
Safe and secure investments

High-profile security glitches may have made the headlines during recent weeks, but resellers in the IT security market have reason to be thankful for the coverage.

By Paul Bray, Computer Reseller News, vnunet.com 04 May 2000

Vicious viruses, sleeping stock exchanges and lost or stolen laptops containing top-secret plans may do little for public confidence in IT, but they all help fuel the continuing success of the security market, which has been ignited by the growth of ecommerce, and home and mobile working.

David Tapper, a network and desktop outsourcing services analyst at researcher IDC, says: "Converging technologies, demand for remote access, voice and data services, and the need for seamless connectivity are inciting growth in the network security services market and creating lots of opportunities for service providers.

"Companies are increasingly outsourcing their network security needs, because the complexity of networked devices and systems is straining the ability of in-house IT organisations to perform the necessary security management."

IDC said security services providers will have to deliver their products as part of a comprehensive package of network services, including disaster or network recovery, and network, systems and desktop remote management.

The researcher's predictions will be music to the ears of any reseller with security or networking interests. Worldwide firewall appliance turnover will grow by 51 per cent a year until 2004, to $1.4bn (£875m). Total firewall sales could top $2bn by the end of this year. Network security services will soar from $512m in 1998 to $2.24bn in 2003. Internet security software will be worth $8.3bn by 2003, representing a compound annual growth rate of 21 per cent since 1998.

This is in addition to more conventional security issues, says Paul Vlissidis, head of information security at the National Computing Centre. "Risks that have been around for a while, such as virus attack and loss of data, are still the biggest problems. Things such as secure credit card transactions on the web are lower down the list of priorities, although they're becoming more important as usage increases," he says.

Businesses are coming under increasing pressure to deal with IT security. Last year, the Stock Exchange amended the regulations for public companies in the light of the Turnbull Report, issued by the Institute of Chartered Accountants. Directors are now responsible for managing risk in their organisations, and are obliged to report at least annually to shareholders on what risk analysis and risk management they have done. This year's audits and annual reports will have to take account of this.

The new Data Protection Act, which came into effect in March, also has security implications. Emails can now be classed as personal data, and employers may find it more difficult to secretly monitor staff communications. Year 2000 audits have brought to light a lot of problems, from loopholes in access controls to kit that has gone missing over the years.

The burning issue
Firewalls remain the cornerstone of network security, providing sophisticated access controls, plus ancillary services such as antivirus, control of internet access and basic encryption. Sales of traditional software firewalls remain strong, but appliance firewalls - machines with stripped-down, super-secure operating systems - are gaining ground, and filtering routers are often used as a simpler alternative to full firewalls.

Firewalls are effective, offering good added-value potential for resellers, but only if they are configured by an expert. Cisco, Check Point and WatchGuard are among the leading vendors, and Nokia is making noises with easy-to-manage appliance firewalls.

But firewalls are fairly passive beasts, merely reacting to security threats when they arise. More pro-active managed service firewalls, or session walls, can detect possible hacking attempts and denial of service attacks - where a server is bombarded with messages until it crashes - monitor employees' use of the internet and fix simple security threats automatically. Anti-threat software, such as RealSecure from Internet Security Systems (ISS), performs similar functions.

The growth of teleworking, extranets and the internet has created a need for authentication technology, to check just who is at the other end of the line. There are even products that perform a health check on remote PCs, checking for viruses before allowing them to connect, according to Kevin Black, sales and marketing director at ISS. "Two years ago, a typical 1000-user network would consist of 999 employees and maybe one outsider. Now it might be 50 employees and the rest are customers, suppliers and other outsiders," he says.

Although simple authentication is built into Windows 2000, companies with larger networks prefer separate products, such as those from RSA, Baltimore or Entrust. These create unique digital signatures that can prove the identity of a caller or the author of an electronic document.

High-end products tend to use public key infrastructure (PKI), which works by combining a private key held on the user's PC with a public key distributed to anyone with whom the user communicates.

But this is an area best left to the experts, says Bernie Dodwell, marketing and business development manager at specialist security distributor Allasso. "PKI is a minefield for resellers," he warns. "There are very few companies that are capable of implementing and managing a PKI. It's not just installation but long-term management. What happens if someone loses their key, or two companies merge and their PKIs are based on different vendors?"

