At a recent PC show in the US, IBM staged a computer-security breach to whip up interest in its security products.
Big Blue used a team of "ethical hackers" from its research division to perform a live break-in of a willing company's systems. An obvious gimmick, the demonstration was designed to raise the concerns of business managers and IT managers alike - and, obviously, to spark security-product sales.
Perhaps deserving a congratulatory nod for its theatrical merit, IBM's ploy nonetheless broke no new ground.
"The IBM approach demonstrates how little the marketing of security products and services has changed over the past two decades," says David Geer, vice president of certification system architecture with CertCo in the US. "IBM is selling security on the basis of FUD, which is short for fear, uncertainty, and doubt. Security technology should be viewed as an enabling technology that lets businesses enter into new application areas, like e-commerce."
Indeed, most customers won't spend a dime on new applications like e-commerce unless their worries about security are addressed first. But once potential clients are reassured, the payoffs can be huge.
Geer has been involved in the security field for nearly 20 years. In the late 1980s he worked as the systems-development manager for MIT's Project Athena - a wellspring of technologies for distributed-computing environments, including Kerberos, an authentication system that is still widely used today.
Geer regards the advent of the Internet and e-commerce as the "golden age" of security technology. A recent study completed by New York-based UBS Securities LLC bears out Geer's claims.
According to the firm, the total worldwide revenue from the information-security market will be $US16.6 billion in 2000, with $9.9 billion derived from security services. This represents a growth rate of 72 per cent from 1997 to 2000, driven largely by e-commerce and Web-related information-security-technology spending.
Geer says that estimates of market growth cannot be solely attributed to FUD: "The arrival of e-commerce, as well as virtual private network (VPN) technology, changes that," he says. "Security can now be represented as a technology that enables companies to pursue new and profitable lines of business."
At the same time, says Geer, e-commerce and VPNs have opened doors for integrators as purveyors of security solutions. In the past security was largely the domain of a few specialised consultants. Now integrators can deliver effective security solutions for the entire enterprise by weaving together different best-of-breed products.
Although it's clear that the Internet has played a major role in raising security awareness, some industry pundits assert that the catalysts for security sales predate the Internet boom. More precisely, the deployment of networks within companies in the late 1980s is what really began to drive sales.
"With the delivery of technologies for remote access to internal networks, companies quickly discovered that they had to restrict access to authorised users only," says Dave Fowler, vice president of sales and marketing for Gradient Technologies, a security vendor. Dial-back devices and firewalls were developed to address those new needs. New encryption products also entered the market around this time, replacing hand-coded algorithms built into earlier applications.
Although tackling security problems one by one with such point solutions works, it isn't the most efficient model.
"It became like the house that Jack built: lots of rooms added on, but no doors for moving from one room to another," says Fowler. He says that the Internet and Web not only have created markets for new "bolt-on" security products but have also underscored the inefficiencies of point solutions.
Thus Fowler views the security-integration-services market as a very profitable one. "It is up to resellers and integrators to weave the point products together to provide a true security solution," he says.
This view is shared by Brad Erlwein, chief architect, and Jan Pachl, chief scientist, at MCI Systemhouse in California. Ideally, security is an integral part of the architecture of the corporate technology infrastructure. "The better the low-level integration, the more flexibility for security," observes Erlwein.
Erlwein argues that a comprehensive security solution is best delivered as part of an overall distributed-computing framework such as that offered by the Distributed Computing Environment (DCE). DCE, he argues, delivers a measure of tight system coupling that was lost when IT moved away from the monolithic mainframe computing environment.
DCE's security component, Kerberos, provides the means to authenticate end users seeking access to privileged systems and data, delivering what Erlwein claims is the tightest degree of security within the corporate perimeter. Without an underlying security framework, adds Pachl, companies are often left with "a collection of technologies that are nearly impossible to consolidate".
Re-engineering all systems to deploy a DCE framework is a daunting undertaking, according to Ed Glover, manager of marketing and business development with SunService's global security practice in the US.
Glover notes that in the absence of a unified framework, opportunities "to deliver work-arounds" abound for integrators. He's also encouraged that some problems associated with incompatible security products may be surmounted by the major shakeout in the security-products industry.
