Thursday, September 29, 2011

VDI: it's about people

After participating in analyst events with the world’s leading VDI vendors (AppSense, Citrix, VMware) , it is increasingly apparent that the marketing of virtual desktops needs to get personal and emotional in a hurry if the industry expects to see explosive growth. For all of the VDI hype and messages of IT control, there are precious few deployments of more than 1000 seats. One possible reason is that end-users do not see what VDI does for them that cannot be easily done with the present physical approach of applications installed on laptops. Virtualization vendors trumpet the IT benefits while marketing to server teams - VDI is doomed to niche uses unless vendors can lead people to clamor for the new capabilities introduced by the technology.

Vendor marketing messaging and positioning targets IT decision makers with promises of enhancing data security, controlling application environments, saving operational expenses, and enabling business agility for existing applications. However, when it comes to re-inventing user experiences the user organizations participate in endpoint architecture decisions and it is personal demand for new capabilities that is going to drive explosive growth in virtualization at the endpoint.

One good start will be to shift the words virtual desktop infrastructure to the fine print of the back page of all market-oriented material. There is not one word in VDI that a user really wants: few people are comfortable with their understanding of anything virtual, a desktop is a necessary evil only to run desired programs, and do users rise to the edge of their seats when the conversation turns to infrastructure? There is amazing technology and potential in virtualization that is buried under IT-oriented technical jargon. It is critical that vendors tap into key user emotions related to making their computing lives easier. A few examples may be:

Imagine having business and personal applications at your fingertips not matter where you are or what computer you’re using – without painful software installations or generic browser user interfaces. You do not need the frustration of being unproductive on the road because you forgot to pre-install software, or you had to borrow a computer that doesn’t have your presentation on it. VDI can provide you access to more exciting programs at your fingertips than you can possibly install yourself.

Imagine relief from not getting upset waiting while Windows installs important updates and reboots your machine just when you’re ready to use your computer. System and application software is maintained by IT in the data center, meaning the most up to date versions are ready to run – before you need them! No more waiting like a second citizen while your computer manages itself; no more playing “IT” to configure security software or applications.

Imagine the freedom of not having to lug a laptop home from the office every day, and back again. There have to be better ways to exercise your upper body and back muscles. There is no need to include laptops, power cords and heavy-weight knapsacks in every commute. Virtualization allows you to run business applications – including Microsoft Office – on home computers, tablets, or mobile devices without having to install application software.

It is rare to find organizations that plan to be entirely VDI hosted in the data center - laptops are not going away anytime soon and even the early adopters seem to only envision a 20% penetration. For virtualization at the endpoint to move forward significantly, vendors need to find and promote visions of the technology that provide benefits that are not easily achieved in physical endpoints or through browsers. The present path of marketing solely IT benefits will result in organizations maintaining about 80% of their endpoints as physical desktop and laptop systems, VDI will be an additive expense, and the great opportunity to impact user lifestyles with virtualization will be lost. It is about people – let’s look for ways for virtualization to change user experiences.

Friday, September 23, 2011

Proactively addressing home and office PC security

Webroot’s extensive survey – over 2500 respondents that was summarized in a Sept 20th press release – reinforced the need for businesses to recognize the inevitable blurring between personal and professional computing. With anti-malware scanning and filtering shifting to the cloud it is easier for organizations to proactively help secure home PCs as well as those in the office. Vendors can do their part by providing services that makes it easy for users or IT to manage security policy for multiple devices - inside and outside of the office.

What caught my eye in the Webroot study was that more than 40% of respondents purchased non-work related items online. Combined with prior results that 46% of users visit their favorite social networking site several times a day, it is becoming clear that employees don’t think twice about blurring personal and professional browsing while in the office. That is not a real surprise, since hundreds of millions of users have been blurring the distinction between personal and professional computing while at home to read business mail, or connect to desktops via VPNs or products like GoToMyPC. And that does not even factor in the use of mobile devices which completely bypass corporate security. Security teams need to address home security for home computing.

Businesses can help by negotiating coverage of home computers in their anti-virus agreements, evaluating cloud-based endpoint security management that bridges the home and the office, or recommending to employees the best free anti-malware offerings (sometimes available from service providers). There is a train of thought that there should be a clear separation of duties between personal and professional devices, and it is up to the employee to shell out $50 per PC annually to help protect the business. But that train is leaving the station.

