by Andrew Braunberg

Competing Effectively in the Information Security Market

Feb 12, 2004, 10 mins
CSO and CISO, Data and Information Security

Market Definition: The information security market is rapidly evolving. While some market segments have reached relative maturity, others are just emerging. Overall, the market is extremely dynamic with new vendors continuously entering and leaving the market. The three most dynamic market segments of information security are identity management, intrusion detection systems/antivirus, and security management.

The identity management market segment encompasses the technical and service infrastructure that allows companies to create, manage, and authenticate user identities and broker services based on those identities for use within an enterprise or in an Internet-based context. Identity management involves four major tasks: authentication, authorization, access control, and audit. Identity management thus includes established market segments such as directory servers, certificate authorities, certificate management servers, password management, and single sign-on solutions.

The markets for intrusion detection, intrusion prevention, and antivirus systems are characterized by systems, both hardware and software, that aim to either prevent or detect intruders on a network or prevent viruses from causing damage, respectively. The two traditional types of IDSs are network-based and host-based, although leading solutions today provide hybrid systems that integrate both network-based and host-based protection. Antivirus systems are similarly either desktop-based or network-based, and there is an increasing movement of antivirus security to servers and gateways.

Security management is the combination of hardware, software, and services that aggregates, normalizes, and correlates data from disparate security products. While solutions will eventually encompass identity management as well as the management of perimeter protection systems, current products chiefly deal with event management of perimeter threat detection data.

Market Review:

  • Inclusionary and Exclusionary Security: The information security market consists of a complex mix of products and services that provide two related but very different types of security. The trick is to make sure that everyone that should have access to network resources does, and everyone that should not, does not. Under these constraints identity clearly becomes key.
  • Consolidating Market: Consolidation is taking place across several segments of the information security market. For example, pure-play provisioning vendors are being acquired by larger IdM vendors while anti-spam vendors are increasingly being acquired by antivirus vendors.
  • Consolidating Products: Vendors in several InfoSec segments are consolidating product sets. Several vendors have introduced products that combine traditional VPN/firewall, IDS, and antivirus functionality. Examples include Computer Associates, Network Associates, and Symantec. Traditional antivirus vendors are expanding their suites to include anti-spam and content filtering.
  • Microsoft: The software giant is increasingly active in the security space. It officially entered the antivirus market in June 2003 when it acquired the Romanian software vendor GeCAD. The repercussions of this move, although still unclear, could be significant. In July 2003 Microsoft released a significantly more functional version of its metadirectory product, now called Microsoft Identity Integration Server (MIIS).
  • Complexity: Security solutions are increasingly complex because of organizations’ desire for both in-depth defensive strategies and best-of-breed approaches to purchasing decisions. This complexity and heterogeneity (in device types and vendors), especially in perimeter defenses, is a major driver of event management sales.
  • Regulations Helping Drive Opportunities: With the requirements of HIPAA taking hold in medical practices and Gramm-Leach-Bliley Act (GLB) mandates now impacting enterprises, clients are turning to security companies for help and support. Since security is a measure of insurance and risk tradeoffs for end users, the added factor of government compliance will help stoke industry growth.

Near-Term Market Drivers:

  • Defining the Space: Companies are pursuing aggressive partnering strategies as the market continues to evolve and the functional expectations for identity management, managed security, and intrusion protection systems continue to expand. This is readily seen in the current rush for identity management vendors to acquire provisioning vendors, IDS vendors to claim IPS credentials, and antivirus vendors to acquire anti-spam vendors.
  • Regulatory Compliance: In the United States especially, businesses are dealing with a host of new access control and audit requirements that derive from newly enacted or newly implemented laws and regulations. These include GLBA, HIPAA, Sarbanes-Oxley, and the USA PATRIOT Act. The regulations affect companies across the economy, but are especially important to the financial services and health care industries.
  • Manage or Prevent: The chief driver of event management solutions is the continuing and hugely annoying number of false positives pouring out of intrusion detection systems. The problem is so bad that some industry watchers contend that it could lead to the demise of the IDS market. A counter driver to growth in the managed security segment is the emergence of intrusion prevention systems, particularly in-line solutions that can perform real-time data blocking. Widespread adoption of IPS could inhibit spending on event management systems, and security management vendors should consider these products competitive to their own.
  • Perimeter Management: Security management solutions are evolving to integrate data from a host of perimeter products. Event management systems have often evolved along separate lines with products for firewall, antivirus, and IDS.
  • Correlation is Key: The near-term IDS market contenders will largely be determined by those vendors that can best correlate and visualize the huge amounts of information captured by the IDS. Proper filtering and correlation reduces false positives, which will allow improved monitoring of entire networks. Event management across heterogeneous security environments will increasingly become a requirement.
  • Federated Identity Standards Emerge: One key way to ensure trusted communities is through federated identities, whereby user identity information is passed or shared. Although friction between Sun and Microsoft and their respective standards camps (i.e., the Liberty Alliance and the Web Services Interoperability Organization) has raised concern that a fragmented market would chill the growth of identity management and Web services, a thawing in relations has begun. IBM’s pragmatic peace-making efforts and Microsoft’s distaste for more public questioning about “anti-competitive practices” indicate that a détente among the rivals is on the horizon. These standards for sharing identity information will drive new products and even new vendors.

