« October 2009 | Main | December 2009 »

November 30, 2009

Nick Selby: Guardium Acquisition as Catalyst for DTM Roll-up

Assuming the stories of an IBM acquisition of Guardium are correct, the deal marks the official transition from "standalone product" to "standard feature" of database transaction monitoring. That is to say, DTM is actually an important feature of a much larger family of products and services. No longer should it be considered a standalone industry of its own.

Right now, DTM is, sadly and still, a fairly obscure space, populated by bleeding and leading edge companies unafraid to wade hip-deep into DBAs. So the question is, can IBM make this more understandable to the mainstream? That is what has to happen. People put information into a database because the data is important to their business. At this point, they worry about backing it up, but securing the database and hence the data while it's being used - which is even more relevant in the upcoming cloud thing - is less understood. Is IBM going to take on the effort of educating the marketplace? Or will it sell it as a platinum feature?

For customers, a buy-up within the DTM space should spell great news over the coming years in the form of increased quality, better-integrated server agents, and one-stop shopping - not to mention the rapidly increasing possibility to think of database vendors as being a bigger part of a safe solution when firms move to establish enterprise-wide data security (or anti-data-loss) programs. The question is when it moves from an "available feature" (like a backup vacuum pump for your 2009 Cirrus SR-22) to a "standard feature" (like seat-belts for your new Honda).

That Guardium would go to IBM is not at all surprising - IBM is well-poised to leverage the product and the services aspects of such a thing. That some have commented that Guardium executives sold the company for more than IBM wanted to pay is funny. (It's always more than IBM wanted to pay, no? But I would not be shocked if the real number turned out to be that IBM paid between four- and seven- times - or that Guardium revenues were as high as $50m for 2009; basically I think it did just about $37m this year.) I think Guardium is fully worth what IBM is said to have paid.

From what I can tell, Guardium has led the space in terms of sales and public relations. It has achieved this leadership by its concentration on partnerships with the likes of BMC and Dell; its concentration on the mainframe (mainly through a Z/OS agent Guardium had licensed from NEON Enterprise Software) as well as its ability to articulate, probably better than anyone, the value proposition for DTM. It also built a great database agent and showed that this could be integrated without freaking out either security or operations - in short, it worked, and customers love it.

One of the things that Aaron Turner has pointed out in our Information Protection track at IANS Forums for about two years has been the highly effective capabilities that Guardium brings to the table in terms of having someone capable of speaking with and explaining to database administrators the value of security: Guardium speaks DBA in a way that DBAs don't find threatening. In and of itself the ability to translate between business, security, and database administrator imperatives is a highly valuable skill set.

I talk about DTM (as does Rich Mogull) as part of a larger data security approach as opposed to a small independent market in and of itself. At Trident we counsel clients to use DTM as an arrow in the quiver of an overall data security approach. (By the way, I just saw that Securosis has Guardium at $45m, raising earlier estimates that more closely jibed with mine.)

What's left in the marketplace is interesting, and I see similarities between this and the rollup of the web application vulnerability assessment space a couple of years ago. This may well be the catalyst for a couple of quick acquisitions, mainly of Imperva, Application Security Inc, and Secerno. The religious differences between the products - specifically the outside-and-inside approach of Imperva's integrated Web Application Firewall/DTM product, and the babel-fish approach of Secerno - help several of the remaining players make solid acquisition stories. Bummer for AppSecInc, selected for the marketing project that was Enterprise To The Edge then getting passed over. Not sure what play it has here, nor how it remains relevant enough to become acquired meaningfully. Another player not catching on fire is Sentrigo, which has an interesting technical take that make some in the US intel community say things like, 'Dude, how do you spell '8200'?'.

I would not be surprised to see, as with the web application vulnerability assessment space, a longer-than-expected integration period as political battles within the acquiring companies overtake common sense and deal execution.

As with anyone selling a panacea, this is really just a piece of the very very much larger puzzle, and it directly threatens certain factions within any acquiring organization. For example, I would not like to be the guy in Oracle to tell the Oracle team that they'd just acquired Secerno to help with security of Oracle products. Merry Christmas indeed.

