March 10, 2011
—
CSO
—
For Symantec Corp. CEO Enrique Salem, the three critical issues facing IT leaders today -- and the three biggest opportunities for his 'information protection' company -- are cloud, virtualization and the consumerization of technology. In this installment of the IDG Enterprise CEO Interview Series, InfoWorld Editor-in-Chief Eric Knorr and IDGE Chief Content Officer John Gallant caught up with Salem shortly after his RSA Conference keynote describing Symantec's cloud-focused security strategy,dubbed 03.
In this discussion, Salem outlines why 03 is such a critical initiative for the company, and discusses how cloud and virtualization change the security threat landscape and the business opportunities for Symantec. He also talks about why Symantec isn't overly concerned about Intel Corp.'s purchase of McAfee, Inc. and what it means for Symantec to be on its own in a market with competitors like Intel, IBM, Cisco and other giants. Salem also outlines what's ahead for Symantec's non-security businesses in storage and systems management, and how collaboration and social networking will change everything for organizations in the years ahead.
Q: What is 03 and why is it such a critical initiative for Symantec?
A: In computing, there are big transitions that happen every few years. We are in that next transition. I predict that the five years starting from 2010 to 2015 will have the most significant technological change that we've seen in the last 25 years. The reason I say that is that we are going to see a big move to the next generation of what I call distributed computing. Cloud computing to me is just the next generation of distributed computing; it is taking distributed computing one step further. I call it hyper-distributed computing.
What you don't want is different systems in IT for each of these different things. You don't want one system for your on-premises technologies, a different set [of tools] for mobile computing, another set of systems for dealing with cloud-based services. That is a nightmare. Also, IT is always trying to be more efficient with costs.
With 03 we said, 'let's create a layer that can be an integration point for a number of things'. One, you need a policy engine that lets you set policies. What devices do I trust? What information can go on those devices? Should this user have access to that information? Then you need to have enforcement, something that actually says 'yes' or 'no' based on the policies. And then you need to have audit and governance that reports against what actually happened. As the ozone is the layer that protects the earth from the harmful rays of the sun, we believe you need something similar in business. The ozone is made up of three oxygen molecules. So that is O3, and we have three layers. We have a policy layer and an enforcement layer and then an audit or governance layer that can be used broadly across enterprise computing.
Q: Define how that works within the enterprise, but how it also ties in with cloud providers.
A: Take the following example. Today you have corporate legacy identities. Our goal is to have those same IDs, those same credentials now be used in the cloud. Our direction is to simplify a lot of things that you do today. IT can't afford more complexity.
Q: Is 03 something that has to be implemented at the service provider and in the enterprise in order to work?
A: No, our goal is it can be independent of the service provider. Now we expect some service providers will want to resell and integrate it themselves, but it won't be required. The model is VeriSign's security business, which we acquired. The way our VeriSign identity protection works is you go to a Web site, it checks whether you should have access. It goes back to our hosted authentication service, says you're a valid user and lets you go to the Web site. The idea is we'll be able to integrate the technology and the goal is not to have to modify what the cloud providers are doing.
Q: For enterprise customers, how does the movement to private cloud and use of public cloud change the security landscape?
A: These services are creating new opportunities for leaks and places where information can leave your organization. We call it the borderless enterprise. In a private cloud, you still control the services yourself but you build them in a shared service model. As soon as you go to the public cloud, you're now outside your four walls. You really need to understand what information is going where. Who are you going to trust? Our goal is to have a very information-centered view. When you go out to a public cloud service, you better really understand what you are putting in that cloud. You also need to have the right controls in place. Our goal is to help you in that transition.
Q: How does it change the business model for Symantec? Does it make the service provider a more likely customer for the future? And do you see more of your products moving to become cloud-based offerings versus packaged software?
A: We think about how to do two things: Deliver our services from the cloud, and that means take our capabilities and move them to the cloud. That is message filtering, data loss prevention, backup, recovery, encryption - all as cloud-based services. We actually call that Symantec.cloud. So if you want to take any of those services that you are doing today on premise and you know that they are not core competencies, trust Symantec to do them.
The other thing is how do we help people build their clouds? Today, Symantec has got 60 petabytes of data backup. We've got seven billion messages filtered, five million IDs that we manage. Our goal is to help cloud providers, service providers, build out their capabilities so they can do this securely and cost effectively. We have integrated our end point protection technology into Amazon EC2. Folks like eBay are using our VeriSign identity protection. We are infusing our technology into these cloud providers. We'll deliver services to you as an end customer and we'll also integrate with the cloud providers. From a business model perspective, I expect this to be much more of a subscription-based model, not buy a license and pay maintenance. More pay as you go.
Q: Let's talk in more depth about mobile. Do you think the mobile security thing is being overblown now? And what is Symantec's approach to mobile security?