Long-Term Market Drivers:

  • Consolidation of Functionality: Currently disparate market segments will continue to merge as information security products increasingly are managed as integrated solutions. Technological advances will continue to shift the industry from simple detection and monitoring to a much more proactive protective defense and control posture.
  • Data Control Concerns: The flip-side of the benefits of highly integrated services is the loss of control of proprietary data. The authentication, access control, and audit aspects of identity management infrastructures in particular will continue to be a hot-button topic for businesses. Enterprise wariness about linking too closely with supply-chain partners and potential competitors chilled the growth of B2B trading networks and likewise will play an important role in the adoption cycle of federated identity management systems.
  • Privacy Concerns: Consumer awareness of privacy issues and concerns about control of personal information continue to grow, particularly with regard to the sharing of health and financial information among affiliated businesses. The same service arguments made by supermarkets and credit card companies – that knowing more about an individual enables providers to offer more tailored services – are proffered by some proponents of Web services. And the same emerging regulations will govern the sharing of consumer information within and among businesses. Identity management systems need the flexibility to ensure varying levels of information control and meet prevailing standards and regulations.
  • On-demand Computing: The availability of ubiquitous computing resources on demand will further drive the need for sophisticated, highly flexible security management solutions that combine both identity management and event management. Starting with Web Services, but including more esoteric offerings such as GRID computing, these offerings will be a major long-term driver for security management solutions.
  • Managed Security Services: Managed security services will increasingly be an attractive option for organizations that want to offload the management headaches that can accompany the deployment of security solutions. As MSSPs better address some of the traditional concerns confronted by all ASPs, this segment will continue to grow and displace software license sales.

Offensive vs. Defensive Responses:

Defining the Space


  • Vendors attempting to deliver an end-to-end identity management solution will emphasize the benefits of working with one supplier, including cost, interoperability, service, and completeness. These companies will continue to look for attractive acquisition targets.


  • Vendors taking a best-of-breed approach to the market will emphasize the benefits of working with a group of providers, benefits which include cost, features, and functions. These vendors should emphasize that this is an extremely large and dynamic market and that no one vendor can yet provide a complete solution.

Regulatory Compliance


  • Vendors that have granular data control capabilities should highlight their ability to provide vertically-specific security solutions. These vendors should highlight their flexibility in adapting to changing regulations or market demands for data controls and audit.


  • Vendors with weaker data control capabilities should trumpet brand-name customers and their successful implementations of identity management solutions. Wherever possible, vendors should publicize compliance with governing regulations or industry standards.

Manage or Prevent


  • A major driver of current security management interest is the need to better understand, control, and prioritize data coming out of intrusion detection systems. Vendors should emphasize their ability to aggregate, normalize, and correlate data from numerous IDS products. IDS vendors moving into managed security, such as ISS, Network Associates, and Symantec, should especially highlight their ability to integrate with third-party devices.


  • A counter trend to managed security solutions for event management is the emergence of intrusion prevention systems that support inline deployment and data blocking. Interest in these systems is also being driven by frustration with the current generation of IDSs.

Perimeter Management


  • Security management solutions are evolving to integrate data from a host of perimeter products. Event management systems have often evolved along separate lines with products for firewall, antivirus, and IDS. Vendors that can manage data from across these systems will increasingly have a competitive advantage.


  • Vendors currently limited in the number of pre-built connectors to third-party products should promote the ease with which custom connectors can be built with their solutions and the flexibility that it provides to end users. Increasingly, however, end users will demand out-of-the-box integration with a wide range of products.

Correlation is Key


  • Vendors with strong correlation and visualization tools in their IDSs need to market those features actively. Moreover, if the strong correlation features support third-party products, the capability should be brought even more to the forefront in terms of sales strategies.


  • If a vendor lacks sophisticated correlation and visualization capabilities, then it should either investigate enhancing its product’s capabilities or advocate that such advanced capabilities are better done by third-party vendors focused solely on developing interoperability. NetForensics, Bindview, NetIQ, and Intellitactics are some of the current pure-play leaders in the enterprise security management market.

Federated Identity Standards Emerge


  • Members of standards bodies can promote themselves as market or technical leaders with advanced access to emerging standards and technology. Vendors in either camp should leverage relationships with other consortium members to build pilot projects and make joint sales calls. Members in multiple camps should work to moderate and mediate efforts between these groups.


  • Non-participating vendors should paint the consortiums as political bodies rather than sources of technical innovation. Non-participating vendors can make the case that their products are flexible enough to support any emerging standard and that their resources are put to better uses while the standards battles rage.