defensible ideas about how to allocate costs that are known and can be measured.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://spiresecurity.typepad.com/"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;In my book,&amp;#0160;“&lt;a href="http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989"&gt;Security Metrics: Replacing Fear, Uncertainty and Doubt&lt;/a&gt;,” I recommended a similar strategy for quantifying and allocating security cost:&lt;/p&gt;
&lt;blockquote class="webkit-indent-blockquote"&gt;
&lt;p&gt;Tying back security costs to business units or revenue-generating systems is more difficult. Cost allocation is, for most organizations, a black art. In fact, given the degree of political wrestling that occurs when figuring out chargeback formulas, one might more profitably call it a full-contact sport. Regardless, security organizations should try, to the best of their abilities, to associate specific expenditures with business initiatives.&lt;br /&gt;Certain security costs are easy to allocate, such as outsourced security monitoring services for a demilitarized zone, single sign-on (SSO) systems, application monitoring tools and external audits:&lt;/p&gt;&lt;/blockquote&gt;
&lt;ul&gt;
&lt;li&gt;Outsourced security monitoring services for a demilitarized zone (DMZ). (Strategy: pro rata allocation based on user sessions or bandwidth)&lt;/li&gt;
&lt;li&gt;Single sign-on system (Strategy: pro rata allocation based on deployment of SSO agents on business servers, plus labor allocation)&lt;/li&gt;
&lt;li&gt;Database and web application monitoring tools/firewalls (Strategy: chargeback of per-agent software costs, plus labor allocation)&lt;/li&gt;
&lt;li&gt;Intrusion detection&lt;/li&gt;
&lt;li&gt;External audit fees and consulting (Strategy: direct chargeback if audit is for a specific application; otherwise, pro rata allocation based on issues found)&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote class="webkit-indent-blockquote"&gt;
&lt;p&gt;Other costs may be more difficult to allocate, especially those that are incurred by all members of the organization. Security awareness, training and coordination costs, for example, don’t obviously relate to specific business initiatives; neither do directory synchronization and maintenance tools, anti-virus or other ubiquitously deployed security software. In these cases, it might be best not to allocate them at all (thus relegating them to everyone’s favorite nebulous category,&amp;#0160;“infrastructure”). Alternatively, if costs have clear and obvious per-employee expenses (such as anti-virus), then pro rata allocation to each business unit based on headcount represents a fair and transparent method.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Ultimately, nothing &lt;em&gt;I&lt;/em&gt; write or say is going to settle the argument of how to value all this intangible stuff. If you have the time and discipline, Russ’ approach is a good one. But if you don’t, use the Razor to calculate the floor value of your information assets based on what you are spending to protect them.&lt;/p&gt;</content:encoded>


<category>Andrew Jaquith</category>
<category>ComputerWorldUK</category>
<category>CSO Magazine</category>
<category>IT risk management</category>
<category>IT security</category>

<dc:creator>Andrew Jaquith</dc:creator>
<pubDate>Wed, 21 Oct 2009 10:05:13 -0400</pubDate>

