It's been just over two years since IBM bought its way into the security market, purchasing Internet Security Systems Inc. (ISS) for $1.3 billion. Analysts say this week's fusillade of new product and product update releases indicates that IBM is giving the ISS folks some room to flex their muscles in the market as they work through what security means in IBM's overall strategy.
"ISS is getting itself back on track and finding its way," said Gartner Inc. analyst Greg Young. "There's a period of considerable distraction for ISS, which is not unexpected, particularly in a company as large as IBM. There are some hard decisions along the way. Do they do things for the ISS business unit or for the greater benefit of IBM? Those are some of the tough trade-offs they've been trying to rationalize as they move forward."
The over-arching strategy, said Josh Corman, principal security strategist for IBM, is to give organizations tools and options for dealing with spiraling security costs. He cites five sources of this dilemma: evolving threats, the burden of regulatory compliance, new IT technologies that change the landscape, fluctuations in the global economy, and changes in individual corporations' business priorities.
"At this point in history, the confluence of changes across these five vectors has led to a state where the cost and complexity is far greater than people can handle," Corman said.
A study this year conducted by Forrester Research Inc. showed that security will account for about 10% of IT spending in 2008, up from 8% in 2007, and is expected to grow next year. In one fell swoop, IBM announced:
- A new release of its unified threat management (UTM) tailored for small business, including, for the first time, an SSL VPN.
- A virtual appliance version of its network intrusion prevention system (IPS).
- An update to its network enterprise vulnerability scanner.
- An IPS controller, effectively a load-balancer to aggregate IPS appliances to achieve a greater throughput of up to 10 Gbps.
- A new release of Proventia Management SiteProtector, IBM's security management console.
"This may seem like a collection of announcements," Corman said. "Some of this is a natural opportunity to introduce refreshes or reboots and new products at one time, but another factor you're going to see is taking a lot of the legacy portfolio and new introductions and steer away from point products and more to reducing costs and reduce complexity and more to reduce business issues."
To a more cynical observer, all this may be a new variant of the venerable argument of all large IT vendors: Buying multiple managed products from us makes more sense than a collection of incompatible point products from different vendors. And, by the way, our products are best of breed.
Corman concedes the danger of vendor lock-in if enterprises commit too much of their security infrastructure to a single provider, but he also said the risk is greater with pure-play security vendors than with more diverse IT companies like IBM.
"IBM or other integrators solve a number of issues outside security," he said. "Security really becomes an attribute of the existing infrastructure that IBM sells. People are expecting all their infrastructure products to make more things secure by default."
Analysts say the virtual appliance announcement is an interesting one, a good example of the impact new technology has on the security industry. It's an important first step as security plays catch-up to virtualization, whose business benefits -- consolidation, energy savings, business continuity and disaster recovery -- have easily trumped security concerns. Recently, Check Point Software Technologies announced a virtual firewall appliance and Sourcefire Inc. announced a virtual IPS appliance. Until now, security tools were blind to virtual machines and traffic between them.
"The customer needs for security in virtualization have outstripped the security vendors' delivery of them," said Young. "There's a huge gap between virtualization security requirements and what vendors are able to offer."
The announcements also reflect a couple of interesting trends in the security industry and the IBM-ISS marriage in particular. ISS was a large enterprise vendor. Its UTM appliances were built to install in branch offices of large enterprises managed by security professionals. The new release is pitched as an all-in-one, low-cost security appliance for small and midsized businesses (SMBs), and offers a number of usability improvements for those environments.
The addition of an SSL VPN fills a missing piece that both large and small customers are demanding for flexible remote users and cost savings for those using leased lines in distributed organizations.
Further, it's part of IBM's Express Advantage family, which is geared to small businesses and allows customers to purchase the system as both an appliance and managed service. In the same vein, SiteProtector is offered as a managed service as well. These underscore the importance of managed services to IBM's security strategy, a point that Gartner emphasized at the time of the acquisition. The deal made sense for IBM from a services perspective, Gartner said at that time, but bringing in ISS' security products was risky.
"The formula is still there; the steps we're seeing in this announcement are ways to make up some of that ground," Young said. "It's good they're pressing on improvements in network security area."
"The MSSP business made so much sense and that was why IBM bought them. But IBM does not have a strong rolodex in the network security buying center, so it's still a rough fit to roll out to the IBM sales force and subsequently for the IBM customer base," Young said.
Rough fits notwithstanding, the announcements signal some progress towards a strategy that fits IBM's world view and allows the security team to do what it does best, said Eric Ogren, founder and principal analyst of the Ogren Group.
"It's been a nice evolution both ways," said Ogren. "IBM has done a pretty good job of making security intrinsic. ISS has been encouraged to grow and is taking a more strategic view of where security fits."