29 Sep 2000
In two or three years' time, security resellers will be easy to recognise, because each will be carrying an enormous wallet, a big stick and wearing a pair of sunglasses. Their skills will be so much in demand that they will be making huge sums of money and using the stick to beat back the competition, which will include ISPs, telecoms companies and other resellers.
And the sunglasses? These will be vital, because security will have become so important to companies that security resellers will find themselves in a very bright spotlight.
Paul Vlissidis, head of risk management at consultant NCC Group (formerly the National Computing Centre), says: "We will see a kind of digital Darwinism. Only those who adapt to the environment will survive. Only those businesses which can differentiate security for their brand will make it."
There will be many drivers for this change: ecommerce and the need to build confidence among customers; increased legislative pressures, such as the Data Protection Act and Human Rights Act; new laws that will define the status of electronic contracts; threats from a new generation of hackers and virus-writers; the growing use of home and portable technologies; and stock exchange regulations that have made directors personally accountable for security.
According to Mik Stevens, director of technology at managed internet solutions provider Esoft Global, the growing maturity of the security market and increased knowledge of the risks and benefits will mean that companies will want to stop fire-fighting and start planning security strategically by including IT in their overall risk management plans.
"Many people feel they are applying sticking plasters to individual problems," says Stevens. "They will need to look at security as a coherent strategy, instead of a reactive policy as they are at present."
A key benefit of this, from the reseller's point of view, is that they will start making lots of money. Research by independent security consultant MIS-CDS shows that security accounted for just five per cent of companies' IT expenditure last year, but rose to about 12 per cent this year and is expected to grow to 18 per cent by 2001.
An eye on the enemy within
Access controls around the perimeter of a company will no longer be enough, partly because so many customers and trading partners will be allowed through sections of that perimeter, and partly because of the threat from within from hostile or inept staff. So there will be increased use of internal firewalls to act like water-tight bulkheads in case another area is breached, and of assessment and monitoring tools such as WatchGuard to assess the risks and check who may be snooping around.
Leading firewall vendor Check Point, which is promoting weaving security into the fabric of the business, believes one solution is to bring it down to the application level. Check Point has developed suitable interfaces and is working with about 30 application vendors, including Oracle.
Monitoring will become more proactive. By building up a profile of each legitimate user, for example, the system can raise an alarm if they do anything abnormal, such as logging on at 3am or trying to access the directors' personnel records. Intrusion.com is developing products in this area.
Websites pose a particular risk, partly because they are so public and also because commercial pressures mean they are often thrown together quickly and security is a low priority. Site monitoring software will become popular, checking on availability, performance and security and attempting to fix problems on the hoof. Nokia and Radware are key vendors in this area.
Firewalls themselves may be built into components such as ethernet switches so that they do not become bottlenecks, or built into modems for home users. Already, firewalls on chips are being produced by WatchGuard.
Appliance firewalls - solid-state hardware devices which are claimed to be very secure, reliable and cheap to run - are quite popular. This trend will continue, with small business products added to today's corporate offerings. Appliances could soon become multi-functional security centres. Nokia has recently added RealSecure threat detection from ISS and Trend Micro's antivirus software to its IP appliance firewall.
Content monitoring software, which tries to intercept libels, obscenities and breaches of confidentiality in emails, will remain popular. This will be extended to scanning for images as well as text, as in the new Pornsweeper product from Content Technologies.
Security management is another area that will become increasingly centralised. Easy-to-use tools are promised and companies will be able to take a unified view of security to avoid a repeat of the 'divide and conquer' tactics used in some denial-of-service attacks on websites earlier this year.
Security will have to extend far beyond the user company itself. Virtual private networks (VPNs), which use the internet as a cheap alternative to privately leased lines for voice and data communications, look set to be lucrative.
End-to-end security
Matt Tomlinson, business development director at MIS-CDS, says: "I think VPNs have finally emerged. Some key VPN vendors such as Alcatel and Cisco have established themselves as the standard within the industry. They will proliferate across Europe in the next 12 to 18 months."
End-to-end security may also be necessary when customers are accessing a system, particularly from home PCs, because problems can occur before the user even makes the connection. Investment bank Credit Suisse recently began issuing customers single-use secure tokens from RSA so they can identify themselves when they log in. American Express is reported to be making a similar move.
