In a move that surprised many, but will make a lot of sense to regular readers of this blog, Intel announced today that it has entered into a definitive agreement to buy diversified security vendor McAfee for $7.68 billion, a significant premium over McAfee's share price at yesterday's market close.
Echoing many of the same issues that Proofpoint CEO Gary Steele noted in his recent guest blog post at Byron Acohido's "Last Watchdog" blog (see "Why Wall Street is Boosting Investments in Tech Security"), Intel and McAfee gave the following rationale for the acquisition:
First, security is fundamental to today's computing environment. Intel CEO Paul Otellini is quoted as saying, "In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences."
And those "computing experiences" are becoming more and more pervasive. The explosive growth of Internet connected devices—not just PCs but smartphones, tablet computers (like the iPad, the rumored Google Chrome OS pad, etc.), even ATMs, medical diagnostic equipment and on and on—requires better security for those devices to prevent exploitation and protect private data held and processed by those devices.
As security vendors regularly point out, security threats continue to proliferate rapidly and are becoming more complex and more costly to remediate. In the email security space, for example, targeted attacks such as spear phishing, the use of multiple attack vectors (combining email, web and social media components) and more clever social engineering are now commonplace. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month," says McAfee CEO Dave DeWalt.
McAfee's online announcement also notes that, "The current cybersecurity model isn’t extensible across the proliferating spectrum of devices – providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security." Which I think is a rather verbose way of saying that network security in today's world needs a major "re-think" and that certain security functions and controls need to migrate further down the IT application stack and be more of an integral part of the hardware and firmware that power new devices.
Additionally, Intel notes that this acquisition is part of its ongoing effort to broaden its IT footprint, delivering not just hardware but software components. Notes the Intel announcement, "Intel has made a series of recent and successful software acquisitions to pursue a deliberate strategy focused on leading companies in their industry delivering software that takes advantage of silicon. These include gaming, visual computing, embedded device and machine software and now security." (Intel's acquisitions of embedded/mobile software vendor Wind River and gaming AI/physics vendor Havok are cited.)
Expect this news to spur ongoing M&A activity in the security space. And, more importantly, the trend toward making security more of a core component of computing devices—rather than an afterthought—will make for a safer computing world.
Byron Acohido at USA Today has an interesting article out today (see "Cybersecurity Stocks Look Hot in 2010") positing that tech security companies are "poised to become Wall Street darlings this year, thanks in part to Google's tiff with China."
Quoting an analyst at FBR Capital Markets, he says the Google-China row has underscored the already positive outlook for stock price performance of diversified security vendors such as McAfee, Symantec and Check Point and that the security sector is underinvested. As we point out at Proofpoint quite often, IT security (including email security and data loss prevention) solutions simply aren't optional and large enterprises and government organizations can't delay purchases of such solutions.
Statistics from IDC are also quoted, noting that worldwide spending on IT security rose 6% in 2009 and is expected to grow another 9% in 2010.
The article notes that prospects for privately-held security companies are also looking very positive:
"Meanwhile, the rising incidence — and visibility — of cyberattacks also is boosting prospects for privately held tech-security firms, says Asheem Chandna, a partner at Greylock Partners, a leading Silicon Valley venture capital firm.
Private firms with strong balance sheets and good growth prospects that might be viewed as viable candidates to float an initial public stock offering include Sophos, Barracuda Networks, Qualys, Proofpoint and Tripwire, Chandna says. He estimates 30 to 50 tech firms could go public this year, including three to five tech-security companies."
I sat down recently with Dave Champine, Proofpoint's product manager for our SaaS email security solutions for an extensive interview about the security of cloud computing-based solutions and the issues enterprises should consider when moving security functions "to the cloud." I'll be posting excerpts from that discussion over the next few days.
First up, Dave had some really interesting things to say about specific features that enterprises need to look for when buying "in the cloud" security solutions (or any other type of SaaS solution, for that matter). As Dave notes in this video, large enterprises have different concerns than, say, small businesses or consumers when they are looking at deploying a cloud computing-based (or SaaS) solution.
To summarize the main points that Dave discusses in the video, there are four interrelated characteristics of an enterprise-quality cloud. He describes them as:
Isolation: Look for solutions that offer both physical and logical separation of your data and the application itself from other customers. This helps to ensure that your enterprise's capacity and performance needs are being met, regardless of what's going on with other customers of the same solution.
Flexibility: Look for solutions that can support the high level of complexity found in the large enterprise. For example, in the email world, large enterprises can have very complex policy environments due to regulatory requirements, best practices for data protection and corporate governance concerns. So that means being able to do things like set and enforce different email disposition policies for different business units, support secure transmission to business partners, support policy-based encryption, etc. Flexibility also means having flexibility in terms of how things are deployed (e.g., could I deploy some things "in the cloud" but leave other features on-premises).
Control: Large enterprises need SaaS solutions that let them maintain the same level of control as they would get with an on-premises solution. That includes having what Dave calls "transparency of operations," including visibility into logging, auditing and alerts so administrators can ensure that systems are operating as expected.
Distribution: Enterprises should look for cloud-based solutions that use distributed components. For example, make sure that the architecture includes geographically distributed datacenters, redundant components, etc. The goal is to go beyond the usual "five nines" availability goal and ensure 100% availability if possible. Dave suggests that enterprises should think not just about disaster recovery, but about disaster avoidance as well.
If you're interested in this topic, you'll also be interested in the next Proofpoint live web seminar, happening on Wednesday, November 18th. We'll be discussing the pros and cons of Security-as-a-Service and how next-generation SaaS solutions can actually deliver superior security, better performance and lower costs compared to on-premises approaches. To register, please visit the link below:
So the big IT news this week is, of course, the launch of Microsoft's Windows 7 operating system tomorrow (Thursday, October 22, 2009). While the jury's still out on whether widespread Windows 7 adoption will improve security in a global sense, it does look like there are some solid new security features that could definitely help decrease malware propagation as well as preventing data breaches from lost or stolen devices (with the inclusion of BitLocker drive encryption that can now support USB removable devices, i.e., "BitLocker to Go").
PC World has a nice overview of some of the core Windows 7 security features including a short primer on how to protect drives with BitLocker. This seems like one of the most dramatic improvements to me (as our own research found that more than 20% of large enterprises investigated a data breach due to lost or stolen devices and media in just the past 12 months). Find that overview here:
CNET's download.com site has a slideshow tour of some of the security-related interfaces in Windows 7 including shots of the security Action Center and User Account Control panel with some easy-to-digest commentary:
Of course, some things haven't changed over previous versions of Windows. Our friends at F-Secure have previously pointed out that the Windows Explorer default of hiding file extensions for known file types represents a security problem because that makes it more likely for users to inadvertently run malware executables that are masquerading as document or media files (e.g., GIFs, JPEGs or WMVs).
This default continues in Windows 7. Personally, I don't know how folks can even deal with Windows when you can't see file extensions and this is one of the first things I change on a new system or fresh Windows install.
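To make the risk concrete, the sketch below computes the name a user sees when extensions of known types are hidden and flags files that run as programs while displaying as documents or media. It is an added example, not code from the original post or from F-Secure; the extension sets, function names and sample filenames are constructed for illustration.

```python
import os

# Constructed, non-exhaustive extension sets used only for this illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".wmv", ".doc", ".pdf", ".txt"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def explorer_display_name(filename):
    """Name a user sees when extensions of known file types are hidden."""
    stem, ext = os.path.splitext(filename)
    if stem and ext.lower() in KNOWN_EXTS:
        return stem
    return filename


def is_masquerading(filename):
    """True if the real type is executable but the shown name ends in a decoy type."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(explorer_display_name(filename))
    return shown_ext.lower() in DECOY_EXTS


def scan(filenames):
    """Return (real name, displayed name) for every masquerading file."""
    return [(n, explorer_display_name(n)) for n in filenames if is_masquerading(n)]


# Constructed sample listing, e.g. attachment names pulled from a mail gateway log.
SAMPLE = ["holiday.jpg.exe", "report.doc", "setup.exe",
          "clip.WMV.SCR", "archive.tar.gz"]

if __name__ == "__main__":
    for real, shown in scan(SAMPLE):
        print(f"{real!r} is displayed as {shown!r}")
```
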
I haven't had much time to mess about with Windows 7 yet, though I've been pretty impressed with it based on my experience installing the 64-bit version of the Win 7 beta on a new drive. It definitely offers snappier performance over XP on the same hardware and the ability to address huge amounts of memory is a huge win for folks like me who do a lot of multimedia work.
That being said, as with any new install of Windows, your first stop after installation of Win 7 should be to install a good desktop anti-virus solution. I was pleased to find that F-Secure's Internet Security 2010 already supports Windows 7 (both 64-bit and 32-bit versions) and installed with no hassles. I'm sure that many of the other major anti-virus solutions offer the same support, but I continue to be a big fan of F-Secure because it's very effective, doesn't hog system resources and has a slick user interface.
Tip 'o' the black hat to biztech writer George Hulme who pointed out on Twitter today that videos of presentations from the 2008 Black Hat security conference are now online here:
For the truly hardcore security types out there: Seeing a lot of interesting tweets today coming out of the sessions being held at the SOURCEBoston security conference. This looks like one to watch.
NWW notes a really dangerous new practice dubbed "swatting" (making phony 911 calls about hostage or similar situations) as well as recapping the Microsoft bounty on the creators of the Conficker worm... which has apparently also spawned a new version. NWW also recaps their top 2008 tech crime stories. Interesting stuff!
We regularly warn consumers and enterprises about the dangers of email-based phishing attacks and provide tips for staying safe online, but it's easy to forget that phishing emails are really just an evolution of the classic confidence scam. The social engineering techniques that are behind every sort of phishing scam (whether it's a Nigerian "419" scam or a more sophisticated spoof aimed at online banking users) have analogs in the real world.
A friend in the travel and tourism industry told me about an identity theft scam that hit one of their hotels—and a hotel guest—in the last couple of days:
During the night shift, the hotel received a phone call asking for "Mr. Jones." The night auditor working the front desk transferred the call to a room where one "Mr. Jones" was, in fact, staying.
When the guest answered the call, the caller identified himself as the night auditor and explained that the hotel was having trouble with the guest's credit card... and could he please verify the card number, expiration date, etc.
The next day, Mr. Jones was contacted by his credit card company because they had seen suspicious use of the card -- to the tune of several thousand dollars.
Now, if you received an email like this, you wouldn't answer it, of course. But I wonder how many of us—awakened in the middle of the night—might not bat an eye at providing that info over the phone.
The hotel has since adopted stricter phone screening measures to avoid this type of thing in the future, but it's always good, as a consumer, to be reminded of how scams work... and that, really, you can't be too careful when it comes to protecting personal information. Security begins with education.
Security remains one of the biggest concerns that IT professionals have when considering a Software-as-a-Service solution. As a result, one of the most significant challenges that a SaaS provider must overcome is establishing a high degree of trust that customer data is safe in the vendor’s hands. There are a number of ways to do this, but one of the most important metrics that customers look for is the Statement of Auditing Standards No. 70, Services Organizations ("SAS 70") Type II Certification.
At Fortiva, we formally announced today that we achieved the SAS 70 Type II certification. SAS 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants that validates that a service organization has been through an in-depth audit of its control activities, and demonstrates that they have adequate controls and safeguards when they host or process data belonging to their customers.
As anyone who has gone through this knows, it’s a long, drawn-out process that takes a serious commitment on the part of the service provider. However, it is one of the only independent/third-party metrics a customer can look for in order to establish a level of confidence. As a result, it’s an invaluable tool for SaaS providers and one that is worth every bit of the time and effort required to achieve it.
At Fortiva, we always say that maintaining the integrity, privacy and security of our clients’ data is our most important goal. To achieve this, we are constantly reviewing our processes and improving them – but most of this happens “behind the scenes”. Achieving the SAS 70 Type II Certification is an important way for us to demonstrate the care and attention we place in this area.
This attention is well-deserved; there's much to be said about security in general. There’s no question that securing infrastructure and the processes that surround it requires diligence on the part of both those who administer systems and those who use them. However, more importantly, it requires technology vendors to continue to take steps to move the state of the art forward to address these threats.
Our mailboxes are a testament to this: on a daily basis we all receive some amount of Viagra spam, stock scams and phishing attacks that the tech savvy know how to avoid and ignore. It is clear, though, from their sustained volume, that there must still be a large number of users who fall prey to these attacks.
For the average end user dealing with this deluge, we've seen technology move forward to address the issue. It started with simple junk mail filters, moved on to Bayesian filters, and has reached the current advanced suite of content analysis tools that seem to be keeping my inbox fairly palatable.
So what does this have to do with SaaS security? I think that there are huge opportunities for SaaS providers to deliver technology innovations that move the security of SaaS solutions forward to overcome some of the kinds of attacks described in the article above.
I've written here several times about DoubleBlind Encryption™ technology as we've implemented it at Fortiva. It allows us to provide a SaaS-based email archive where we store and provide access to the data for our customers. At the same time, DoubleBlind Encryption makes it impossible for us to view the content of any of the data we host. It also means that if someone actually managed to breach our infrastructure, they would only see encrypted information. Accessing unencrypted archived information requires a user to have access to their company network and to authenticate with their network user name and password (through Active Directory) before viewing the archive. Assuming the customer has appropriate security in place to protect their network, the SaaS archive is protected too.
We've taken one approach here, and there are others. The point is that SaaS providers need to move their technology towards ensuring that they have less access or visibility to their customers' data. At Fortiva, we go so far as to provide our customers with a Data Privacy Guarantee.
A clear opportunity for improvement lies in managing user authentication and permissioning, especially since phishing scams are usually focused on weaknesses in this area. For SaaS solutions targeting the enterprise, it just doesn't make sense to introduce another layer of user administration and authentication that lives outside the corporation.
Most corporations today manage all of this user information in Active Directory. Savvy SaaS consumers are starting to see the value of having their SaaS providers integrate with this permissioning data in the corporation. It allows them to unify their security policies and manage permissioning in a cohesive way. As a simple example, consider what happens when an employee leaves a company. As they are removed or disabled in the corporate infrastructure, their account is locked out of email, VPN and other internally managed solutions. How likely is it that their corresponding accounts in corporate SaaS solutions will be locked out at the same time?
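Where a SaaS provider does not integrate with the directory, the gap described above can at least be audited. The following added example (not Fortiva's code or part of the original post) reconciles a directory export against SaaS account exports and reports SaaS logins that are still active although the directory account is disabled or gone; the export layouts, field names other than `userAccountControl`, and all sample records are assumptions constructed for illustration.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl bit Active Directory sets on a disabled account


def directory_state(entries):
    """Map lower-cased mail address to 'enabled' or 'disabled'."""
    state = {}
    for entry in entries:
        disabled = int(entry["userAccountControl"]) & ACCOUNTDISABLE
        state[entry["mail"].lower()] = "disabled" if disabled else "enabled"
    return state


def orphaned_saas_accounts(directory, saas_accounts):
    """Return (app, login, directory state) for active SaaS accounts
    whose owner is disabled in, or missing from, the directory."""
    state = directory_state(directory)
    findings = []
    for acct in saas_accounts:
        if acct["status"] != "active":
            continue  # already locked on the SaaS side
        dir_state = state.get(acct["login"].lower(), "missing")
        if dir_state != "enabled":
            findings.append((acct["app"], acct["login"], dir_state))
    return sorted(findings)


# Constructed directory export: 512 = normal account, 514 = 512 + ACCOUNTDISABLE,
# 66048 = normal account with a non-expiring password.
DIRECTORY = [
    {"mail": "alice@example.com", "userAccountControl": 512},
    {"mail": "bob@example.com", "userAccountControl": 514},
    {"mail": "carol@example.com", "userAccountControl": 66048},
]

# Constructed SaaS exports; "app", "login" and "status" are hypothetical field names.
SAAS = [
    {"app": "archive", "login": "Alice@example.com", "status": "active"},
    {"app": "archive", "login": "bob@example.com", "status": "active"},
    {"app": "crm", "login": "bob@example.com", "status": "suspended"},
    {"app": "crm", "login": "dave@example.com", "status": "active"},
    {"app": "crm", "login": "carol@example.com", "status": "active"},
]

if __name__ == "__main__":
    for app, login, why in orphaned_saas_accounts(DIRECTORY, SAAS):
        print(f"{app}: {login} is active but directory account is {why}")
```
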
Paying attention to SaaS and the security implications that come with it is critical. There's certainly room for improvement, but there are clearly innovations to come that will move SaaS forward on this front.