Is encryption the key?
As the volume of email increases, encryption is being used even more widely, often to create virtual private networks (VPNs) that use the internet as a cheap alternative to a private network infrastructure. Leading encryption vendors include Network Associates, which now owns the popular PGP standard, and RSA. But encryption use presents its own security hazards, since businesses cannot easily see what their employees are sending and receiving. Is employee one smuggling out the client file before defecting to a rival, or is employee two running a porn ring from their desktop?

So vendors have produced software such as Content Technologies's SecretSweeper, which can decrypt emails and web traffic before scanning them for naughty and nasty bits. More conventional products, such as Content's Mimesweeper and Websense from Nokia, can check for viruses and illegal content such as libels, pornography or confidential data, as well as letting managers define what users are allowed to do on the internet.

Chris Heslop, marketing director at Content, says: "During the 1998 World Cup, a lot of customers blocked the name Beckham. One customer picked up 40 references, 39 of which were obscene or time-wasting."

The virus threat should not be underestimated. There are about 60,000 known viruses, most of which transmit themselves through macros in email attachments. Viruses that trash your hard disk are rare, but some can make you look stupid by, for example, sending something unsavoury to everyone in your address book. High-profile denial of service attacks, such as those on Yahoo and CNN, are carried out by virus variants called zombies, which take over the victim's server. Antivirus software remains popular, although it is largely commoditised and margins are lower. The key manufacturers include Content Technologies, Sophos, F-Secure - publisher of F-Prot, which is now moving into wireless application protocol - and Network Associates, which owns McAfee.

Resellers cash in
Security should be a dream market for resellers. There is scope for high-margin and added-value sales such as consultancy and implementation and there are often several products to integrate. Post-sales revenue is healthy, including software upgrades, regular security reviews and technologies to implement. Demand is booming.

Rajive Kapoor, chairman of network reseller Systems Group International, says: "The market is already there, you don't need to create it. If you're an applications-based reseller, it's a relatively easy sale because you can incorporate security as part of your existing applications sale."

High-margin added value accounts for at least as much of a security sale as the hardware and software, and the proportion is increasing. Margins on some products can be as high as 30 per cent, although not on commodity software such as antivirus packages. Vendors claim return on investment in just a few months, and there's plenty of scope for repeat sales.

Reseller numbers are also booming, particularly as smaller businesses begin to take security more seriously. "The reseller market is maturing very quickly," says Dodwell. "Few companies outside The Times top 1000 have the resources to have someone on the staff to monitor security issues, so they rely on resellers. We deal with 550 to 600 active security resellers in the UK."

A few of these resellers are security specialists, but most are in areas such as networking, web technologies or network integration. They may start by selling simple solutions such as firewalls, then extend into fully-fledged security solutions. They also create a separate unit to handle security business.

Mark Forrest, sales and marketing director at Sophos, says: "You don't suddenly become an expert in security. Successful resellers have been in security or networking for some time. They tend to be people with a portfolio of security capabilities, a range of added-value services based around a common set of problems."

But increased commoditisation is likely to open the security market, and vendors such as ISS are looking to increase their channel sales. "It's a specialist market now. Our most successful partners are those with network expertise," says Black. "But in the next two years, we plan more commoditised versions of the technology which can go through a more standard channel."

Security vendors are tightening up their accreditation processes for resellers. Sophos, for example, is introducing an accreditation scheme this summer, but despite the mystique that surrounds them, most security products are not all that complicated and can be learned on the training courses provided by vendors or their agents.

It's important for staff to possess business and consultancy skills as well as up-to-date security knowledge in this fast-moving market, where technology, legislation and security threats can all change quickly.

"Products have to be implemented according to the client's security policy," says Dodwell. "The skill is in picking the right technologies to implement the policy, and then configuring them correctly."

Not all resellers make the grade. "Box-shifters have come to us and said they wanted to sell security," says Dodwell. "Loading a firewall onto a server is only 15 per cent of the job. The skillful reseller will sell not just products, but expertise and an understanding of legal and personal aspects. That's where the money is to be made."

Conclusions

  • the growth in ebusiness and remote working, combined with legal and regulatory pressures, is creating huge demand for security products and services
  • traditional products such as firewall and antivirus software remain strong, but new areas such as authentication, email monitoring and appliance firewalls are growing
  • security is a consultancy sale. Successful resellers have a background in networking or internet services, not box-shifting
  • user awareness of security remains low, particularly in small and medium-sized companies that rely on resellers for security services
  • opportunities for resellers are excellent as the market grows.
