As the security market continues to mature, services continue to become a more important piece of the puzzle. ARN, in conjunction with Lan Systems, brought together some of the industry's leading figures to talk about where the market is headed and what resellers should be doing in order to make the most of opportunities. Taking part in the roundtable discussion were (pictured below, from left): ARN editor, Brian Corrigan; Volante's national security manager, Ajoy Ghosh; Check Point Australia's managing director, Scott Ferguson; Lan Systems' general manager, Wendy O'Keeffe; Cisco A/NZ's security partner manager, Bruce Munro; Lan Systems' security business development manager, Rohan Wilkinson; and Nortel's security product marketing manager, Matthew Syme.
Brian Corrigan (BC): What are the most significant security problems facing your customers today?
Ajoy Ghosh, Volante (AG): Everyone is worried about child porn. In recent days I have probably fielded a call every half-hour from customers who are concerned that whatever they have in place at the moment may not be filtering appropriately. Volante primarily services the small end of town and its sweetspot is customers with 200-2000 seats. The smaller customers read the newspapers and are very reactive. Security comes to the fore when they read about it and when they hear about it. It's been a very interesting time responding to media hype.
BC: From a distributor's perspective, what pain points are your resellers telling you that their customers are facing?
Rohan Wilkinson, Lan Systems (RW): I think it's the movement in the network. We once had a single point of entry to the network from the Internet but now we have moved to laptops being taken home and plugged into broadband. This means we are susceptible to a wider range of problems outside of the workplace. There are also storage devices such as USB keys that we can attach straight back into our network. This causes the spread of viruses and worms and the like.
BC: Is that a similar picture for organisations of all sizes?
RW: I don't think it matters how big an organisation is but obviously in a larger one there is more chance for that to spread more rapidly and out into the contacts that are in the email system. It comes back to the security policy and what they have adopted internally. Whether they run with standard operating environments, whether they lock down the applications that they use and whether that is enforced or not.
BC: What technologies are you pushing to tackle these problems at the moment and what can we expect to see coming down the pipeline?
Matthew Syme, Nortel (MS): Access control is key and it's something we are working hard to put in place. The philosophy is to mirror the physical security you have in an organisation. You need to protect in multiple layers, control access, authenticate people depending on who they are and what department they come from.
Internal intrusion detection mechanisms ensure people connected to a network are also running the correct personal firewall and antivirus software and have been patched to the correct operating system. Those are where we see the biggest drivers for our organisation.
That's on the data side but then there's things such as toll fraud on the voice side that are still massive - hacking in and selling those external trunks on for thousands and thousands of dollars. It can cost a company a lot of money. With voice moving over to the IT world, customers are aware of their security because suddenly they have got that single network that could potentially be hacked. Then, obviously, there's wireless LAN, which is making people fairly nervous because effectively it's like hanging thousands of Internet cables out of your window and saying to the guy walking past 'go on plug in, have a look'.
Scott Ferguson, Check Point (SF): The market's huge and from the largest enterprise to the consumer I think it's absolutely right to say there's a high degree of awareness. But as you move down the market the awareness of what to do decreases significantly so there's a much higher dependence on trusted partners to be able to advise that portion of the market.
From a technology perspective, we have refreshed our whole approach to the market since last year and have segmented into perimeter, internal and Web security. We have done that for some very good reasons.
There is no longer a fixed perimeter to a network like there used to be. People take their laptops home, use a PDA to synch up with their mail or might even use a 2.5G or 3G phone for some Web browsing. Each of those devices, regardless of the communications mechanism, becomes a perimeter to the network so one of the challenges that our customers have had has been the ability to address all of those different elements of the perimeter of the network.
Internal security is a major issue - the single highest cost issue that corporate Australia has had to deal with in the security landscape this year. I saw an article the other day that said the top 200 enterprises by IT spend have an average cost of $427,000.
There's a quandary here because a big organisation that has spent a fortune on building a network wants to bring in partners and customers, and wants to make communications ubiquitous but needs to be secure as well. There is a whole bunch of technology that looks at the traffic within the network and stops the propagation of worms. Now it's quite different technology from firewall technology because the environment is entirely different. A firewall by definition blocks everything unless you say it is allowed; in a LAN environment you want everything open unless it's suspicious; in the wide area network there are a very small number of well-defined protocols that you would expect to see. In a local area network there are thousands of protocols and lots of homegrown applications that are very specific to one environment. We built some tool sets to help customers define these protocols and therefore enforce them.
