StillSecure, After All These Years

So despite his promises to the contrary, my bud Mike Rothman has been a blogging MIA pretty much since RSA. Hey I am sure he has a good reason, like some journey for self-awareness or something that is keeping him away.  Not even a Social Security Blogger award could get his juices flowing again.  So in Mike’s absence I am going to do another in my incite series with a bunch of short stories and even shorter commentaries.

Truth be told, I had too many things to write about today, so I blamed it on Rothman!

Have a great day.

1. InfoExpress does a press release on managed NAC – Last night I banged on InfoExpress for claiming a managed NAC service as reported by Tim Greene. It just didn’t sound like a managed service to me.  Well not sure if Tim jumped the gun or not, but today IE put out a press release on their service (though they still have nothing about it on the web site). To be fair the press release talks about more management of NAC than Tim’s article did.  But here is a bit of advice for the InfoExpress PR team: If you are going to have customer quotes in a press release, it may be worthwhile giving their name and title.  Just having quotes attributed to anonymous customers is a bit unbelievable. Something I would expect from NAC used car salesmen.

2. Mystery Virus plagues FBI and US Marshalls – It seems that a mystery computer virus (no not swine related) has hit both the non-classified FBI network and the US Marshalls network.  The FBI had to take down their network from the Internet, but it has now been reconnected. The US Marshalls service reportedly had 140 machines hit with the virus. They had to be taken down and are being disinfected as you read this.  I don’t have any more information on this, but there are rumors of a one-armed man being seen in the vicinity.  Where is Tommy Lee Jones when you need him?

3. Microsoft puts the heat on security vendors – Looks like my friend Charlotte Dunlap has herself a regular gig over at Forbes writing an infosecurity column sponsored by Juniper.  This time Charlotte writes about Microsoft rolling out a hosted email security solution as part of Stirling-Forefront. Charlotte is right on when she says that Microsoft clearly has Symantec and McAfee in their sights with Forefront.  I have written about this before as well. Go ahead and make fun all you want, Microsoft is serious about this and will keep at it till they get it right.  Of course I love the fact that they are partnering with forward looking security vendors (like StillSecure) and think there is a real opportunity to shake up the security world here.

4. How much work can you do on an iPhone?  Earlier this week I wrote about an iPhone being a Prius to Blackberry being Pinto (hey not my words, but some other author). In continuation of that story, Galen Gruman writes about using an iPhone instead of a laptop for a few weeks. I don’t know but I find it near impossible to write more than a sentence or two with my iPhone. Maybe my fingers are too fat or I just don’t have good hand to eye coordination, but I find it painful compared to my old HTC Windows Mobile phone to type longer then that.

Anyway, that is a wrap on this incite.  Good day to you Mike Rothman, no matter where you are!

I know you may not be feeling this way depending on where you live, but Spring is in the air.  How do I know? Easy, my anniversary has just passed.  For the 19 years I have been married, I know that once my anniversary is over it will soon be Spring.  Sort of my own bird like instinct maybe.  When we were first married we used to go to Maui every year for our anniversary.  It is always Spring in Maui, but by the time we would come home in early March, Spring was certainly on the way. Of course with the kids we don’t get to Maui much, but I watched a pre-season baseball game today, what more proof do you need then that?

So what does Spring have to do with anything?  Spring represents a rebirth. I think we need a rebirth.  We need to stop dwelling on the negative and start making our own luck and our own positives! To quote a greater thinker than I, “we have nothing to fear but fear itself”.  So take my word for it, Spring is on the way.  Start thinking about how you are going to break out of the winter/economy doldrums and attack your job, your life and your problems head on. 

Good luck with that!