A: Any device can have corporate information on it and you want to have some level of control over it. Today, more corporate information is on Blackberries. It's starting to be on Android devices and iPhones and iPads, among other things. That means that they will become targets over time. You've got 1.4 billion PC's out there and those are the current target. As you get more critical mass on this range of new devices, they will become a target. It is really only a matter of time.
We think about this in a couple of ways. First, you've got to manage these devices. You want to know it's up to date, that it's current - the same sorts of things we did on the PC platform, including things like anti-malware. It's the mobile device management space and it is a very important space. But more important than that for me is how you control the information that is being put on the device. Today, this thing (he points to his iPhone) is a companion device. It's not my primary computer device yet. So what that means is I am going to synchronize information out to this thing. But what my corporation wants to do is make sure the stuff that I put on there isn't the source code of the company. You need to know how to protect [critical] information from being delivered onto that device.
Q: What about the other big trend corporations are dealing with, both in a positive and a negative way: Social networking? What things need to be approached differently in security because of social networking?
A: I am a huge believer that the way we collaborate needs to change. We have been in a very email-centric world, but it's not as effective as it once was. We are all overwhelmed with the amount of email we get on a given day. So we are big believers in the social enterprise. I had a customer who said [their company] created its own internal LinkedIn where people could find the appropriate subject-matter experts inside the corporation. They don't have to send six emails to find out who's the person who understands de-duplication at the company.
So, we are absolutely believers in this notion that collaboration will change. And many of the habits that people have in their day-to-day consumer life -- leveraging Facebook or Twitter or other types of social technologies like LinkedIn -- are going to be very relevant for how the enterprise works. The companies who don't embrace it will be at a competitive disadvantage. They will be less productive in my opinion.
What does it mean for security? Let's say you have engineers working on a collaborative tool, they are sharing information amongst people in the group. Well, they may put some intellectual property out to too wide an audience. Even if it's internal, that's a problem. Social networking creates the opportunity for a lot of corporate information to leave the organization. You have to have the right controls in place. Our job is to provide the enterprise with the tools to control what content is going to leave the organization to the public Internet. It is a combination of things. One is broader use of certain capabilities that we have, but we also have to apply them to the different tools, whatever their social platform is, SharePoint, Chatter [from salesforce.com], etc. We've got to make sure we are integrating that capability. We work on all the Internet protocols, so we can always see the data in motion through any of those protocols. But they've got to use it in that area.
Q: What challenges do you see with Intel's purchase of MacAfee and what opportunities?
A: We had looked at all the scenarios. We've looked at HP buying them. We looked at Cisco buying them. We looked at Oracle buying them, or IBM. Intel wasn't on the list. Intel is a quality company and they know what they are doing. But this feels like a diversification play. It really feels like they were saying, 'Hey, we've got a core silicon business but we also want to do some other things and try to diversify our business'. So, quite frankly, for us that was probably the best place [McAfee] could have landed because [Intel] is not known as an enterprise software company. They sell to businesses through third parties, through OEM's, but not through their direct sales force. Oracle or HP have massive go-to-market capabilities. They are very different than Intel. So if there was a place for it to go, that was probably the best place for us. You took a focused security company and wrapped it in a $40 billion silicon company. There is no way it can have the same focus. Because when you sit around the executive table and you've got a $10 billion fab you are putting in, you're thinking about the $10 billion fab, [not security].
It creates an opportunity for Symantec to go into the marketplace and say we are a company that is the market leader in security, focused on security and here is all our innovation. You don't have to worry that we're going to wake up tomorrow and decide to be a game company. I think that message is resonating.
Customers do ask the question about what Intel can do in silicon and we tell them silicon is a great accelerator. You can enable many things in silicon. But having a complete solution, especially in security where there is so much change going on, you're not going to do that. Anything that they put into silicon will have to have open interfaces that they will have to allow third parties to use. I am not worried about that. Silicon moves way too slow. Think about the rev cycles in silicon versus what we do in software every day. Imagine that you want to protect against Stuxnet with a reputation-based system. It's going to take you three years with silicon.
Q: So you don't feel that is something that could fundamentally change the security game?
A: We take Intel very seriously. They are a big company, smart people. But we think it's a distraction and it causing some amount of disruption to the McAfee team.
Q: Is it something of an awkward position to now be the one remaining, big standalone security company?
A: No, it's a great position. This morning, I was on CNBC and they called me Mr. Security. That is a good thing, right? As a company you want to have an identity. You want people to know you for certain things and usually people know you for one or two things. When you think about Cisco, people think about networking, routing, maybe a little bit of telepresence now. You think about Oracle: Databases and apps. I don't think people are going to associate Intel with security. They're going to say Intel is a silicon company. They are going to say Symantec is into information protection. That is we do, we think about securing information, we think about managing information. Love that. I want to be that company.