The emerging issue that we are seeing, particularly among enterprise, is Web security. If you take the notion of this infrastructure with loads of applications, and want to move more and more of these operational functions onto a Web-based environment, that again brings a whole bunch of different problems. VoIP is an example of a Web-based application that is absolutely vulnerable and needs to be protected.
Bruce Munro, Cisco (BM): Attaching to a network is ultimately about people getting access to applications and business productivity benefits from the flow of information.
The cost of damage is very high. The message we got from clients was that we have infrastructure with security features built in but there's another big problem called antivirus. Some of this stuff is so fast - you can see a Slammer move around the whole world in 11 minutes - and we need to lean more towards having automated systems than having people involved with remediation. Clients have asked Cisco to work with the antivirus vendors to get network intelligence working with the antivirus technology. They simply cannot afford to clean out a virus or a worm and have somebody come back from a two-week holiday with a virus on a machine and bring it back in again. That is a really painful event and remediation costs go flying up.
Cisco has a concept that a network needing to be self-defending and needs to provide 100 per cent compliance for devices attaching to the network. Who is attaching to the network, what are they attaching to it and how do we control from a security policy perspective what they are able to do? That is the big picture.
BC: What does a security reseller need to do today in order to be successful?
SF: One very healthy change is that the whole security business is maturing. No longer is it a business of selling locks. The opportunity for the reseller today is to build some significant expertise in at least a couple of areas of security and wrap services around it. There's a huge requirement on the reseller's part to understand the technology, to understand the issues a customer is facing and then put something together.
For every dollar of technology spend there's probably three dollars of services and consulting and support.
BM: Security is a process not a product. For a security reseller to be successful they must be able to talk the talk and walk the walk. It is a different language that takes you out of the IT shop talking to CEOs and CFOs, who are the risk owners in an organisation. Resellers need to understand the level of risk that a company is prepared to take and put in place a solution of products plus services to meet that risk appetite.
The technical resources to do this sort of work are starting to come into short supply. So, if you are a reseller, your choice is to hire one of these expensive consultants who could be poached by someone else in six months time or develop your own people, which is a longer term thing but has to happen. There have to be more skills in the market. Hopefully as vendors we can try and make this solutions easy to build.
MS: If you think technology can fix your problems then you don't understand technology and you don't understand your problems. That's exactly the point with security. We talk to the customers and they are looking for the holistic approach to give them a security foundation that they can then build on top of. That has got to be easy to manage and that is where the reseller can make available the services to go in there and offer a fundamental solution that is manageable instead of selling point product after point product after point product.
BC: If it is one dollar of product to three dollars of services, what are the most important services a reseller should be offering?
BM: Everyone has these security models and circles. Cisco's is prepare, plan, design, implement, operate and optimise - basically build it, get it going, keep it going, check it and make it better. The issue for resellers is that they need to have a conversation with the customer around that whole cycle. If you leave a bit out it's going to break. Resellers should aim to offer these steps and hopefully the customer will follow them. The customer must own the whole cycle and there's an opportunity there to provide these services on an ongoing cost basis and that one quarter/three quarters that we spoke about is going to become heavier on the services side.
SF: Security is a cultural issue before anything else so if an organisation doesn't have a security culture then all the technology in the world isn't going to address some of the issues that you will come across on a day-to-day basis. There's another cultural issue as well in that there are some very good technologies out there that will fix problems for major organisations but those organisations cannot implement the technology because they haven't grown in line with the problem. Traditionally, network security was very much the realm of the network manager and the threat was to the network layers but that threat has changed pretty much with the Slammer a couple of years ago.
The threat today is in the protocol, the operating system, the application layer and the data layer. When you start to look at what it is protecting and who bears the brunt of an attack then all of a sudden the technology has got nothing to do with it. At a bank, for example, you end up talking to risk management, you talk to the business owners. For sure you need to talk to the network people and the developers but the challenge for an organisation like that is to get all of those people away from protecting their own turf and actually communicating with each other.