1. Mike Rothman gave me a nice shout out yesterday in his blog about copying his format.  Besides thanking Mike, I want to say that I am thinking of this as just doing a few short blog/comments in one post.  I will of course add my own Shimmy schtick to it, but I like it. I will still do full posts when I see something I want to talk about. I am interested though if you readers like this type of blogging. Let me know.
2. The law of conservation of energy – Adrian Lane over on Securosis has a nice commentary up on the recent Symantec/Ponemon FUD that employees leaving their employment are taking IP and confidential data with them and that this number has gone up drastically.  As Adrian points out, no crap Sherlock! With all of the people being laid off, there are certainly more people leaving work.  The real issue though is how many of these people actually dong anything with this information. It reminded me studying science with my oldest son Landon.  The law of conservation of energy says that the amount of energy doesn’t change, just the form does. So really this is a potential threat, like potential energy. It remains to be seen if it will translate into anything more than that. Adrian says no, I say it desperate people do desperate things.
3. Dead men walking – While reading this story about Nortel laying off another 3200 people today I was reminded of a potential customer call I was on a while back for NAC. They were also looking at Nortel’s NAC solution and the CIO was telling me how good he felt dealing with a company Nortel’s size and the stability it offered over StillSecure. My how the mighty have fallen!
4. Its not a product, its a feature – Hoff loves to spout that one. I was reminded of the same thing today reading the article in Computer World by Mark Everett Hall that SaaS is not a market, just another channel. I actually agree with that statement and is one of the driving forces behind StillSecure’s recent ProtectPoint acquisition.  While many folks including Rothman question an organizations ability to sell service and product, I view the service offering as just another distribution channel.  Customers can buy our products as a hardware appliance, software or as a service. I think long term that view of SaaS is going to proven correct.
5. Firewall tools – I recorded a great podcast earlier this week with Secure Passage CTO Jody Brazil.  Jody is the former CTO of Fishnet and Secure Passage was originally spun out from Fishnet with the Firemon product. It is totally independent of FishNet now and is coming out of stealth mode.  My recording equipment messed up and am waiting on Mitchell to send me his file to edit. In the meantime Brian Prince of eWeek has a good interview with Jody. My view on this one is that PCI is totally driving this market.  The issue is will it be a victim of its own success. If it becomes big enough the firewall vendors will do a better job of packaging management tools with the firewalls and the 3rd party tools will find it hard to compete.  But who knows, maybe they get bought out by then.

Related articles by Zemanta

Came across a bunch of articles yesterday with a common theme of SaaS and cloud computing.  First was Mark Evertt Hall’s column in ComputerWorld calling for the government to adopt SaaS as a way cut inefficiency and waste. The column attracted a visceral response from some people who commented, their comments in line with how many in the government feel. The thought of depending on someone else keeping their applications and data available and secure is anathema to them. You would think that they do such a great job of keeping stuff up, running and secure that no one else could match it.  But that is not true. In fact I think many SaaS platforms are probably more scalable and robust than the average government agencies infrastructure.  Now, don’t get me wrong, there are some government activities which are just too sensitive and critical to outsource to SaaS.  But for the most part, I agree with Hall that the government can save money and effort by adopting some SaaS type of programs.

The second article was in C/net by James Urquhart about a recent study by Rackspace that showed up to 75% of small and medium business were unaware of cloud hosting and how it can help them.  Like James I wonder if the term cloud hosting is as well known as cloud computing.  But the bigger point by Urquhart was that the mid and SMB market’s are ripe for the advantages of cloud computing.  Again I agree with the author.  I think large companies have the resources to put up and maintain their own infrastructure.  Mid market companies can greatly benefit from the efficiencies of volume that cloud computing can bring them.

The last piece of news I read was that McAfee has actually combined all of the net delivered products into a SaaS unit. That would seem to go against having a lot of the old Foundstone stuff in their GRC unit.  Does this also then spell the end of the GRC unit? Is this just a case of McAfee hopping from one fad to the next?  It wouldn’t be the first time they have done that.

Saw this recent release on two new board members joining the board of the Jericho Forum and it sparked a synapse in my brain about a good panel discussion I caught during the SC World Congress in December by several Jericho Forum members.  You can watch two of the presentations delivered that day here.  Getting away from all of the rhetoric around de-perimertization and talking about securing the cloud and other topical security subjects made the Jericho folks much more relevant to me.

One of the new board members is Phillipe Courtot, CEO of Qualys.  Of course Qualys's SaaS vulnerability management solution is more of a cloud solution and not about perimeters.  For me anyway, I think this is welcome change in focus by the Jericho Forum.

I don't think there are too many people who disagree agree that the MSSP model of providing security is a valid and growing segment of the security business.  Recently, I have been giving a lot of thought as to whether this is just a pendulum type of swing that will soon swing the other way or if it is more fundamental. I am coming to the conclusion that it is more fundamental.  To be clear I am not talking about SaaS.  I think there is a big difference between what a company like Qualys does in SaaS and what a true MSSP does.  When I say MSSP, I mean actively managing the security, not just providing software over the web.