Q: Recently in The Wall Street Journal a columnist was speculating about mergers he or she thought might be possibilities in the tech industry. One of those was HP buying Symantec. I know you won't tell us if you're going to be acquired, but it goes back to this issue of being a standalone security company and whether that makes you a target.
A: There are some forces at work in the marketplace right now. One force is that customers, especially big customers, want to do business with fewer vendors. Even in security, they've got too many point security products. So there is a market-driven factor: How do I simplify the number of people I have to deal with and have a few strategic vendors.
The other side of this is that companies like us want to scale up, get more breadth in our portfolio so we can be a better provider to the customer. We do expect to see over the next several years a lot of consolidation and I think we'll see this split where you'll have very big companies five billion plus, six billion plus, 10 billion dollars - and then a bunch of startups. But not a lot in between.
Our goal is to focus on information across all the stack vendors. So if it's an HP stack, an Oracle stack, an IBM stack, a Microsoft point of view, we think there is an opportunity. And I think there are two camps out there. There is what I will call more of a distributed camp - NetApp, Symantec, VMware. Then there are the stack vendors - HP, Cisco, IBM. Our goal is to work across those various platforms and deliver our capabilities. We think there is a place for a company that works across all of them. Same thing on mobile devices.
Q: It's interesting that they called you Mr. Security because you do have a broader range of products than that. Do you feel that people still don't recognize all that you've put together from the earlier acquisitions, including the storage and other management products?
A: Yeah, absolutely. I think that people still see Symantec associated more with security than they do with our storage business. Part of my job is to really make it clear to folks that we are in the information protection business. Now if I went to storage conference, they might call me the storage guy. But maybe not.
Q: I don't think so.
A: Probably not. You're probably right. What I want to do is make sure that people understand the vision of the company, which is this information-centric view. With some of the new products we've launched we are starting to get momentum about why the integration of the storage and backup capabilities with security makes sense. We had been kind of siloed for a number of years, but now with products like Data Insight, which we launched in March of last year, we are seeing that connection. Also, as we go to the cloud with Symantec.cloud, you'll be able to protect all your information. You are going to use our message filtering, use backup and recovery, archiving. Symantec.cloud allows me to deliver that capability, to have another integration point in the cloud.
Q: It still seems like the products have two separate buyers who deal with the company in two very different ways.
A: There are different buying centers for sure. We sell to the CISO and the operations team. Security operations used to be a separate group. But what's happened is that while the CISO role still drives standards and policies, the operation of security is now with the same folks who manage the desktop environments. We, quite frankly, pushed that when we acquired Altiris because we said to people that the only way you have a secured end point is that you have to manage it well.
Q: Being in this position does give you an opportunity to drive standardization, particularly around identity.
A: You are exactly right and we are taking that opportunity in some of the work we are doing. We bought VeriSign's security business and a lot of people asked what we were doing. We believe exactly the identity problem from a corporate perspective on the Internet hasn't been solved. That's an opportunity for us because we've got scale and users. We feel very strongly that there is an opportunity to win, and win big, in the Internet identity space.
Q: Shifting gears, let's talk about the other part of the business. Talk about some of the strategic initiatives underway within the storage and server management piece of the business. What are some of the things that people should expect and what are you focusing on?
A: It all goes back to the same trends that drive our business. There's virtualization, consumerization and cloud. The two that affect our storage/backup recovery business the most are cloud and virtualization. We want to help people optimize their virtual environments. By 2015, 60% to 70% of servers will be virtualized. Today, we're sitting at a third, maybe. The next third is moving from test/dev into real production. One of things Symantec's announced is Application HA, which is Application High Availability. What VMWare can do with vCenter is restart a virtual machine. With App HA, we can restart the application within the virtual machine so you don't have to shut down it all down and start it all over again.
We've been building knowledge about 250 applications for about 10 years with our Veritas cluster service business. We had to understand the applications. What I would like people to associate with Symantec is that if you are putting up a virtual environment and you are trying to move more systems into production, we are the company that can help you optimize that virtual environment. We don't have a hypervisor. We are not going to try to sell you one and I don't plan on buying one anytime soon. Our goal is optimization of that virtual environment and that is what our business is about. Back it up better, be able to recover it better, be more efficient on the security side.
The other side of it is, we've got to deliver services from the cloud -- backup, recovery, archiving -- which we are doing now. And we also want to help people build that cloud infrastructure. So we do both of those.
Q: Is there anything you need from the virtualization companies to be able to improve what you offer?
A: Ultimately, what we are looking for is better access to the interfaces in the hypervisor. We work with the folks in Redmond [Microsoft) and we work with Paul [Maritz] and his team here in Paul Alto [VMware], we obviously work with Mark [Templeton] and his team [Citrix] for Zen. Our goal is to be platform agnostic. We work with VMware and others to understand the interfaces that enable us to provide security on the platform. They are very open minded because security is one of those things that every IT buyer takes seriously.