Friday, September 16, 2011

Intelligent Whitelisting and VDI

Check out my latest post on intelligent whitelisting titled "Working together in a virtual environment: application whitelisting and anti-virus". It is all about provisioning thinner virtual desktops for greater performance and density. Those requiring AV can run it as a security service on the virtual server.The article is right here.

Wednesday, September 14, 2011

RSA SBIC is worth checking out

You have to give RSA credit for the way they’ve responded to their phishing attack. Rather than being totally defensive about the incident, RSA has responded with a drive to educate the market about threats that start with a plausible email that begs for attention. It is a good effort by a mature security vendor.

Their Security for Business Innovation Council reports are interesting executive conversations that result in recommendations and conclusions for enterprise security officers. The latest edition, released Tuesday of this week, focuses on the serious problems in combating APTs.

Usually I take these things with more than a grain of salt because they can be overly slanted into “buy my product” pieces, but RSA does a nice job of letting the executives speak. I liked that recommendation #6 was to “Rearchitect IT”. This is an admission that instead stacking security products in costly (and futile) defense in depth architectures, perhaps the business might be safer with thin clients and virtualization, tighter network zones and access controls, and even use of cloud infrastructures to share costs. It is thought provoking and worth checking out – although having said that I am not convinced about enterprise needs for intelligence services.

RSA also publishes a series of phishing reports - the latest reminding us that though phishing is a global concern, there are security actions we can take here in the US that may help. That is certainly not new information, but while the above SBIC report spent time talking about foreign agents and foreign attacks, it seems like our government and service providers have responsibilities right here - the US hosted 53% of the world’s phishing attacks in July!

Friday, September 2, 2011

Recent press release support

Summer is winding down and Q4 activities are picking up. I’ll post a short note Monday on some concepts from briefings that I found interesting. Meanwhile here are the top 3 quotes I gave recently for Watchguard, Damballa and eEye …


I like what Watchguard has been doing, particularly for companies looking to protect their networks against security issues associated with social networks. The quote is on DLP functionality that will help against unauthorized outbound data flows. My French stops with “merci” – Watchguard did the translating:

“Until recently, data loss prevention technology has been predominately relegated to enterprise organisations that have the staff or resources capable of managing the administrative complexities associated with DLP,” said Eric Ogren of the Ogren Group. “The new DLP features in this WatchGuard
release focus on providing mainstream business environments with the badly needed benefits of enterprise‐strength DLP in a simple to manage solution.”

"Jusqu’à récemment, la technologie de prévention des pertes de données était principalement réservée aux services de l’entreprise disposant du personnel ou des ressources capables de gérer les complexités d’administration inhérentes", déclare Eric Ogren d’Ogren Group. "Les nouvelles fonctionnalités DLP de cette mise à jour de WatchGuard visent à offrir aux principaux environnements professionnels les avantages indispensables d’une protection DLP d’entreprise éprouvée au sein d’une solution simple à gérer."


I liked Damballa’s ISP approach to associating domains and IP addresses with botnets. This allows service providers to detect command and control communications in the cloud, blocking early attacks while AV can perform clean-up of existing threats.

“The designer malware used in today’s attacks is supremely capable of evading detection,” said Eric Ogren, principal analyst of The Ogren Group. “The weakest link for data-seeking malware is now the command and control infrastructure with its reliance on the DNS hierarchy. Being able to detect the criminal infrastructure in its early days, as it is being set up and long before the actual attacks are launched, gives businesses a fighting chance at staying ahead of these threats.”


eEye has been in security for a while, with both Retina and Blink products. I thought their approach to risk identification, vulnerability management, and patching to be interesting for small and medium businesses that can benefit from a community approach.

“Many organizations fail to address their most critical security weaknesses, spending time and money correcting relatively minor security problems,” said Eric Ogren, principal and founder of the Ogren Group. “Security risk prioritization is an indispensable element of any pragmatic IT security and compliance strategy. Enterprises need solutions that will allow them to prioritize so that they can quickly and easily close the most dangerous security gaps in their networks.”