BC: What are you pushing your customers to get their house in order with?
AG: Volante sells a lot of product and the security practice has got off to a flying start by selecting a couple of areas where we think we can play above our weight. Forensics and litigation is one area where we are getting huge traction and as a result of that we are getting a lot of services pull through. Not just in the security space but probably a quarter of the forensics engagements we have translate to outsourcing arrangements of one sort or another. That is also what makes us a partner of choice for our customers - we can address a range of IT needs, not just security.
BC: There is a trend at the lower end of the market for more and more security solutions to be housed in a single box. Is that driven by an increased proliferation of blended threats and how far can it go?
MS: We see that at the smaller end because customers want something they can centrally manage with all those protection mechanisms in a single device but you have to ask what happens if that box gets compromised?
SF: I don't believe there's any one product that has the best of breed technology. If as a consumer or a small business you buy a product that has a firewall, antivirus, content filtering and anti-spam in one appliance, believe me you have got to be making some compromises somewhere because those won't be the five best-of-breed technologies available in the market.
One of the most important things a reseller can do is work with the customer to identify the specific threats, the affect those are likely to have on the business and then prioritise. Some things are given - you have to have a firewall but do you have a perimeter firewall, do you extend it to all of the end-points? Is that the most important thing to do or do you secure a Web server that you have where 80 per cent of your customer orders are placed? You can start to look at the business applications and take a fairly pragmatic approach to prioritise where security has to be applied first. From a reseller's perspective, that adds business value and, more importantly, it gives him a customer for a long period of time rather than selling one box for one function.
BC: So no matter how much money you spend on technology it is important to have the policies in place to make them work effectively?
SF: The policy management of devices and the technology you have deployed are important but much more important are the policies that an organisation implements in work practices. You can have the best security in the world but if everyone is using one, two, three and admin as the password then it's wide open. Evolving a culture of security that is supported and practiced by senior management is really important.
RW: As we start to see service providers come more and more into the fray at the high level we are seeing some going back to the all-in-one appliance. You put in a product and there you go you've got all your solutions covered. The problem with that is that one individual then has to have six different hats to understand the technology in that one device. There is probably a bit of a hole for a service provider-cum-reseller to provide some sort of lower end service that fits that model because the customer needs the policies behind that as well as the technology that's doing the job.
BC: There's no doubt there's a need to talk to customers about putting these policies in place, but how do you stop them being thrown in a drawer and forgotten?
SF: Security is not a one-off event - it evolves every minute of every day and there needs to be a review mechanism in place to ensure that it is being kept up to date.
BM: I am always talking to clients about what percentage of IT budget is spent on IT security. Most people give an answer of one or two per cent when three to eight per cent should be spent on IT security. There needs to be more enforcement at senior executive level and we are seeing the creation of a CSO - a chief security officer - more and more among big companies in the US. I haven't seen a lot of that here yet.
MS: We are seeing more people talking about governance. There are certain laws and regulations that companies of a certain size are going to have to adhere to. It is coming down the line and boards need to be educated about why they need security policies - not just technology but the systems and procedures that need to be in place so they are ready when these governance requirements are brought in.
They can then adjust quite easily and effectively. Organisations in Australia should be looking at what is happening in terms of legislation across the rest of the world and make sure they are thinking about how they are going to do that. They need to track who is accessing what and when changes took place over a period of months. That doesn't start with the IT manager, it starts at board level.
SF: There are two principal drivers in changing that board behaviour - one is governance issues and our interpretation of Sarbanes-Oxley; the other is stock price. The value of an organisation's stock is absolutely a function that the board reviews and gets involved with on a regular basis.
We have seen instances where there have been major security breaches in large corporations that have had an affect on the stock price.
Never mind security and the disruption to business and the fact that you could go to jail, stockholders are going to be very unhappy and that is the best reason in the world to get board members engaged in this whole conversation.
BC: Looking at mobility, it's an area that is still on the growth path but people still don't trust it, particularly at the top end of town. How is the vendor community tackling those issues?
BM: It is firstly an attitude thing. From a business perspective, it is often that fear that stops them deploying a mobility application. The line we use is to ask a customer - "what would you do if you could do it securely?" We definitely have the technology that can make that whole thing secure now so we need to shift attitudes. There's a raft of solutions including VPNs, two-factor authentication methods to ensure you are who you say you are, good password practices, Web-based access to the network. That's not the issue - it's more about the business decision.