"The consolidation we are seeing, with a few larger vendors buying up the smaller ones, is potentially a good thing," says Glover. "The focus of the products will be better, and there won't be so many vendors going off in different directions."
A "big five"
Many industry analysts and security practitioners predict a "big five" emerging from the current spate of industry mergers and acquisitions. Some integrators, however, are greeting the consolidation with mixed feelings.
"They are wary of mergers and what mergers mean for using third-party products as part of a solution," says Steve Dahill, previously director of channels for Raptor Systems but now performing the same role at Axent Technologies. "However, most would agree that the 60 or so firewall vendors in the market today are clearly more than you need," he continues. "If the mergers and consolidations are successful, resellers will be able to do more than deliver a product - they'll be able to deliver life cycle security solutions."
Axent's plans represent a good example of that strategy. Dahill says the company will provide integrated components, "from a unidirectional firewall to an authentication token product to an intrusion-detection product to a single-sign-on or security-management product - we offer a complete integrated-security line".
Even with the industry consolidation and subsequent product integration, integrators don't need to fear a drop-off in demand for services at the expense of shrink-wrapped products.
"You don't buy a firewall at CompUSA, deploy it, and have Fortune 50 security," says Dahill. "Companies have realised that security products, despite all of the advances in the last two decades, are still not plug and play."
Security vendors get it together
Here's who to watch as consolidation in the security industry creates a handful of vendors better able to supply integrated enterprise solutions.
1. Axent Technologies recently acquired firewall vendor Raptor Systems.
2. Check Point Software Technologies, based in California, has not made any recent acquisitions, but it has extensive alliances and partnerships with other security vendors, providing a high level of product interoperability.
3. Network Associates, a company born from the union of network troubleshooter Network General, virus-detection icon McAfee Associates, PGP, and Helix, is now set to acquire Magic Software Enterprise and Trusted Information Systems.
4. Security Dynamics Technologies recently acquired Intrusion Detection and holds patents on the popular RSA Encryption Engine.
5. Secure Computing, spun off from Honeywell in the 1980s, has acquired Border Network Technologies, Enigma Logic, and Webster Network Strategies, becoming the second-largest security-products vendor worldwide.
Security time line
Here's how IT's evolution, coupled with some key events, has driven technology advances and heightened interest in information security.
In the mainframe world that dominated IT in the '70s, several factors made for extremely secure computing: limited physical access to computers, few remote-access links, dumb terminals, and password/user ID-based security. Tightly controlled systems utilised security facilities provided by the mainframe vendor. The primary risks to systems involved accidental data modifications or erasures by authorised personnel.
The PC revolution begins; security concerns rise. PCs are acquired by departments outside the control of MIS and are used to process increasingly important data. Initially, short shrift is given to both the security of this new platform and its role in business computing.
Mainframe security fragments. The first "packaged applications" appear for the mainframe (for example, McCormick & Dodge General Ledger and the like), which use their own password-security systems in addition to the mainframe's native security. The issue of determining who controls security is first raised.
A high-profile security breach raises security awareness. The Morris worm infects thousands of systems connected to the Internet. Widespread press coverage alerts businesses to worms, viruses, and malicious programs. PC vulnerability to viruses is identified in the trade press.
Client/server shatters the old security paradigm. As distributed computing begins to take hold at the departmental level, MIS loses control of security.
MIT develops a robust user-authentication system. Project Athena yields the Kerberos identity system, a secret-key system for authenticating end users and systems to host systems.
The Internet goes mainstream. Public-key encryption, another identity system based on asymmetric keys, becomes standard.
Client/server adoption and telecommuting increase, as do security risks. As packaged client/server application suites replace legacy systems, risks multiply, because most systems are interconnected by unsecured networks.
Remote access booms. Companies use more contractors to cope with downsized staff. Contract employees have access to data and systems, creating additional security risks.
Internet-security products take off, but many companies remain lax. The market for firewalls and virtual private network products takes off. However, only a few companies define and articulate security policies.
Security suppliers consolidate. Industry shakeout leads to the emergence of five leading security vendors, which may benefit integrators by providing more comprehensive, integrated security solutions.