</item>
<item>
<title>Barracuda acquires Purewire, jumps into cloud computing </title>
<link>http://blogs.forrester.com/srm/2009/10/barracuda-acquires-purewire-jumps-into-cloud-computing-.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/barracuda-acquires-purewire-jumps-into-cloud-computing-.html</guid>
<description>Barracuda Networks, the networking appliance vendor headquartered in Campbell, CA, announced today that they entered into agreement to acquire Purewire, a Web security services startup in Atlanta, in a cash/stock deal. I have to say this announcement came as somewhat...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Chenxi Wang" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chenxi-Wang.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Chenxi Wang" /&gt;&lt;/p&gt;
&lt;p&gt;Barracuda Networks, the networking appliance vendor headquartered in Campbell, CA, announced today that they entered into agreement to acquire Purewire, a Web security services startup in Atlanta, in a cash/stock deal. &lt;/p&gt;
&lt;p&gt;I have to say this announcement came as somewhat of a surprise to me. Barracuda is a known networking appliance vendor, selling low-cost, on-premise network security appliances from firewalls to antispam devices. When I spoke to the Barracuda folks a few months back, they remained skeptical about the whole cloud computing craze. This move to acquire Purewire, unexpected as it was, serves as another testimony that cloud computing has reached mainstream status.&lt;/p&gt;
&lt;p&gt;Barracuda made a name for themselves in the industry by targeting small to medium businesses. Their SMB-oriented sales strategy has paid off, as Barracuda was able to make a number of acquisitions in the past two years. In 2007, they acquired NetContinuum, a Web application firewall company. Following that, they acquired BitLeap and Yosemite, which form the foundation of their cloud backup services, and now Purewire. &lt;/p&gt;
&lt;p&gt;Even with their cloud backup services, Barracuda is still largely a vendor for on-premise security products. Switching from selling appliances to selling services is a non-trivial change. Distribution partners who are used to pushing boxes have to be re-trained to sell services. Incentive models have to be changed to entice them to sell services, or new distribution partners have to be acquired. Barracuda will do well to bring in more experienced personnel in service marketing and sales. &lt;/p&gt;
&lt;p&gt;The technical brains behind Purewire are fairly well respected in the industry. By acquiring the company and retaining the expertise, Barracuda gains research credentials, which are needed in order to enter a new market (e.g., cloud services). It is therefore crucial for Barracuda to retain the founding staff of Purewire. The formation of the Barracuda research lab, made up largely of former Purewire personnel, is seen as a positive sign. One would expect the research lab to, in addition to performing threat research, drive innovation to turn Barracuda’s other on-premise products into service offerings. &lt;/p&gt;
&lt;p&gt;But what is in this deal for Purewire? Wouldn’t it be better if they were acquired by someone like Symantec? Additionally, why is Purewire looking for an exit so early? The company was only established in November 2007. I suspect this deal came at the right time for Purewire, who probably needed an additional infusion of funds in order to scale. Is Barracuda the right company to take Purewire, who already has a slew of industry awards and recognition, to the next level? Barracuda certainly has the financials to do so, but can they execute as well in the cloud space as they did for on-premise security? It remains to be seen. &lt;/p&gt;
&lt;p&gt;In the meantime, this is positive news for Barracuda customers — they now have the option of buying appliances or services. For the larger industry, Barracuda’s ferocious marketing engine will now be tuned to promote services, which means more competition in the cloud security service space. Ultimately, that is a good thing. &lt;/p&gt;
&lt;p&gt;This blog entry is cross-posted to Chenxi Wang&amp;#39;s blog at: &lt;a href="http://chenxiwang.wordpress.com"&gt;http://chenxiwang.wordpress.com&lt;/a&gt;.&lt;/p&gt;</content:encoded>



<dc:creator>Chenxi Wang</dc:creator>
<pubDate>Wed, 14 Oct 2009 15:23:40 -0400</pubDate>