BC: So is it still an education process in trying to break that fear down?
SF: There's an education process and there's also a trick called planning. Let's not deploy mobility for the sake of it - let's figure out what it delivers back to the business, prioritise and work out what you need to spend to provide those mobile solutions in a secure fashion. There is a lot of technology out there that does this. The deployment of mobile computing in any form is not being limited by a lack of technology. It is limited by a lack of understanding of how to do it securely. We spend a lot of time speaking to people about secure, ubiquitous connectivity.
BC: How important is the reseller in breaking down those perceptions?
MS: They need to understand the technology and be able to educate the customer. You can't just go out and say '"how about some wireless LAN? We can provide remote access so your user can work from anywhere." That's ultimately what we all want but it is about establishing what the business value is of something being mobile. Mobile isn't just about working from home. It is working here, next door, walking down the street and seamless roaming between my service provider and my own network when I get to the other side. That's what mobility is really about and finding the business case is where resellers can provide a lot of value by sitting down with a customer and talking about it. We can do it, the technology is there but what value is the customer going to get from it? I think most people around the table would agree that wireless is not going to replace wired networking for a while because you still have to wire that access point back to something and you need power. But you can still reduce the wired network with things like voice over wireless LAN. That technology works today and we have deployed it all around the world. Why do we need lots of wired handsets? That is an education thing so we need resellers to make users realise it is not a critical requirement to wire everything.
BM: There's been a larger adoption of remote access in the commercial sector and among SMEs than at the big end of town. This is a really easy one for the reseller to solve - they've already got Internet access, they've already got firewalls and most of those firewalls probably have VPN remote access capabilities. For me, it's about resellers themselves adopting the technology and using it before getting out there and demonstrating it. Would you buy a car from someone who didn't have a demonstration vehicle in the driveway? You wouldn't, so the resellers have to get into the demo environment. It's a really simple step for resellers to take - do it and then sell it 100 times.
SF: There's a significant event that's going to happen before the end of this year that will have an impact on the adoption rate of wireless technologies and that is Telstra finding a use for the CDMA network to deliver broadband IP services. All of a sudden, we will have a very good broadband wireless service with a footprint that covers all of the major centres and a lot of the rural area as well. That will make a significant difference to the way people view wireless. The change brought about by this service may be good or it may not depending on the experience that people have. What it will do is raise the visibility of the issue of broadband wireless connectivity.
BC: Are we starting to see some more sophisticated users in the home market now as more people get broadband connections, do online banking and realise they are open to threats?
SF: The simple answer is yes but one interesting thing about the consumer market is that there's a lot of nerds out there. There are a lot of young kids who know a lot more about the whole computing environment than the collective knowledge around this table. But it is also highly impacted by what's happening in enterprise and SMB. The stuff you are seeing at work translates into stuff you should be doing at home. There's a rapidly growing market in the consumer space.
RW: You are starting to see a retail push with Telstra coming out and we've already got Unwired doing a huge advertising campaign and iBurst is another one. They are using different proprietary technology and it's getting people enthused about not having to worry if I'm a renter about moving home and having to get disconnected and reconnected at new locations. The technology will follow on so we get our phone calls through that so we don't worry about the house phone anymore. We are already starting to do that with mobile phones anyway. We then need to think more and more abort security. One thing we almost forget because we are always in this space is that security isn't something by itself; it's part of what we should be doing as network companies. It's slotting in with what we do everyday and I think a lot of people who are out there selling networks do us a disservice because they stop and forget about security.
BC: If a reseller was looking to build a security practice, what would your advice be?
RW: They need to understand the business drivers. Having the skills to be able to interpret business drivers into a security practice is partly about having the right engineers to be able to tie that in and partly about understanding business practices. It's not just about having technically driven and focused employees.
SF: It's not just one size fits all either. The security market is many different things to many different people. A good starting point for a reseller would be to decide what markets they want to play in and how they are going to differentiate themselves from all the competition that is already in that market. What do I want to do in that market? Why am I going to be different? If you can't answer those questions you have to question why you are in the market in the first place.