
Description: Eric Ogren, Security Consultant, eric@ogrengroup.com. Ogren's background features over 12 years of enterprise security experience, highlighted by successful senior marketing roles as well as becoming a highly regarded industry analyst. Prior to starting the Ogren Group, Eric served as vice president of marketing at security startups Okena, Sequation, and Tizor, where he was responsible for all aspects of deriving and communicating market position and corporate messages, analyzing competitive forces in the security market, defining the company's product strategy and release features, and developing product pricing models. Ogren has also served as a security analyst for ESG and the Yankee Group, where he covered a range of security technologies including migration of next generation security technologies into the network, evolution of endpoint security, virtualization security issues, and managing security in large enterprise environments. Additional experience includes leadership roles at RSA Security, Digital Equipment, and Factpoint. Ogren holds a B.S. degree in mathematics from the University of Massachusetts and an M.S. degree in Computer Science from Boston University.
By Eric Ogren
Posted on June 27, 2008 at 5:57:34 PM
The utility vertical has interesting security problems that are quite different from those of the other major verticals, because the computing systems control physical infrastructure that affects millions of people. Once a utility application is proven to do the job, there is great resistance to making any changes at all. If IT is sensitive to applying patches to a database, imagine the care required in applying patches to an electrical power plant! This creates an environment reliant upon legacy applications that were not designed with today's security threats in mind, and modifying the code in those applications is often not an option. With DHS pushing to secure our infrastructure, there are two security approaches that can help:
Whitelisting is one approach to enforce a 'no changes allowed' policy. Application whitelists fingerprint the approved environment and ensure that no unapproved applications can execute. This is particularly effective with static configurations that need to be locked down, such as those found with utilities. Whitelists can help protect legacy applications while the utility extends use of public networks.
Virtualization allows legacy systems to be moved to faster servers for performance and enhanced supportability. Taking advantage of Moore's law for compute power, new servers can host multiple virtual machines. Fewer servers means the utility saves money on support, IT labor, and power. It can also give performance boosts, as the new server will undoubtedly be faster. Virtualizing the application allows the utility to gain these benefits without touching the application code.
Finally, there is a security company that specializes in the needs of utility customers - Industrial Defender located in Foxboro, MA - that has custom IDS, SIEM, and other programs designed for the utility industry. The utility industry is unique and does not receive a lot of attention from the security industry. Hopefully, new approaches in whitelisting and virtualization can help secure our nation's infrastructure.
Posted on June 20, 2008 at 5:55:18 PM
Web application firewalls will soon be a PCI requirement. With the upcoming deadline in mind, Imperva announced a collaborative effort with web application scanner vendors (Cenzic, HP, IBM, NT Objectives). The capability that users would get as a result of this effort is scanners communicating newly found attacks to the firewall so they can be blocked, and the firewall communicating changes in the application so it can be scanned anew.
This is a bizarre announcement by vendors struggling to create a market niche. Web application firewalls are designed to interpret application traffic, and intelligently block attacks from reaching the application. This is based on research into web application vulnerabilities. Application scanners are used to drive security fixes back into application development where the problem can be fixed permanently, and the fix replicated in similar applications. This is also based on research into web application vulnerabilities. And major application web sites frequently change, so the value of discovery by the WAF is questionable as is the value of an extra set of research teams.
The true value of this relationship may be for network appliances that want to offer PCI-compliant Web application security without having to invest in a research staff. Thus traditional firewall vendors such as Check Point, Cisco, or Juniper could filter traffic based on directions given by application scanners. Similarly, Web application accelerators such as those from Blue Coat, Cisco, or Riverbed could add this capability for the application farms they service. That's probably not what Imperva intended, but it makes a lot more sense to me.
First of all, PCI should be investing in changing its entire credit card handling business process to make it more secure: reduce storage of sensitive information in the first place and use technology to change the way cards are handled at the point of sale, amongst other things. Now, in the name of security, Visa is forcing its customers to throw more money into technology that doesn't solve the data loss problem. WAFs are all about transaction auditing, and they're good at that. IT decided long ago to fix vulnerabilities in the code, and that practice should continue.
Posted on June 13, 2008 at 4:02:01 PM
IT often turns to deployed security products to determine performance issues with deployed applications. Security is usually placed on the application transaction path, deeply inspects everything it can for "what might go wrong", and then maintains detailed log data to support future forensic studies. Security products are well positioned in the network to provide insight into the performance of the technical infrastructure - time and again I see security products bringing operational value to IT. The simple examples showing the discovery and logging capabilities security delivers as a side benefit include:
Data Leak Prevention is marketed as a tool that inspects network traffic to identify intellectual property in transit with the intent of blocking unauthorized transmissions. IT is finding that the true value of DLP is discovering how data is being used by various business segments. This security information also helps IT optimize the technical infrastructure - data services or application delivery - to enhance the user experience.
Firewalls are traditionally thought of as security devices to keep intruders out of the network. However, when application performance degrades, the first call made is to security to scan firewall logs for signs of traffic anomalies.
Database Activity Monitoring inspects SQL traffic to databases for attacks or for user behavior that violates the relevant policies. The first thing that IT tends to notice with these products are application performance issues such as high numbers of dropped connections, direct SQL using out of date procedures, or locating sensitive data they did not know was on the network.
Virtual Desktops keep data in the datacenter to reduce the risk of data loss. IT now looks more at the reduced costs of applying patches, software updates, and help desk support that virtual desktops provide as a direct result of having fewer configurations to support.
Security is just a fraction of total IT spend, well less than 10%. Those security vendors that want to grow their market share would be well advised to include information in their reports and marketing collateral that addresses the needs of IT and the CIO. Those people are responsible for business operations, of which security is just one element. To have meaningful conversations with the operations side of the house you have to show them how you add security and how you may help them support the business. There are lots of technologies that stalled because they couldn't figure this out; can you say IDS or SIEM?
Posted on May 27, 2008 at 9:33:57 AM
Safend is a device control vendor, founded in 2003 and based in Israel with US headquarters in Philadelphia. Device control is an approach to reducing the risk of data loss by enforcing IT policy for approved use of removable media and wireless connectivity. I have heard stories of enterprises caulking their USB ports closed to prevent local copying of data - there are better solutions now for those who were tempted by "hardware" solutions. The Safend Protector software runs in the kernel where it can pass judgment, or at least audit, data transfer activity as part of a comprehensive endpoint data leakage prevention program.
- IT can transparently disable the wireless radio when the laptop is tethered to the network, reducing the risk of unauthorized access points. While IT can also specify allowable devices (white list) or explicitly deny use of undesirable devices (black list), it is the control of wireless connectivity while in the office that gathers interest.
- When removable storage devices are used, IT can implement policies to protect the business: controlling file transfers, automatically encrypting data written to removable media, and even retaining a copy of the transferred data to support future investigations. Sometimes just knowing that there is a record of how removable media is being used is enough to encourage secure behavior.
- Management capability delivers intelligence on device usage to IT, to make sure that policies stay current with usage trends. Safend not only audits use of a USB device, but also the specific vendor and product being used. IT can periodically monitor user needs to proactively provide better service.
Controlling laptop and desktop devices is an approach that has gained more traction in government and healthcare markets where it is easier to classify sensitive data. The ability to leverage Active Directory for associating endpoint policies to existing users eases administration when adding device control security. The trend in white list approaches - in this case specifying approved devices - does not require constant signature updates.
Posted on April 14, 2008 at 5:00:34 PM
There is some splash in the technology news that Vista is a dead OS walking. This view is fueled by the slow market penetration rates of Vista, and an increasing awareness of the benefits that can be achieved with virtualization at the desktop. While it is a little early to forecast the doom of Windows, there are interesting concepts in this crazy talk.
Most people only utilize a small portion of the huge Windows footprint - typical users need a browser, email agent, printer, file system, wireless network and not much more. Against that backdrop, Vista does not obviously improve the user experience enough to warrant the time and expense of an upgrade. If a hypervisor could execute a streamlined desktop, then a lightweight desktop environment can be supported. Extensions could be delivered by on-demand streaming of applications or perhaps on-demand portions of Vista, with a great cost savings to IT staffs and service providers. Since a hypervisor mediates the sharing of hardware resources as a next generation OS, it is not a stretch to see hypervisors executing a bare-bones operating system to execute Windows applications in basic environments.
Windows and Vista are not going away anytime soon. There is a reason that Windows is ubiquitous - it does a good job against a wide variety of requirements. The problems with Vista in the enterprise start with the missing features due to skewed development cycles with the tardy Windows Server. Microsoft does need to look at its development cycles - it should not take years to get software products to market.
Now let's get actionable. If you are in IT there are two things to become aware of while others chat about Vista over the water cooler:
Virtual desktops. Citrix XenDesktop offers interesting personalization and provisioning features that can really help you manage endpoints. If your endpoints are reasonably static then you should also familiarize yourself with VMware and Sun's virtual desktop infrastructures. This can simplify the administration and security of Windows.
Windows security. I was impressed by what I saw of ForeFront at last week's RSA conference. It truly takes advantage of a corporate environment (network and servers) to make it easier to manage security for large communities of Windows users. ForeFront Beta 1 is moving rapidly along a path of a comprehensive integrated security approach designed for the needs of a harried IT staff. Microsoft is doing good things here.
Posted on March 17, 2008 at 9:56:31 AM
OPSWAT, founded in 2002, is a mature company compared to other Early Vibe previews I have written about here. This is a security technology company that most enterprises haven't heard of before. OPSWAT's business is licensing endpoint assessment software to NAC vendors. That is, the NAC agent software that validates that endpoint security defenses are active and signatures are current, has likely been provided by OPSWAT. You would recognize Cisco, Symantec, TrendMicro, F5, Fiberlink and Juniper within their client list.
If you are developing custom applications that need to assess the endpoint environment, then OPSWAT is one of the companies you should be looking at. It does not make sense to re-invent the wheel here - focus your energies on your special expertise and leverage someone else's supply of solid fundamentals. In the case of the above NAC vendors, look for network treatment of correcting, auditing and quarantining as the key differentiators (and not so much the endpoint software). OPSWAT is firmly focused on the security market, helping security vendors manage endpoint anti-malware and configurations.
My recommendation for OPSWAT is that they grow into more general endpoint management toolkits, moving past NAC-specific features. The toolkit has solid capability to assess the environment, deliver updates to align the endpoint with policy, and dovetail administration into the enterprise capability. Security is just one critical element for IT, so expanding their portfolio to include any endpoint-resident application software will pay dividends. This may include agents for remote application access, application virtualization, or even virtual desktop software. Security looks at NAC as a means to identify unhealthy endpoints; IT looks at NAC to help bring endpoints into policy compliance with the least amount of IT overhead. OPSWAT has a chance to expand its base by extending policy compliance to include non-security software, as the need to reduce IT overhead is there for all endpoint software.
Perhaps the greatest challenge for OPSWAT is in marketing. It is difficult to create explosive growth with an OEM software business model. The very nature of the business is that OPSWAT can only ever get a fraction of the revenue that their customers get. OPSWAT will have to find a way to brand its technology, and develop a way to extend its revenue. Perhaps an open source approach with a product embedding the toolkit would be interesting.
I found it interesting that a single San Francisco based company is supplying so much of the endpoint infrastructure for major NAC vendors. No wonder so much of NAC looks alike to me!
Posted on March 6, 2008 at 5:05:57 PM
VMware announced VMsafe - a set of ESX Server APIs allowing security vendors to protect virtual environments. The idea is that approved security vendors will offer their technology as virtual machines that use the APIs to peer into data structures and procedures of the hypervisor. These 'privileged VMs' would be able to control traffic to guest operating systems and applications to detect and block malware from running rampant in a virtual environment.
Yes, this is patterned after Microsoft's Kernel Protection Interface (nee Patchguard) that grants security programs access to the innermost secrets of Vista. In this case, VMware is using the same approach to give secure access to the hypervisor. VMware has not publicly committed to an availability date, so this is to be treated as a marketing exercise for now. There is still much to learn about VMsafe, but here are my early vibes:
+ This is a good way to protect legacy applications that are running in a virtual server. Security that may not even have been invented when the application was developed can be added to enhance the integrity of the virtual environment without application side-effects.
+ Integration with VMware management. Security is always about performance and becoming intrinsic to the technical architecture. Supporting security interfaces through the VMware management system simplifies the training and daily operations of IT.
- It is not clear how VMware will vouch for the integrity of this extended circle of trust. If security programs can inspect the hypervisor and block ESX procedures, then so can a good piece of malware. Much like a layered product on Windows cannot protect Windows, a layered product on the VMware hypervisor cannot protect the VMware hypervisor.
- VMsafe only applies to the ESX Server hypervisor. While this is the lion's share of VMware revenues, most ESX deployments apply to servers. While security is always good, it is not clear to me that IT generally runs anti-virus products on application servers. IT may want to look at virtual and even physical appliances (Stonesoft and Reflex are companies I've talked with recently that offer virtualized features) to form a virtual perimeter.
It is good that VMware is addressing the foundation for securing virtual environments. VMsafe details will be coming out over the next few weeks, and then we'll be better able to determine if VMsafe has teeth or if it is just a marketing exercise.
Posted on February 18, 2008 at 3:37:17 PM
Two factor authentication has long been regarded as a minimum requirement for remote access to networks and applications. The theory is that passwords (something you know) are easily guessed and need to be augmented by a token (something you have) or a biometric (something you are) for reliable identification. The world has spent a lot of money on technology and IT operations associating second factors of authentication with end-users.
One of the better approaches is brought to us by Intel with its Trusted Platform Module (TPM). This was originally designed to keep keys and crypto logic secured by hardware and has found limited uses in transparent disk encryption for laptops. However, it has a more compelling use as a form of two factor authentication for laptops and desktops.
The TPM can securely store an authentication key, or software that generates a one-time password. The endpoint becomes the security token, the something you have, that a user combines with a password for the generally acceptable two factor authentication. The authentication will identify both the user and the endpoint that is being used. Taking advantage of Intel's TPM features has to be a whole lot easier than fumbling with tokens for corporate users relying on connectivity from home, office, and the road.
Auditors should be easily convinced that the authentication credentials are secure on the processor, and that there are greater benefits in authenticating both the user and the endpoint. Ask your remote access security vendors about TPM support. It just might save you a lot of money that would otherwise be spent on tokens.
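The two-factor flow described above, as an added example that is not part of the original post and not any vendor's TPM code: the endpoint holds a device key (in a real deployment it would be generated and sealed inside the TPM; here it is a plain byte string so the example runs offline) and derives a one-time password from it with RFC 4226 HOTP, while the server checks the password (something you know) and the device-derived code (something you have) together. The user name, password and device key are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample device key. This is the RFC 4226 test secret so the
# generated codes can be checked against the published test vectors.
DEVICE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1, dynamic truncation."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble selects the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Endpoint:
    """Models the laptop acting as the token: it holds the key and a counter."""

    def __init__(self, device_key: bytes):
        self.key = device_key
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.key, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Verifies both factors: password hash and a fresh device-derived code."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, password: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": hash_password(password, salt),
                            "key": device_key, "counter": 0}

    def authenticate(self, user: str, password: str, code: str, window: int = 5) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Factor 1: constant-time comparison of the password hash.
        if not hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"])):
            return False
        # Factor 2: accept a code only from a counter value not yet used (look-ahead
        # window tolerates the endpoint having advanced a few steps); this makes a
        # captured code unusable a second time.
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["key"], c), code):
                rec["counter"] = c + 1
                return True
        return False
```

The look-ahead window resynchronizes the server after the endpoint has generated unused codes, but the server counter only ever moves forward, so a replayed code is refused.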
Posted on January 17, 2008 at 2:18:33 PM
GTB Technologies is a new company in the Data Loss Prevention space. Founded in 2004, their GTB Inspector appliance product applies high performance algorithms to detect the presence of confidential data in outbound network traffic. GTB's deep packet inspection, based on the concept of "invariant segments", promises to prevent data leakage across all protocol types.
The key to any network appliance is performance - if the product cannot keep up with peak traffic, then it simply cannot do the job. This is true of firewalls, intrusion prevention, anti-malware, and data leak prevention. All of those technologies must be able to serve inline if they are to perform blocking functions, or even if they are deployed out of band.
The heart of GTB Technologies is a unique packet-inspection approach that offers performance benefits over classic file-inspection methods. This allows GTB to perform fewer fingerprint comparisons before making a pass/fail decision, and all packets are inspected. Agent software audits use of local devices, and communicates with GTB Inspector for real-time checking of outbound data.
There are still limitations common to DLP solutions that GTB must solve, including discovery of confidential data and administration of detection rules. However, GTB has interesting technology that is new to the market. With proper execution they may be able to make inroads in the operational issues associated with DLP.
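To make the fingerprinting idea concrete, here is an added example (not GTB's code, and not its "invariant segments" algorithm, which the post does not describe): a generic content-fingerprinting check of the kind DLP products use. A registered confidential document is normalized and cut into overlapping word segments, each segment is hashed, and an outbound payload is scanned for segment hashes that match; enough matches triggers a finding. The window size, the threshold, the document and the messages are constructed sample values.

```python
import hashlib
import re

SEGMENT_WORDS = 5   # assumption: each fingerprinted segment is five consecutive words


def normalize(text: str) -> list:
    """Lowercase and keep only alphanumeric tokens, so re-wrapping, punctuation
    or case changes in the outbound copy do not defeat the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def segments(text: str, n: int = SEGMENT_WORDS) -> set:
    """Hash every overlapping n-word window; only hashes are retained, so the
    index never stores the confidential text itself."""
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()[:16]
            for i in range(len(words) - n + 1)}


class Fingerprinter:
    def __init__(self):
        self.index = {}                   # segment hash -> registered document name

    def register(self, name: str, text: str) -> None:
        for seg in segments(text):
            self.index.setdefault(seg, name)

    def inspect(self, payload: str, threshold: int = 3) -> dict:
        """Return {document: matching-segment count} for documents at or above threshold."""
        hits = {}
        for seg in segments(payload):
            doc = self.index.get(seg)
            if doc is not None:
                hits[doc] = hits.get(doc, 0) + 1
        return {doc: n for doc, n in hits.items() if n >= threshold}


# Constructed sample confidential document and outbound messages.
CONFIDENTIAL = ("Project Falcon Q3 forecast: revenue of 12.4 million is expected "
                "from the new battery line, with margin improvement driven by "
                "supplier consolidation.")
LEAKING_MAIL = ("FYI - REVENUE OF 12.4 MILLION is expected\n"
                "from the new battery line, thought you'd want to know")
BENIGN_MAIL = "Lunch is at noon in the new cafeteria on the third floor."


def demo() -> tuple:
    fp = Fingerprinter()
    fp.register("falcon-forecast", CONFIDENTIAL)
    return fp.inspect(LEAKING_MAIL), fp.inspect(BENIGN_MAIL)
```

Because a message is judged on how many segments it shares with a registered document rather than on an exact file match, a copied paragraph embedded in a longer email is still caught, while a casual sentence that happens to reuse a phrase or two stays below the threshold.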
Posted on January 4, 2008 at 2:48:41 PM
Welcome back from the holidays, and I hope you all had a fabulous New Year!
Most security professionals think of IPsec as good for encrypting network communications. The IPsec protocol has been around for a long time, and it is pretty good for that. However, IPsec has authentication and machine cloaking benefits that enterprises can use today to protect their applications from network spelunkers and attack proliferation. Microsoft calls this Server Domain Isolation (SDI) and it is a capability well worth checking out for Windows Server environments.
The primary value of Server Domain Isolation is that a networked resource is not even visible to a machine that fails authentication checks or violates access policy as defined within Active Directory. This cloaking means that neither the IP address nor the domain name is exposed to computers that have not been granted the rights to that information. With Server Domain Isolation, intruders and attacks do not even know of the existence of servers they are not authorized for and have no means of attacking those resources. This cloaking ability is a great concept that Microsoft should be promoting.
For example, let's say that Microsoft applies Server Domain Isolation to its ForeFront security products source libraries. Developers would have easy access to the source once they have authenticated themselves to Active Directory. Other Microsoft developers, even with all of their skills and tools, would not even be able to verify the presence of these ForeFront servers on the network! Automated attacks, including bot-driven threats, would not be able to attack the ForeFront servers or the data contained within those servers.
Server Domain Isolation is a concept that should be examined closely. The benefits are very real and have been proven to be effective in large organizations. The limitation is that SDI does require IPsec connectivity, though actually encrypting communications is not required. Deployment does require knowledge of switch behavior with IPsec so be sure to check out the documentation from Microsoft and your hardware vendor. If you do have IPsec in your network, Server Domain Isolation is a concept you should seriously consider implementing.
Posted on December 12, 2007 at 4:33:16 PM
The folks at Cenzic announced a new version of their Hailstorm application scanning product. One of the features is an integration with VMware that may be an inspiring approach for scanning and application penetration testing. Most organizations want to test applications as close to production as possible, without risk of disrupting the business. Virtual security scanning centers have many benefits for organizations:
- Virtual security scanning centers allow IT to avoid the expense of mirrored application environments. IT can launch an application, scan it for vulnerabilities, and then re-use the server resource for the next application.
- Virtual security scanning centers permit more complete scanning for enhanced analysis of the application. If the scanning or penetration testing causes the application to fail, the application is just restarted, without affecting production traffic.
- IT gains forensic insight into application failures. If an application fails during a security test, all of the evidence can be preserved for subsequent analysis.
- Automating testing of applications in a virtual security scanning center allows for increased application coverage. Applications can be attested to meet a secure profile before being launched, and changes to that profile can be more readily detected. This is a direct result of the lower operating and hardware costs.
It is true that many organizations are still evaluating virtualization in the data center. Application security is too important to only visit once a quarter. I would suggest that security teams look into piggy-backing on virtual investments to enhance their application security process.
Posted on November 21, 2007 at 10:43:08 AM
Web application scanning and source code scanning are promising technologies that are related and are in similar stages of market development. Both capabilities point out where corrections can be made in source code to permanently remove security vulnerabilities; both capabilities are finding early adopters driven by compliance and the need to keep sensitive data from being stolen. Neither the web application scanning nor the security source code scanning market will reach $100 million in 2007. Both need to prove their value if they are going to effectively expand their market beyond the early visionaries and avoid roll-up into infrastructure scanning or SDL markets. They should start by demonstrating their effectiveness in securing critical applications, and then differentiating their product lines accordingly.
Demonstrate effectiveness. Vendor marketing messages are loaded with the need to fight against XSS, SQL injection, and other gnarly attacks that should frighten any conscientious security manager, but only one vendor that I've talked with can articulate the security improvements customers have realized after using the products for more than 6 months. For instance, multiple vendors report that about 60% of web applications are vulnerable to cross site scripting, yet not one of them states how their installed base has successfully lessened the exposure.
Differentiate product offerings. Since none of the vendors differentiate on the quality of the job they are bought to perform, prospects give excessive weight to usability and vendor reputation. Features such as compliance reports, quickness of scan, and purchase price are driving decisions more than security quality. For instance, how does a customer decide if one vendor does a better job of identifying security faults in the source code?
Regularly scanning web applications and source code libraries is an important weapon in fighting against data leakage and in meeting compliance mandates. Since the vendors all have different strengths in discovering security weaknesses, CIOs should consider approaches that rotate the leading vendors. For instance, after fixing vulnerabilities identified by one web application scanning vendor, switch to another scanner after 12 months for a new perspective on the security of your applications. Before purchasing a scanning tool, ask references for their specific experiences in how the tool helps them reduce support costs, lessen the likelihood of a breach, and why they didn't select competing vendors.
Posted on November 13, 2007 at 3:53:58 PM
Apparently Oracle has grown tired of watching VMware print money with server virtualization in the datacenter. Oracle VM is a new product that signals the database and enterprise application giant's foray into server virtualization. The timing could not be better for the Redwood Shores vendor, with server virtualization, as hot as it is, running at less than 10% penetration in the datacenter. Enterprises are enthusiastically establishing the value of server virtualization, and there is plenty of market upside for Oracle VM to join the likes of VMware, Citrix, Virtual Iron, and Microsoft.
As with any infrastructure investment, run virtualization systems through the wringer of your own test datacenter. Confirm every vendor claim holds for the unique characteristics of your business.
Run your own performance tests. Hypervisors add an additional layer of software between your application and server hardware that can have significant impact on performance. Do not blindly accept vendor performance figures - derive your own metrics of how a product such as Oracle VM will perform in your environment.
Completely understand the management capability. A major barrier to increased virtualization is the risk of losing control of the datacenter, or at least inefficient operations, due to immature management tools. Make sure the management methods dovetail with the way you like to run your datacenter.
Use competition to negotiate the best deal. Every vendor is hot to be your server virtualization vendor of choice. Most assume a revenue stream of 7-10 years for an infrastructure product. Let the vendors know that you're doing your homework. Extract concessions on year-to-year maintenance costs to get a winning TCO.
It is good to see Oracle VM entering a lively market. Oracle's pricing model of giving away the software for free and charging $999 per year for maintenance is a real eye-opener. If you are an Oracle-centric shop for the datacenter and enterprise applications, then Oracle VM may be just the server virtualization product you need. If you're more multi-vendor oriented, then Xen or Virtual Iron may be better suited for your business needs. In any event, put them through the test bed obstacle course to reach the best decision. It's your business infrastructure, it's worth the time and energy.
Posted on November 1, 2007 at 11:02:16 AM
McAfee's acquisition of ScanAlert, a Napa-based web application security scanning company, is a good sign that things may be turning around for the beleaguered security vendor. ScanAlert is an intriguing company - a security vendor that is light on security but heavy on business savvy. If McAfee can infuse its rigorous security technology into the ScanAlert product, then McAfee's sales channel and Foundstone-based services will be able to generate healthy returns.
ScanAlert is the vendor behind the HackerSafe icon you may have noticed on e-business web sites. Customers are only allowed to display the HackerSafe icon if they pledge to fix any security defects that ScanAlert's web application security scan discovers within 72 hours. Online shoppers feel more confident that security is taken seriously and are more likely to complete the transaction (instead of exiting when asked for a credit card number). ScanAlert, a PCI Approved Scanning Vendor (ASV), also offers low cost quarterly scans for PCI compliance for web applications. The company either drives e-business or lowers the cost of PCI compliance - both business efficiency messages that are rarely seen in security.
Web application scanning is either becoming a feature of SDLC vendors (Watchfire and IBM Rational, Fortify with web logic), is becoming consolidated into a best practices scanning function (Core Security, Qualys), or is shifting to a services model for special expertise (White Hat, Cenzic, Veracode). McAfee now possesses an approach that aligns well with business drivers for web application security. If they execute well, ScanAlert can be a real asset for extending McAfee security from endpoints into business processes.
Posted on October 18, 2007 at 3:15:41 PM
SignaCert is an intriguing security player out of Portland, Oregon. The company's first product, Enterprise Trust Server, started shipping early in 2007. At first glance, ETS looks like a next generation TripWire - a centralized server that can notify IT if an executable file has been altered or a newer version is called for. Even the messaging of "Improve IT operational excellence through the use of independent IT controls" is close to TripWire's Configuration Audit and Control. But that's where the similarity ends.
SignaCert allows enterprises to create a library of reference images of IT approved host configurations to make it easier to determine the compliance of an endpoint. SignaCert creates packages from vendor distribution kits (such as Microsoft Windows) to ensure that the reference model starts with a clean baseline. IT then customizes the model according to business application requirements. Automation then proactively compares what is actually on the endpoint with what IT approves in the reference model. Rather than looking for attacks, SignaCert arms IT with the capability to detect and correct configuration policy deviations before a security incident occurs or the help desk gets a call.
The ability to create and manage a reference model becomes particularly important when talking about controlling the sprawl of virtual desktop images, such as would be required by those taking advantage of Intel's Trusted Execution Technology with VMware VDI, Citrix XenSource, or the upcoming Microsoft Viridian. Organizations would be able to create software bills-of-material references to attest that the virtual desktop image is exactly what IT specifies. Attestation of a virtual image is a fundamental requirement for a secure virtual infrastructure.
SignaCert's technology is well positioned to help organizations manage the sprawl of virtual machines, especially in providing attestation checks of virtual desktop images. Its efforts with the Distributed Management Task Force and the Trusted Computing Group should help the company stay in the forefront of managing virtual images in mixed vendor environments. It will be a matter of execution whether SignaCert can avoid distractions and focus on improving IT controls in a virtual world.
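The reference-model flow described above (clean vendor baseline, IT customization overlay, then comparison against what is actually on the endpoint) as an added example; this is not SignaCert's code, and the file paths, contents and the SHA-256 manifest format are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data (not from any vendor): a clean vendor baseline,
# IT's customization overlay, and what was actually found on one endpoint.
VENDOR_BASELINE = {
    "/usr/bin/sshd": b"sshd build 1.0",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/usr/share/doc/README": b"vendor readme",
}
# IT customization: new content replaces the vendor file, None removes it.
IT_OVERLAY = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/opt/erp/agent": b"erp agent build 7",
    "/usr/share/doc/README": None,
}
ENDPOINT_FILES = {
    "/usr/bin/sshd": b"sshd build 1.0",                 # matches the model
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",  # drifted back to vendor default
    "/usr/share/doc/README": b"vendor readme",         # removed from the model, still present
    "/usr/local/bin/helper": b"unknown helper",        # never approved
    # /opt/erp/agent is absent from the endpoint
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Software bill-of-materials style manifest: path -> content hash."""
    return {path: sha256_hex(content) for path, content in files.items()}


def apply_customization(baseline, overlay):
    """Start from the clean vendor baseline and apply IT's approved changes."""
    model = dict(baseline)
    for path, content in overlay.items():
        if content is None:
            model.pop(path, None)
        else:
            model[path] = content
    return model


@dataclass(frozen=True, order=True)
class Deviation:
    path: str
    kind: str  # "modified", "missing" or "unapproved"


def compare(reference, endpoint):
    """Policy deviations of an endpoint manifest against the reference manifest."""
    deviations = []
    for path, expected in reference.items():
        actual = endpoint.get(path)
        if actual is None:
            deviations.append(Deviation(path, "missing"))
        elif actual != expected:
            deviations.append(Deviation(path, "modified"))
    for path in endpoint.keys() - reference.keys():
        deviations.append(Deviation(path, "unapproved"))
    return sorted(deviations)


def attest(reference, endpoint):
    """True only when the endpoint is exactly what IT specified."""
    return not compare(reference, endpoint)


if __name__ == "__main__":
    reference = build_manifest(apply_customization(VENDOR_BASELINE, IT_OVERLAY))
    for d in compare(reference, build_manifest(ENDPOINT_FILES)):
        print(f"{d.kind:10s} {d.path}")
```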
Posted on October 5, 2007 at 4:32:27 PM
This column is about the intersection of two security Three Letter Acronyms that I've never really warmed up to: Digital Rights Management (DRM) and the Payment Card Industry Data Security Standard (PCI). Together they just may be able to help each other out of the doldrums.
DRM, the ability to control who can read and operate on information, has struggled to find more than niche appeal. The big problem with DRM is that the data it is meant to protect proliferates and gets used in so many different ways over time that it becomes impossible to manage at enterprise scale. What works well for DRM is the strong authentication and change control for sensitive data required by small groups of workers.
PCI is an attempt by the credit card companies to reduce fraud by requiring merchants to secure their operations by implementing security controls across 12 general requirements. The big problem with PCI is that it requires a large investment in security products and services without focusing on its mission: reducing the attack surface of confidential credit card information. A few more firewalls and IDSs aren't going to make your data appreciably more secure, which is why most merchants are blowing off the PCI deadlines. What is effective for PCI is an effort to reduce the risk of data loss by removing vulnerable credit card track data before black hats can get their hands on it.
BitArmor has a customer that uses a DRM approach to protect credit card data from the point of sale through to the back-end database. When the transaction is complete, local copies of the sensitive information are automatically destroyed. The data is encrypted at the point of sale, and the key is discarded once the data safely enters the secure datacenter. This can dramatically reduce the window of vulnerability for a retailer. DRM may be a good answer for connectivity between known points, and for data elements that have a short life-span.
I suggest that the PCI Council get out of the password policy management business, the IDS business, etc. and draft a program oriented to reducing the sprawl of sensitive information. Traditional security may be appropriate once the transaction hits legacy systems, which nobody wants to touch. Meanwhile, PCI should find a way to enable the market to create best practices for discovery of card track data, unique protection outside of the data center, and then protection within the data center. Retailers will actually support this, since having less data to manage reduces both their risk and their operating costs.
Posted on September 25, 2007 at 11:15:32 AM
The Distributed Management Task Force recently announced a draft milestone in its work with the Open Virtual Machine Format standard. OVF defines a standard format for describing the runtime requirements for a VM, with the idea that it promotes interoperability across hypervisors. It sounds good to have a roadmap before VM sprawl becomes a real problem, but it is not clear that running a Xen VM on VMware will really be a problem. Standards activity can be more effective with a few extra considerations:
- Include enterprises and consumer organizations. Standards bodies are dominated by vendors. Look at the membership of the DMTF or the Trusted Computing Group, to name just two. These groups need to have customer involvement to be sure all of the good work will be useful to the IT community. The Jericho Forum is one body that mixes businesses, universities, and vendors pretty well.
- Wait until there is useful experience with the technology. Standards activity often starts up before customers even know what they need standardized. The world does not know what to do with NAC, yet the TCG has NAC standards; the world is figuring out how best to use virtualization, yet the DMTF is working on an OVF standard. Consumer-oriented activity is necessary to avoid chaos as emerging markets develop, but enterprise-oriented activity really needs to have a strong foundation in practical experience.
- Include interoperability certification of standards compliance. There needs to be some mechanism for testing the interoperability of various implementations of the standard. Not all 802.1X compliant supplicants work with 802.1X compliant network gear because the compliance rules have not been regimented. The rationale for standards is plug-and-play with the best solution - if that doesn't work then the standard is not effective.
Enterprises like standards because they can give more choices and lower switching costs; small vendors like them because they commoditize the competitive advantage of large vendors; large vendors support them to avoid appearing monopolistic. De facto standards from IT vendors always win because commerce forces the vendor to solve customer problems, integrate with other vendors for a "whole product" solution, and support the installed base of experienced users. Standards bodies are best when they arise to support a critical mass of users and vendors.
Posted on September 10, 2007 at 5:23:55 PM
Agiliance is a promising early stage company headquartered in San Jose, California. Founded by technical talent with ArcSight heritage, the company is a living example of one of the directions security information management is heading. Agiliance aims to promote security intelligence to where security becomes an integrated management element of the business infrastructure.
The SIM market segment has always been a tough place to be. Desperate vendors would sell enterprises on diverse claims of real-time security defense, a single uber-manager of security products, and a dashboard or scorecard of policy compliance. Any one of those expectations would be difficult to meet; all three in a large organization proved to be more than challenging. Vendors who could not live up to their lofty promises were often displaced by the next promising SIM in line. Even though vendors could cite customer acquisition, the cannibalistic tendency made it an unhealthy market. The vendors needed to do something to meet customer needs and grow the total market size.
While some vendors have morphed into log file management, Agiliance is pursuing higher value assessments on the business value of security. Their Governance-Risk Management-Compliance model directly addresses a corporate mandate to take the costs out of managing security controls. Enterprises have a variety of compliance regulations to deal with, and each starts with demonstrating that the business controls its security profile, and that the security profile is aligned with business priority.
Agiliance still carries SIM baggage: connectors have to be built and maintained to link into a diverse collection of information sources; data from those sources has to be normalized for deep correlated analysis; dashboards for risk management are fancy words for real-time threat protection. These maintenance activities drain critical engineering resources and inhibit meeting performance expectations when scaling the solution for larger enterprises. Agiliance will have to solve these problems, perhaps by leveraging their log file management brethren, to further penetrate large organizations.
Agiliance is on the right track. SIM can never be a real-time defense tool when it works from log files, nor can it reasonably expect to manage products from other security vendors. Analysis of security information to help the CIO/CISO manage the risk of business disruptions and the effect of security investments is the right course. Agiliance is just starting out and has many challenges ahead, but it has its sights set on where security management belongs - supporting the business.
Posted on September 4, 2007 at 10:45:48 AM
I know that is close to heresy in these days where the "V" word seems to open all doors and IT genuflects to learn more about how your solution leverages virtualization. I have talked with a few CIOs, however, that are not completely sold on re-architecting their data centers to accommodate virtualized approaches. Before jumping into virtualization there are a few security issues that you should be sure to understand:
- Disaster recovery becomes more complex in a virtual data center. Many CIOs are not comfortable with mission critical applications floating around a server farm. They look for more control of the processing environment to maximize application availability. If important business applications need to be locked down, then the risk of extra virtualization layers may be unacceptable for the benefits gained.
- Compliance becomes more difficult to attain. Many independent security vendors are not ready to provide the complete and accurate reporting that auditors require in a virtual world. Tracking configuration controls and the actions of privileged users with appropriate segregation of duties is a challenge in a dynamic data center. Work with your audit team to agree on compliance requirements before committing to a virtual data center approach.
- Desktop virtual machines do not scale particularly well in an enterprise environment. Executing applications and keeping sensitive data in the protected data center makes perfect security sense. The applications will need to look like they are running locally for the end-user, and for that you will need an application delivery system. Everybody's desktop needs are different and are frequently changing - trying to maintain and deploy desktop VMs for a diverse workforce is likely to be painful.
Don't get me wrong - I am a big believer in virtualization. There are very tangible benefits that virtualization brings to a business, but it is not yet for everyone or for every application. Be sure to talk with your industry peers to completely understand the risks involved in going with the "V". It is important to keep a balanced perspective.
Posted on August 17, 2007 at 4:10:32 PM
A few weeks ago I wrote about advances in desktop virtualization that will be coming our way. This week Symantec and Intel started talking publicly about Project Hood, an effort to run Symantec threat protection as a virtual machine on Intel's vPro chip.
Intel is building security technology right into the chip. The vPro chip is the headliner, though there is also security capability built into the Duo Core chip that has been shipping in big numbers. This is disruptive stuff: Intel's trusted execution technology and advanced management technology allow security and management VMMs to execute in isolation from Windows and its applications. The first principle of security is to steer clear of threats. Running as a hardware-enforced virtual machine changes the entire security model. Intel's problem is that it takes forever for third party vendors to bring solutions to market that are based on this technology, and to get a critical mass of enabled desktops deployed to support a vibrant VMM partner program.
Symantec is working with Intel to run threat management as a vPro VMM. This could have many benefits for Symantec: it would be more difficult for users to disable security execution, threat protection would not be undermined by attacks against Windows, and attacks would be removed before they even reached the operating system. From a business standpoint, a Symantec VMM operating alongside Windows would have a large competitive advantage over Microsoft Forefront, which executes on top of Windows. I can't wait to see specific plans from Symantec on their Intel program.
My life is using a browser for information access, e-mail, and office applications like Google Apps. If I have a PC that only runs a browser as an Intel VMM, do I even need Windows or Symantec anti-virus? Project Hood talks about servers; however, Rowan Trollope is a VP with Symantec's consumer products. Symantec may really have something if he figures out that he needs to start with AppStream on vPro.
Posted on August 10, 2007 at 2:55:26 PM
Earlier this year EMC scooped up RSA Security. With great fanfare at the RSA Conference, EMC proclaimed that this was the first acquisition of what would be a "string of pearls", and that by the time they were done there would be no independent security market. Well, we are most of the way through the year and I am wondering if EMC knows what a pearl is!
Since that bold introduction EMC has reached out and touched Authentica, Verid, and Tablus. Authentica was a dead Digital Rights Management company walking; Verid is a tiny authentication player; Tablus has about 30 Data Loss Prevention customers. It is a big stretch to call any of these companies a pearl, or to envision how any of them will substantially add value to EMC. RSA always struggled with a market vision that did not include SecurID. It looks like having a multi-billion dollar company behind them hasn't changed anything.
EMC should be leading aggressively from their strengths. They should look for security companies that consume storage, drive business processes or augment next generation authentication. Network Intelligence fits this model nicely. I can see a transaction auditing or NBAD vendor to trace data access, a vulnerability scanning company to maintain a compliant business profile, or even a configuration management vendor to help control virtual datacenters and SaaS applications. Maybe they should have started by buying Trend Micro instead of RSA.
Pearls come from oysters, but you don't go bottom-feeding to find them.
Posted on August 3, 2007 at 3:30:07 PM
I have talked with a number of companies, mostly in the financial sector, that are embracing thin client technology in a big way. Thin clients are deployed to drive a display, with as little independent thinking and processing as possible. The momentum behind thin clients is directly tied to security concerns about data leakage through endpoints when consolidating a datacenter - sensitive data is unquestionably safer in a protected virtual datacenter than it is exposed to the elements on a remote endpoint.
Given the mantra to keep data off of endpoints, IT is turning to application delivery products with thin-client capability to enable consolidated datacenters. The easiest approaches are to use SSL through a browser, RDP through Windows Terminal Server, or ICA through Citrix Presentation Server. Microsoft and Symantec have streaming capability, but until they are used for application delivery, such as with OfficeLive or Google Apps, these don't count. Citrix, a long-time application delivery expert, at least shows some intelligence at the endpoint to use local processing power to enhance rendering and network performance. I've even seen Sun's SunRay product in action, which gives me instant flashbacks to the days of dumb X-terminals. All of these products do what they claim to do very well, and all have some benefits in reducing the administration of providing applications as a service.
My problem is that every advance in computing over the last 30 years has been driven by powerful endpoints operating at the independent discretion of the user. I have been conditioned by the end-user driven explosion of the Internet and the promise of multi-function phones to expect innovations with powerful endpoint agents. Going back to the days of dumb terminals cannot be a good thing.
Soon organizations will realize that the money they are saving on servers for a virtualized datacenter is going out the door for servers and licenses to drive endpoint application displays. Those desktop virtual machines still need computing resources. The right model is one where a secure desktop environment allows rich clients to put application parts together to empower the end-user. The big vendors, including Intel, are all working in this space. Let's hope that something happens to break this thin client fad.
Posted on July 27, 2007 at 5:05:31 PM
Vendors have been asking me what I thought of the database security market. For some time I could only respond that I wasn't sure if it was a market segment or a portion of a greater application security market. I still tilt towards a greater application security space because down the road I can see convergence in vulnerability scanning, activity auditing, and the use of reputation algorithms. However, today it is pretty easy to tally up $200 million in revenues for database security protection products before adding in leveraged sales from IBM, Microsoft, and Oracle or a fudge factor amount for all of the other companies I haven't thought about. It is indeed a lively market segment today that is driven by compliance, and the demand for greater control of the datacenter.
I would expect this market to grow at a healthy clip over the next three years as organizations consolidate datacenters applying advances in virtualization, thin-client, and application delivery technologies. Organizations will require automated solutions that can give IT visibility and control into an increasingly dynamic application environment. At some point, database security will merge with security for Web applications, messaging systems, and even VoIP systems. Until then, it looks like a good market to be in. A quick sampling of vendors that specialize in vulnerability scanning, auditing, or protection against abuse follows:
Top tier:
- AppSec - still the best database vulnerability scanner out there, also provides auditing and encryption
- Imperva - the best at linking Web portals and databases, provides free scanning tool
- Symantec - excellent combination of security and data handling expertise
Middle ground:
- Crossroads - lots of capabilities, not clear how focused on this space
- Guardium - made an astute switch from blocking to a high performance auditing appliance
- IPLocks - solid database security vendor
New entrants:
- BlueLane - neat database IPS, though they market themselves as virtual patching
- Sentrigo - host based approach includes virtual patching
- Transparency Software - presents security issues in the context of business requirements
Others:
- Embarcadero - trying to make a go of it
- Lumigent - great DBA contacts, rebuilding product line
- Oracle - introduced a new database security product
- Tizor - new management team, starting to get traction
I did not include the crypto vendors, mainly Ingrian, NetApp, and Vormetric, as I cannot account for the crypto products from the big storage vendors. If I were a bigger company, I would sprinkle in professional services, backup/recovery, privilege management, policy enforcement, etc. to get a really attractive number. The $200 million is a good bottom-up summary - just keeping it real.
Posted on July 17, 2007 at 10:37:13 AM
Virtualization is coming to an endpoint near you. It is inevitable.
Virtualization in the datacenter has clear security benefits: keeping sensitive data in the protected datacenter, simplifying disaster recovery, and centrally managing application access. For endpoints, security-conscious customers can place application environments in virtual machines for sessions that are isolated from attacks that infect other applications, for the performance of choosing between endpoint and datacenter processing power, and for the management cost savings of streaming applications to end-users.
The key vendors are starting to think more in terms of virtual applications than virtual desktops:
Citrix Presentation Server has been the industry leader for virtualizing presentation services for years. Their ICA protocol stack is well grounded in virtualization principles, which allows Citrix to be smart about using endpoint resources for rendering and processing when executing on datacenter servers is less optimal. Look for Citrix to build on their application delivery leadership.
Microsoft has beefed up Terminal Server and turned the Softricity acquisition into the SoftGrid product in less than 1 year. While they do also have Virtual Server and Virtual Desktop, the future for Microsoft may be leapfrogging the market by building the infrastructure to deliver virtual machines as a service.
VMware has led the charge for datacenter virtualization and deserves all the rewards that are coming its way. VMware's ACE, their endpoint product, is strong in disconnected user scenarios. But everyone is connected to the datacenter today. Expect VMware to integrate ACE with VDI so that applications can move smoothly between remote and centralized environments.
There are two major security vendors who need to have stronger voices in the virtualization market:
Cisco is the champion of VPN and VLANs, and is conspicuously absent from virtual application discussions. To me, the network is the optimal place to drive applications to endpoints and to arbitrate policies for VM usage. The NAC vision is far better applied to virtual machine management than it is to checking on anti-virus software.
Symantec is the endpoint security company, focused on connecting endpoints confidently to networked resources. Their acquisitions have given them the necessary building blocks - Altiris for application streaming, Veritas Enterprise Vault for management and audit of VMs, On Demand Protection for virtualizing remote access security. Symantec has a definite role to play in applying virtualization techniques to security.
One thing is for sure: all of these big vendors are involved because their biggest customers require the benefits of virtualization for secure application usage.
Posted on March 20, 2007 at 1:28:59 PM
In an article I recently contributed to Dark Reading, I went on a diatribe lamenting that "Security Innovation is Dead". The biometric authentication space traditionally fit this model like a glove: vendors offering new variations of fingerprint validation or voice recognition, each of which required custom hardware and extra administration to be effective.
BioPassword is a young company worth checking out for tighter end-user authentication, without the accompanying baggage associated with competing biometric schemes. The secret sauce for BioPassword is its ability to analyze the timing characteristics of the way people type to provide an extra factor to password authentication. The company claims that individuals can be uniquely identified just by their cadence when typing in usernames and passwords. I know that I have a definite rhythm when I sign-on, so I can imagine that everyone has their private tempo. BioPassword assures me that they have over one million users that are additionally authenticated by how they type in their passwords.
There are many potential benefits to the BioPassword approach. A few of the possibilities that I like include:
- Users are protected against stolen passwords. Another interactive user cannot use a stolen password without being detected and denied access. Similarly, a dictionary attack would also be refuted.
- Users get relief from password change policies. The more often users sign-on with a password, the smarter and stronger the BioPassword biometric gets. Users do not object to passwords, and this technology could help reduce help desk calls resulting from password resets.
- Internet sites can reduce the risk of a fraudulent sign-on. BioPassword's approach is transparent to the end-user, requiring only a brief training period and active code to execute over the Web. No hardware to distribute or support is required.
- Businesses are spared the expense of offering tokens to their customers, and the associated operational expenses.
- The active software approach lends itself well to strategic partnerships and indirect sales channels.
The security industry needs to offer something easy to augment passwords. Tokens are far too onerous for most consumer applications; BioPassword can add the third factor without incremental end-user training. BioPassword still has challenges. They must continuously prove the accuracy of their approach, demonstrate resilience against keylogger-based replay attacks, transparently attenuate scoring algorithms to minimize end-user challenge questions, and fight for mindshare in the channel. With excellent execution, BioPassword may be part of the authentication solution to help application owners protect their business and customers.
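The typing-cadence idea described in this post, as an added example that is not BioPassword's code: dwell and flight times are extracted from press/release timestamps, a per-user profile keeps the mean and spread of each timing feature, a probe is scored by mean absolute z-score with accept/challenge/deny thresholds, accepted sign-ons are folded back into the profile (so it improves with use), and an exact timing match with a stored sign-on is denied as a replay. The timings, feature set and thresholds are constructed assumptions.

```python
import statistics

# Constructed sample timings (milliseconds) for a 4-key password, not real
# BioPassword data: each keystroke is (press_time, release_time).
GENUINE_SIGNONS = [
    [(0, 90), (200, 290), (400, 490), (600, 690)],
    [(0, 95), (205, 300), (410, 495), (615, 700)],
    [(0, 85), (195, 285), (390, 480), (590, 680)],
    [(0, 92), (202, 292), (405, 493), (608, 700)],
]
GENUINE_PROBE = [(0, 91), (203, 293), (402, 490), (605, 695)]
BORDERLINE_PROBE = [(0, 110), (225, 330), (440, 540), (655, 755)]
IMPOSTOR_PROBE = [(0, 140), (320, 460), (700, 830), (1050, 1190)]


def extract_features(events):
    """Dwell time of each key (release - press) followed by the flight time
    between consecutive keys (next press - previous release)."""
    dwell = [release - press for press, release in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight


class KeystrokeProfile:
    """Per-user rhythm model: mean and spread of every timing feature."""

    def __init__(self, min_std_ms=5.0, accept=1.5, challenge=3.0):
        self.samples = []              # feature vectors of accepted sign-ons
        self.min_std_ms = min_std_ms   # floor so one tight feature cannot dominate
        self.accept = accept           # mean |z| at or below this: accept
        self.challenge = challenge     # above accept, up to this: challenge question

    def enroll(self, events):
        feats = extract_features(events)
        if self.samples and len(feats) != len(self.samples[0]):
            raise ValueError("keystroke count does not match the enrolled profile")
        self.samples.append(feats)

    def score(self, events):
        """Mean absolute z-score of the probe against the enrolled samples."""
        if len(self.samples) < 2:
            raise ValueError("need at least two enrolled sign-ons to score")
        feats = extract_features(events)
        total = 0.0
        for value, column in zip(feats, zip(*self.samples)):
            mean = statistics.mean(column)
            std = max(statistics.stdev(column), self.min_std_ms)
            total += abs(value - mean) / std
        return total / len(feats)

    def decide(self, events, adapt=True):
        """Return "accept", "challenge" or "deny". A millisecond-exact match with
        a stored sign-on is treated as a replay of captured keystrokes and denied;
        accepted sign-ons are added to the profile so it keeps improving."""
        feats = extract_features(events)
        if feats in self.samples:
            return "deny"
        s = self.score(events)
        if s <= self.accept:
            if adapt:
                self.samples.append(feats)
            return "accept"
        if s <= self.challenge:
            return "challenge"
        return "deny"


def demo():
    profile = KeystrokeProfile()
    for signon in GENUINE_SIGNONS:
        profile.enroll(signon)
    return {
        "genuine": profile.decide(GENUINE_PROBE),
        "borderline": profile.decide(BORDERLINE_PROBE),
        "impostor": profile.decide(IMPOSTOR_PROBE),
        "replay": profile.decide(GENUINE_SIGNONS[0]),
        "enrolled": len(profile.samples),
    }


if __name__ == "__main__":
    print(demo())
```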