</item>
<item>
<title>Data Security: One of Forrester's Top 15 IT Technologies to Watch</title>
<link>http://blogs.forrester.com/srm/2009/10/data-security-one-of-forresters-top-15-it-technologies-to-watch.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/data-security-one-of-forresters-top-15-it-technologies-to-watch.html</guid>
<description>My colleague Alex Cullen recently released a report for Enterprise Architects called “The Top 15 Technology Trends EA Should Watch,” which describes some of the key technologies that will have the greatest impact over the next three years through 2012....</description>
<content:encoded>&lt;p&gt;&lt;img alt="Andrew Jaquith" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Andrew-Jaquith.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Andrew Jaquith" /&gt;&lt;/p&gt;
&lt;div&gt;My colleague Alex Cullen recently released a report for Enterprise Architects called “&lt;a href="http://www.forrester.com/go?docid=54322"&gt;The Top 15 Technology Trends EA&amp;#0160;Should Watch,&lt;/a&gt;” which describes some of the key technologies that will have the greatest impact over the next three years through 2012.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;A key security trend, one which I was interviewed for, described how security will increasingly move from being perimeter- and container-centric towards being data-centric. In other words, while perimeter security, network access controls, and other security measures will continue to be important, the decreasing importance of&amp;#0160;physical locale and&amp;#0160;networks will inevitably mean that the data must increasingly protect itself.&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;Now, this prediction isn’t exactly new — some noted security professionals have been making the case for data- and information-centric security for a while. And in 2000, while at @stake, Dan Geer and I were retained by a Very Large Investment Bank to explore this very question. Some of the things we predicted — more use of client-side cryptography, network admission control, bandwidth throttling based on device “trust” and user authentication assurance, and enterprise digital rights management (eDRM) — have made their way into the mainstream. (Not all have, to be sure.) Many, many others in the field have made similar predictions.&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;Three things have changed since the early 2000s that have moved data-centric technologies to the forefront. First, as an industry we have lost our “better living through cryptography” religion. Enterprises don’t believe in cancer-curing, globe-spanning PKI schemes using enterprise certificates whose trustworthiness is absolute, and whose pedigrees come from God (or Stratton Sclavos, if you prefer). Instead, PKI has yielded to “pki” — smaller, point-purpose uses of crypto that are integral to solving specific problems, such as encrypting laptop hard drives or protecting offsite backup tapes. Cryptography continues to underpin some of the most important security technologies around, but it is now rightly seen as a means, not an end.&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;Second, enterprises have new tools to help them automate classification and filtering tasks. Data leak prevention (DLP) is a good example.&amp;#0160;Enterprises don’t have time to burn static security labels into their documents. But if a smartish system can make reasonably decent decisions about information flowing through and exiting company networks, devices, or operating environments, security controls can be applied when needed, rather than when the IT admin gets around to it. The ability to dynamically assign security classifications to information as it is created is better than the alternative.&amp;#0160;&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;Third, and perhaps most important — data security is less and less a&amp;#0160;“security thing.”&amp;#0160;The objectives of data security have been winding their way up the stack from network zones and server access control lists to Layer 7 and beyond. Product categories that have historically been siloed, such as DLP, eDiscovery, and enterprise search are &lt;a href="http://www.forrester.com/rb/teleconference/ten_reasons_security_and_information_management_teams/q/id/5659/t/1"&gt;starting to merge&lt;/a&gt;. Stakeholders other than IT Security increasingly have a say in how data security policies for DLP are created, for example. And the most successful eDRM projects are usually led by business divisions who have their own priorities to protect: inside counsel, the M&amp;amp;A due diligence team, or the research division.&amp;#0160;As Alex notes in his report,&amp;#0160;“with content security controls in place, businesses can share data more freely while keeping it secure.”&amp;#0160;Sponsorship and operation of data-centric security tools&amp;#0160;are key success factors.&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;Data-centric security: finally, we are beginning to put the&amp;#0160;“information”&amp;#0160;back into Information Security. I&amp;#39;d urge you to read Alex’s&amp;#0160;&lt;a href="http://www.forrester.com/go?docid=54322"&gt;excellent report&lt;/a&gt;. Data-centric security is just one of the big technologies he touches on. If you found this post riveting, read his report for 15 times more rivets!&lt;/div&gt;
&lt;div&gt;&amp;#0160;&lt;/div&gt;
&lt;div&gt;[posted by &lt;a href="http://www.forrester.com/rb/analyst/andrew_jaquith" target="_blank"&gt;Andrew Jaquith&lt;/a&gt;]&lt;/div&gt;</content:encoded>


<category>Andrew Jaquith</category>
<category>ComputerWorldUK</category>
<category>CSO Magazine</category>
<category>IT security</category>

<dc:creator>Andrew Jaquith</dc:creator>
<pubDate>Wed, 14 Oct 2009 12:41:35 -0400</pubDate>

