Hoov's Musings (volume 7, number 10)



A Long Conversation About Security

“The world sucks”

You’ve probably heard the old phrase that aspirin is easier to sell than vitamins. So go where the pain is.  One of the tasks that we at Acuitive take on is assessing the pain threshold of potential target customers.  This is to determine whether they feel enough pain to encourage spending on solutions that one of our clients or a company we are performing due diligence on is proposing to build. 

The search for pain can be a bit macabre.  Not so much the search itself, but the fact that there are always drooling entrepreneurs and venture capitalists looking over our shoulders, trying to see pain in every statement, shoulder shrug, and stutter customers make.  The result is that the definition of pain can get diluted if you are not careful.

But late last year and earlier this year, Tom Garland and I participated in a series of projects that identified the most severe, broadly felt, and viscerally articulated pain point I have seen in my entire career.  The introductory sentence to this Musing pretty well paraphrases the customer feedback.

The issue was (and is) the impact of hackers, viruses, worms, Trojan horses, spyware, and other malware on IT operations. 

Basically, protecting against, reacting to, and recovering from such attacks have come to dominate the daily life of many IT personnel.  And they don’t like it.  There is nothing fun here.  There is no way to be a hero.  If you aren’t attacked, the users just think the system is working in the way it is supposed to.  But every attack that causes an outage, every clock tick as the outage is diagnosed and remediation implemented, every pro-active system change that requires a planned outage, and every new procedural precaution that users must participate in, just makes IT look worse and worse.  And sooner or later, a business-critical or business-embarrassing incident occurs that grabs management’s attention, and no one is empathetic when IT says “we’re doing the best anyone can!”

Meanwhile, other projects stall or slow down considerably as IT puts more and more of its resources on the daily ritual of securing systems and responding to an increasing frequency of “all hands to the fire” alarms as infections occur and spread. 

It has been a bad time for IT people to try to give up whiskey, cocaine, and cigarettes.  They are better off just giving up sleep.  Worst of all, at least up until now, there haven’t seemed to be any viable solutions emerging for these problems while the issues have become increasingly frequent and virulent.

Many IT organizations have worked their tails off to create state-of-the-art perimeter security at the LAN/WAN boundary and have delayed the deployment of WLANs within their sites, thinking that would get them out ahead of these issues and give them room to breathe.  But it hasn’t worked.  These efforts are totally defeated by firewall “briefcase bypass,” where employees (or contractors, visitors, or business partners…) take laptops home, to customer locations, or on trips, where they get infected, and then bring them back to a corporate site and plug them into their docking stations.  This path of infection will get orders of magnitude more common as usage of other networked devices such as PDAs, cell phones, tablet PCs, etc. becomes more prevalent.

So what has been discovered is that perimeter security is great – but the perimeter isn’t just the LAN/WAN edge.  It is every wireless and wired connection point within the enterprise!

Vendors have been observing the increasing pain point for some time now and licking their chops.  They see lots of opportunity in providing high-priced solutions.  If you thought you were having fun before, now it’s really going to get fun. 

A large number of vendors, from the biggest in the world to small start-ups and everything in between, are or are going to be promoting their solutions as the magic elixir for all security-related aches and pains, and more.  We’re going to need to sort through all of the rhetoric and figure out what is real and what is not, and what early approaches, although flawed, are on the right trajectory to become part of future best practices.

The way this plays out will heavily influence the fortunes of many companies and individuals in the coming 2-3 years. We’re going to see full-contact marketing by many combatants, some trying to create new product categories (e.g. Internal Firewalls, Identity Management Systems, Secure Switches), and others focusing on enhancing existing products and systems architectures to meet the need. 

I don’t know exactly how this will play out, but I have a few clues.  I’ve been immersed in examining the various approaches for more than a year now and have started to develop some opinions that I would like to share with you.  But with all of the different angles, approaches, and conditional logic, this is a long conversation.  So I am going to lay this out to you in an extended series of Musings (probably interrupted now and then to talk about interesting issues-of-the-moment).

My wife and I are expecting our third child on or around April 25th next year.  So I have two short-term goals to complete by the end of April next year:

1) To welcome this new baby into the world.

2) To finish this long conversation about security.

So you have been warned. Now is the time to cancel your Acuitive On-Line subscription, change your e-mail address, put info@acuitive.com into your spam filter, or take other counter-measures if you want to avoid being sucked into this extended conversation.

If you hang in there, however, you’ll see that I will start out by talking about Cisco and their approach to these issues.  They have been very pro-active and have a huge initiative called the Self-Defending Network (SDN).  If this initiative is successful, then perhaps there won’t be much opportunity for other vendors other than those who operate within Cisco’s constructed ecosystem.  If not successful, the magnitude of the marketing around SDN will whet people’s appetite for solutions from someone, which could open the door for a lot of alternative players.  Therefore establishing Cisco and SDN as context for ensuing discussions seems appropriate.

So, the next couple of Musings in this sequence will focus on the good, the bad, and the ugly of SDN.

Copyright ©1997-2004 Acuitive, Inc.  All Rights Reserved