How to sell security solutions - part one

by Guy Matthews, Computer Reseller News

31 Aug 2000

The time has long gone when the reseller of security solutions was an unpopular harbinger of doom, a messenger who deserved to be shot as just reward for the propagation of wildly exaggerated scare stories.

Nobody currently running a corporate network, let alone one supporting an ebusiness, needs reminding now that security risks are not fiction.

Computer viruses can make the news headlines. Lax web security can result in an instantaneous press roasting. Denial of service, following a system breakdown, can fry a smaller startup and knock millions off the share price of a solid blue-chip.

The statistics, which tell only part of the story, are shocking. US-based Computer Security Institute and the FBI have estimated that hackers stole more than $100 million (£65 million) last year via the world's ecommerce servers, as well as causing untold damage to systems. This figure is believed to be highly conservative by many. It is certainly set to grow.

A recent study by PricewaterhouseCoopers found that almost three-quarters of UK IT professionals believe they have come across evidence in the last year of breached network security or corporate espionage via the internet.

Analysts say websites and commerce servers are particularly attractive targets for criminals, both organised and solo, since they perform transactions that attract intrusion, such as the processing of personal data and credit card details.

All this is surely proof that God is a security reseller. Or at least that He has shares in a security software vendor. The commercial possibilities for security solution providers are almost endless, adding substance to the adage about ill winds.

In particular, protection for ecommerce transactions is becoming a huge opportunity for vendors and their partners. Market analyst IDC estimates that transaction security will account for $8 billion of an overall $13.1 billion global web security market by 2003. This means it is something that resellers cannot afford to ignore any more than their corporate customers.

Accentuate the positive
The current wisdom, according to any number of security vendors, is that selling security is not about selling doom and gloom, it is about selling technology that makes life easier. Frederic Engle, marketing director at digital identity technology vendor ActivCard, says: "Resellers should spread the message that the glass is half full, not half empty. Security is an enabler, not just a protector."

Although security sells itself these days on one level, that does not necessarily make life easy for those whose job is to deliver the goods.

Sell a document management system that goes wrong, and you will be called back to fix it by a slightly cross systems manager. But if your security measures are perceived to be responsible for an embarrassing disaster, you can expect the customer to go ballistic, and a stiff letter from its solicitors.

Somewhat complicating matters is the task of knowing your way around the mess of technologies and standards that make up what people simply call 'the security market'. Customers will look to resellers to have a good grasp of many different areas of security, in the same way that people place faith in their family doctor to fix everything from ligaments to lungs.

Partly to better meet this demand, many resellers specialise in security instead of tacking it on to an existing skill set. But total specialisation is by no means essential. For many resellers, security is a core part of what they offer, but not necessarily the end of the story.

For specialists and non-specialists alike, a problem with following security standards is that there seems to be perpetual disagreement among vendors, standards bodies and end-user enterprises about which standards should rule.

Take the example of SET (Secure Electronic Transaction), the emerging standard which has been promising to enhance the authentication process for online acceptance of credit cards. With SET, a user is given a digital certificate, and a transaction is conducted and verified using a combination of digital certificates and digital signatures between the purchaser, a merchant and the purchaser's bank.

SET in stone
SSL is currently the most popular standard for securing transaction data collection, but it is regarded as inadequately secure and primitive. The SET alternative has been touted by many, including MasterCard and Visa.

But while SSL is built into every standard web browser and server, SET requires expensive additional software. SET also does not provide merchants with detailed transaction information. The merchant knows only a limited amount of data: the name of the consumer, the amount of the purchase and whether the amount was authorised or declined. This denies them potential marketing opportunities.

Already, Visa has issued statements saying, or at least implying, that SET is not suitable for global implementation just yet, prompting some analysts to declare the standard stillborn.

Visa is also working on yet another development, called the Three-Domain Model (3-D Model), a system which it says adds greater flexibility and takes pressure off both cardholders and merchants. The new model potentially allows the cardholder and merchant to authenticate themselves to the issuer and acquirer respectively without necessarily using the SET protocol.

The issuers and acquirers can choose to use different authentication protocols, such as SSL or chip-based cards, therefore avoiding the costly and cumbersome process of cardholders and merchants loading SET digital certificates.

But will the 3-D Model take off? The success of security standards is all about timing, weight of support, fragile alliances and plain old good luck, and SET illustrates this perfectly.

Another issue is that security standards and technologies never exist in a vacuum but need to co-exist with other technologies if protection for the enterprise is to be seamless. As a reseller, for example, you cannot afford to focus on just anti-virus protection or firewalls.

Shattering the anti-virus illusion
The world of anti-virus protection has been fairly cosy and self-contained until recently. End-users everywhere bought happily into the myth that a simple anti-virus package running in the background would cure all ills, as and when they arose. After 'I Love You' and a number of other high-profile global scares, this illusion was shattered.

Nir Ganani, marketing director at Israel-based Finjan Software, believes that more dynamic and intelligent solutions are needed. "Anti-virus software is usually based on a blacklist of known viruses. If it's not on the list, it will get past, no problem," he says.

Ganani claims Finjan software scans all code as it passes through the server or PC and inspects it to see if it is "good or bad".

Similarly, firewalls are no longer accepted as a magic potion for security problems. They are more likely to be deployed with virtual private network (VPN) technology, designed to securely connect networks so that they can share data over the internet without the use of leased lines.