Q: Going back to the storage and server management area, you recently introduced some appliances. What is your expectation for that market and what do you bring to the table there that the other appliances folks aren't delivering?
A: It's about customer choice. Customers get to decide how they want to deploy our capabilities. Some of them want to have software that they run on their own hardware. Some of them want appliances that they can plug into the network and just have them work. Some of them want services delivered over the Internet. We see enough momentum in both appliances and the cloud that we've we got to participate [in both] actively.
We took our software capabilities and we just didn't put them on hardware. We built systems. For example, with our new net backup appliance, the new de-duplication appliance, it was not only how do we put the software on the box but add new capabilities as well. How do we harden, secure the box? What we bring to the party is the best software capability in the world in this area and we are the market-leading systems builders. We didn't just go buy a server and put software on it.
Q: In the past quarter, your storage and server management group showed fairly slow growth of about three percent. Why the slow growth in what seems to be a hot market for others?
A: I would tell you it was one of our better quarters. The business was declining over the last several years because we built that business on the high-end Sun hardware. Over the last three years that Sun business has contracted. That put pressure on us because we used to have a very high attach rate. When you bought a Sun box to put into production you bought Storage Foundation and you bought Veritas Cluster Server. But as those machines lost momentum in the market that had an impact. We told Wall Street the growth rate would be zero to negative for the next several years in that business, so they were actually reasonably happy with three percent. That is because what we have been able to move to more of the virtualized Web solutions and we also have been able to move to other platforms effectively. HP's a big OEM of our capabilities. Red Hat is doing a lot more with us now. That growth rate is really indicative of what has happened on the Sun platform.
Q: What is Symantec's play in security information management?
A: We have a SIM product that is being used fairly broadly. But we don't just think about SIM on premise. We also think about MSS [managed security service]. Symantec has a unique capability in that we can do both. We can provide the on-premise SIM technology, but we can also manage and monitor events coming off your firewall, your network devices. Some people say 'I want some level of control of my environment, but I want you to do the day-to-day monitoring'. Our SIM products are actually doing fairly well, we've had some very nice wins over the last several quarters.
Q: What aren't IT leaders worried about today that they should be really worried about when it comes to security?
A: We touched on it earlier. I think it's the move to the social enterprise. Also, this is an information economy. IT has to get much more focused on how they deal with the [growth of] information and how they are thinking about the security of that information. The biggest thing they have to do is grok the reality that it's an information-centered world. They need to know how to get rid of things, how to make sure it doesn't leave their organization when they don't want it to. Attacks like Wiki Leaks should be a big wake-up call. I have seen some of them wake up to it, but not all of them. Enterprises have to think about two things: Your computing architecture and your information architecture. If you get those right, you are going to be able to run your business much more effectively.
Q: When you look at reports about the growth of malware, which is staggering, you wonder whether there comes a point at which the way we deal with these threats just can't keep up. What will we do then?
A: To give you some stats, in 2008 we produced 1.6 million signatures. In 2009, it was just under three million signatures. The number in 20O8 was more than the previous 17 years combined. What you've got now is micro-distribution of threats. Seventy five percent of the attacks are now hitting fifty or fewer systems. That means the conventional way of seeing an attack and providing a fix is no longer good enough. We have created a new system that is called a reputation-based security model. It's not IP reputation where you took an IP address and you knew its reputation and you identify that that IP produces a lot of spam so I'm going to throttle it and traffic shape it. We are doing application reputation and what that means is that 175 million endpoints that Symantec currently has visibility into are providing us telemetry on 2.5 billion files. We now have the ability to use attributes like download source and age and then combine all that in an algorithm that gives you a safety grade. Instead of having a white list or black list, you can say this program doesn't have a good reputation, I'm not going to let it run. That capability is shipping for the enterprise space later this year. It's already in our consumer products. This is what you need because the old model is inefficient, insufficient and not going to be the solution for the future.
Q: Do you anticipate maybe a tipping point at some point where people might want to go to white listing instead?
A: White listing works in very tightly controlled servers or platforms. But any platform you're constantly adding new capabilities, it won't work. Too much overhead. You will spend a lot of time maintaining the white list. That's why white lists have limited adoption. We've got a white listing capability but it's not that prevalently used. It creates more overhead for IT and IT is not looking for more work.
Q: Final question: You've got one minute with the CIO and you want him to know what about Symantec?
A: You can trust us with your information. Our goal is to help you secure and manage your identities and your information.
Read more about cloud security in CSOonline's Cloud Security section.
You are previewing premium content. 
More Salted Hash with Bill Brenner
