HP created a new business unit in its Enterprise Storage and Server (ESS) group that will focus specifically on software. Does that create an issue in terms of security features between that unit and the rest of the group or does security fall nicely in the ESS software unit?
Security runs across hardware and software and part of the reason for doing it was to enhance many of the features of the new adaptive infrastructure. We're putting a tremendous emphasis on security, virtualization, manageability and power cooling. In order to put a more consistent value to manageability and security across all the different products and that's part of the security strategy for our adaptive infrastructure as well as the rest of our product portfolio.
With the acquisition of AppIQ in 2005, HP had a goal of what it called unified infrastructure management, the ability to integrate storage and server management to synchronize business processes. Doesn't breaking the two groups up into separate business units fly in the face of that goal?
From a security point of view, I don't think it causes more problems. When managing security, the approach from compliance products and manageability products must be consistent across all different kinds of hardware and open to heterogeneous systems. For example, on the security side what we're trying to do is coalesce this into a simple strategy.
You have to protect all resources, whether they're from HP or someone else. Once you solidify the infrastructure and resources what you really want to do is secure the data.
How long does HP wait to tell customers about a vulnerability?
There is a very large set of people in HP over various operating systems and groups that have a process that deals with this. It is mostly centralized and we internally see notes in a very short period of time and after validation it's sent out to distribution points. My observation is that we are very quick in notifying customers.
As far as that particular set of products, the security that we're looking at runs from small and medium sized businesses all the way through to large enterprises. The bigger challenge is in small and medium businesses. In many cases the person doing security is also doing financial reports at end of day. We need to do a better job and we're spending a fair amount of time and effort making security simple with Storage Essentials. That way if you have a small and medium sized business you can dial-in security with Storage Essentials and you get all the security included in the same architectural approach. Across the company we are trying to link together the security strategy into the same all encompassing approach. We think key management and open key management standards linked-in with identity management is brought together with Mercury. We're bolstering trust and coming up with better interoperability in customer shops.
Last year, HP introduced a Nonstop server targeting smaller businesses. The trend is continuing with a series of announcements this year from HP targeting the SMB market. Smaller businesses typically don't have the budget to buy security technologies. How does HP approach security with SMBs?
What we intend to do is to make security in small and medium sized businesses just as simple as taking an ATM card out of your pocket and sticking it in an ATM machine and getting $200. You shouldn't have to think about it. That not only takes a fair amount of product and intelligence but it takes a certain amount of knowledge of your customers. Whether it's the All-in-One backup solution, Storage Essentials or Server Essentials we're working to simplify the security process and solidify data protection across your environment. It's going to be hard to give someone that level of comfort and that insurance level especially at the SMB level. At the enterprise level the PCI guys understand the PCI rules, but it's not always clear to an SMB what they should be protecting and how they should be protecting it. You should be able to do security without getting in the way of what you need your systems for.
Does HP train people on secure coding practices?
Two sets of internal training go on at HP. One is general purpose and another is a series of products being developed in our labs with several security groups outside of HP that has us doing basic security testing and proofs with basic algorithms and structures. It's a new way of mastering security training and more and more people are going through that.
HP has long taken a third party approach to security. Bake-in security from third party vendors into your servers. An example is with the recent launch of a new appliance using software from San Francisco-based SenSage Inc. Do you agree with that statement? Has that strategy paid off and is HP sticking to that?
In certain cases that is absolutely the right way to go. Part of the attractiveness of HP is in our open trust. We're not blocking a customer into whatever we can come up with when it comes to security. By going with best of breed what we can offer the customer is choice. We have a range of products from the desktop to the data center. We have a rather unique range and if we try to cover it all with the stuff we've got it wouldn't be fair to our customers. In the case of SenSage they have a very high performance product and we needed to add HP's understanding of the industry to it. Between us and our partners we knew more about the rules that you put on top of that audit appliance. By going with SenSage you get a combination of things that are pretty powerful to the industry. It's better at addressing compliance and has a more powerful non-database audit engine that can do terabyte rapid session quickly.
Part of HP's Adaptive Enterprise Strategy is this push around utility computing and virtualizing data center resources. Doesn't virtualization make security issues more complex?
It makes some things better and some things worse. In the case of client virtualization where you have a thin client and a blade center back in IT infrastructure, it makes things better because individual blades are then controlled by the IT organization. Many of our customers buy those thin client networks for security reasons. There are government organizations that only run remote offices on those thin clients.
The kind of virtualization that makes things harder is the one in which you take any arbitrary number of CPUs and storage units and put them on an arbitrary operating system. You have to have a lot of trust in that structure. One of the reasons HP is big on the trusted software model is that we put trust down starting at the chip level and build up from there. The BIOS validates the boot, the boot validates the OS and up and up. We highly recommend using identity management structures to bring all that together with a set of policies. You need to build up from the bottom of trusted components and OS and build down from your trusted identity structure across the enterprise and then bolster it in the middle with key management and encryption.