</item>
<item>
<title>What did I learn from the McAfee analyst day? Colin Powell knows a lot about information security</title>
<link>http://blogs.forrester.com/srm/2009/10/what-did-i-learn-from-the-mcafee-analyst-day-colin-powell-knows-a-lot-about-information-security.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/what-did-i-learn-from-the-mcafee-analyst-day-colin-powell-knows-a-lot-about-information-security.html</guid>
<description>I attended McAfee’s analyst day at its FOCUS 09 Security Conference last week in Las Vegas. It was interesting to see former army general and Secretary of State General, Colin Powell, addressing an information security audience. He attended the same...</description>
<content:encoded>&lt;p&gt;I attended McAfee’s analyst day at its FOCUS 09 Security Conference last week in Las Vegas. It was interesting to see former army general and Secretary of State General, Colin Powell, addressing an information security audience. He attended the same university as I did — City College of New York — so I especially enjoyed cheering on a fellow alum. His speech was very relevant to the security arena, as he discussed the danger of vulnerabilities within any information system and the critical need to safeguard against them. Of course, it fit very well with McAfee’s story, as McAfee CEO, Dave DeWalt did a good job continuing the military theme. However, I still left with feeling of wanting more — perhaps expecting McAfee leaders to say something more concrete about what it all means for them. Do they want to help with cybercrime, cybersecurity, and critical information protection? Will they be working more closely with government in information security initiatives? &lt;/p&gt;
&lt;p&gt;(On a positive note, Colin Powell became an unexpected customer reference, as he mentioned recently licensing McAfee antivirus for his personal laptop.) &lt;/p&gt;
&lt;p&gt;Along with many executive briefings I had with product managers and marketing folks, there were several highlights for me: &lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;NAC is becoming more ingrained within McAfee’s product portfolio.&lt;/strong&gt; It’s good to see that McAfee is integrating NAC with products across the spectrum. For example, they are combining NAC with the IPS appliance and planning to integrate behavioral analysis technology with NAC. &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Verizon Business and McAfee are planning to provide managed security services together.&lt;/strong&gt; Verizon plans to complement its offering in a variety of ways with this announcement. McAfee will provide 1) premise-based security solutions, 2) cloud-based security services, 3) a SaaS-based PCI DSS solution, and 4) security operation services. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;So what did I learn? It’s still possible to pull off a strong event in Las Vegas (and even bring in a four-star general and former Secretary of State) despite the tough economy. There were also a good number of customers and partners attending the event. I saw a good storyline for McAfee’s network, endpoint, and managed security business. I also saw a desire from McAfee to get more involved with cybersecurity and critical infrastructure protection (CIP); however, their progress is only in its initial stages. At the moment, McAfee is focused on building partnerships and establishing a broader community through its Security Innovation Alliance (SIA) program. I’m interested to see if these plans will ultimately mean improved value for customers. &lt;/p&gt;
&lt;p&gt;Were you at the event and want to share your thoughts? Are you a McAfee customer using any of their NAC, IPS, or other network-based products? We’d like to hear what you have to say.&lt;/p&gt;</content:encoded>


<category>ComputerWorldUK</category>
<category>CSO Magazine</category>
<category>IT risk management</category>
<category>IT security</category>

<dc:creator>Usman Sindhu</dc:creator>
<pubDate>Wed, 14 Oct 2009 08:35:14 -0400</pubDate>

</item>
<item>
<title>Back to work and new blog site </title>
<link>http://blogs.forrester.com/srm/2009/10/back-to-work-and-new-blog-site-.html</link>
<guid isPermaLink="true">http://blogs.forrester.com/srm/2009/10/back-to-work-and-new-blog-site-.html</guid>
<description>Friends, after nearly three months of leave, I am back to work and ready to take on the world again. While I was gone, a number of notable market movements happened: McAfee acquired MXlogic, AT&amp;T acquired VeriSign’s security service business,...</description>
<content:encoded>&lt;p&gt;&lt;img alt="Chenxi Wang" border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chenxi-Wang.gif" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" title="Chenxi Wang" /&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;Friends, after nearly three months of leave, I am back to work and ready to take on the world again. &lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&amp;#0160;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;While I was gone, a number of notable market movements happened: McAfee acquired MXlogic, AT&amp;amp;T acquired VeriSign’s security service business, and Verizon Business is forming a strategic alliance with McAfee to deliver cloud solutions. Many of the new announcements, which I am busy processing out of my inbox as we speak, have to do with cloud computing. Interestingly enough, in a week or so, I’ll be able to blog about a few more cloud-centric acquisitions and partnership deals. Looks like the cloud bandwagon is as hot as when I left it three months ago. &lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&amp;#0160;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;On the application security front, there have been a few interesting deals: IBM acquired Ounce Labs and&amp;#0160;HP announced a partnership with Fortify (does anyone not expect HP will eventually acquire Fortify?). More and more vendors are moving towards an ALM platform for application security. HP and IBM are certainly the front runners at this point (here is looking at you, Microsoft!) &lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&amp;#0160;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;I just started my own blog site at &lt;a href="http://chenxiwang.wordpress.com/"&gt;chenxiwang.wordpress.com&lt;/a&gt;, covering the topics of application security and cloud security. At some point, I may break it into two independent blogs, but at present the two topics are&amp;#0160;under the same domain. I will be cross posting to the SRM blog here, but please check &lt;a href="http://chenxiwang.wordpress.com/" title="Chenxi Wang&amp;#39;s blog"&gt;chenxiwang.wordpress.com&lt;/a&gt; for updates as well. &lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;&amp;#0160;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN: 0in 0in 0pt"&gt;Here is to happy blogging! &lt;/p&gt;</content:encoded>



<dc:creator>Chenxi Wang</dc:creator>
<pubDate>Tue, 13 Oct 2009 12:47:58 -0400</pubDate>

</item>

</channel>
</rss>