VPNs, in turn, need to work with a growing number of mobile technologies. The most popular VPN type allows remote access to a corporate network. Employees can use their local internet service provider dialup accounts to access the network securely over the internet via a personal digital assistant or notebook, eliminating the need for dedicated modem banks and analogue lines.

Once connected, the VPN opens up a secure tunnel, in which content is encapsulated and encrypted, and users are authenticated. Such technology allows safe, direct and speedy passage of data over the internet.

The quantum leap of PKI
Like VPNs, the relatively new idea of public key infrastructure (PKI) is being touted by many as a quantum leap in enabling secure communications and transactions. PKI relies on a private and public key pair that is matched up to provide enhanced security over the internet. The private key can be kept on a PC or a card. This dual form of security surpasses less effective but still popular password security technology. PKI can tell who is who and who is allowed to do what. Leading vendors are already investing in the technology, including Microsoft, which has embedded PKI technology in Windows 2000.

Colin Bastable, vice-president of sales at nCipher, a company described as a "product-neutral enabler of PKI solutions", believes that PKI's time is at hand. "The security market is maturing rapidly, with lots of pilot PKI initiatives being rolled out.

"The UK is actually a bit behind the rest of Europe, which is leading the way. We are short on cryptography skills, but they will grow," he says.

One of the challenges of PKI, as with so many security technologies, is making the authentication process portable. The digital certification can be downloaded to the desktop, but portability demands something like smartcard technology, which does not enjoy terribly high user penetration.

What is needed are credit cards with embedded smartcard functionality to make PKI an acceptable portable form of security. Some are touting the idea of a virtual smartcard that enables users to download a certificate of authentication.

Moving to mobiles
Portability is definitely an issue for the security-conscious. Some influential voices are warning that even attempting to involve mobile devices in a world where security is paramount is foolhardy at present.

Graham Titterington, senior analyst at research consultancy Ovum, warns in his recent report E-Business Security: New Directions and Successful Strategies: "Smartphones and handhelds have too many vulnerabilities today to be afforded high levels of trust, even if the users themselves are trusted. There is no standardised security infrastructure in the form of end-to-end protocols, it is too easy to steal or tamper with the devices, and digital keys are stored at gateways rather than on the device. Organisations should be restricting their access rights until at least 2001, when the prospects of a standardised security infrastructure will be better."

It is the ability to make sense of complex issues like the safe integration of mobile technology that makes the reseller so vital to the security process. There can hardly be another technology market where so much information is needed by so many but delivered by so few.

Vince Sacks, director of product marketing at security hardware vendor WatchGuard, says: "There is a dearth of security expertise out there. IT departments are experiencing an average staff turnover of between 12 and 20 per cent a year. To find good people is hard. To find people well versed in security is practically impossible. Resellers, on the other hand, have the knowledge."

Management role
Reselling security is about much more than products and technologies. There is, for example, a growing market for risk-management and other managed services.

Xavier Tapon, marketing director at intrusion detection specialist ISS, says: "Security management is at early adoption stage, but all the press given to security problems is helping. We used to give advice to customers and let them work it out for themselves. Now they are asking us to design and manage the whole solution. We can do things like compare the security policy of a customer against best practice."

Resellers that are able and willing to take on the security market, warts and all, will find a world full of value-added possibilities. They will also find that the goodwill that comes from peace of mind can act as a powerful glue between service provider and customer. As businesses everywhere adopt the ebusiness model, they are faced with the challenge of creating a secure electronic relationship between themselves and their clients.

The reseller that can bring this dream alive will have a customer for life.

Conclusions

  • Security solutions are in demand among all businesses, thanks to the growth of ebusiness and high-profile scare stories. What complicates matters is the abiding problem of the interoperability of standards.
  • Not all security resellers are specialists, but it helps if they have relevant skills.
  • Most security technologies do not work in isolation any more.
  • Virtual private networks and public key infrastructure are important growth areas within security, but both face problems from the growth of mobile computing.

Reasons to be anything but cheerful (unless you are a security reseller)
Threats to corporate security make good headlines, according to Darren Clare, product manager for security at Ideal Hardware. "There have been a number of high-profile cases in the news recently. Your customers may well be aware of them," he says.

But just in case their memories need to be jogged, here's a quick refresher. Barclays Bank, which has 1.3 million online customers, had to temporarily shut down its site recently after a software bug allowed customers access to other people's accounts.

Utility company PowerGen was similarly forced to review its online security systems after a customer discovered he could access someone else's bank details. The company is believed to have been forced to offer compensation to some customers inconvenienced by the incident.

High-street retailer Woolworths, which also suffered similar problems, had to close its entire site down, putting up the message: "The Woolworths store is currently closed."

Supermarket chain Safeway had its email server tampered with. More than 1,000 customers complained of having received a 'rude' email from the company advising them to "piss off to another supermarket chain such as Tesco or Sainsbury's" if they didn't like a threatened 25 per cent price rise.

The embarrassed retailer said: "At this stage of our investigations, we are confident that no personal information was accessed." The real cost of such breaches, however, is consumer confidence.

It is not only bricks-and-mortar firms that get their noses tweaked. Online books and music retailer Amazon.co.uk recently found that some visitors had been able to take advantage of a loophole in its site that allowed them to pose as writers of books they had nothing to do with.