Here is a great illustration of why I think the MSSP model is fundamentally here to stay and right for a certain segments of the market. Last night we went over a friends house for a social gathering. I was speaking to one of the guys there who I see maybe once or twice a year.  He again asked me what it is I do for a living (how many security people get that question often).  That brought up the whole topic of computer security. 

This gentleman runs a business that signs up people for satellite TV services among other things and than is certified installer for these services.  Some of us I am sure have received spam from some of the less scrupulous in that field.  This guy has been at it for many years and has a very successful business. He told me because he "takes credit cards and all that" he was told he needed to have security.  "You know firewall and intrusion prevention and all that", was what he told me. He looked into using open source security tools that were "free".  His tech people couldn't make that work.  He looked at commercial products too.  Besides the cost of buying the product, the time and expertise needed to make them run was beyond his IT people and not really what he wanted them working on.  Through the data center where he hosted his web servers he was turned onto an MSSP.  For between 500 and 1000 dollars a month "they protect him 24/7 and he doesn't have to worry about it".  For this businessman, it was a no brainer.  You know what, given this set of facts, it is a no-brainer. Unless or until something fundamental changes in that equation, the MSSP model is here to stay.

Related articles by Zemanta

• SaaSy Security Suits SMB
• Symantec hedges bets with large stake in hosted security

Its easy to dismiss Don Dodge's asking "Do you really want your data in the cloud" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability.

Don has a point, even though net access and SaaS services are much more mature than they were in the past, there is always the times when it does not work. For that matter, cell phones, blackberries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even than, problems accessing data on a disk or an application not behaving or security problems could render you just as frustrated on your non-networked device as an Amazon or twitter being down does now.

Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to recognize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and off line on my computer, than sync up later. Ultimately when it comes cloud versus local computing, I want my cake and eat it too.

Matt Hines over at InfoWorld has an article up on the inevitability of software as a service becoming more prevalent. I don't want to rain on anyones parade and I do believe we will see more SaaS, but there are a few things in this article that bear correction and comment.  So here are my three biggest lies about SaaS.

1.SaaS is the way to sell "security by subscription. That is the title of Mat's article, "Security by subscription".  The fact is the companies Matt mentions, Symantec, McAfee and Trend have been selling security by subscription for years. They don't need SaaS to do so.  In my definition subscription is when you buy their AV or similar product and if you don't re-up at the end of the license period you stop getting updates.Without the updates the software is useless.  Over the years the entire AV industry moved to this model including Microsoft when they entered the market.  In fact they automatically renew your subscription and it can be a pain to get them to stop.  So though SaaS is one way of selling security by subscription it is not the only way or even the dominant way. It is not novel or a particularly big driver for the SaaS model.

2. SaaS is cheaper with a better ROI.  I say bull crap to this. Another company I helped create was called Interliant and we were one of the top 3 ASPs back in the day.  We did a ton of analysis on this and I can tell you that while SaaS can deliver a high level of coverage, it is not cheaper. In fact SaaS actually winds up being more expensive over an extended period of time.Generally it may be slightly less over time for the service itself, but when you factor in the total costs it most often is not.  So lets not start saying that SaaS is a way to deal with shrinking budgets and downturns in the economy.

3. SaaS is not channel friendly.  The problem is that a channel partner can easily sell the SaaS, but at that point is cut out of the picture. They have nothing to with the delivery or other ways for value add.  Once they don't own the customer and have been cut out of the delivery of the product there opportunity to monetize the customer is diminished and this is bad business for the VAR.  SaaS is a great way to cut out the middleman and the middlemen are smart enough to see this very quickly and reject it.

All of the above not withstanding I do think SaaS and security in the cloud will become more of a factor. The trick is that there is more to SaaS than a Symantec live update service.  That is not SaaS.  As Matt correctly notes, there are certain types of security technologies that lend themselves well to SaaS and there are some that do not. Figuring out which is which is the key. Also outsourcing versus in house is a consistent pendulum that swings first one way and then the other. People will start complaining about not having enough "control" over the process and not enough customization options to do it they way they want. They start complaining about the cost, when they find out it is more money. Just as the trend appears to be swinging towards SaaS now, it will inevitably swing back the other way.