Nick Selby is IANS Faculty and managing director of Trident Risk Management, a security and risk consultancy.

Posted at 01:58 PM in Vendor Analysis | | Comments (0) | TrackBack (0)

November 17, 2009

Adam Cardinal: Building Relationships - Internal Audit Team

This series of blogs is intended to give Information Security professionals some ideas on building quality relationships within their enterprise. If you are following these steps – good for you! You’re well on your way to building a good professional working relationship. If not, take this as an opportunity to think about what small steps you can take – today or this week – to build those relationships. Only you can make your job more rewarding and improve your chances to positively impact the organization.

It should come as a surprise to no one that being a successful Information Security professional is entirely dependent upon the ability to build relationships and influence behavior. Shifting the profession from a tactical to a strategic position is an essential component to success in raising the profile of security professionals in the enterprise.

I’m not foolish enough to think that we’ll ever stop being tactical professionals – far from it. I actually love the crisis management aspects. But I am cognizant that as I assist the business to make informed decisions before a project goes live, I will see a reduction in the number of incidents I manage. I also know that I will be brought to the table more frequently if my business partners think I need to be there – and if they actually want me there!

Information Security and Internal Audit have a strong allegiance in many organizations. For Information Security, the Internal Audit team is often the last line of defense with a management team that can’t understand or fails to appreciate the impact of risks they are taking by allowing vulnerabilities to exist without proper mitigation. Internal Audit turns to Information Security first for significant portions of their IT audit work. Getting quality samples in a timely fashion helps ensure that audits are accurate and completed in a timely fashion. Identifying opportunities to work together can bring significant value for both groups of stakeholders.

  1. Track open items – Auditors are measured not just on the audit items they identify, but their ability to work with the business to close them. Work with your audit team to understand audit items that are outstanding, the owner that has been assigned to address them, and the date by which a written response and remediation plan are due.
  2. Ensure assigned roles make sense – Auditors don’t want items to be assigned to the wrong person any more than you do. Help them save time and avoid pushback by participating in post-audit review sessions not only to validate the validity of audit findings, but to ensure that they are assigned to the group that has the ability and the authority to make changes or implement compensating controls.
  3. Validate mitigation plans – In some cases, the Info Sec team may have key insights into whether the business or systems team’s mitigation plan is achievable. Provide clear feedback to audit and business/systems team’s if you have reason to believe that the mitigation plan won’t work. I worked on an instance where the business told audit they’d remove access to a high risk function for 90% of the staff that had it; however, neither audit nor the business realized that the function was required to allow an essential process step. The proper response should have been to fund a systems change to separate the sensitive function from the one required for most staff. Instead, the business made a request to remove the function – the business team was brought to a halt so the function was added back. When audit returned to examine the results of the remediation, they saw that nothing was done and they opened a high priority audit item. It also meant that more than 6 months went by with the vulnerability, when it could have been closed more quickly if the proper mitigation action was identified and planned for.
  4. Provide input to audit strategy – Most Internal Audit teams welcome input into their audit planning to reduce redundancy and overlap. Providing audit teams with opportunities to separate audits of systems shared by multiple groups with the audits of the groups themselves reduces redundancy and re-work. No one wants to re-audit the general ledger system when the accounting group, accounts payable, accounts receivable and order entry teams are audited.
  5. Review major changes – Sit down with the audit team and inform them of major projects you’ve worked on in the past year. New systems, new functionality modules, business processes, external connections and strategic partnerships could all be in scope. Ideally, the business team has briefed them – but in the event they haven’t, you are providing good focus on areas of change. This is an opportunity to review all the steps the business and systems teams certified they’d done were done and done correctly.
It helps to notify your management team when your relationship with Internal Audit yields benefits for your team. Part of your job is building and investing in these relationships. It’s important to give credit when credit is due, when your partnerships make you a more effective security professional.

Posted at 09:25 AM in Research | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , ,