SearchSecurity: CA has gone on a shopping spree over the last 18 months. Give us a sense of how you've integrated these acquisitions, specifically Pest Patrol and Netegrity.
Toby Weiss: It's now been 13 months since the Netegrity close. Netegrity had a large customer base, and there was a little bit of overlap in technology with what CA has. At the same time, customers had bought Netegrity products like Site Minder or Transaction Minder, because they were best-of-breed and they wanted us to continue to develop them. We published a roadmap called, "Innovate and Integrate." We had a dual track of development: innovation and integration, which allowed [customers] to integrate into the CA portfolio and leverage common workflows. The big integration was completed when we launched our Identity Manager product in November. This was really the superset of the Netegrity product and CA technology -- to give end-to-end ID management to our customers.
On the Pest Patrol side, you have a different user base -- consumers, SMBs and enterprises. What people expected from CA was to keep Pest Patrol best-of-breed. One of the reasons it was best-of-breed was the research that went on for spyware detection. There's also a trend to reduce the number of agents on the desktop and leverage existing infrastructures with antivirus. We are in the process of launching our Integrated Threat Management Release 8 solution, and we have a new enterprise version of our Pest Patrol and antivirus products -- we've combined the two, so customers who want to run them both get one install, one management infrastructure, one user interface and one set of policies. Large companies with one or two people managing antivirus are now going to be able to manage antispyware, too.
Do you think ultimately antispyware will become commoditized and the AV vendors will own the market?
Weiss: The platform vendors are always adding functionality into their platform, and the management vendors always have to provide value. At the same time, there's a push from users who want best-of-breed protection, but there's pressure towards commoditization. Customers want one way to manage [antispyware]. They'd like lower costs. But there's still a lot of room for growth before we see that commoditization. There's still a lot of room for differentiation amongst the products. If you look at the big incumbent vendors in the antivirus space, no one really has an outstanding antispyware product.
We keep hearing that 2006 is going to be the year of ID and access management. Why do you think businesses are really starting to invest time and money in this sector?
In 2002, 2003 and 2004, customers were looking at ID and access management as a way to reduce costs. They'd go through ROI cycles and hard analysis on saving money. They'd look at password resets that they can automate, the time it takes to create users, the process of getting customers online more efficiently.
In 2005, you saw a shift to a focus on the benefits in terms of being compliant with regulations. There's still strong ROI, but the reasoning shifted to, "We need strong controls because government and auditors say we need strong controls." A simple question, like who has access to what, is impossible to answer in most companies. How do we automate? Can we implement more sophisticated workflows so approvals flow seamlessly? Can we have one system to manage all of our identities? We're going to see an increase in ID and access management to drive automation and keep costs of compliance down. The other big thing we'll see in 2006 is federation.
Really? That's different from what RSA CEO Art Coviello said.
Federation projects are making their way from the labs to production. At last count, we had over 100 customers starting to roll out federation. In 2005, it was an interesting term. People were playing around in the labs. They were working with partners. They worked out some kinks, and we got a second round of standards last year. You now have these rolling out into production. I think we'll see this reduce the cost of compliance, but also enable business. Whereas in the past security was viewed as the lockdown group, identity and access management are reducing costs and enabling the top line by allowing more customers and partners to access services.
In your keynote, you're talking about the "silos of security" and how to break them down. What silos are you referring to?
You've got the group that tries to lock things down and the group that tries to enable open access. You've got a network operations center and a security operations center. You've got organizations that manage desktops, and a different group worried about security vulnerabilities and patch management. In many cases, the war is with ourselves to make all of this work.
You have new dimensions of security coming in -- what I would call presence. Give me access based on where I am; give me access based on the type of device I came in on; give me access based on specific information about what I'm doing now. Cisco Systems is driving a lot of this with its NAC strategy: Don't give anyone access unless they have updated antivirus and antispyware. That's just one example. It's no longer just a user ID and password that lets you into the network. I want to check the policies and configuration of your computer to make sure you're a safe environment before I let you become part of our extended environment. You can take this concept to the next level. If someone's on their mobile phone, give them access to certain things. If they're at a customer site, give them access to certain things. We're really looking at much more than who you are and what you have access to: Where are you, and what's your current state right now?
Read more of our RSA Conference '06 coverage.