Tuesday, December 29, 2009

Web security strategy

Check out SearchSecurity.com for the latest:

If you haven't focused on an enterprise-wide Web security strategy then it's time for a reality check. It's safe to assume that various parts of your organization are using Web applications and a cloud computing infrastructure or services, and the time to wrap a security strategy around that is now.

Wednesday, December 16, 2009

Microsoft and EC settle their IE dispute

Good to see the European Union competition commissioner has finally come to its senses and settled its silly and costly business practices lawsuit against Microsoft over the bundling of Internet Explorer into Windows.

This seemed like pure harassment to me – browsers are free, users can easily download and install any browser they want, and service providers could have included or recommended browsers if their customers demanded help. In fact, you could even argue that ubiquitous feature-rich free browsers have worked to everyone’s benefit (though I do not believe Microsoft set the market price of free).

Anyway, Microsoft and the European Commission are now in agreement. Microsoft has agreed to give the user a choice of leading browsers in versions of Windows and presumably the EC can find better things to do.

Tuesday, December 15, 2009

Lessons from CoreStreet

CoreStreet is the most recent security company fire sale – selling to ActivIdentity for “approximately” $20 million. Usually this means that the investors get some money back, the founders get some candy so they’ll bring their next idea back to the VCs, and everyone else gets new business cards. CoreStreet gave it a good go – they had sharp mathematicians and a new idea for authentication, but could not find a sustainable and repeatable business. There are at least 2 things that other struggling security companies may be able to learn from CoreStreet:

Keep your messaging simple. CoreStreet is in the “distributed credential validation solutions” segment. You cannot expect a security team to evaluate, recommend or buy a product that they do not fully understand or have an expressed need for. When I first talked with them, CoreStreet described proofs and math models to authenticate signatures when a certificate authority was unavailable. I was in over my head in about 30 seconds, and I like to think I’m pretty good at authentication and math. If you are looking to increase sales traction, make sure your messaging is easily understood and directly addresses an important business need.

Try to diversify away from a government-dominated customer base. When it comes to security, government agencies often have unique solution requirements that do not translate well into the commercial world. You can make a business serving the federal government if your company reaches a critical mass, but if you are not cash flow positive you need to have alternatives. While CoreStreet attracted business from defense-oriented agencies, it couldn’t translate its technology to the commercial sector. The company had no options and no place to grow, except perhaps by acquisition by a vendor that can service outstanding government contracts.

There is a tough year coming up and we will see more security vendors like CoreStreet with tired investors and shuttered doors in 2010.

Database activity monitoring lacks security lift

Posted to SearchSecurity ...

The IBM acquisition of Guardium Inc., a privately-held database activity monitoring (DAM) vendor, is far from a validation statement of DAM as a viable security market segment.

Vendors including Embarcadero Technologies Inc., IPLocks (acquired by Fortinet Inc.), Lumigent Technologies Inc., Symantec Corp. and Tizor Systems Inc. (acquired by Netezza Corp.) have already given up on the DAM space, leaving companies such as Application Security Inc., Imperva Inc., Secerno Inc. and Sentrigo Inc. fighting to divvy up a total annual market of well under $100 million. The IBM acquisition of Guardium helps the company gain information management technology and a capability to drive professional service revenues in the data center.

Tuesday, December 1, 2009

Health Net breach failure of security policy, technology

I'm back from vacation and Thanksgiving - hope you all had a nice break!

Here is the latest SearchSecurity posting:

"The recent Health Net data breach—affecting some 1.5 million users—is a failure of all aspects of IT security, including the ability to set appropriate policy, communicate that policy to employees and deploy the relevant security technology.

Health Net announced last week that unencrypted records, and the portable external hard drive containing those records, were lost. A loss of this magnitude from normal business practice suggests that either sensitive data accumulated over a long period of time and was not systematically erased when no longer needed, or the user worked on extremely large chunks of data without proper security controls. IT should have been aware of both possibilities and acted to protect the business." ...