VPN traffic, and any confidential internet communications, must be encrypted, and the encryption market will be given a boost by the relaxation of US export restrictions on strong 128-bit encryption technology. However, in many ways it is not the strength of the encryption that is important, but the ease of applying it; otherwise users simply do not bother.
To encourage this, encryption may be built into standard desktop software as a differentiator, from email clients to word processors, spreadsheets to databases.
Encryption protects data from prying eyes, but it does not guarantee the author's identity. Authentication is also necessary, for example through digital certificates from vendors such as BT TrustWise.
Vlissidis says: "We are actively encouraging our clients to go for digital certificates because the price has dropped to about £7.50 per person per year. Senior managers and directors should have one."
High-end encryption and digital certificates will increasingly use public key infrastructure (PKI), which works by combining a private key held on the user's PC with a public key distributed to anyone with whom the user communicates. Richard Parkinson, European managing director of PKI solutions vendor Xcert, says: "The basic concept of PKI is simple, but the technology was seen as difficult to deploy and manage, which delayed its take-up."
Vendors are trying to make PKI systems more interoperable, although distributors remain unenthusiastic, says Parkinson.
Bernie Dodwell, sales and marketing manager at specialist security distributor Allasso, says: "PKI is five per cent product and 95 per cent hassle. I do not see any mass market for PKI until it can be simplified and packaged for the channel."
Some resellers are biting the bullet. Corporate solutions provider Basilica is already involved in PKI and plans to use it internally, too. "It's hard to see how business-to-business ecommerce will be done without PKI, so people have to think about it," says Damon Crawford, security manager at Basilica. "It's OK if you approach it properly and don't see it as a panacea."
Viruses become more targeted
Viruses will always be with us. Antivirus vendor Sophos is logging more than 400 new ones every month, compared with 100 three years ago. Mark Forrest, sales and marketing director at Sophos, says: "The trend is becoming worse and many viruses are now being targeted to cause maximum damage."
Business and consumer awareness has improved considerably since the so-called I Love You virus was unleashed. But in the future there could be co-ordinated attacks by multiple viruses, such as this year's internet denial-of-service attacks, and there may be web-borne viruses that will affect people who are merely browsing.
The antivirus software market has consolidated and become commoditised, but innovations are still happening. F-Secure is using push technology from BackWeb to alert users to new releases of its software and then offer it for download. And products such as ePolicy Orchestrator from Network Associates will monitor security software to ensure that it is up-to-date and correctly implemented.
According to Jack Clark, European product manager at Network Associates, network administrators are more concerned about how they manage their antivirus software. "We are shifting our focus to that," he says. "They don't want to have to visit each PC to check."
Security on the move
As the boundaries of company networks extend to include mobile users and home workers, further security opportunities will open up. There have already been virus scares on mobile phones. These are false alarms, says Sophos, but there could soon be real viruses.
The growing power of handhelds, the growth of Wap and the advent of third-generation services such as GPRS (general packet radio service) will provide more powerful platforms which virus writers and hackers could use to do more damage. Any device that can be left on a bus or lifted by a pickpocket is inherently insecure. This makes such devices problematic for corporate security managers, who may need to devise a complex matrix to specify what information can be accessed, using what kind of device and from what location.
Bluetooth, the short-range wireless standard gaining ground with PC and peripherals vendors, could prove a nightmare, allowing hackers to steal vital data just by walking past a window. Good authentication will be required, although Bluetooth could help by providing authentication between a handheld and a desktop PC, or causing a stolen notebook to shut down because it does not recognise the devices around it.
Cherry-picked resellers
Personal firewalls are already on the market and firewalls may soon be built into modems. "Small office/home office is a key area of development," says David Ellis, head of e-security at specialist distributor Unipalm. "Check Point is moving into that space, so others are likely to follow."
However, security resellers are unlikely to have it all to themselves. "The future is more threatening to the traditional channel, because more players will be added, such as telcos and the big consultancy firms," says Aled Miles, North European managing director at Symantec.
Computer Associates, Network Associates, Alcatel and Symantec have been consolidating. "Good resellers will be cherry-picked," says Miles.
However, the main weapon in the reseller's armoury will be a combination of business and technical expertise. "Technology will be easier to implement, but only value-added services will make it work," says Dodwell. "Security will never become a commodity because no two security policies are the same. You will have to understand the needs of the business before you will be able to set up the technology."