Tuesday, February 21, 2012

Early Vibe: CO3 Systems

CO3 Systems is a new security company with an excellent position, seasoned management team, and a ton of potential.

CO3 provides a cloud-based service to help companies prepare for, and then navigate through, the process of a disclosure event resulting from a breach of regulated data. It fulfills such an obvious need that I am surprised more vendors are not specializing here – every large company will suffer a serious incident and every exposure of regulated data invariably results in expensive pandemonium. CO3 aims to help businesses save significant expense by generating a custom-fit incident response strategy and then providing the tools to manage the complexities of the notification process.

Market need: Most enterprises are affected by several international, federal, and state regulations for regulated data. Furthermore, the regulations regarding consumer privacy and the best practices associated with those regulations can change. Most enterprises are also not in the disclosure security business, so CO3 can help educate the business about the potential costs and the expected organization and “fire-drill” process when an incident occurs.

Leadership ability: The management team is as strong as they come. In fact, I would feel better about CO3 if they had been thrown from a few more horses. The team lists @Stake, Arbor, Axent, Counterpane, and Symantec in their list of credits. The only obvious clunker is Authentica, and even there engineering was the strength of that company.

Opportunity: The cloud service approach makes a lot of sense, as companies will run low-expense what-if exercises most of the time and then will experience a massive spike in activity when a breach is detected. CO3 will have to figure out how to deliver continuous education/service to maintain a healthy steady-state revenue flow and then price the disclosure service to reflect its value during a breach – without appearing predatory. CO3 can also drive managed service revenues, which would make it attractive to large systems integrators, MSSPs, and even insurance companies.

It will be interesting to see how CO3 executes. Most security startups promise to rid the world of an attack or an obsolete security technology, but then have nothing to offer their customers if their product gets beat by a clever attack. CO3 spends the time researching the regulatory disclosure requirements, working with their customers to have an actionable strategy in place, and then helping to coordinate the response. It is one of the few areas in security with clear ROI benefits. They are nicely positioned with an experienced team – look for good things from CO3.

Thursday, February 2, 2012

NAC and VDI work well together

I have spoken with a few companies lately that have made a nice security solution out of integrating NAC and VDI products.

Security officers have always liked most of the traditional NAC story – automatically assess the health of the endpoint, control access to applications at the port level, and have end-users bring their own devices into compliance. That has led to a resurgence of interest in NAC products from the likes of Cisco, ForeScout, Juniper and Microsoft.

However, the NAC problem has always been the concept of quarantining devices that fail health checks, are unmanaged because of device type (such as iPads or mobile devices), or are unmanaged because they are owned by business partners (and maybe do not run 802.1X). In many of these cases the devices cannot automatically be brought into a safe, compliant state, but the user still needs to conduct business on the network. There are not many security officers who want to tell business executives that they have blocked access to the network – a better approach is to offer an alternative delivery of the application.

A solution for some is to host guest desktops in the datacenter and to use VDI from the likes of Citrix, Microsoft, Quest or VMware to allow users to do their jobs. With VDI, the organization has far fewer concerns about valuable data residing on an infected endpoint since the data never leaves the datacenter in a persistent form, access to critical applications is still controlled by strong authentication, and security can recommend a safe, compliant means of using the network.

If you are running NAC for automated remediation and quarantining of non-compliant or unregistered endpoints, look into granting access to applications with VDI.