English Pages 186 Year 2004
TECHNOLOGY
The Enterprise Security Outlook
New product strategies and the impact of partnerships and verticalization
By Gary Eastwood
Gary Eastwood
Gary Eastwood is an experienced writer and editor on business and IT issues, contributing to many of the leading IT publications and magazines that cover the gamut of IT sectors. As well as having held senior positions on a number of IT trade publications, Gary is currently the freelance editor of a trade publication covering mobile technology and business issues. Gary has also worked with companies such as Microsoft, IBM, CSC, Oracle and Intel in a marketing communications capacity.
Copyright © 1998 Business Insights Ltd This Management Report is published by Business Insights Ltd. All rights reserved. Reproduction or redistribution of this Management Report in any form for any purpose is expressly prohibited without the prior consent of Business Insights Ltd. The views expressed in this Management Report are those of the publisher, not of Business Insights. Business Insights Ltd accepts no liability for the accuracy or completeness of the information, advice or comment contained in this Management Report nor for any actions taken in reliance thereon. While information, advice or comment is believed to be correct at the time of publication, no responsibility can be accepted by Business Insights Ltd for its completeness or accuracy. Printed and bound in Great Britain by MBA Group Limited, MBA House, Garman Road, London N17 0HW. www.mba-group.com
Table of Contents
The Enterprise Security Outlook
Executive summary
Chapter 1  Introduction
    Layered security
    Drivers
    Inhibitors
Chapter 2  Market overview
    By geography
        Global
        Europe
    By vertical market
    SME market sizing
    Middleware
    Bespoke vertical applications
    Front-office applications
    Back-office applications
    General business applications
Chapter 3  Enterprise anti-virus markets
    Key market drivers
    Key market inhibitors
    The global market
    Europe
    SME vs enterprise
    Vertical markets
Chapter 4  Enterprise content filtering markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs enterprise
    By vertical
Chapter 5  Enterprise encryption markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs enterprise
    By vertical market
Chapter 6  Enterprise firewall and VPN markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs enterprise
    By vertical market
Chapter 7  Enterprise identity management markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs enterprise
    By vertical market
    Critical success factors
Chapter 8  Enterprise Internet management markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs enterprise
    By vertical market
Chapter 9  Network-based intrusion protection systems markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs. enterprise
    By vertical market
Chapter 10  Host-based intrusion protection systems markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    SME vs. enterprise
    By vertical market
Chapter 11  Enterprise PKI markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    By vertical market
Chapter 12  Enterprise security management tools markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    By vertical market
Chapter 13  Enterprise vulnerability assessment markets
    Drivers
    Inhibitors
    By geography
        Global
        Europe
    By vertical market
Chapter 14  Enterprise wireless LANs
    Customer focus
Chapter 15  Conclusions
    Multi-product solution models
    Improving partnerships
    Channel strategies
    Verticalizing the sales and marketing message
List of Figures
Figure 1.1: The layered security model
Figure 2.2: Global enterprise security market revenues 2002-2006 ($bn)
Figure 2.3: Global enterprise security product market revenues, by region 2002-2006 ($bn)
Figure 2.4: Global enterprise security product markets by size of organization 2002-2006 ($bn)
Figure 2.5: Global mobile middleware revenues, by application (2001-2006)
Figure 2.6: Global mobile middleware revenues, by sizeband (2001-2006)
Figure 2.7: Strategic evaluation of selected mobile security vendors
Figure 3.8: Global enterprise anti-virus markets 2002-2006 ($m)
Figure 3.9: Global enterprise anti-virus markets by size of organization 2002-2006 ($m)
Figure 4.10: Global enterprise content filtering markets 2002-2006 ($m)
Figure 4.11: Global enterprise content filtering market by size of organization 2002-2006 ($m)
Figure 5.12: Global enterprise encryption solution markets 2002-2006 ($m)
Figure 5.13: Global enterprise encryption market by size of organization 2002-2006 ($m)
Figure 6.14: Enterprise firewall & VPN market 2002-2006 ($m)
Figure 6.15: Global enterprise firewall & VPN market by size of organization 2002-2006 ($m)
Figure 7.16: The pros and cons of an identity management deployment
Figure 7.17: Global enterprise identity management spend, 2003 to 2007 ($m)
Figure 7.18: Global enterprise identity management market by size of organization, 2002-2006 ($m)
Figure 8.19: Global enterprise employee Internet management solution markets 2002-2006 ($m)
Figure 8.20: Global enterprise employee Internet management solution market by size of organization 2002-2006 ($m)
Figure 9.21: Global market for network-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
Figure 9.22: Global enterprise network-based IPS market by size of organization 2002-2006 ($m)
Figure 10.23: Global market for host-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
Figure 10.24: Global enterprise host-based IPS market by size of organization 2002-2006 ($m)
Figure 11.25: Global enterprise PKI markets 2002-2006 ($m)
Figure 12.26: Global enterprise security & threat management markets 2002-2006 ($m)
Figure 13.27: Global enterprise vulnerability assessment market 2002-2006 ($m)
Figure 14.28: Global revenues from enterprise WLAN infrastructure by region to 2006 ($m)
List of Tables
Table 2.1: Global mobile middleware revenues, by application (2001-2006)
Table 2.2: Global mobile middleware revenues, by sizeband (2001-2006)
Table 3.3: Global enterprise anti-virus markets 2002-2006 ($m)
Table 3.4: Global enterprise anti-virus markets by size of organization 2002-2006 ($m)
Table 4.5: Global enterprise content filtering markets 2002-2006 ($m)
Table 4.6: Global enterprise content filtering market by size of organization 2002-2006 ($m)
Table 5.7: Global enterprise encryption solution markets 2002-2006 ($m)
Table 5.8: Global enterprise encryption solution market by size of organization 2002-2006 ($m)
Table 6.9: Enterprise firewall & VPN market 2002-2006 ($m)
Table 6.10: Global enterprise firewall & VPN market by size of organization 2002-2006 ($m)
Table 7.11: Global enterprise identity management markets 2002-2006 ($m)
Table 7.12: Global enterprise identity management market by size of organization, 2002-2006 ($m)
Table 8.13: Global enterprise employee Internet management solution markets 2002-2006 ($m)
Table 9.14: Global market for network-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
Table 10.15: Global market for host-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
Table 11.16: Global enterprise PKI markets 2002-2006 ($m)
Table 12.17: Global enterprise security & threat management markets 2002-2006 ($m)
Table 13.18: Global enterprise vulnerability assessment market 2002-2006 ($m)
Executive summary
Introduction
Security is still the number one priority for CIOs, with 31% of all enterprises surveyed placing security as their first ranked concern, the highest proportion by far.
In total, 60% of companies indicate that security is one of their top three concerns.
As companies wake up to the benefits of equipping their field forces and remote workers with mobile devices, the security market is also picking up.
As routes to market for enterprise solutions are changing and developing considerably, it is important that security vendors are flexible enough to cope with this.
Strong channel and technology partnerships will both be crucial to success.
Market overview
The global enterprise security products market will grow from $7.1bn in 2002 at a CAGR of 17.4% to reach just over $13.5bn in 2006.
The North American market accounted for almost 56% of total revenues in 2002 and will grow at a CAGR of 15.3% to reach almost $7bn by 2006.
The UK & Ireland market was the largest in Europe in 2002, representing around 23% of a total of $2.1bn.
While the SME sector will continue to grow more rapidly from 2002 to 2006, the enterprise sector will still represent 73% of the market in three years' time.
The financial services sector was the largest individual vertical market in 2002 in terms of revenues with 25% of the market.
The mobile middleware market will grow by 183% between 2004 and 2006, to just under $2.1bn.
Enterprise anti-virus markets
The global anti-virus market will grow at a CAGR of 14% from $1.74bn in 2003 to $2.5bn in 2006.
By 2006, North America will account for 48% of total global revenues, compared to 51% in 2003.
Latin America will be the fastest growing region, up from $39m in 2003 to $72m in 2006, a CAGR of 185%.
The SME market will grow at a CAGR of 16% to reach $847m in 2006, up from $660m in 2003.
The enterprise anti-virus market will grow at a CAGR of 14%, up from just under $1.2bn in 2003 to $1.64bn in 2006.
Working closely with the best-of-breed vendors in each segment of the market will be vital to providing a solution that customers feel isn’t letting them down in certain areas.
Enterprise content filtering markets
The North American market is still the largest market for enterprise content filtering solutions in terms of sales, hitting $289m by 2006, up from $132m in 2003, a CAGR of 31%.
The EMEA market for enterprise content filtering will grow from $59m in 2003 to $138m in 2006, a CAGR of 34%.
The central European market is still strong but issues over monitoring employee mail from a privacy stance (Germany & Austria) and a trade union stance (France) have kept growth in these markets down.
The SME content filtering market will grow strongly at a CAGR of 42% from 2002 to 2006, reaching $190m.
While content filtering will continue to grow as a stand-alone market for the foreseeable future, the signs for the future of the technology point to its integration with other solutions.
Working closely with the best-of-breed vendors in each segment of the market will be vital to providing a solution that customers feel isn’t letting them down in certain areas.
Enterprise encryption markets
The global encryption market is set to grow at a CAGR of almost 45% to reach over $0.5bn by 2006.
By far the biggest reason why the encryption market will see rapid growth between now and 2006 is the introduction of SSL appliances.
One problem for device-based storage systems is how to control authentication.
The European market in 2003 was worth an estimated $58m. This will grow at a CAGR of 41.3% to hit $161m by 2006.
Although the enterprise market will grow more quickly from 2002-2005, the market will begin to take off and it is likely that the SME market should at least match the enterprise market from 2002-2006 – and possibly even outstrip it.
The market for SSL appliances will largely be based on the provision of more effective mobile worker and extranet solutions.
Enterprise firewall and VPN markets
The global market for enterprise firewalls and VPNs will grow from $2.73bn in 2003 to $4.52 in 2006, a CAGR of 20%.
The EMEA market for firewalls and VPNs will grow from $931m in 2003 to $1.54bn in 2006, representing a CAGR of 20%.
Again, the fastest growing market will be Latin America, growing at a CAGR of 34% to hit $143m in 2006.
The SME space will grow at a CAGR of 27% from 2002 to 2006, representing around a third of the market.
Reducing communications costs is the number one driver for stand-alone VPN solutions and the VPN element of combined firewall / VPN devices and software.
At least seven major competitors are fighting it out for mainstream and niche revenue sources. The advent of application-level firewalls should see competition increase, as each vendor looks to make its solutions block as many attacks as possible.
The strong competition in the market will continue, and little will change with the advent of the new business models.
Enterprise identity management markets
The total market for identity management (IDm) products and services is set to grow from 2003 revenues of $4.3bn to reach $6.2bn by 2007 at a CAGR of 9.9%.
The North American market for IDm products and services will grow from $1.05bn in 2003 to reach $1.19bn in 2006, a CAGR of 4%.
EMEA is typically a year behind the US on the technology curve, so the market will take slightly longer to establish itself. The EMEA market will grow more quickly from 2002 to reach $711m in 2006, at a CAGR of 7%, because it is growing from a much lower base.
No single vendor controls the market for identity management solutions because of the modular nature of the market.
The complexity of identity management solutions is a significant inhibitor of the market.
There is a series of core attributes that IDm vendors and solution providers must be able to demonstrate: full portfolios; a highly modular approach; devolved administration capabilities; professional services back-up; future focus; and understanding of the legacy environment.
Enterprise Internet management markets
The strong growth currently experienced by the enterprise Internet management market will continue, rising from $201m in 2002 to an estimated $679m in 2006, at a CAGR of 36%.
The majority of revenues generated in 2003 came from the North American markets (approximately 64%), which is set to grow at a CAGR of 34% between 2003 and 2006 to reach $410m.
Growth in Europe and Latin America will outstrip that of the North American market, with EMEA growing the most rapidly at a CAGR of 39%, hitting $181m by 2006.
The SME market is expected to grow at a CAGR of 52% between 2003 and 2006 to over $200m, compared to just under $500m for the enterprise market.
There is some debate as to whether the EIM market solves a security problem or an efficiency one, but strong growth suggests that organizations see controlling their employees’ Internet activities as a priority.
The markets for EIM and content filtering will continue to converge as organizations look to create a more comprehensive content control strategy.
Network-based intrusion protection systems markets
The global market for network-based IPS is set to grow at a steady rate of around 19% from 2003 to 2006. By 2006 sales will hit $536m.
North America dominated the space in 2003, accounting for 61% of all sales. This region will grow at a CAGR of 18% to reach $310m by 2006 (58% of the total market).
The EMEA region will grow at a CAGR of 20% between 2003 and 2006, increasing from $83m to $138m.
While Latin America will show the fastest growing CAGR (24%), the region will represent only limited market opportunities, growing from $7m in 2003 to $12m in 2006.
Customer testimonials will be vital in convincing a skeptical market that things have changed for the better.
Host-based intrusion protection systems markets
The global market for host-based intrusion protection products and solutions will grow at a CAGR of 20% between 2003 and 2006, reaching $186m by the latter date.
The North American market will outstrip the rest of the markets to 2006 because US and Canadian companies are more receptive to the latest security technologies than their counterparts in the rest of the world.
The North American market is set to grow from $69m in 2003 to $128m in 2006, a CAGR of 21%.
The EMEA region market opportunity is set to grow from $19m in 2003 to $35m in 2006, a CAGR of 20%.
Asia Pacific growth will match that of the EMEA region growing at a CAGR of 20% to hit $19m by 2006 (up from $11m in 2003).
Vendors should make their solutions as modular as possible to ensure that they can work effectively with complementary solutions from a number of vendors.
Enterprise PKI markets
The global market for PKI products will grow at a CAGR of 8% between 2003 and 2006, to hit $129.7m.
North America accounted for just under 50% of the market in 2003, and will continue to do so through to 2006.
The North American region will grow at a CAGR of 7% between 2003 and 2006, reaching $64.7m.
EMEA sales will grow at 7% CAGR to reach $48.8m in 2006, accounting for 38% of the market.
Asia Pacific will grow the fastest, at a CAGR of 9%, to reach $13.6m by 2006.
One of the most important recent developments, certainly in the enterprise authentication space, was the push of Microsoft’s PKI with the release of Windows Server 2003.
Vendors should work closely with Microsoft to ensure not only that their solutions are fully compatible with the Microsoft PKI but also that customers looking for a more externally facing PKI can migrate easily to other vendors’ platforms.
Enterprise security management tools markets
The global market for enterprise security management tools will grow from $485m in 2003 to just under $1.1bn in 2006, a CAGR of 30%.
The EMEA and Asia Pacific regions will see the fastest growth (CAGR 31%) through to 2006.
The EMEA market for enterprise security management tools will grow from $125m in 2003 to $297m in 2006.
The Asia Pacific market will more than double between 2003 and 2006, making a $120m market opportunity.
It remains unclear who will succeed in this market but the threat protection and network management vendors are most likely to be the top solution providers in this space.
Enterprise vulnerability assessment markets
The global enterprise vulnerability assessment market is set to grow from $344m in 2003 to $606m in 2006, a CAGR of 20%.
The North America region will offer a $381m opportunity by 2006 (up from $217m in 2003), accounting for 63% of the vulnerability assessment market.
EMEA will grow at a CAGR of 21% reaching $142m by 2006 (up from $78m in 2003). It will account for 23.4% of the market by 2006.
Asia Pacific will match EMEA growing at a CAGR of 21% to reach $72m by 2006.
VA vendors should look to build VA reporting capabilities into the rest of their solutions and create proactive, intelligent threat assessment modules.
Stand-alone vendors should look to partner and should work closely with IPS vendors and threat management players to ensure a more dynamic role at the heart of a much larger solution.
Enterprise wireless LANs markets
The global enterprise WLAN market was worth approximately $650m in 2002. This report forecasts a CAGR of 19% through to 2006, when the market is estimated to be worth over $1.3bn.
Approximately 750,000 access points were deployed in the enterprise market globally in 2002, and this report expects this number to increase to over 1.3m by 2006.
The strongest regional growth in the coming years will be in Asia Pacific where price pressures have been high and WLAN equipment is very good value for enterprise IT managers.
The vertical market with the highest revenues in EMEA has been and will continue to be the manufacturing sector, which was worth approximately $50m in 2003.
The fastest growing vertical market for WLAN infrastructure revenues in EMEA is the education sector.
Strong growth will also come from ‘white collar’ enterprise vertical markets such as financial and professional services with the productivity benefits of WLANs increasingly resonating with IT managers in these industries.
Conclusions
The security market is set to grow at levels well above those predicted for the rest of the market for the next five years largely due to the strength of demand following increased awareness of the continuous need to stay on terms with hackers and virus authors.
Security appliances continue to thrive as companies look for security solutions that are easy to integrate and set up.
While standards have been slow to take off in the mass market they have become a prerequisite in areas where purchasing is made at an individual level but rules for such purchasing have been set centrally within an organization.
The future of the enterprise security products market as a whole will certainly not entirely depend on vendors adapting their solutions to meet these needs, but these drivers will increase in importance and may be a prerequisite for success in many markets.
Four key messages have emerged from the analysis for this report. These are:
Embrace the merging multi-product solution models;
Increase the focus on partnerships and strategic alliances;
Constantly look to improve the channel model;
Verticalize the sales and marketing message.
CHAPTER 1
Introduction
Summary
Security is still the number one priority for CIOs, with 31% of all enterprises surveyed placing security as their first ranked concern, the highest proportion by far. In total, 60% of companies indicate that security is one of their top three concerns. As companies wake up to the benefits of equipping their field forces and remote workers with mobile devices, the security market is also picking up. As routes to market for enterprise solutions are changing and developing considerably, it is important that security vendors are flexible enough to cope with this. Strong channel and technology partnerships will both be crucial to success.
Introduction
With security still a number one priority for many CIOs, the stock market valuations of many security firms suffered less than many others in the IT industry during the downturn. When any organization looks to improve the security of its IT assets, it will typically seek to build on previous investments made in its security architecture – that is to say, by buying more security products. The enterprise security products market is, however, really a number of different sub markets, each with a compelling story to tell. Some of the markets are more mature than others and each one typically has a different set of business dynamics, making it difficult to compare one segment to the other. This report aims to provide a detailed overview of each market while explaining how each technology can be combined with technologies from other areas to provide a more comprehensive threat protection model.
This report covers the individual product sectors that make up the overall enterprise security products market, which has been subdivided into twelve individual markets. These are:
Anti-virus protection;
Intrusion protection;
Content filtering;
PKI solutions;
Encryption products;
Security management;
Firewalls & VPNs;
Vulnerability assessment;
Identity management solutions;
Wireless LANs;
Internet management.
Market overview
The economic downturn seriously affected this industry, with uptake of simple proof-of-concept solutions (such as mobile email) stuttering due to a lack of solid, credible ROI metrics for solutions of this type. The uptake that has been seen has been of slightly more complex (and hence more costly) solutions. The market for enterprise security products remained relatively flat during 2002, largely due to the soft economy, with only a handful of vendors seeing revenues rise dramatically. The experience gained during this time has, however, been invaluable for many vendors, who have taken greater steps both to listen to the needs of their customers and to work to ensure that their solutions can become part of a more cohesive security architecture.
Layered security
One way that vendors have sought to increase the penetration and the number of deployments for their technologies within a single customer has been to push the concept of layered security. With this model, customers no longer have to rely on one device to protect all of their assets and can feel more confident that their assets have more solutions in place to protect them. There are three layers within the enterprise IT system where such solutions will be applied (see Figure 1.1).
[Figure 1.1: The layered security model. Layers shown: the perimeter; the core infrastructure; the desktop / client level. Labels in the figure: service provider-based security solutions; router-based security solutions; gateway-based solutions; application-specific solutions; hardened OS; host-based security; integrated security; change management solutions.]
Source: Business Insights
The three key elements of the layered security model are:
The perimeter. The concept of perimeter security devices evolved as soon as the IT user community realized the threat potential of the Internet. With so many threats coming from a single source, it stood to reason that positioning security solutions on the edge of the network and allowing them to analyze and control the flow of data from the Internet to the heart of the system could allow many of these potential problems to be controlled or spotted.
The core infrastructure. The core infrastructure is defined here as the solutions within the network that manage and control the flow of data to and within the system. Vendors realized that should the perimeter be breached then the IT assets would be at the mercy of hackers or malware. Perimeter-based solutions also could do little to prevent attacks carried out by users within the system or from other sources such as devices added to the network (such as WLANs, PDAs or USB storage tokens), from users bringing in infected floppy disks or CD-ROMs, or from solutions that punched holes through perimeter devices such as VPN tunnels or open firewall ports. Vendors have therefore added solutions designed to give greater protection to routers, servers and specific applications.
The desktop / client level. For many organizations, security investment began at the desktop level with anti-virus solutions designed to protect the system against viruses transferred by floppy disks. With the recognition that the Internet had become the key area of concern, the desktop became relatively neglected. Now, with the realization that this has increasingly become another potential vector for infection, customers are once again looking to add security solutions to or in front of desktops, home worker PCs and even PDAs.
In some senses, the move towards layered security evolved when vendors brought in both network- and host-based solutions such as anti-virus, firewall and intrusion protection. While so far the number of organizations deploying a truly layered security architecture is relatively small, the model is gaining acceptance and the mature, ‘security-elite’ organizations (also referred to as ‘early adopters’) are beginning to look with greater interest at more complete protection strategies. As such, the model will flourish first in North America before moving on to Northern Europe and Japan, the rest of EMEA and then the rest of Asia. From a vertical market perspective, it will be the financial services organizations that look to this model first – to be followed soon by healthcare organizations, the defense sector, other government organizations and the pharmaceutical industry. Understanding this concept from a
management perspective is vital because as customers add extra devices to their networks, they increase the inherent complexity of their security architectures. Customers should therefore look to vendors who have taken this aspect into consideration and ensure that they can easily and effectively distribute, manage and update these solutions in a carefully considered manner – if possible from a single source. An example of where this model is already seeing success is in the anti-virus space, where vendors have increasingly sought to persuade customers to improve security by adding anti-virus software at the gateway, server and desktop level. Only through such a strategy can customers minimize potential threats from a wide number of potential attack vectors such as the Internet, floppy disks and CD-ROMs as well as PDAs, home laptops and portable storage devices.
Key drivers and inhibitors
This section of the report looks at the overall drivers and inhibitors for security products in general. While each individual product market has its own set of drivers and inhibitors, there is a common set of reasons why security products in general are still a number one priority for CIOs in terms of new infrastructure investment. There are also a number of reasons why growth has not been as dramatic as expected.
Drivers
The following are the most important drivers of investment in enterprise security products over the next five years.
Security as an ebusiness enabler. One of the strongest drivers for security solutions has been the realization by many enterprises that security is vital to ensure that other ebusiness initiatives are successful. This was especially true during the dot.com boom, when companies realized how important security was in ensuring customer confidence in both the B2B and B2C arenas. Now, as companies look to
other technologies to take their business forward, such as VoIP, mobile & remote access and web services, security remains an integral part of any solution.
Greater government involvement in security awareness programs. One of the worries that have emerged following the war on terrorism and the invasion of Iraq has been continuing fears over terrorist backlashes. A large part of the US Homeland Security initiative, for example, has been dedicated to increasing awareness among US firms of the possibility of attacks via electronic means. By doing so, the government hopes that businesses will be better prepared should an attack occur and that, as a consequence, the damage inflicted will be much less than it could have been.
Homeland security. The increasing focus by the US government has not only translated into a number of security awareness initiatives but also led to a massive investment by a number of government agencies. The federal government reportedly spent billions of dollars on IT security in 2002/3 and this level of investment is set to continue over the next few years. Key initiatives have included rolling out access control solutions and smart card deployments for a number of government agencies as well as a number of schemes designed to assess the effectiveness of each agency’s security plans and develop common standards and best-practice documentation.
The need to respond to security issues in specific applications and services. When vendors design security products, most are built to work effectively within the IT system as it is today. Advances in technology, however, can cause a number of headaches or require new products to be created (or modifications to old ones made). Below is a list of some of the technological events that have caused many clients to query how future-proof a vendor’s technology is and have even allowed a few new vendors to break into the market with technology-specific security products.
Web services. While web services emphasize the interoperability of the web, they also highlight the security problems associated with conducting transactions and communications over it, namely authentication, integrity and confidentiality. While the WS-Security initiatives are praised by the industry as a means of building security into projects from the start, some vendors still feel that the security message is lagging behind the functionality message. Many think that existing standards don’t go far enough and that other issues such as availability and platform security need to be addressed too. One worry is that web services could be used as a means of attacking an organization. Advances in the technologies from the existing leaders of the firewall market such as Cisco, Check Point, NetScreen and Microsoft will provide most customers with greater security from web services-based attacks.
Voice over IP (VoIP). Another technology that looks like finally making it into mainstream use over the next 18 months is VoIP (also referred to as IP telephony). While some fears may exist about the threats from and to VoIP traffic, there are also logistical problems that some firewalls may cause for the technology models used to carry voice as data traffic. An example is User Datagram Protocol (UDP). UDP is a transaction-oriented protocol used for real-time IP communications and is an alternative to the Transmission Control Protocol (TCP) but up to three times as fast. Such speeds are vital for real-time IP voice communications such as telephony and video conferencing. With UDP, transmission details such as ensuring that packets arrive at the proper place in the proper order are the responsibility of a specific application. Unfortunately, many applications send UDP packets to random multiple ports, and those ports must be open for the application to be successful. Such a mechanism could, however, be used to flood ports or infiltrate the network by some other means. As a result, many firewalls are configured to block UDP traffic – a large hurdle in the mainstream acceptance of VoIP.
Mobility. While the promise of more mobile workforces through technology has been around for some time, the increased uptake of broadband, GPRS and the increasing rollouts of public access hotspots (public wireless LAN deployments) mean that it is even easier for IT end-users to access the applications they need from home, hotel rooms, Internet cafes and even coffee shops – giving them the information they need when they need it. Naturally, giving employees access to highly confidential information such as client data or order information has led
many organizations to worry about security and, as a consequence, vendors have looked at positioning a number of their technologies as suitable for securing remote access solutions for workers and partners. A good example of this came with wireless LANs. While the technology proved to be extremely effective at mobilizing workers, the security standard chosen to protect it had a number of highly publicized flaws. As sales of wireless LANs slowed, vendors began looking at a number of solutions to improve security.
Inhibitors
Security as a business disabler. While security may give companies the confidence to experiment with new technologies with less fear of creating security gaps, the impact of the technologies on day-to-day operations can be prohibitive. One example is how useful wireless LANs could be for improving employee mobility. Because of the deficiencies of the embedded security solution, WEP, many vendors looked at security technologies such as IP VPNs and identification tokens as a means of securing access. The administrative burdens incurred and the need to issue client applications and tokens to new users reduced many of the benefits that companies gained in the first place. Another example is false positives. If a security technology takes too much time to manage or, in the case of anti-spam technology, may actually delete important business information, then many IT departments will reconsider deploying the technology and, when they do, will require lengthy testing cycles so they can judge the impact on their operations for themselves. Other problems concerning security technologies include interoperability issues with legacy systems, degradation of server performance and a reduction of network throughput.
Cost. Another problem for organizations is that many security solutions are still immature and vendors have to factor in the cost of development. Manufacturers also have typically not learned how to minimize total cost of production, particularly for hardware solutions. Consequently many companies find many security solutions too costly and would need to have a distinct problem that the solution would solve before considering deployment. Vendors of solutions that don’t have a clear and direct ROI argument have found it difficult to get their messages across.
Management. One side-effect of the economic downturn is that many companies have downsized their IT departments and there is enough for the remaining staff to worry about without adding to their tasks by having to manage new, complicated, manpower-intensive security solutions. Many vendors have cited examples of how a sale over a competitor was won because of the comprehensive management capabilities of these solutions. Indeed some of the faster growing areas of the security product markets are management tools: user-provisioning solutions in the identity management space and threat management solutions in the security management tools space. These solutions are popular because they reduce the time an organization needs to spend on security, whereas solutions that have stumbled in the past few years such as the old intrusion detection solutions and PKI fell short because they took much of the IT department’s time.
Interoperability. Another concern for many potential customers has been how solutions will work together to form a more complete solution and how security solutions will impact the rest of the system. An example of this is one of Microsoft’s reasons for buying an anti-virus vendor in June 2003. Microsoft noticed that anti-virus solutions came into conflict with its systems from time to time and that performance was reduced as a consequence. There is also no common standard for managing security solutions and often a separate tool needs to be deployed for each solution. This adds to the cost and management overheads discussed earlier.
Need for education. The final barrier is still an important one despite the inroads made by vendors and governments alike to make organizations aware of the benefits of deploying security solutions. This is especially the case for new technologies – unless companies are made aware of the benefits of such solutions there is no chance of selling solutions to them. Clearly educating customers as to the availability and advantages of a new technology is a prerequisite for a successful venture. Slow sales in certain segments of the market or slower than expected take-up suggests that this is not always the case.
CHAPTER 2
Market overview
Summary
The global enterprise security products market will grow from $7.1bn in 2002 at a CAGR of 17.4% to reach just over $13.5bn in 2006.
The North American market accounted for almost 56% of total revenues in 2002 and will grow at a CAGR of 15.3% to reach almost $7bn by 2006.
The UK & Ireland market was the largest in Europe in 2002, representing around 23% of a total of $2.1bn.
While the SME sector will continue to grow more rapidly from 2002 to 2006, the enterprise sector will still represent 73% of the market in three years’ time.
The financial services sector was the largest individual vertical market in 2002 in terms of revenues with 25% of the market.
The mobile middleware market will grow by 183% between 2004 and 2006, to just under $2.1bn.
Market size
The increased demand for security and the increasing maturity of key individual markets mean that the overall enterprise security products market is set to grow at a CAGR of just over 17% from 2002 to 2006, from a base of around $7.1bn in 2002 to reach over $13.5bn in 2006 (Figure 2.2). The encryption technology space will be the fastest growing sector of the market, with a CAGR of 45%, thanks mostly to the demand for SSL appliances. This market was small in 2002, however, having reached $115m globally and by 2006 will account for only 3% of the total market.
Figure 2.2: Global enterprise security market revenues 2002-2006 ($bn)
[Chart not reproduced. Legend: Anti-virus, Firewall / VPN, Identity Management, Network IPS, Host IPS, Vulnerability Assess., PKI, Encryption, Employee Internet Mgmt, Content filtering, Security Mgmt Tools, Other; x-axis: 2002-2006; y-axis: $bn.]
Source: Business Insights
The largest individual sector in 2002 was the firewall & VPN sector, which reached over $2.2bn (31% of the total market). Strong growth in the SME sector, advances in firewall technology and a central role in the emerging threat protection model mean that firewall / VPN solutions should continue to outpace the overall security market and will account for a third of all product revenues by 2006.
By geography
Global
The largest revenue-generating region for most technologies historically has been the North American market. For security products this is no exception – in 2002 this accounted for almost 56% of total revenues (Figure 2.3). While in most cases over the next four years the market in other regions will grow more strongly, the lack of maturity for some technologies means that the strongest initial growth will be seen in North America. Therefore, while the other regions will outstrip growth in North
America, this market will still grow at over 15% CAGR from 2002 to 2006 and represent around 52% of the total market in 2006.
Figure 2.3: Global enterprise security product market revenues, by region 2002-2006 ($bn)
[Chart not reproduced. Legend: North America, EMEA, Asia Pac., Latin America; x-axis: 2002-2006.]
Source: Business Insights
The fastest growing market regionally is likely to be the Latin American market, with many firms making up for a lack of security investment previously. This stronger growth does not, however, mean that the market will be a significant one for several years to come, and by 2006 the market will still represent only 2.5% of global revenues. The rapid rise of emerging economies in the Asia Pacific market (with China in particular) should see this region generate around 15% of global 2006 revenues, while the more mature EMEA market will account for 31% of the total.
Europe
In 2002 the European market represented around 96.5% of the total EMEA market. The largest market was the UK & Ireland, with British companies in particular eager to improve their security infrastructures and also because the economic situation was less severe than in continental Europe. Based on vendors’ feedback, this market represented around 22% of the total European sector. While the German market is a significant one, it was more mature than the UK and firms were harder hit by poor economic performances. The German market still represented around one fifth of all European revenues.
By vertical market
The market for enterprise security products was previously seen as a horizontal one in that all companies who have deployed IT solutions (and particularly those connected to the Internet) need security to protect them. While this is certainly true, companies from certain vertical markets spend a greater proportion of their IT budgets on ensuring that they are better prepared for any attack. A combination of these factors makes firms in the financial services, telecoms, utilities and government sectors more “mature” in terms of their acceptance of the need for IT security than others. There are also a number of sub-verticals within each sector that display a stronger understanding of the need for greater security, such as defense suppliers and pharmaceutical firms in the manufacturing sector and legal firms and consultancies in the services sector. Many of these enterprises typically dedicate a higher percentage of their budgets to IT security as a result and are typically the first choice for any vendor launching a new security product.
The SME security market
This report classifies SMEs as those with fewer than 500 employees. Analysis of this sector shows that the SME security products market is likely to grow at a much faster rate than the enterprise market, largely due to a number of factors. These include:
Broadband. One of the biggest reasons why an SME will invest in security now rather than previously is due to the change in their Internet connection speed. By changing from slow, dial-up access technologies and ISDN, smaller customers will have always-on, high-speed Internet access. This always-on capability means that they are constantly under threat from Internet-based attack and many broadband SMEs have increased their security expenditure in order to prevent such a situation.
Collaborative work with larger customers. One key driver in the future will be the increasing desire from larger customers to automate relationships with a large number of their smaller partners – simply to reduce administration costs. As has been the case with EDI in the past, many larger vendors have put pressure on SMEs to foot the bill themselves or risk losing their key contracts. Today, most larger firms who wish to do business in this fashion insist on minimum security levels before any arrangement can go ahead.
Government awareness programs. Studies have shown in the past that often SMEs have ignored security because they felt that they were unlikely to be targeted directly. Governments around the world recognize the contribution to the economy of SMEs and at the same time have realized that many are investing in IT systems in order to become more competitive. In order to avoid a potential disaster in the future many of these governments have organized education programs to make SMEs aware of the dangers they have faced. A number of vendors have stated that this has been a key driver in some markets.
SME-specific security solutions. The SME sector is very different from that of the enterprise market largely because of the divergence in purchasing characteristics between the two groups. Vendors have recognized the need for lower prices and simplified management and have produced solutions that are more appealing to
SME customers. Naturally, this has led to an increase in demand among SMEs because they can finally buy something specifically tailored to their needs.
SME market sizing
The global SME security products market will grow at a CAGR of 25% from 2002-2006 and the market will generate revenues of almost $3.6bn (almost 27% of the total market) in 2006 (Figure 2.4). This compares favorably to the enterprise market, which will grow at a slightly more sedate CAGR of 15% in the same period.
Figure 2.4: Global enterprise security product markets by size of organization 2002-2006 ($bn)
[Chart not reproduced. Legend: Enterprise, SME; x-axis: 2002-2006; y-axis: $bn.]
Source: Business Insights
Emerging opportunities
Middleware
At present, mobilizing corporate applications is still primarily a middleware issue. Mobile security vendors need to understand how this market will develop in order to be able to position themselves for future success. This report’s forecasts for uptake of mobile middleware are somewhat conservative, with the market showing little value from 2001 to 2003, but the market will grow by 183% between 2004 and 2006, to just under $2.1bn (see Figure 2.5 and Table 2.1). As devices and networks improve, and as integration standards (that is, web services) emerge, more uptake will be seen, with substantial growth occurring from 2004 to 2006. Mobile security vendors need to be aware of the applications that will drive the market over this time, to ensure that they are developing the right products and forming appropriate partnering strategies.
Figure 2.5: Global mobile middleware revenues, by application (2001-2006)
[Chart not reproduced. Legend: General business applications, Front-office applications, Back-office applications, Bespoke vertical applications; x-axis: Year (2001-2006); y-axis: Revenues ($m).]
Source: Business Insights
Table 2.1: Global mobile middleware revenues, by application (2001-2006) ($m)
($m)                             2001   2002   2003   2004   2005   2006
General business applications      75     98    117    177    272    413
Front office applications          65     97    139    244    424    681
Back office applications           18     21     30     70    167    361
Bespoke vertical applications      82    112    148    244    408    626
Total                             240    328    434    735  1,271  2,081
Source: Business Insights
Bespoke vertical applications
In 2003, middleware designed to enable the mobilization of bespoke vertical applications accounts for 34% of the total market. These types of application tend to be deployed by large enterprises with specific business pain points that need solving. Security is extremely high on the agenda, and as a result additional solutions (such as VPNs, identity management, and so on) will be required. Although the proportion attributable to bespoke vertical application mobilization will reduce gradually over time, in 2006 it will remain a substantial share of the market (see Figure 2.6 and Table 2.2). To ensure sustained success in this area, security vendors will need to ensure that integrator relationships (the primary channel to market) are not ignored in the pursuit of the mid-market dollar and that their products keep pace with technological change.
Figure 2.6: Global mobile middleware revenues, by sizeband (2001-2006)
[Chart not reproduced. Legend: SMB (11 - 50 employees), SME1 (51 - 250 employees), SME2 (251 - 1000 employees), Enterprise (1001+ employees); x-axis: Year (2001-2006); y-axis: Revenues ($m).]
Source: Business Insights
Table 2.2: Global mobile middleware revenues, by sizeband (2001-2006) ($m)
($m)                          2001   2002   2003   2004   2005   2006
SMB (11-50 employees)           36     63     95    191    402    809
SME1 (51-250 employees)         40     71    110    199    336    489
SME2 (251-1,000)                67     81     98    144    218    298
Enterprise (1,001+)             97    112    131    201    314    485
Total                          240    328    434    735  1,271  2,081
Source: Business Insights
Front-office applications
Front-office applications (such as mobile field service and sales) have seen a substantial amount of uptake in recent times, in most cases by large enterprises. Over time, the proportion of front-office implementations will reduce, and as standards
emerge to make this less technologically challenging, mid-market companies will also look to deploy solutions of this sort. Though security is important for smaller companies, they are less prepared to invest in solutions that require additional security, looking instead for packaged, end-to-end solutions. By the end of 2004, the SMB and SME1 sizebands will actually account for over 50% of the total market. This will occur as security products adequate for these solutions become commodified and embedded into the solutions. Smaller companies will not need to outlay further capital expenditure to deploy solutions and management costs will be dramatically reduced. Security vendors looking to address this market should learn from the BlackBerry email solution, which succeeded in part because the security was embedded in the solution, and no more was required from the end-user. Relationships will have to be formed with device manufacturers, browser manufacturers, middleware vendors and mobile operators.
Back-office applications
Mobilizing complex back-office systems will see increased uptake until 2006, mainly by large enterprises. In the same way as with bespoke vertical implementations, security will be a crucial issue. Companies will therefore look to implement additional security features on a bespoke basis, meaning that security vendors will need to work with integrators in this regard.
General business applications
The proportion of middleware revenues attributable to mobilizing general business applications will reduce from 2002 to 2006. Early success was experienced in this market (by the likes of RIM, with the BlackBerry solution) but the harsh economic climate has meant that implementations have slowed. At a time when ROI metrics are once again crucial for IT investment, mobile email has suffered as it is not easy to produce credible ROI metrics for such a solution (where opportunity cost cannot be accounted for).
As the market develops, the number of large companies mobilizing general business applications as a stand-alone solution will also reduce and these will simply become a component of a larger (front-office or back-office) mobility solution. However, it is clear that there is an opportunity for mobile solution vendors and
operators to target small and mid-market companies with simple solutions. In this instance, embedded security is a must.
Competitive dynamics
Figure 2.7: Strategic evaluation of selected mobile security vendors
[Matrix not reproduced. Vendors: Aventail, CA, Certicom, F-Secure, Nokia, RSA, Symantec. Evaluation criteria: Geographical coverage, Product offerings, Financial strength, Core business strength, Partnering strategy, Datamonitor viewpoint. Rating scale: Weak, Moderate, Good, Strong, Very strong (plus "Not disclosed").]
Source: Business Insights
Large, established security companies, with substantial operations in the fixed-line space, are best positioned for future success in the mobile security market. Although there are obviously risks in approaching a new market, the benefits of having a strong reputation, trusted brand, large installed base, effective channel and technology partners already in place and a stable balance sheet cannot be outweighed by early specialist technical expertise. Although some specialist mobile security vendors do have the potential to be successful and corner a niche area of the market, once the large
vendors get their houses in order with regard to mobile security they will dominate this market (see Figure 2.7).
Conclusions
The enterprise mobility market is still nascent and as a result there will be an opportunity for vendors to address large enterprises for some time. These companies typically implement the most complex solutions, have the greatest security needs and are willing to invest substantial amounts in bespoke security solutions to ensure that their corporate data is secure. Vendors targeting this space must ensure that their solutions are technically able to satisfy enterprise CIO demands (and these will clearly change over time) and that they have effective relationships with systems integrators, who will remain the primary channel to market. Vendors aiming to secure simple mobile solutions need to be aware that embedded security is a must. Small companies taking up these solutions do not have the ability, or resources, to manage a large number of mobile devices and cope with the headaches provided by additional security requirements. Many security vendors already operate in this space and those targeting this market from scratch may struggle. However, there is an opportunity for security vendors to work with mobile operators. While operators will clearly have a role to play in the enterprise mobility market (particularly for mid-market companies looking at simple mobile applications, possibly on a hosted basis), they are not especially advanced strategically and there is still an opportunity for security vendors to form partnerships in this area. There is clearly potential in this space, though it is unlikely to come to fruition for 12-18 months (at the earliest). The mobilization of front-office applications offers mobile security vendors a significant opportunity. On the technological front, the focus needs to be on working with developers, ISVs and middleware companies to embed security products into the overall solution.
To date, this has not really happened, but increasing levels of standardization and uptake of web services occurring amongst enterprises will mean
that this becomes less and less of a technological challenge. On the channel side, vendors need to work with ISVs, tier-one and tier-two integrators, selected mobile operators and other VARs.
CHAPTER 3
Enterprise anti-virus markets
Summary
The global anti-virus market will grow at a CAGR of 14% from $1.74bn in 2003 to $2.5bn in 2006.
By 2006, North America will account for 48% of total global revenues, compared to 51% in 2003.
Latin America will be the fastest growing region, up from $39m in 2003 to $72m in 2006, a CAGR of 185%.
The SME market will grow at a CAGR of 16% to reach $847m in 2006, up from $660m in 2003.
The enterprise anti-virus market will grow at a CAGR of 14%, up from just under $1.2bn in 2003 to $1.64bn in 2006.
Working closely with the best-of-breed vendors in each segment of the market will be vital to providing a solution that customers feel isn’t letting them down in certain areas.
Market overview
In 2001 it was Code Red and Nimda, in 2002 Klez and Bugbear and, in 2003, it was Sapphire (also known as Slammer) – no matter how mature the anti-virus market is, headline-grabbing virus outbreaks prompt enterprises to continually reassess and strengthen their solutions. Anti-virus vendors have responded to this by constantly adding functionality to their products, ensuring strong upgrades (repeat business) and new customers. Because anti-virus solutions can also be deployed in more than one area (the gateway, servers, desktops and even PDAs) there is still scope for further growth. The subscription-based revenue models that many anti-virus vendors have established also ensure that revenues are maintained.
Key market drivers
As one of the most mature of the security solutions markets (with commercial anti-virus solutions available in the late 80s) and with penetration levels high, it is surprising that there are any strong drivers at all in the anti-virus market. There are, however, a number of key reasons why in 2002 the anti-virus market was one of the most successful security solution sectors:
Virus growth. The number of viruses in the wild continues to grow as more and more authors experiment with existing virus code, vying to unleash the most potent viruses they can. Anti-virus solution clients are aware of this increasing menace and most have faith in anti-virus solutions to protect their IT assets.
Apocalyptical viruses. It is not only the frequency of viruses reported that is growing but also the potential damage that they can cause. Many companies suffer greatly from viruses because of their effect on the performance of their systems and networks. Many AV vendors warn, however, that should widespread viruses carry destructive payloads, the damage done could be catastrophic.
The changing face of viruses. One thing that the new wave of viruses has taught us is that authors will deploy a variety of different attack mechanisms, often within a single virus, in order to inflict the maximum amount of damage. As viruses adapt, so must AV solutions, in order to counter each threat. As a consequence companies need to update their systems regularly to take on-board new features. This helps maintain the healthy subscription market while promoting churn by customers who feel that their existing AV solution did not do enough to protect them.
New areas to protect. While many anti-virus solutions started out on the desktop and spread to the gateways and servers, not all organizations have rolled anti-virus solutions out to all the areas that they could. If AV vendors can persuade users of the benefits of doing this and, indeed, extend protection to home-worker PCs and PDAs, then there is still plenty of room left in the market for growth.
Key market inhibitors
Despite the continuing popularity of anti-virus solutions, there are a number of factors that could restrict growth in this market.
High penetration of anti-virus solutions. While subscription models help maintain revenues, there are very few greenfield opportunities left in the key markets. As such, new sales are often only possible through churn. This is a double-edged sword, however, as focusing on new customers could make existing customers feel neglected. At the end of the day, it is more cost-effective to keep existing customers rather than gain new ones.
Product substitution. Recently, a number of new technologies have appeared that protect against some of the threats that anti-virus solutions have typically prevented, such as intrusion protection solutions (IPS) and firewalls with the ability to detect and respond to incoming viruses. Other products such as content filtering solutions can also decrease the need for increasingly complex anti-virus solutions. Currently vendors of such alternative solutions are partnering with the anti-virus vendors to leverage their expertise and brand names. In the future, however, it is possible that they could develop enough expertise and mindshare in-house to cut their partners out – as will be the case with ISS, which plans to launch an appliance with anti-virus capabilities later in 2003.
System compatibility issues. Although anti-virus uptake has been impressive, vendors still feel that they can increase the penetration of solutions within each customer. One problem that they may encounter is that sometimes the anti-virus software itself can reduce the performance of the system, either by taking up processing capacity or through a software conflict with the operating system or other software. This has not hampered anti-virus uptake in most instances but may make organizations think twice about installing solutions on some of their core systems.
Market value
The global market
While North America still remains the dominant region in terms of vendor revenues, the other markets are growing more quickly (see Figure 3.8 and Table 3.3). Leading the charge are the developing markets in Asia and Latin America with CAGRs of 19% and 25%, respectively. Some of the national markets are more mature, with Japan in particular forming a sizeable proportion (over 50%) of the total Asian market; however, the greatest growth potential comes from less developed areas where there are more greenfield opportunities. The shift in regional market share is unlikely to be dramatic, due to the stability that subscription models give to the AV market. The North American market is also likely to be one of the first areas to adopt anti-virus solutions for PDAs once strong penetration rates in this market lead to increasing demand. As a result of the stronger penetration in the North American market, greenfield sales will be low and therefore this region will represent around 48% of the global market in 2006, compared to around 52% in 2002.
Figure 3.8: Global enterprise anti-virus markets 2002-2006 ($m)
[Chart not reproduced. Legend: North America, EMEA, Asia Pacific, Latin America; x-axis: 2002-2006; y-axis: $m.]
Source: Business Insights
Table 3.3: Global enterprise anti-virus markets 2002-2006 ($m)
($m)             2002   2003   2004   2005   2006   CAGR
North America     771    887    993  1,093  1,191    11%
EMEA              430    503    579    654    726    14%
Asia Pacific      252    315    378    442    504    19%
Latin America      30     39     49     60     72    25%
Total           1,483  1,744  1,999  2,249  2,493    14%
Source: Business Insights
Europe
The European anti-virus market very much reflects overall IT expenditure in each major country or region. The fact that many local markets have a homegrown anti-virus vendor has done much to ensure that the spread of anti-virus solutions is consistent across the European countries. Germany is the strongest market in Europe by virtue of the fact that organizations in this area are more security aware than other nations and because of the size of the German economy and number of organizations. The UK and Ireland are, however, the second largest market by only a slim margin, due partially to the fact that this area has suffered less from the economic downturn and because IT security budgets have remained high, despite fears that the economy may take a turn for the worse.
SME vs enterprise
While many companies point out that hacking attacks are often specifically targeted at high-profile organizations, viruses are indiscriminate in whom they attack. As long as the vulnerability that they exploit is present in the system, there is always a possibility that an enterprise, be it large or small, will fall victim. As such, most SMEs also recognize the potential damage that viruses can do to their networks and many have invested in anti-virus solutions. As more SMEs connect via broadband and the Internet becomes a more important business tool for them, the need to protect their assets and avoid sending viruses to clients becomes paramount. In order to successfully compete
51
TLFeBOOK
in the SME sector, vendors need to develop strong channel partnerships. Finnish antivirus vendor F-Secure believes that one of its key strengths is its partnership program. Through this, it has learned the importance of local language support, ease of deployment and management. Figure 3.9: Global enterprise anti-virus markets by size of organization 20022006 ($m)
[Figure: series SME and Enterprise; vertical axis $m, 500 to 3,000; horizontal axis 2002 to 2006]
Source: Business Insights
Table 3.4: Global enterprise anti-virus markets by size of organization 2002-2006 ($m)
($m)             2002    2003    2004    2005    2006    CAGR
Enterprise      1,008   1,169   1,339   1,484   1,646     13%
SME               475     575     660     765     847     16%
Total           1,483   1,744   1,999   2,249   2,493     14%
Source: Business Insights
Vertical markets
While anti-virus is not a solution that will specifically address industry-specific issues, it is likely that the depth and strength of any solution deployed will vary according to how risk-averse an organization is. A financial services organization is more likely to add anti-virus solutions at the gateway, server and desktop level and may improve virus scanning by deploying AV solutions from multiple vendors, whereas a manufacturing firm may simply deploy a gateway solution to limit the risks. Despite these variations, however, anti-virus sales will follow overall IT spending patterns pretty closely.
Competitive landscape
Three players currently dominate the market for corporate anti-virus solutions: Network Associates, Symantec and Trend Micro. Network Associates has a slightly stronger position in the enterprise market in terms of revenue, with Symantec second. Symantec is much stronger in the corporate space and as such may have more SoHo customers than its rivals. Computer Associates is another vendor that is strong in the enterprise space but has seen its market share drop sharply in recent years. There is a variation in strength by region and by country. Trend Micro, for example, is the dominant player in the Japanese market (both consumer and enterprise) and derives over 50% of its global revenues from Asia (43% from Japan). The local nature of many markets has created strong positions for other anti-virus vendors such as Sophos in the UK, Panda in Spain, F-Secure in Scandinavia and Kaspersky Labs in Russia.
Conclusions
With the emergence of new business models, working closely with the best-of-breed vendors in each segment of the market will be vital to providing a solution that customers feel isn’t letting them down in certain areas. The partnership program initiated by Symantec is a good example of this. While it has content-filtering capabilities of its own, Symantec understands that ClearSwift’s MIMEsweeper product is considered best-of-breed while Symantec itself is considered to be one of the leading enterprise anti-virus solution vendors (certainly in terms of revenue). By ensuring that the two solutions work well together companies can enjoy a best-of-breed solution that is likely to find favor with a large number of customers. Leveraging different brands to create a more powerful, best-of-breed solution represents an important stage in the maturity of the market. By accepting that customers demand best-of-breed and working towards creating a modular solution to fit this approach, vendors can leverage each other’s mindshare and installed base.
CHAPTER 4
Enterprise content filtering markets
Summary
The North American market is still the largest market for enterprise content filtering solutions in terms of sales, hitting $289m by 2006, up from $132m in 2003, a CAGR of 31%.
The EMEA market for enterprise content filtering will grow from $59m in 2003 to $138m in 2006, a CAGR of 34%.
The central European market is still strong but issues over monitoring employee mail from a privacy stance (Germany & Austria) and a trade union stance (France) have kept growth in these markets down.
The SME content filtering market will grow strongly at a CAGR of 42% from 2002 to 2006, reaching $190m.
While content filtering will continue to grow as a stand-alone market for the foreseeable future, the signs for the future of the technology point to its integration with other solutions.
Market overview
The market for content filtering solutions has grown steadily over the past couple of years thanks to its dual capabilities. Content filtering can act as a productivity tool by preventing employees from accessing content deemed inappropriate, or it can block potentially malicious code. The market is difficult to assess in some terms because of the integration with anti-virus solutions & firewalls and may be more difficult to size going forward as the market for total content control grows. Effectively, email filtering is designed to spot and/or block undesirable content from entering or leaving the system. Depending on the specific solution this includes:
Viruses. Typically solutions either examine content to look for viruses in a controlled environment (sandboxing) or simply block content that may contain viruses and that the intended recipient would not normally need to carry out his or her day-to-day activities.
Inappropriate written content. Solutions designed to scan for specific words or phrases are often implemented to avoid lawsuits – to prevent racist or sexist messages from reaching and offending individuals. In certain circumstances it could help prevent legal difficulties. An example would be in the financial markets sector where emails have to be monitored to ensure that no insider trading operates. Customers can prevent such breaches from occurring by stopping and checking emails with key phrases in the text body.
Inappropriate attachments. Aside from viruses, there are two other main forms of attachment that employers may not wish their employees to receive: executables and inappropriate images. If the attachments are games then employee productivity will be reduced, and if the images are pornographic, violent or racist then lawsuits may ensue.
For many organizations, content filtering could have prevented serious human resources problems. Chevron Oil, for example, was forced to settle a sexual harassment claim for $2.2m after, among other things, its employees received an email joke listing "25 reasons why beer is better than women". While many people may not be offended by such humor, some are, and companies must protect themselves against such threats.
Key drivers and inhibitors
There are many reasons why companies may choose to invest in some form of content filtering. Equally, there are reasons why the inexact nature of content filtering may damage a company’s productivity.
Drivers
To prevent lawsuits. The example of Chevron Oil is one of many incidents where individuals have reacted badly to content that they find offensive and have sued their employers for failing to adequately protect them. Content filtering solutions may stop such content getting through or at least prove to the court that the company did everything it possibly could to prevent it.
To improve productivity. While many working hours can be lost from individuals surfing the Internet, they can also be lost from playing games that they receive via email. Productivity can also be lost if employees open applications that then interfere with the rest of the system. Not only will their work be disrupted, but IT staff may need to spend their time cleaning up the disrupted host.
To reduce the incidence of virus outbreaks. While anti-virus solutions can stop many viruses, they find it difficult to stop new viruses or those hidden inside applications or files (Trojans). By blocking those files that are most commonly infected and that users don’t actually need, the risk of being infected can be significantly reduced.
Anti-spam. One of the key movements in the market over the past 9 months has been the push to merge content filtering solutions with anti-spam technologies to reduce the number of unsolicited emails received by customers. Estimates of spam proliferation vary but some put spam at around 40% of enterprise email messages (Brightmail) and any moves to reduce this level of saturation are bound to improve employee productivity.
Inhibitors
Legislation. In certain countries, it is considered to be a violation of an individual’s human rights to have the contents of their email scanned unless they specifically agree to it. This has severely limited the uptake of solutions in areas such as Germany and Austria. As a result vendors have had to go the extra step to push their solutions in these markets and come up with workable alternatives. This is, however, the main inhibitor in such markets.
Blocking too simplistic or enthusiastic. While content filtering has come a long way over the past few years, the technology itself does not always perform as expected. Solutions may be too simplistic and block certain types of content. More often than not this is not a problem. But occasionally an employee may need that specific file or application to carry out legitimate work and will be annoyed if this is prevented. Another problem comes when the system analyzes content and deems it to be inappropriate, when it is not. Harmless photographs could be deleted because they have a certain percentage of skin tone and documents containing macros may also be blocked. This can cause annoyance and possibly reduce productivity.
Can be bypassed. A solution such as this is only effective to a certain degree. People who want to get around the system can simply use other characters in place of letters in their words to bypass the filtering process. A human would understand what it means but a computer would not. This limits the effectiveness of filtering to a certain degree if the employees know that it is there. Filtering email alone is also not enough because employees could send or receive inappropriate content via instant messaging solutions or via web email.
False positives. Although similar to the earlier point concerning content filtering solutions, the specter of false positives is particularly worrying in the anti-spam space. Because such solutions tend to be rule-based, if the rules are too strict they may block or delete legitimate emails. Usually this can be overcome in time by tweaking the filtering mechanism but this is still trial and error. Even if incidents only account for 0.05% of all emails filtered, with many systems processing thousands of emails a day, for some customers this will simply be unacceptable.
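
The trade-off behind the "Can be bypassed" and "False positives" points above, as an added example that is not part of the original report: a keyword filter at three levels of strictness, run over constructed messages. The block list, the look-alike substitution table, the sample messages and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed block list (assumption, not taken from the report).
BLOCKED_TERMS = ("confidential", "insider")

# Assumed digit/symbol-for-letter substitutions, folded back before matching.
LOOKALIKES = str.maketrans("013457@$", "oieastas")

# Constructed messages: (text, is_actually_unwanted)
SAMPLES = [
    ("Please keep this confidential.", True),
    ("Keep this c0nf1dent1al, it is 1ns1der news", True),
    ("This is c.o.n.f.i.d.e.n.t.i.a.l", True),
    ("Meet at the basin side road at 10:30", False),
    ("Quarterly report attached", False),
]


def fold(text):
    """Lowercase, strip accents and undo look-alike substitutions."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return no_marks.lower().translate(LOOKALIKES)


def match_naive(text):
    """Plain substring match: what a simplistic rule does."""
    low = text.lower()
    return [t for t in BLOCKED_TERMS if t in low]


def match_folded(text):
    """Fold look-alikes, then match whole words only."""
    words = set(re.findall(r"[a-z]+", fold(text)))
    return [t for t in BLOCKED_TERMS if t in words]


def match_aggressive(text):
    """Fold look-alikes, drop every non-letter, then substring match.

    Catches terms split by separators, but also joins unrelated words,
    which is where legitimate mail starts to be blocked.
    """
    squeezed = re.sub(r"[^a-z]", "", fold(text))
    return [t for t in BLOCKED_TERMS if t in squeezed]


def evaluate(matcher):
    """Return (unwanted messages caught, legitimate messages wrongly blocked)."""
    caught = sum(1 for msg, bad in SAMPLES if bad and matcher(msg))
    false_pos = sum(1 for msg, bad in SAMPLES if not bad and matcher(msg))
    return caught, false_pos


if __name__ == "__main__":
    for name, matcher in (("naive", match_naive),
                          ("folded", match_folded),
                          ("aggressive", match_aggressive)):
        caught, false_pos = evaluate(matcher)
        print(f"{name:10s} caught={caught}/3 false_positives={false_pos}/2")
```

Each step up in strictness catches one more obfuscated message, and the strictest rule is the first to block a legitimate one, which is the tuning problem the two points describe.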
Market sizing
By geography
Global
The North American market is still the largest market in terms of sales, but the European market has benefited from the presence of a number of important vendors in this space (see Figure 4.10 and Table 4.5). The EMEA market is still, nevertheless, small and it will grow at a faster rate, up from $59m in 2003 to $138m in 2006, a CAGR of 34%. Emerging markets in Asia Pacific and Latin America will also grow strongly because of the symbiotic relationship between content filtering and anti-virus.
Figure 4.10: Global enterprise content filtering markets 2002-2006 ($m)
[Figure: series North America, EMEA, Asia Pacific and Latin America; vertical axis $m, 0 to 600; horizontal axis 2002 to 2006]
Source: Business Insights
Table 4.5: Global enterprise content filtering markets 2002-2006 ($m)
($m)             2002    2003    2004    2005    2006    CAGR
North America      98     132     177     229     289     31%
EMEA               43      59      80     107     138     34%
Asia Pacific       20      27      37      51      68     36%
Latin America       3       5       6       9      11     36%
Total             164     223     300     396     506     33%
Source: Business Insights
Europe
The Northern European region is by far the largest because of the size of the UK and Ireland market. Vendors report that in Europe this is by far the biggest market, with a greater cultural acceptance of the need for filtering solutions of all kinds. The central European market is still strong but issues over monitoring employee mail from a privacy stance (Germany & Austria) and a trade union stance (France) have kept growth in these markets down. While Southern Europe is less lucrative overall, demand is reported to be increasing at a faster rate, particularly in Italy, where strong growth in 2002 was reported.
SME vs enterprise
Content filtering solutions appeal to large and small companies alike because of the synergies with anti-virus. Demand among smaller companies has always been strong and as smaller organizations look to improve their security, content filtering will continue to be an area of investment for them, particularly as part of an overall secure content management solution to protect email. Securing email is as much a priority for SMEs as for large organizations and as a result the SME content filtering market will grow strongly at a CAGR of 42% from 2002 to 2006 (see Figure 4.11 and Table 4.6).
Figure 4.11: Global enterprise content filtering market by size of organization 2002-2006 ($m)
[Figure: series Enterprise and SME; vertical axis $m, 0 to 600; horizontal axis 2002 to 2006]
Source: Business Insights
Table 4.6: Global enterprise content filtering market by size of organization 2002-2006 ($m)
($m)             2002    2003    2004    2005    2006    CAGR
Enterprise        115     152     198     253     309     28%
SME                49      71     102     143     197     42%
Total             164     223     300     396     506     33%
Source: Business Insights
By vertical
Because of the broad appeal of content filtering solutions, the overall industrial and services space (including manufacturing) represents the largest market because of the sheer number of companies in this sector. The financial services market is also significant because of the overall desire for security as well as the need to control what employees write in the emails that they send. The government sector is also significant and, in particular, the education sector, where there is a need to ensure that schoolchildren do not view inappropriate content. The revenues in this sector do not match the number of units shipped (which is greater) because of the need to reduce costs for this price sensitive area.
Competitive landscape
The leader in this market is still Content Technologies, now a part of the ClearSwift organization. This is despite the encroachment of anti-virus vendors such as Trend Micro, Network Associates and Symantec, which have continued to push such solutions to provide extra protection for email. Anti-spam technologies have also been a driving force in this market, as demonstrated by Network Associates’ acquisition of Deersoft in January 2003. Other significant vendors in this market include Tumbleweed, Trend Micro and Finjan, although the movement towards a more comprehensive secure content management solution will push the market towards the anti-virus vendors with their huge installed bases. The move to content filtering from anti-virus is a natural one and customers will most likely see it this way too. A number of companies including Nokia, Computer Associates and Tel.Net Media have announced dedicated secure content management solutions as the two technologies continue to merge. Another significant trend in the industry is the arrival of SurfControl in the market. SurfControl is a leader in the URL filtering (otherwise known as employee Internet management [EIM]) space and it believes that there is a natural fit for email and web filtering – creating a more comprehensive content control solution. ClearSwift will continue to dominate the market, however, because its solutions are considered to be best-of-breed.
Conclusions
As the market for secure content management solutions grows, awareness of content filtering and its advantages will also increase. As a result, the revenues from independent vendors will continue to grow significantly for the foreseeable future. As companies look for more integrated solutions, however, organizations will look more closely at vendors whose solutions are certified as working together effectively to ensure that none of the capabilities of a combined solution are lost. This report recommends that large vendors and small independents alike should look to work more closely with each other to ensure that their technologies are compatible. By doing so, should a modular, best-of-breed market appear, then those who have prepared in advance will be ready to take advantage of the model. If it doesn’t, they will have learned a great deal from working with the independent firms and can integrate some of the more interesting features into their own solutions for a more compelling solution.
CHAPTER 5
Enterprise encryption markets
Summary
The global encryption market is set to grow at a CAGR of almost 45% to reach over half a billion dollars by 2006.
By far the biggest reason why the encryption market will see rapid growth between now and 2006 is the introduction of SSL appliances.
One problem for device-based storage systems is how to control authentication.
The European market in 2003 was worth an estimated $58m. This will grow at a CAGR of 41.3% to hit $161m by 2006.
Although the enterprise market will grow more quickly from 2002-2005, the market will begin to take off and it is likely that the SME market should at least match the enterprise market from 2002-2006 – and possibly even outstrip it.
The market for SSL appliances will largely be based on the provision of more effective mobile worker and extranet solutions.
Market overview
Before the Internet was even born, when people thought of security they thought of encryption. While emerging security technologies such as firewalls and anti-virus took off and led to huge profits for their vendors, aside from VPN solutions, encryption technologies have so far failed to generate significant revenues for more than a handful of vendors. More standardized encryption appliances, however, have emerged that could allow users to more effectively protect the data in transit over the Internet without the administrative burdens of current alternatives.
This section looks only at enterprise encryption solutions: solutions bought directly by organizations. This does not include vendor revenues for encryption technologies sold to other vendors in an OEM arrangement. Some toolkits are sold to sophisticated end-user organizations who develop their own encryption solutions but this has become increasingly rare as the power of commercial encryption solutions increases. Cost pressures in these markets have also forced IT departments to externalize many of these processes. This report splits the encryption market into two distinct segments.
Static encryption. Files that are stored on servers, client devices and other media are encrypted so that should any unauthorized user access them they will be unable to read them (if the level of encryption is high enough to prevent hackers from breaking it).
Transactional encryption. Files that are transmitted to other users typically pass, today, over the Internet in order to reach their intended target. Many see the Internet as an untrusted, public network and unless information is protected, it could be intercepted and read by unauthorized users. Transactional encryption solutions encrypt the message so that it arrives safely at its destination.
Although it is an encryption protocol, this report does not include IPsec in this market. This protocol (or set of protocols) is a traditional component of IP-VPN solutions and as such is not split from the dedicated firewall / VPN revenue numbers found earlier in this report.
Key drivers and inhibitors
Drivers
The encryption market is well established but several developments suggest that the market is set to grow strongly over the next five years.
SSL appliances for remote access. By far the biggest reason why the encryption market will see rapid growth between now and 2006 is the introduction of SSL appliances. Such appliances are designed specifically to facilitate remote access provision for end-users to web-based applications, removing the need for IPsec VPN clients to be deployed: something that can be logistically difficult to deploy and maintain.
The strong growth in mobility solutions. As businesses embrace the benefits of a more mobile workforce many organizations are beginning to express concern over the safety of data stored on mobile devices such as laptops and PDAs. As enterprises equip their end-users with more of these devices and as they begin using them for more mission-critical applications, the value of the data stored on them will increase. Encryption software is an effective way of protecting such information should the device be lost or stolen.
Greater need for additional security. As more security-conscious organizations increasingly use the Internet to replace traditional means of communication, the desire to add extra security to such traffic will increase. This will drive demand for high-level encryption appliances and a need for stronger encryption in general.
Inhibitors
Complexity. Adding encryption solutions to work effectively with the rest of the system (for example for email) currently often involves a requirement for tighter integration. As such, the integration process may be slow and costly. Further complexity is added when managing encryption. One problem for device-based storage systems is how to control authentication. Many solutions use password-based systems as a means of securing such solutions, which could make it difficult or even impossible to retrieve vital data if the password is forgotten.
Reduced performance. The traditional problem associated with encryption was that any server tasked with encrypting and decrypting traffic typically ran much more slowly. To overcome this problem, many companies deploy encryption accelerators. Further problems, however, may arise as companies look to new technologies such as voice and video over data. The organization may wish to improve network performance by implementing content-aware network solutions. This process can, however, be hampered by encryption and solutions to overcome this problem can be expensive or lead to potential security risks.
Limited use. Most SSL appliances are currently suitable for securing only web-based applications or those that have been tailored specifically for use with such appliances. As such, the number of applications that can be offered to remote workers and partners is reduced. This problem should largely be overcome as companies look to web-enable their applications now and to web services solutions in the future.
Market sizing
By geography
Global
The global encryption market is set to grow at a CAGR of almost 45% to reach over half a billion dollars by 2006 (see Figure 5.12 and Table 5.7). Essentially, this is a market of two parts: the first is a more mature market that is unlikely to grow spectacularly over the next few years because of more attractive mass-market alternatives to stand-alone encryption solutions and the second is that for SSL appliances.
The SSL appliance market will begin to pick up speed over the next couple of years as awareness grows and enterprise mobility solutions increase in popularity. Because the market for SSL appliances will account for a significant proportion of any growth in the market and because the market is new, the North American market will grow at the fastest rate because firms here tend to adopt new technologies before their counterparts around the rest of the world.
Figure 5.12: Global enterprise encryption solution markets 2002-2006 ($m)
[Figure: series North America, EMEA, Asia Pacific and Latin America; vertical axis $m, 0 to 600; horizontal axis 2002 to 2006]
Source: Business Insights
Table 5.7: Global enterprise encryption solution markets 2002-2006 ($m)
($m)             2002    2003    2004    2005    2006    CAGR
North America      61      85     130     186     286   47.5%
EMEA               40      58      84     111     161   41.3%
Asia Pacific       13      19      28      37      53   42.3%
Latin America       1       2       3       3       6   44.8%
Total             115     164     246     337     507   44.8%
Source: Business Insights
Europe
The European market in 2003 was worth an estimated $58m. This report forecasts that this will grow at a CAGR of 41.3% to hit $161m by 2006. The largest individual market is Germany, which represents around a quarter of the overall market. According to vendors, however, the uptake of encryption technologies is starting to increase in other areas such as France and the UK & Ireland. Utimaco, for example, is a strong player in the German encryption market (which is in fact its home market) but has seen revenues from this market fall. Eastern Europe is a relatively small market for western firms importing encryption solutions but most vendors report that the understanding of the benefits of encryption technologies is very high. Local solution providers who have strong relationships with many of their clients largely serve the market but there is strong potential here as countries in this region join the EU and look to establish electronic relationships with Western firms. This could be a good base for strong SSL appliance sales in this region of the world.
SME vs enterprise
As with any new market, solutions in this space are not yet cost-effective and it is also less likely that they will benefit from remote access technologies in the same way or be drawn to the technology in the same way. As such, the SME encryption solutions market in 2002 represented around 16% of the total market (see Figure 5.13 and Table 5.8). As the market grows, more SME-friendly solutions will be pushed to smaller customers and these will find more favor within web services environments and other online partnership models. Therefore, although the enterprise market will grow more quickly from 2002-2005, the market will begin to take off and it is likely that the SME market should at least match the enterprise market from 2002-2006 – and possibly even outstrip it.
Figure 5.13: Global enterprise encryption market by size of organization 2002-2006 ($m)
[Figure: series Enterprise and SME; vertical axis 0 to 600; horizontal axis 2002 to 2006]
Source: Business Insights
Table 5.8: Global enterprise encryption solution market by size of organization 2002-2006 ($m)
($m)             2002    2003    2004    2005    2006    CAGR
Enterprise         97     140     209     287     426   44.8%
SME                18      25      37      51      81   44.8%
Total             115     164     246     337     507   44.8%
Source: Business Insights
By vertical market
Traditionally the largest sectors for encryption technologies have been the financial services and government sectors, which have a fundamental appreciation of the benefits of encryption technology. Indeed, these organizations are typically the mainstay of the hardware encryption markets. Telecoms firms have also been strong markets for encryption in the past and while the market for telecoms firms is still relatively lucrative, the downturn in the economy has limited a stronger uptake. As SSL appliances begin to show signs of customer acceptance, the uptake by vertical will shift more towards the overall industrial and services sector as they look to push sales force automation solutions.
Competitive landscape
Effectively the market for encryption solutions is divided into three main categories: software encryption solutions, standard SSL appliances and high-level encryption solutions. While there is no overall leader in the software encryption market (with revenues a mixture of out-of-the-box solutions and encryption toolkits sold directly to some organizations, typically financial services institutions and governments), there are a number of companies who actively sell off-the-shelf encryption, including PGP from Network Associates, Secure Shell from SSH, SafeGuard from Utimaco and FileCrypto from F-Secure. While these firms generate solid revenues, many of the operating system vendors also offer encryption as part of their solutions, which reduces the scope of the overall market. Advances in the operating systems for PDAs and laptops may reduce potential future revenues further from increased mobile solution uptake. Before SSL appliances became a potential mass-market technology, manufacturers were producing dedicated encryption appliances to create secure communications networks for security-aware customers such as the defense sector and financial services institutions. Although the market is not large compared to other sectors of the security industry, it is steady and lucrative. Such appliances are provided by a handful of organizations such as Rainbow Technologies and Thales e-security. These firms have a strong grip on the market and it would be difficult to see other companies penetrating this sector.
The market with the biggest potential is that for SSL appliances. So far, it is very small (in 2002 it was worth around $28.9m), but it is set to grow extremely quickly over the next five years. This report’s growth predictions are cautious because IPsec VPNs can also offer remote access services but we still believe that the market will grow quickly. Current estimates put that market in 2006 at $400m, making the CAGR around 93%. This represents an extremely high growth rate but reflects the fact that customer demand is high and that the technology is growing from a very small base. The market is currently hotly contested by a number of private firms including Netilla, Neoteris, Aventail and NetSilica. The most recent entrant into the market, Nokia, adds credibility to the market as does the continued push by Nortel. Other firms will enter this space to complement their IPsec VPN solutions. Other areas where SSL is being pushed are the mobile device and WLAN security space and it is not inconceivable that vendors from this market will look to complement their product portfolios as Nokia (mobile solutions) and Nortel (WLANs) have looked to do.
Conclusions
The market for SSL appliances will largely be based on the provision of more effective mobile worker and extranet solutions. As stand-alone solutions, SSL appliances do a great deal to solve some of the problems inherent in IPsec-based offerings but by themselves have limited functionality. Those companies that work effectively to bring the web-based and legacy environments together will ultimately be more successful. Until that happens, organizations will only be able to offer limited services to their employees and partners or will have to operate a two-tiered system, whereby IPsec and SSL co-exist uneasily. This set-up would nevertheless negate some of the positive aspects of SSL because the IPsec environment would still have to be rolled out and managed. Until more applications can be web-enabled quickly or SSL appliances can give access to internal, legacy applications, SSL is unlikely to replace IPsec VPNs in the remote access space.
Such companies should work closely with portal vendors to promote their solutions as a one-stop shop for remote access solutions. Only by leveraging advances in the portal world or by making it easier to SSL-enable applications will SSL appliance vendors be able to offer the extra functionality that would persuade companies to buy their solutions in the first place. SSL appliance vendors have understood many of these potential pitfalls and have moved to position their appliances as designed to solve particular problems. Neoteris, for example, has released the Meeting series of products that allow organizations to create temporary online meetings by leveraging SSL appliance technology. This solution is designed to appeal to companies that currently use relatively costly third-party online meeting providers on a regular basis and is designed to save such companies money in the long term.
CHAPTER 6
Enterprise firewall and VPN markets
Summary
The global market for enterprise firewalls and VPNs will grow from $2.73bn in 2003 to $4.52bn in 2006, a CAGR of 20%. The EMEA market for firewalls and VPNs will grow from $931m in 2003 to $1.54bn in 2006, representing a CAGR of 20%. Again, the fastest growing market will be Latin America, growing at a CAGR of 34% to hit $143m in 2006. The SME space will grow at a CAGR of 27% from 2002 to 2006, representing around a third of the market. Reducing communications costs is the number one driver for stand-alone VPN solutions and the VPN element of combined firewall / VPN devices and software. At least seven major competitors are fighting it out for mainstream and niche revenue sources. The advent of application-level firewalls should see competition increase, as each vendor looks to make its solutions block as many attacks as possible. The strong competition in the market will continue and little will change with the advent of the new business models.
Market overview
The firewall is seen by many as the cornerstone of any perimeter security solution, making this market a mature one, with high levels of penetration. While most large organizations have deployed them for their central offices, there is still a great deal of traction in the branch office space, internally within the organization to protect key areas of the network and in the SME sector, where for many security is a new consideration. There are also a number of technological developments that will help push the market forward – particularly for intra-network deployments. This report has combined the market for firewall and VPN solutions because typically these products are sold together and it is unknown what proportion of total solutions sold are used primarily as a firewall and which for VPN.
Key drivers and inhibitors
One of the first security solutions that an organization will deploy when establishing its security architecture is the firewall. There are a number of reasons why the firewall market will continue to grow at an impressive rate.
Drivers
Trust factor. IT managers and directors pretty much know what firewalls can do and when looking to increase their security understand that firewalls can be an effective means of securing access to internal areas of the network and remote offices. This will be extremely important as vendors move towards a layered-security solutions model because customers will automatically understand that using firewall technology will increase the level of security in the area that it is employed in.
Reducing communications costs. This is the number one driver for stand-alone VPN solutions and the VPN element of combined firewall / VPN devices and software. Simply put, a company looking to reduce the costs of leased line connections (such as frame relay circuits) will look to pure IP solutions as a means of achieving this. To secure these connections, however, they must run additional security solutions across the connection such as IPSec or SSL.
Unpenetrated segments. While the corporate perimeter firewall market may be rapidly approaching saturation point, there are some sectors where firewalls can be deployed that have so far remained relatively untouched. Other applications such as DMZ, interdepartmental and desktop firewall solutions have still yet to take off in a meaningful fashion. Penetration levels among SMEs are also much lower than in the large enterprise markets, indicating that there is further room for growth in this sector.
New technological changes. One of the roles of a firewall is to keep undesirable traffic streams from entering the network. Problems may therefore arise when new technologies and protocols confuse the firewalls into thinking they are attacked. This leads to the possibility of VoIP or web services traffic being blocked by the network. There are also a number of developments within the firewall market itself that may lead organizations to upgrade or replace their firewalls. A good example of this is the rapidly emerging application-level firewall solution, which will be discussed in greater depth below.
Another driver for new sales is the desire for many large, security-conscious organizations to increase the number of firewall / VPN solutions at the perimeter to ensure fail-over (clustering). Appliance vendors such as Nokia emphasize their capabilities in this area, particularly when selling to certain verticals such as banking, financial markets and healthcare (for whom business continuity is a necessity).
Inhibitors
Despite the ubiquity of firewall solutions (and the strong penetration of VPN), there are a number of inhibitors that may restrain continuous market growth in the future.
Saturation. For vendors such as Check Point, this has been one of the key inhibitors to revenue growth. When combined with a harsh operating environment with an unusually large number of prominent operators, the addressable market for certain product lines is increasingly shriveling up.
Cost. For other areas of the network where firewalls can be deployed such as internally for departmental firewalls or for home workers, the cost may be prohibitive. This can largely be overcome by choosing solutions that have firewalls embedded in them such as broadband routers or even NIC cards in the case of 3Com products.
Configuration problems. Despite the understanding that firewalls are an effective security tool, many customers who have already deployed solutions know that configuring solutions so that they run harmoniously with the rest of the network operations can be tricky. As such, customers may decide not to install firewalls in greater numbers within the network because of the extra management headaches that solutions bring with them.
False positives. While this hasn’t been a problem for customers before, application-level firewalls may determine that something is attempting to perform an illegal operation when in fact the traffic is benign. This can be a real problem if it prevents legitimate users from accessing the resources they need. Until there are a significant number of real-life deployments, however, it is unknown how much of a problem this could be.
Market sizing
By geography
Global
The strong ROI that VPN solutions offer has led to high penetration, and companies are now looking to add to this capability to provide connectivity to areas that were previously technological backwaters, such as far-flung branches or homeworkers. North America was one of the first areas to see a small resurgence in interest after the downturn, whereas the EMEA region has seen slightly stronger growth because it is further behind on the technological development curve (see Figure 6.14 and Table 6.9). The lack of any real growth of the Asian economies has also hit sales but the region has a strong growth potential and any change in the financial situation for the better is likely to see a strong period of investment, particularly in emerging areas such as China.
Figure 6.14: Enterprise firewall & VPN market 2002-2006 ($m)
[Chart: market value in $m by year, 2002 to 2006, by region: North America, EMEA, Asia Pacific, Latin America]
Source: Business Insights
Table 6.9: Enterprise firewall & VPN market 2002-2006 ($m)
| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| North America | 1,149 | 1,379 | 1,613 | 1,839 | 2,059 | 16% |
| EMEA | 751 | 931 | 1,127 | 1,330 | 1,543 | 20% |
| Asia Pacific | 265 | 358 | 476 | 619 | 774 | 31% |
| Latin America | 44 | 62 | 85 | 113 | 143 | 34% |
| Total | 2,209 | 2,730 | 3,301 | 3,900 | 4,519 | 20% |
Source: Business Insights
Europe
While the German market is still the strongest in terms of overall revenues, the UK and Irish markets have picked up faster due partly to the more robust nature of the economy and increased uptake of broadband by branches and smaller enterprises. While most of the central and southern European nations have seen fairly flat growth, many vendors have seen increasing uptake in Italy and Eastern Europe, particularly for VPN deployments with a view to creating extranets. Eastern Europe in particular has attracted the attentions of many because of the number of potential greenfield sites and the technological development occurring in countries due to enter the EU in the near future or who are looking for closer relationships with western European businesses. Cisco, for example, has reported that strong demand in Russia has led it to increase its focus on this area. Russian firms are looking to improve their security infrastructures as a precursor to a greater use of ebusiness technologies and electronic relationships with firms from Western Europe and further afield.
SME vs enterprise
While the large enterprise sector has been the main source of revenues for firewall/VPN solutions in the past, the benefits of broadband access, coupled with the knowledge among many smaller firms that high-speed Internet access has its risks, have stimulated the SME market. Many firms have produced scaled-down versions of their solutions in order to produce relatively quick yet low-cost versions of their enterprise product specifically for the SME and branch office space. While it is difficult to ascertain exactly where each solution will be deployed (in the branches of large organizations or in SMEs), the SME space will grow at a CAGR of 27% from 2002 to 2006, representing around a third of the market. In order to make their solutions more attractive to this market, many vendors have added extra functionality to their appliances or solutions to give smaller customers more features. Microsoft, for example, is positioning its solution, the ISA server, as a multi-functional solution because of its Internet caching capabilities to help SME customers cope with bandwidth issues, as well as security. Many other vendors have looked to this route to add intrusion prevention, anti-virus and URL filtering capabilities to their boxes in order to give customers an all-in-one security device and make the package as attractive as possible. The addition of anti-virus slows devices down to a virtual crawl (compared to how they would perform without it), meaning that only SME customers and branches with low bandwidth requirements can benefit from its inclusion.
Figure 6.15: Global enterprise firewall & VPN market by size of organization 2002-2006 ($m)
[Chart: market value in $m by year, 2002 to 2006, by size of organization: Enterprise, SME]
Source: Business Insights
Table 6.10: Global enterprise firewall & VPN market by size of organization 2002-2006 ($m)
| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| Enterprise | 1,653 | 1,965 | 2,310 | 2,652 | 3,028 | 17% |
| SME | 574 | 765 | 990 | 1,248 | 1,491 | 27% |
| Total | 2,209 | 2,730 | 3,301 | 3,900 | 4,519 | 20% |
Source: Business Insights
By vertical market
While the manufacturing and services sectors (part of the industrial / services market) remain the largest sector due to the number of organizations in this sector, the retail & distribution sector has seen greater numbers of VPN deployments as companies look to link their branches with higher-bandwidth connections to provide more than EPOS (electronic point of sale) facilities. While the notion of “virtual branches” (whereby the offline and online branches merge and customers can buy goods over a network but pay for and collect them in the store) has not taken off as quickly as many had hoped, some organizations such as Virgin have rolled out such facilities. VPNs provide the perfect means of increasing bandwidth but keeping costs down, allowing organizations to get more functionality for their money. While verticalizing the sales message for VPNs has been relatively easy, in the past many vendors have struggled to provide examples of how firewall solutions can overcome vertical-specific challenges. This is because the function firewalls provide is essentially advantageous to anyone with an external network – regardless of which sector they operate in. Vendors looking to add their firewalls to other areas of the network, however, can use their knowledge of those sector-specific applications a company may wish to protect. A pharmaceutical firm, for example, which conducts clinical trials for its drugs, may wish to house this data more securely than the rest of the network because of the damage to its reputation should the confidential patient data be compromised. Understanding which applications and systems a firm would wish to add extra protection to is clearly crucial and only through verticalizing the sales message can this notion be effectively conveyed.
Competitive landscape
Despite the maturity of the market, the number of important competitors remains high. While Cisco, Check Point (including Nokia), Nortel and NetScreen are the market leaders in terms of the revenues they generate from the firewall / VPN sector, firms such as Microsoft, WatchGuard, SonicWALL and Secure Computing continue to generate significant revenues from this sector. At least seven major competitors (plus others such as Avaya, 3Com and Symantec) are fighting it out for mainstream and niche revenue sources. The advent of application-level firewalls should see competition increase, as each vendor looks to make its solutions block as many attacks as possible. While speed was a competitive differentiator before, the number of potential threats that can be blocked and the speed with which vendors can update their solutions to cope with the latest attack patterns will be crucial. In this sense, firewalls will become as vulnerable as intrusion detection solutions – while rule-based systems may help decrease the need for updates, as new attacks emerge and new protocols are developed that could potentially by-pass such systems, updates will need to be made available. Companies will therefore look to compete on the number of threats they can overcome with the least number of false positives.
Conclusions
The strong competition in the market will continue and little will change with the advent of the new business models. These are so new, in fact, that they will almost certainly take a while to become accepted. One of the biggest concerns for an industry that has been obsessed by increasing the throughput of firewalls has been the dramatic impact on performance that application-level inspection has so far had. However, the application-level model is unlikely to take off in the short term. This is likely to be due to education issues, but many companies will be worried about how quickly the marketing message has changed. Initially, speed was pushed as a means of future-proofing firewall investments. To see such a message swept aside so quickly in favor of deeper filtering capabilities may be unpalatable for many customers. As such, the customer must be given the choice between the two options, and the vendor should remain as neutral as possible on either decision if trust with customers is to be maintained. Application-specific, application-level firewalls represent an effective compromise. By putting application-level firewalls that search for specific threats in front of certain applications, the strain on network throughput is eased. This allows most traffic to flow into the network and be monitored by normal means and key applications to receive extra protection. This should continue until technology has again caught up with the ideas and acceleration solutions can push throughput speeds closer to the speeds achievable now.
CHAPTER 7
Enterprise identity management markets
Summary
The total market for identity management (IDm) products and services is set to grow from 2003 revenues of $4.3bn to reach $6.2bn by 2007 at a CAGR of 9.9%. The North American market for IDm products and services will grow from $1.05bn in 2003 to reach $1.19bn in 2006, a CAGR of 4%. Because EMEA is typically a year behind the US on the technology curve, the market will take slightly longer to establish itself. Therefore, the EMEA market will grow more quickly from 2002 to reach $711m in 2006, at a CAGR of 7%, because it is growing from a much lower base. No single vendor controls the market for identity management solutions because of the modular nature of the market. The complexity of identity management solutions is a significant inhibitor of the market. There is a series of core attributes that IDm vendors and solution providers must be able to demonstrate: full portfolios; a highly modular approach; devolved administration capabilities; professional services back-up; future focus; and understanding of the legacy environment.
Market overview
The term “identity management” has been adopted by a number of vendors in a bid to create a platform around which a variety of solutions can work within a modular system and to provide customers with a single concept to work around. Although definitions of exactly what elements this market contains differ, this report uses this definition as a catch-all phrase for the following markets:
Identification / authentication solutions. This includes hardware and software tokens, smart cards, USB tokens and biometrical solutions for enterprise identification purposes. This definition normally includes PKI solutions too but for the purposes of consistency between reports, this report has sized the PKI license market separately.
Single sign-on & access control solutions. There are two key forms of access control solutions, web-based and legacy system access control, which have been considered in the model for this report.
User directory structures. Directories have long been deployed by organizations as a store for their users’ identities and these solutions can be found as part of a number of different applications. Access control solutions typically use a single directory that feeds information into those of other applications.
User lifecycle management solutions. The term user lifecycle management has been coined relatively recently for a collection of solutions that serve to facilitate the creation, updating and removal of user identities. The information surrounding these identities is then used by the access control solution to determine what a user can and cannot access. Once information on the user is added or updated in the future, the system will automatically ensure that the applications used within the access control system also receive this information.
Key drivers and inhibitors
While each of the individual markets has its own set of drivers and inhibitors, this section will look at identity management as a whole.
Drivers
Data confidentiality & integrity. The overall aim of an identity management solution is to positively identify a user to the system and then determine which elements of the network they can access. The benefits of this are that only authorized users will be able to access sensitive or mission-critical data, ensuring that only those permitted to view or alter the information can do so.
Auditing & accountability. By positively identifying a user to a system, the IT administrator can then look back at the records should any problems occur and identify the party or parties that have either mistakenly or deliberately carried out an illegal operation. This may help a company plan for the future and optimize its access control solutions or allow it to take steps to punish those individuals who have deliberately broken the rules.
Reduced management overheads. One key trend among vendors for all security solutions has been to try and prove a return on investment for their solutions, in light of the downturn in the economy. Identity management solutions are no exception to this and in certain respects the job is an easier sell than for many technologies. There are a number of ways in which management overheads can be reduced, such as less time spent managing user information for user life cycle management as well as reduced helpdesk calls for forgotten passwords for both identification and single sign-on solutions.
Improved user experience. Once a comprehensive identity management solution is in place, the system can be configured so that the identification information can personalize the experience for the user. For example, when integrated with a portal solution, user information can be used to create the workplace for an individual so that they automatically know which applications they will be using. Employees also appreciate the ability to access applications that they need to without worrying about accessing areas or inadvertently changing information that they should not.
Inhibitors
Despite the number of improvements to the overall IT experience that identity management solutions can bring, there are a number of obstacles that vendors must overcome.
Cost. One problem with any solution of this magnitude is that the initial cost of purchasing and installing the solution is high, which puts a number of casually interested parties off from the start. While many customers benefit from the return on investment over the life of the product, with limited IT budgets many firms may be unable to make that kind of commitment in the short term.
Complexity. The complexity of such solutions is also a major drawback. The sheer volume of information that needs to be processed means that careful consideration and planning need to go into the design of any system. This, coupled with the fact that not all solutions are supported (particularly legacy ones), means that either not all of the applications within a system will be covered or a great deal of time and money will be spent bringing them on board. This complexity may frighten a few customers away.
Lack of flexibility. Part of the planning process is to determine the rules by which the system will determine who can access what. Often this is based on the role of the user in order to limit the number of individual configurations (which would take a great deal of time to perform for each individual user). The problem comes when a person with a certain job specification needs to perform a task outside of their ordinary day-to-day remit. To allow this person access, the system would need to be temporarily reconfigured, taking time and effort. While role-based access will cover 95% of all access conditions, the users will be frustrated by any delays to their work schedule.
Figure 7.16: The pros and cons of an identity management deployment
[Diagram with "Drivers" and "Inhibitors" headings. Labels shown: reduced admin costs; meet legislative requirements; enforce internal policies; improve productivity; increase security; new services; cost; complexity; union issues; timescale issues; interoperability concerns; technology maturity; authentication; access control; user provisioning & management; associated infrastructure]
Source: Business Insights
Market value
By geography
Global
The total market for identity management (IDm) products and services is set to grow from 2003 revenues of $4.3bn to reach $6.2bn by 2007 at a CAGR of 9.9%. IDm solution providers will increase revenues largely thanks to the powerful ROI arguments that such solutions provide. While each segment of the IDm space will typically have its own drivers, there are a number of common push factors that are persuading organizations to adopt a holistic view of the identity management problems they face. Figure 7.16 demonstrates the main drivers for identity management, as well as the inhibitors that vendors must overcome.
The North American market has been the principal sector for identity management for a while, with typically the most systems deployed within a specific enterprise (see Figure 7.17 and Table 7.11). While the overall market growth is slow, because of the mixture of mature solutions for legacy environments, the web-based solutions will increase at a more dramatic rate. Web services deployments and more collaborative ventures are most likely to take off first in the North American market and so this market will remain the largest sector for some time to come.
Figure 7.17: Global enterprise identity management spend, 2003 to 2007 ($m)
[Chart: spend in $m by year, by region: North America, EMEA, Asia Pacific, Latin America]
Source: Business Insights
Table 7.11: Global enterprise identity management markets 2002-2006 ($m)
| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| North America | 1,034 | 1,048 | 1,080 | 1,131 | 1,194 | 4% |
| EMEA | 533 | 561 | 604 | 653 | 711 | 7% |
| Asia Pacific | 173 | 184 | 199 | 220 | 248 | 9% |
| Latin America | 26 | 29 | 33 | 37 | 42 | 12% |
| Total | 1,766 | 1,822 | 1,916 | 2,041 | 2,195 | 6% |
Source: Business Insights
Europe
The market in EMEA is also strong and as the economic downturn continues, companies are looking increasingly at reducing overall IT running costs as they bid to get back on track and maximize potential profits as revenues fall. Because EMEA is typically a year behind the US on the technology curve, the market will take slightly longer to establish itself. Therefore, the EMEA market will grow more quickly from 2002 to 2006, at a CAGR of 7%, because it is growing from a much lower base. There are distinct areas where the uptake has been strongest. The demand for identification solutions in general, for example, has always been strong in the Nordic regions (this is not so obvious in terms of revenue because there are relatively few organizations in the Nordic countries), whereas both the Nordics and France have been areas where smart card uptake for logical access has been most impressive. The UK market has also been traditionally strong and is usually only 9-12 months behind the North American market. As such, large UK-based organizations have been some of the first to look at identity management solutions as a whole. Germany is also a significant market and there is particular demand for solutions that allow the organizations to make more use of their legacy systems.
SME vs enterprise
While some elements of the identity management portfolio will be attractive to smaller enterprises, it is the large organizations that will account for the vast majority of revenues in this market. Simply put, the organizations that will benefit most from these solutions in terms of cost reduction will be the larger customers because they will typically have more solutions than would otherwise need individually updating. Access control solutions for smaller customers will continue to grow, particularly as customers look outside of their current environments to collaborative projects such as web services. This will drive the uptake of identity management solutions in the future (see Figure 7.18 and Table 7.12).
Figure 7.18: Global enterprise identity management market by size of organization, 2002-2006 ($m)
[Chart: market value in $m by year, 2002 to 2006, by size of organization: Enterprise, SME]
Source: Business Insights
Table 7.12: Global enterprise identity management market by size of organization, 2002-2006 ($m)
| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| Enterprise | 1,590 | 1,631 | 1,705 | 1,796 | 1,888 | 4% |
| SME | 176 | 191 | 211 | 245 | 307 | 15% |
| Total | 1,766 | 1,822 | 1,916 | 2,041 | 2,195 | 6% |
Source: Business Insights
By vertical market
Because identity management has a number of drivers that will appeal to most large organizations with a considerable number of users, it is not as vertically sensitive as others. Certain technologies, however, are more likely to be adopted by some industry sectors than others. For example, the financial services and government spaces have long been the key areas where authentication / identification solutions have been popular. Certainly, it is rare to find biometrical implementations outside of organizations with a very high awareness of the need to protect sensitive data, such as banks, the military and pharmaceutical firms. Despite this, the industrial / services sector is the largest, followed by financial services. Together these two industries represent almost 55% of the market.
Competitive landscape
No single vendor controls the market for identity management solutions because of the modular nature of the market. Although there are a growing number of companies looking to offer as many of the elements as possible, there are still several companies within each individual field that are considered to be best-of-breed. One trend over the past two years has been for some authentication solution providers to try to offer a more balanced portfolio. Examples include Baltimore Technologies, Entrust and RSA Security, who offer PKI solutions (and other authentication solutions in the case of RSA) along with web single sign-on solutions. Baltimore’s sale of SelectAccess (its web-based access control solution) to Hewlett-Packard signals the end of Baltimore as a major operator in the identity management space. While providing two solutions with a more natural fit would seem like a good idea, most of the companies have struggled to push their solutions in light of competition from other providers. Clearly, being best-of-breed in each of the identity management technologies gives those players a distinct advantage. These vendors will be best-of-breed in their respective categories.
Identification / authentication solutions
In terms of revenues the three most successful solution providers in their relative markets are RSA Security in the hardware authentication token market, Rainbow Technologies in the USB token market and Entrust in the PKI market.
Single sign-on / access control
Despite declining revenues, Netegrity is still seen as the leading provider of access control solutions (certainly in the web-based market). Many of the key authentication solution providers have a strong proposition, with RSA and Entrust in particular generating credible revenues in this area. The most significant potential entrant into the market is Hewlett-Packard, with its acquisition of Baltimore’s SelectAccess solution. With its resources, HP could make a major play in the identity management market in line with its competitors in the network management space, CA and IBM Tivoli.
Directory structures
Directories have been deployed by organizations for many years as stores of information. Vendors have, however, noticed a peak in sales in 2002. The legacy operators in this space who will benefit from an expansion of the market include Microsoft, IBM, Novell, Sun and Siemens.
User management solutions
Many vendors expect this portion of the market to be one of the best-selling modules of any solution because of the benefits that such a solution can provide in terms of simplifying the creation, management and revocation of user profiles and privileges. The key vendors in this market include BMC, IBM (particularly following its acquisition of Access360), Computer Associates, Novell and Evidian (a subsidiary of Groupe Bull).
Critical success factors
There is a series of core attributes that IDm vendors and solution providers must be able to demonstrate:
Full portfolios: in-house development, M&A and partnerships;
A highly modular approach;
Devolved administration capabilities;
Professional services back-up;
Future focus;
Understanding the legacy environment.
The likely winners of the IDm space are hard to predict. On one hand, IBM has emerged as the mind-share leader, according to the other vendors interviewed for this research. Many also believe that Sun represents the biggest challenge to IBM’s crown, with Sun itself declaring the market a two-horse-race after its acquisition of Waveset. Nevertheless, Computer Associates states that its revenues demonstrate its importance in the market, attributing “the majority” of the estimated $450m it generated in 2003 from its eTrust brand to its Identity and Access Management suite. The real dark horse is Microsoft. Because it is the most commonly deployed platform it could easily become the central point of access for any user. By exploiting emerging standards, users could log on to Windows and then simply be granted access to applications on other environments via identity federation. The market is, however, a mix of mature and nascent technologies and will need time to bed down before a clearer picture emerges of who is the overall market leader.
Conclusions
While the market for identity management has grown slowly over the past few years, most vendors believe that it will be the demand for flexible, collaborative ventures that will provide added stimulus. In such scenarios, companies will need to create profiles for more than just their own organizations: they will need to incorporate those of their partners too. A further complication comes with the fact that many partnerships are only temporary, making the need to manage the partner profiles’ lifecycle paramount.
In order to take into account this very model, access control vendors have been working on a number of standards to ensure that the systems and profiles from different vendors can recognize each other. This is vital if web services are to be effective because ensuring security is one of the key difficulties that must be overcome. The standard that most vendors have worked towards is SAML – Security Assertion Markup Language – that translates profiles from one system so that another can read it. Most vendors have already incorporated versions of SAML into the latest release of their solutions, indicating that this could be a prerequisite for any successful product.
Because of the modular nature of this model, interoperability will be the most important factor to successful inclusion in any identity management project. While standards such as SAML help to ensure this to a certain degree, companies must also ensure that their products are easy to integrate with the rest of an organization’s IT setup. In the past products have been dogged by the need for heavy professional services support, with services firms often having to create additional APIs to integrate solutions with numerous applications. As the awareness of total identity management solutions grows, the ability to link easily to as many applications as possible will be a key differentiator. Therefore, vendors should work closely with application vendors to ensure that integration with their solutions is a relatively simple process.
The identity management market is not a single product like a firewall or anti-virus solution, but in reality a series of markets. For a more compelling message, many vendors are looking to build up their expertise in as many areas as possible. While some vendors can claim to have solutions in some, if not all, of the areas highlighted above, few can claim to be best-of-breed in all areas. One way around this is creating partnerships with companies who have gained a reputation in other areas of the portfolio, such as the deal between VeriSign and IBM for managed PKI services and the partnership between Entrust and Waveset to produce secure provisioning administration solutions. It is unlikely that many of the solutions deployed will come from a single vendor (particularly because the emphasis on professional services allows firms to more easily choose best-of-breed solutions). Working closely with a number of solution partners to ensure that each element works as seamlessly as possible with a counterpart from another vendor will convince systems integrators and end-users alike that that solution deserves its place as part of an overall identity management solution.
CHAPTER 8
Enterprise Internet management markets
Summary
The strong growth currently experienced by the enterprise Internet management market will continue, rising from $201m in 2002 to an estimated $679m in 2006, at a CAGR of 36%. The majority of revenues generated in 2003 came from the North American markets (approximately 64%), which is set to grow at a CAGR of 34% between 2003 and 2006 to reach $410m. Growth in Europe and Latin America will outstrip that of the North American market, with EMEA growing the most rapidly at a CAGR of 39%, hitting $181m by 2006. The SME market is expected to grow at a CAGR of 52% between 2003 and 2006 to over $200m, compared to just under $500m for the enterprise market. There is some debate as to whether the EIM market solves a security problem or an efficiency one, but strong growth suggests that organizations see controlling their employees’ Internet activities as a priority. The markets for EIM and content filtering will continue to converge as organizations look to create a more comprehensive content control strategy.
Market overview
The employee Internet management (EIM) solutions markets (previously known as both web filtering and URL filtering solutions) have attracted a great deal of attention over the last few years because they claim to solve one of the key problems associated with providing employees with Internet access. While it may be an important business tool, many abuse their privileges and use this vital business reporting tool inappropriately. There is some debate as to whether the EIM market solves a security problem or an efficiency one, but strong growth suggests that organizations see controlling their employees’ Internet activities as a priority.
Drivers and inhibitors
Drivers
The strong growth previously demonstrated by this market indicates that the drivers for EIM solutions resonate with many IT purchasing decision-makers, despite the downturn in the economy and the subsequent reduction in IT spending. There are three key drivers for the strong growth of EIM:
Conserve bandwidth. Because EIM solutions restrict employee access to non-essential sites, they free up valuable bandwidth. New versions of the solutions look to restrict the use of peer-to-peer applications, which could be used to download large files such as music, videos or games. Investing in an EIM solution could allow an organization to increase the bandwidth available to other applications and could mean that an organization doesn’t have to upgrade its infrastructure to cope with increased demand for new applications.
Prevent employees from accessing undesirable material. Undesirable material generally falls into two categories: material that is likely to cause offense to others or material that is likely to impact employee productivity. In the case of the former, many organizations are extremely worried about potential sexual or racial harassment cases because of the images displayed on their IT screens. Blocking access to sites carrying this material demonstrates an organization’s willingness to prevent such abuses and protect other workers from the actions of a few miscreants. Employee productivity is also a key issue, which is why EIM solutions also allow administrators to block access to sports sites, web email and online gambling and trading sites. Solutions designed to block access to instant messaging solutions are also designed to prevent this form of Internet access abuse.
Avoid Internet-based security risks. Another key problem for organizations that provide employees with Internet access is that they could be downloading viruses or spyware unwittingly, which could then cause damage or confidentiality breaches. The most obvious security threat comes from Internet email attachments that would not be checked by the email virus scanners and can therefore bypass solutions that would normally have removed any threat immediately.
The success of any emphasis on one part of the message over another depends on what is happening in current affairs. If a number of enterprises fire their employees for surfing for pornography then this driver becomes more powerful. Similarly, with the increased emphasis by CIOs on security, the risk mitigation aspects become more pertinent. The drivers are strong in each case but emphasis on one or the other in relation to specific recent events has increased the chances of a successful sale.
Inhibitors
Despite the obvious benefits of EIM, there are a number of important barriers that have restricted the uptake in certain countries and organizations.
Data protection laws. Most EIM solutions are not only capable of blocking access to certain Internet-based resources but also generate reports about the behavior of the Internet users. While in a generic form this can be useful in seeing what sites users typically visit, the solution can also monitor the behavior of individuals, potentially providing employers with information that they do not normally have the right to request such as religious beliefs, sexuality and health status. Some countries, such as Germany, therefore require employee consent before such solutions are deployed, making penetration rates low in these areas.
The Big Brother effect. Employee morale in many industries is at an all-time low because of the pressures caused by the economic downturn and the fears over job security. Many employees are subsequently suspicious of any attempt to monitor Internet activity and may see an attempt to do so as a way of simply building a case against employees for dismissal. EIM vendors recognize this barrier and often warn enterprises against such behavior. Employees who find access to their favorite sites blocked may also consider it a loss of a valued perk. Some organizations blocking access to sports and Internet email sites, for example, have seen dramatic rises in job-seeker sites shortly afterwards.
Market value
By geography
Global
The positive aspects of EIM rather than the potential drawbacks will sway the majority of organizations looking to moderate employees’ Internet behavior. As such, we expect the strong growth currently experienced by the market to continue, rising from $201m in 2002 to an estimated $679m in 2006, at a CAGR of 36% (see Figure 8.19 and Table 8.13). The majority of revenues generated in 2003 came from the North American markets (approximately 64%), although interest in the European and Asia Pacific markets has begun to pick up strongly. As such, growth in these areas will outstrip that of the North American market, with EMEA growing the most rapidly at a CAGR of 39%. Vendors report that while all organizations understand the key benefits of EIM, the importance varies from one geography to another. In North America, employees are seen as more litigious and therefore the fear of being sued for sexual or racial harassment is greater. Similarly, in countries where the economy has been hardest hit by the downturn, such as in Asia, the desire to preserve bandwidth and maximize employee productivity is greater.
Figure 8.19: Global enterprise employee Internet management solution markets 2002-2006 ($m)
[Chart: revenue in $m by year, 2002-2006, for North America, South America, EMEA and Asia Pacific.]
Source: Business Insights
Table 8.13: Global enterprise employee Internet management solution markets 2002-2006 ($m)

| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| North America | 129 | 179 | 241 | 317 | 410 | 34% |
| EMEA | 48 | 69 | 99 | 137 | 181 | 39% |
| Asia Pacific | 18 | 25 | 36 | 50 | 66 | 38% |
| Latin America | 6 | 8 | 12 | 16 | 22 | 37% |
| Total | 201 | 281 | 388 | 522 | 679 | 36% |

Source: Business Insights
Europe
The largest market in Europe is by far the UK, which has been the most mature in terms of accepting the messages and feeling that the barriers are not sufficient to prevent widespread rollout. One of the market leaders, SurfControl, for example, generates approximately 15-16% of its revenues in the UK. Tough employee rights laws have held the German market back and the market continues to advance slowly, while vendors report that other markets such as those in the Netherlands and the Nordics are currently experiencing strong growth. For the moment, most vendors see Eastern Europe as a market for the future, but one that should still be monitored for signs of increased uptake. WebSense, for example, believes that a market exists, particularly in Poland and Russia, but that contract wins have been inconsistent. As such, while the vendor does not actively target Eastern Europe, it has adopted an opportunistic approach. In this region, bandwidth management has been a strong driver because of the limited infrastructure. As with other markets, the integration of many Eastern European nations into the euro zone could see growth increase further.
SME vs enterprise
While there is strong interest from many SMEs for EIM solutions, not surprisingly it is the large organizations that generate the majority of the revenues in this sector (around 78% in 2002). There are, however, EIM solutions targeted at SMEs and it is small organizations that are most likely to benefit from the traffic management capabilities. With filtering capabilities becoming increasingly built into appliances (often providing a number of security functionalities) the market is set to boom as SMEs look to go online to benefit from externally facing network services. As such, the SME sector will grow strongly at a CAGR of 52%.
Figure 8.20: Global enterprise employee Internet management solution market by size of organization 2002-2006 ($m)
[Chart: revenue in $m by year, 2002-2006, for SME and Enterprise.]
Source: Business Insights
By vertical market
While EIM solutions are popular with most organizations with a large number of employees accessing the Internet, there are some verticals for which the benefits are more tangible. The government sector is one, especially because education falls into this category. Naturally, the main aim of Internet filtering solutions in schools is to prevent children from accessing unsuitable material and many school authorities feel that the solutions are a pre-requisite before Internet access is allowed.
Competitive landscape
Three players, SurfControl, WebSense and Secure Computing, dominate the market for EIM solutions. While these operators are currently generating most of the revenues from the sales of such solutions, many have formed OEM partnerships with other security solution providers such as Blue Coat and Cisco, in order to embed their solutions into their security appliances. Overall, these three firms control 70% of the market and will continue to do so for the foreseeable future.
Where the competitors differ fundamentally is in terms of the future direction of the market. While WebSense follows a pure EIM strategy, SurfControl has added email filtering to its portfolio, and both believe that their strategy is the best. WebSense feels that Internet and application management differs from email filtering in terms of process and is happy to allow firms such as ClearSwift and Trend Micro to take leadership positions in the market. While SurfControl is by no means a leader in the email filtering space, it believes that offering both solutions will be important. It argues that what the customer is looking to control is the content that employees can access and send and that, essentially, EIM and email filtering are simply mechanisms deployed to achieve these goals. While the company only generated $9m in 2002 from this market, 15% of sales in Q1 2003 came from accounts where both solutions were deployed in order to complement each other. SurfControl believes that this trend will continue and that failure to recognize this will be costly in the long term.
Conclusions
While EIM solutions currently are primarily used to block access to restricted Internet sites, for many vendors this is only the beginning. New solutions enforce desirable employee behavior at the gateway level but also at the desktop level. WebSense, for example, has developed a client application module that sits on the desktop and prevents undesirable applications from running and employees from accessing CD-ROMs and transferring files using peer-to-peer applications. As such EIM could evolve to cover all aspects of a worker’s IT environment.
One vendor not going down this path is SurfControl, which believes in a more centralized model and intends to confront P2P applications and instant messaging as if they were any other protocol that should be blocked. SurfControl is wary of deploying client-based applications because of the deployment and management issues associated with such a move. This is particularly pertinent as more organizations look to wireless devices to offer connectivity and email. With such a scenario, solutions would also need to be deployed for PDAs and smart phones in order to be 100% effective, whereas if deployed at the gateway level, there would be no need to roll solutions out to cover more devices. It also points out that Microsoft has already moved to provide application control within its desktop operating systems and sees no need to develop solutions to counter this issue.
The markets for EIM and content filtering will continue to converge as organizations look to create a more comprehensive content control strategy. Those vendors who do not currently have capabilities in either space should look to develop them either through acquisition or through partnership. As organizations begin to look to solutions that can be integrated effectively with other elements of the security market in order to provide more comprehensive coverage, as with the threat protection and secure content management models, they will be less favorable to solutions that are positioned as stand-alone and independent.
CHAPTER 9
Network-based intrusion protection systems markets
Summary
The global market for network-based IPS is set to grow at a steady rate of around 19% from 2003 to 2006. By 2006 sales will hit $536m. North America dominated the space in 2003, accounting for 61% of all sales. This region will grow at a CAGR of 18% to reach $310m by 2006 (58% of the total market). The EMEA region will grow at a CAGR of 20% between 2003 and 2006, increasing from $83m to $138m. While Latin America will show the fastest growing CAGR (24%), the region will represent only limited market opportunities, growing from $7m in 2003 to $12m in 2006. Customer testimonials will be vital in convincing a skeptical market that things have changed for the better.
Market overview
The market for IDS (intrusion detection solutions) has gone through a complete metamorphosis in recent years. The term “detection” proved to be too unpalatable for many customers and the phrase has now largely been dropped in favor of terms such as “protection” and “prevention”. Can changing the name for such solutions overcome the many challenges that have so far held this market back?
The vendors in the market say that it has not just been the name of such solutions that has changed, but the technology too. Instead of simply reporting attacks based on consulting lists of known attack patterns, solutions today have added correlation functions and bring together a number of different factors to make more informed decisions. This enhanced capability allows the solution to reduce the number of false positives, which is important in the next stage of development as solutions become more autonomous. An organization will want to be sure that false positives are greatly reduced before it allows any solution to act of its own accord and terminate sessions. There is still, nevertheless, a long way for the market to go before it justifies its title of “the next firewall” in terms of ubiquity.
Key drivers and inhibitors
Drivers
Despite the uncertainties surrounding the market, demand has been relatively strong and interest in such solutions is high. The key reasons for this are:
Added protection. Intrusion protection solutions (IPS) build on the good work that firewall and virus solutions have done but make up for some of their inadequacies. Many hackers understand the limitations of these two most common elements of any security architecture and have geared their attacks to exploiting these failings. Intrusion prevention solutions monitor traffic to ensure that any attacks do not slip the net. This is important as blended threat viruses continue to propagate. In such circumstances, an IPS solution that is fully integrated with an anti-virus and firewall system can do much to reduce the occurrences and impact of such threats.
Reduce administrator workload. While this may be contentious, many vendors say that once the solution is working effectively and the correlation features have reduced the incidences of false positives, an IPS solution can protect the network without the need for human intervention by terminating rogue sessions automatically. This is provided the customer is happy that false positives have been eliminated as much as possible.
A more mature technology. While the problems have been many, intrusion prevention solutions are beginning to reach the “me too” phase of deployment. The technology certainly has had its bugs in the past but the advance in technology should hopefully mean it is no longer a “bleeding edge” application. This should see the solution move beyond its role as simply a cog in the architectures of very security-aware firms such as banks and pharmaceutical firms and more into the mainstream market. This development is greatly helped by moves to add the technology to firewall devices so that the two solutions can work hand-in-hand.
Inhibitors
No matter how much the technology has moved on, there are a number of inhibitors that have dogged the uptake of solutions so far.
Cost. End-user research has revealed that this is one of the key concerns for IT directors with regard to deploying intrusion detection systems. Many companies are interested in seeing for themselves how the technology works and the results that it yields but are put off by the cost in an uncompromising economic environment.
Detection rather than protection. Another problem with the first wave of intrusion detection solutions was that they only pointed out when people were being attacked. Often by this stage it was too late. The solutions also did little to help an administrator deal with an attack. Today, many solutions have automated some of the functions, which can overcome many of these problems to a certain degree. This in turn, however, will be held back by fears over false positives.
False positives. One problem with the technology is that occasionally the solutions analyze perfectly harmless traffic streams and determine that they are harmful. As a result of their “crying wolf” many companies have lost faith in the solutions’ ability to accurately detect attacks and decided that they are not yet mature enough to warrant full-scale deployment. This situation is exacerbated by the moves toward automation. Most organizations will simply not tolerate the idea that perfectly good connections are being terminated because of over-zealous security software.
Management overheads. Another issue that dogged IDS was the demands they placed on systems administrators. Because the solutions generated a large number of alerts, some of which were benign, the administrator needed to monitor their solutions closely and was often left bewildered by the sheer volume of information. While automation seeks to overcome this problem, fears over false positives will keep many solutions in “detection” rather than “protection” mode for the foreseeable future – meaning that the problem will persist for the time being.
Market sizing
By geography
Global
The market for network-based IPS is set to grow at a steady CAGR of around 19% from 2002 to 2006. This is lower than many other predictions for this technology (although previous estimates have tended to be conservative).
Figure 9.21: Global market for network-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
[Chart: revenue in $m by year, 2002-2006, for North America, EMEA, Asia Pacific and Latin America.]
Source: Business Insights
North America continues to be the hotbed of IPS uptake with this market representing around 61% of the market. While this market will continue to grow quickly over the five-year period from 2002 to 2006, other markets will outstrip it, simply because of the lower uptake of such solutions. In the short term, the EMEA market will grow more quickly, as customers look to add to their security architectures in a more meaningful fashion. The US will lead the way with new developments, however, with North American firms likely to be among the first companies switching on protection capabilities.
Table 9.14: Global market for network-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)

| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| North America | 162 | 198 | 237 | 274 | 310 | 18% |
| EMEA | 66 | 83 | 101 | 120 | 138 | 20% |
| Asia Pacific | 32 | 41 | 51 | 63 | 76 | 22% |
| Latin America | 5 | 7 | 8 | 10 | 12 | 24% |
| Total | 265 | 327 | 397 | 468 | 536 | 19% |

Source: Business Insights
Europe
The UK is by far the biggest market for intrusion prevention solutions of all kinds and as a consequence it is the most mature market in Europe for accepting the need for such solutions. While the markets in most countries are growing steadily, Italy has been highlighted as one of the key markets for growth. Most vendors say that in previous years demand from Italy has been high but actual sales were elusive.
SME vs. enterprise
While network-based IPS have been developing for a few years now, the cost of such solutions is still typically too much for smaller customers to afford. Prices continue to fall and this will help stimulate the market – as will the inclusion of IPS features into firewall appliances aimed at the smaller end of the market. Until issues in the enterprise market are solved, however, it is unlikely that the main vendors will actively push SME solutions until they are easier to deploy and monitor. Appliances such as the Proventia solution from ISS and its Nokia-based cousin could point to the future, because such solutions reduce deployment headaches, but that is likely to be some way off in the future.
Figure 9.22: Global enterprise network-based IPS market by size of organization 2002-2006 ($m)
[Chart: revenue in $m by year, 2002-2006, for Enterprise and SME.]
Source: Business Insights
By vertical market
The financial services sector is the most receptive to the use of network-based IPS (NIPS). The desire to improve security at all times makes financial services firms the most security-aware and vendors report that banks, insurance firms and financial markets institutions are always looking to test the latest technology in an attempt to stay one step ahead of potential threats. Network-based IPS fall neatly into this category so it is no surprise that most vendors find that financial services is the largest sector in terms of sales.
Another reason for the strength of financial services sales is that these firms accept that new technologies are likely to be slightly flawed and they are happy to test the technology in-house and see where it can be best deployed. As such, FS firms with dedicated security resources are quite capable of handling the security alerts and initiating the appropriate escalation procedure. After the large manufacturing organizations (including pharmaceuticals), the government sector has become increasingly interested in deploying N-IPS, particularly in the US as part of the Homeland Security initiative.
Competitive landscape
The network-based IPS market has seen a few changes in terms of the companies competing in this space. While Cisco and ISS continue to be the leading players in terms of revenues and shipments, a number of acquisitions from new and existing vendors should see the market change quite considerably. Symantec, for example, was struggling to stay in the market with its previous N-IPS solution, until the acquisition of Recourse, which gave it a solution that is well thought of by many industry experts.
New joiners to the market include NetScreen, with the acquisition of OneSecure and Network Associates, with the addition of IntruVert to its portfolio. These two solutions should begin to compete effectively with the other market leaders as they form part of a coordinated threat protection plan. NetScreen can leverage its rapidly growing firewall base and Network Associates its enormous anti-virus base. By positioning the solutions as complementary to previous offerings, the two companies can instantly establish themselves as major players. This is provided, of course, that the technologies they have invested in can stand toe-to-toe with the competition and that the solutions are positioned effectively. Both companies have, however, seen a significant level of interest from their customer bases and are looking to take on the leaders.
Another area of competition is in the high-speed N-IPS market, which for a long time has been where the Dragon solution from Enterasys has been dominant. In response to this, however, companies such as Cisco and ISS have invested heavily in increasing the throughput and scalability of their solutions and Cisco in particular should be able to take advantage of its installed base. Previously even this wasn’t enough for high-capacity customers because they were concerned over speed issues but engineering changes from Cisco and the release of more high-end solutions should correct this imbalance.
Conclusions
The problems surrounding the technology are well known, and with more “predictive” and “analytical” capabilities being built into anti-virus, content filtering and firewall solutions, the problem of false positives is going to continue to plague clients. Given the effect on the mass-market uptake of IDS, this could be a serious problem going forward. Most systems integrators and threat management solution vendors do not believe that customers will switch to prevention in the short term because the new solutions have not been effectively tested. Most vendors share this view. Network Associates, for example, expects a three- to six-month gap between companies deploying IPS technology in detection mode before flipping the prevention-mode switch, until the market establishes itself.
Whether or not this will be enough to stimulate the market is not known. With numerous reports of customers trialing IDS solutions and then rejecting them because of the workload and false positive issues, vendors will have to persuade disillusioned customers that the problems that forced them to shelve proposed plans for rollout have been solved. This would mean that moving to protection from detection might not be the main problem – but that it might be convincing customers to retry a technology that they have already rejected.
Customer testimonials will be vital in convincing a skeptical market that things have changed for the better. These testimonials should focus on the problems that customers had with earlier IDS solutions and then detail how those customers’ perceptions of the technology have changed. This should resonate with customers who have tried IDS before and found the solutions wanting. It would also be refreshing for customers to see that vendors are prepared to admit to problems with earlier versions of their technology but that they have worked with their customers to iron such problems out. The move away from the term “detection” is a positive step because the end-user community has largely rejected this notion.
One area that has already been touched on has been the threat protection model. The failed deal between Network Associates and ISS demonstrated that both parties feel that there is a natural synergy between anti-virus and intrusion protection solutions, particularly in light of blended threat viruses such as Nimda and Code Red. The two solutions will continue to merge with application-level firewalls until it will be increasingly difficult to separate the two. As such, while many N-IPS solutions are currently to be found at the perimeter, it is likely, as with firewalls, that N-IPS sensors will be increasingly found within the network, and particularly surrounding the more sensitive areas of the network. Such solutions will either be small, stand-alone devices or an IPS option on an application-level firewall.
CHAPTER 10
Host-based intrusion protection systems markets
Summary
The global market for host-based intrusion protection products and solutions will grow at a CAGR of 20% between 2003 and 2006, reaching $186m by the latter date. The North American market will outstrip the rest of the markets to 2006 because US and Canadian firms are more receptive to the latest security technologies than their counterparts in the rest of the world. The North American market is set to grow from $69m in 2003 to $128m in 2006, a CAGR of 21%. The EMEA region market opportunity is set to grow from $19m in 2003 to $35m in 2006, a CAGR of 20%. Asia Pacific growth will match that of the EMEA region growing at a CAGR of 20% to hit $19m by 2006 (up from $11m in 2003). Vendors should make their solutions as modular as possible to ensure that they can work effectively with complementary solutions from a number of vendors.
Market overview
The market for host-based intrusion protection solutions (H-IPS) is diverse and incorporates a number of different technologies. Overall, however, such solutions are designed to detect, prevent or overcome unauthorized changes to core elements of the infrastructure such as changes to operating systems, router configurations and web sites. H-IPS has long been seen as the little brother to network-based IPS (N-IPS) and, certainly, vendors that also make N-IPS solutions lead the market. H-IPS will always be associated with N-IPS as part of a layered threat protection model. As this model grows, so will the market for H-IPS.
Key drivers and inhibitors
Drivers
The market for H-IPS is relatively small compared to its predecessor but awareness of such solutions is growing, particularly in light of relatively recent acquisitions by major security vendors such as Network Associates and Cisco. The drivers for host-based intrusion prevention are:
Targeted security. While many solutions are designed to generically block random attacks, host-based solutions can be deployed on the most important servers to ensure that the most sensitive, critical areas of the IT system are protected.
A more holistic view. The reason why host-based IPS are often sold as part of an overall IPS solution is that together the solutions give system administrators a more complete view of the system and ensure that alerts will be sent to the administrator no matter which area of the network is attacked.
Prevention not just detection. While network-based solutions often just detect intrusions or changes, host-based solutions often block or prevent serious damage from attacks. Entercept’s solution, for example, allows users to lock down key servers and alerts administrators after an attack has been foiled. Tripwire’s change management solution monitors file changes and keeps copies of how the configuration files should look. Should an unauthorized change occur, not only will the administrator be alerted, but they can also easily restore the configuration file to its original state.
Inhibitors
Cost. As with any new technology, the cost of the solution has to cover not only the price of producing and distributing the solution, but also represent a return on R&D investment. While covering a few servers is often not excessively expensive, a company with a large number of servers can see the cost jump enormously.
Awareness. While the world continues to learn about the potential of network-based detection and protection, so far host-based solutions have received very little press. As a result very few companies will specifically request them. This tends also to push such solutions down the list of priorities because even when a company hears about a new solution, it will only be deployed after the other solutions on a company’s security wish list are in place.
Market sizing
By geography
Global
As with any new security market, the North American market is by far the biggest, representing almost 70% of all revenues for 2002 (see Figure 10.23 and Table 10.15). Because of market education issues, the technology has so far only penetrated a small minority of the organizations who will take it up over the next five years. As such, the North American market will outstrip the rest of the markets to 2006 because US and Canadian firms are more receptive to the latest security technologies than their counterparts in the rest of the world. The European market will still see strong growth as firms look to add to their investment in complementary solutions such as N-IDS. The market will begin to develop much later than in the US, however, because typically H-IPS follows an N-IPS implementation and the EMEA market still has a way to go before it is mature enough for the next stage.
Figure 10.23: Global market for host-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
[Chart: revenues in $m by region (North America, EMEA, Asia Pacific, Latin America) for 2002 to 2006.]
Source: Business Insights
Table 10.15: Global market for host-based intrusion detection & prevention solutions for enterprises 2002-2006 ($m)
($m)             2002   2003   2004   2005   2006   CAGR
North America      59     69     84    103    128    21%
EMEA               17     19     23     28     35    20%
Asia Pacific       10     11     13     16     19    20%
Latin America       2      2      2      3      4    18%
Total              88    101    122    152    186    21%
Source: Business Insights
Europe
Because the European market is relatively small (only $16.3m), it is impossible to break revenues down to a country-specific level. Needless to say, the Northern European markets are more lucrative despite the fact that the potential market is smaller. The UK & Ireland markets represent around a quarter of the European revenues thanks to the UK market’s greater acceptance of both the network-based IPS and threat protection models. As with many new security technologies, UK firms are more culturally inclined to test and deploy new solutions in a bid to build more effective security architectures. The central European markets of Germany, France and Benelux are slightly behind on the technology-acceptance curve but are driven by the large European financial services institutions. The southern European markets, although relatively small, are still significant and Italy in particular continues to see growth.
SME vs. enterprise
The typical client for a host-based solution is a security-aware organization that has already invested in a number of elements of the threat protection model. Most SMEs, sadly, do not fall into this category. This means that the SME host-based market is unlikely to represent more than 15% of the market (see Figure 10.24). The market is set to grow relatively quickly, but from a smaller base and is likely to come as part of an overall, SME-customized threat protection solution. This model itself is unlikely to emerge for a few years and as a result the SME market over the next couple of years is unlikely to yield significant revenues.
Figure 10.24: Global enterprise host-based IPS market by size of organization 2002-2006 ($m)
[Chart: revenues in $m for Enterprise and SME segments, 2002 to 2006.]
Source: Business Insights
By vertical market
As with the N-IPS market, host-based solutions are currently being deployed mostly by very security-conscious firms. The financial services market in particular has been a driving force behind many installations, as security professionals look to bolster already impressive architectures. Governments too are looking to add to their defenses in light of worries over cyber-terrorism and it is little surprise, given the symbiotic relationship between the two solutions, that uptake of H-IPS is almost identical to that of N-IDS.
Competitive landscape
The key players in the N-IPS market are also strong in the host-based sector as they look to round out their portfolios to create a more complete intrusion protection offering. While Symantec has so far struggled in the N-IPS space, its host-based offering is seen as best-of-breed and together with ISS represents a significant proportion of the revenues in this area.
Entercept Technologies was a dominant force thanks to its OEM agreement with Cisco, which saw its solution partnered with Cisco’s network-based technology. The collapse of this agreement saw Cisco acquire Okena (announced in January 2003). This gives Entercept (and subsequently the company that bought it, Network Associates) a strong base from which to grow. What will be interesting to see is how successful NAI and Cisco are at cross-selling their competitive solutions to each other’s customers. Cisco has brand loyalty, given its dominance of the router market, and is a more important player in the network space, but Network Associates is much stronger in the software space.
Okena represents a departure for Cisco, which has so far shied away from providing end-to-end security (aside from VPN clients to the desktop) while NAI is already a giant in this market and can leverage its huge installed base of anti-virus solutions. This is certainly one piece that Cisco cannot claim to offer, except through partnerships. This could be crucial given the importance of anti-virus in combination with intrusion prevention at the heart of the threat protection model. Cisco does, however, have the other part of the equation: a best-selling firewall solution. Network Associates gave up this part of the puzzle with the sale of its under-performing Gauntlet range to Secure Computing back in February 2002.
While Symantec will be hoping that the Recourse acquisition will allow it to compete more equally with its rivals, the one market maverick is the change management specialist Tripwire. Tripwire’s solution sits uneasily in the H-IPS space (although it is difficult to see where else it fits) and benefits from the fact that it doesn’t try to be part of an overall threat protection solution. As such, Tripwire complements many of the other solutions, rather than trying to compete with them directly.
Conclusions
The main problem for this most enigmatic of markets is that very few potential customers see it as a stand-alone solution. This is echoed by the experiences of companies such as ISS who very rarely sell H-IPS as a stand-alone solution. By its very nature, H-IPS are destined to form part of an overall solution rather than emerge as a separate market in their own right. This is not a bad position for the technology because N-IPS solutions will appear deficient without it. Certainly in a market saturated with FUD (fear, uncertainty and doubt) it will be relatively easy to discount such offerings because of the backing of most of the other vendors of this model.
Host-based solutions will, nevertheless, grow in popularity because of their ability to be specifically applied to individual servers. Because most models are based on a per-sensor model, companies with limited budgets can focus their efforts on the most important applications and ensure that they can be monitored more closely. The host-based side will grow in popularity because the marketing messages of the major vendors all now state that an end-to-end, multi-layered solution is what is needed to protect against threats. This leaves little traction in the market for companies that opt for a single-element strategy.
While all vendors will look to push their solutions as a single solution in order to maximize the revenues from a single customer, they should understand that any elements they sell will mostly end up as simply one part of an over-arching threat protection solution. While the synergies between host- and network-based IPS have been highlighted, it must also be noted that IPS and anti-virus systems are converging. Add to this the facts that application-level firewalls have introduced many aspects of intrusion prevention and that anti-virus vendors are bringing personal firewall solutions to servers and desktops and it becomes clear that to cover all potential areas, a patchwork of systems needs to be deployed.
As with other modular solutions, the debate will continue to rage as to which will dominate: a ‘one-stop shop solution’, with as many parts as possible from a single vendor or a model based on buying the best-of-breed for each solution. While history would favor the best-of-breed approach, customers are more than ever concerned about reducing management overheads and increasing interoperability and ease of installation. There is no doubt that buying from a single vendor will ease these problems (although because most parts of the equation will come from acquisitions, the integration is unlikely to be seamless).
The message is clear: companies should make their solutions as modular as possible to ensure that they can work effectively with complementary solutions from a number of vendors. With a model requiring so much inter-product cooperation this is a necessity. H-IDS vendors should also ensure that their solutions are compatible with the growing number of threat management / event correlation solutions. As the threat protection model is adopted by more and more organizations, the need to effectively manage each piece grows. Because H-IDS are effectively a spoke in a much larger wheel, vendors must ensure that they can be monitored by as many threat management tools as possible.
CHAPTER 11
Enterprise PKI markets
Summary
The global market for PKI products will grow at a CAGR of 8% between 2003 and 2006, to hit $129.7m. North America accounted for just under 50% of the market in 2003, and will continue to do so through to 2006. The North American region will grow at a CAGR of 7% between 2003 and 2006, reaching $64.7m. EMEA sales will grow at 7% CAGR to reach $48.8m in 2006, accounting for 38% of the market. Asia Pacific will grow the fastest, at a CAGR of 9%, to reach $13.6m by 2006. One of the most important recent developments, certainly in the enterprise authentication space, was the push of Microsoft’s PKI with the release of Windows Server 2003. Vendors should work closely with Microsoft to ensure not only that their solutions are fully compatible with the Microsoft PKI but also that customers looking for a more externally facing PKI can migrate easily to other vendors’ platforms.
Market overview
What was once hailed as a multi-faceted security wonder has turned out to be too complicated for its own good. A few years ago many predicted that public key infrastructure (PKI) revenues would rise dramatically as end-users looked to take advantage of the ability to harness strong authentication, encryption and non-repudiation capabilities. The truth is that vendors have been unable to convince most organizations that there is a real need for the solution and the costs associated with purchasing, implementing and running a PKI solution have dissuaded those with a casual interest.
Despite this, there is still a market for PKI – with a number of organizations willing to overcome the inherent complexity in order to take advantage of the unquestioned capabilities of PKI. As such, a series of individual PKI markets have emerged, each of which displays a number of unique characteristics. These include:
Enterprise authentication. Although this market is small, a number of organizations still look to provide their employees with PKI (often stored on smart cards or USB tokens) as a form of strong authentication. Examples of organizations that have looked on PKI favorably for these deployments have been the central government in the UK and a number of banking institutions.
Public authentication. One of the key deployments for PKI recently has been with governments looking to roll out smart card-based national identity or benefits schemes. Typically any identity or benefits card issued will have a digital certificate embedded in it in order to allow governments to offer citizens a number of electronic services. This is designed to improve the number of services for voters and reduce the cost of doing so for local and central government. Another way in which PKI is being deployed by governments is to secure online tax payment schemes. Because the digital certificates created by PKI solutions can be used to digitally sign submitted tax forms the process is legally binding and is a more cost-efficient way of ensuring that taxes are paid.
Transaction infrastructure. While the bursting of the dot.com bubble has held the business-to-business model back somewhat, a number of banking institutions still look to PKI as a means of allowing customers to pay directly for goods and services from their bank accounts. Here PKI would represent the security infrastructure, allowing for strong authentication, encryption and non-repudiation. The banks would effectively create user communities that retailers could sign up for and the banks would incentivize by charging them less than the current credit card handling charges of around 2%.
Drivers and inhibitors
While there are a number of good reasons why an organization should invest in PKI to protect its eBusiness and IT investment, the uptake has so far been slow and even declined over the last year. This section discusses both the important drivers for PKI uptake and some of the powerful inhibitors.
Drivers
Strong authentication. One of the main uses for PKI is to create digital certificates, which can in turn be used to identify a user to a system. Because software tokens are relatively easy to issue (if carefully considered) organizations look to PKI as a means of providing one form of authentication that can ensure secure access to a number of different solutions.
Non-repudiation. In order for contracts to be valid, there has to be a way of proving that both parties agreed to the conditions of the contract in case of dispute. Because parties can digitally sign their actions and because these signatures carry legal recognition in many countries and US states, contracts can be created electronically. Therefore PKI can facilitate electronic trade by making it easier to avoid disputes in an area where there are many legal gray areas.
Web services. One potential driver for the future is web services. The WS-Security standard has been designed to offer security to protect the web services infrastructure and to ensure that only authorized parties carry out web services transactions. PKI is at the very heart of WS-Security thanks to its strong authentication and non-repudiation capabilities and as the model for collaborative web services grows, so theoretically will the uptake of PKI as a means of securing these projects. Microsoft is even quoted as saying that it cannot imagine how the market for externally facing web services can succeed without PKI.
Inhibitors
Cost. While the cost of PKI has been reduced, and new models, such as renting PKI from a managed services provider, have been introduced, the cost of buying, integrating and managing a PKI cannot be justified by many customers.
Complexity. Part of the problem of cost comes with the complexity of PKI. Firstly, it is often very difficult to integrate PKI with many existing applications. Often PKI projects that should have taken a few months to implement ballooned in scope because the integration work was more complex than was anticipated. Secondly, it can be difficult to manage hundreds or thousands of digital certificates over their lifetime and the management overhead of doing so again adds to the overall cost of the solution.
Supporting infrastructure. Another problem that emerged when PKI implementations were carried out was how to securely store the certificates. If they were to become portable and were to be stored securely, companies typically needed to install extra solutions, which added to the complexity and cost of the final solution. The most common means of carrying this out was through the use of smart cards – but smart cards require separate readers in order to interface with an IT system. It is through this means that much of the extra cost arises, because smart cards in themselves are typically not expensive to deploy. Another means is through USB tokens, which do not require additional infrastructure.
Lack of a clear need. One of the most common accusations leveled at PKI is that there is no real need for the technology. Many customers have struggled to justify the cost of an implementation because they do not feel that the benefits of doing so warrant such an investment. While PKI vendors have tried to overcome this problem by looking to offer PKI as a means of securing a number of applications such as remote access VPNs and portals, they have so far done so with limited success.
Market sizing
By geography
Global
While North America is the largest market, the EMEA sector (and the European market in particular) is also an important market for PKI with many major implementations (particularly in the public sector and financial services spaces). The slowdown in overall demand will lead to a decline in overall revenues from 2002 to 2003 (see Figure 11.25 and Table 11.16). This is not, however, expected to be as significant as from 2001 to 2002, as vendors begin to stabilize their revenues. The Asia Pacific market will remain relatively stable as vendors have reported slowly increasing demand in this region.
Figure 11.25: Global enterprise PKI markets 2002-2006 ($m)
[Chart: revenues in $m by region (North America, EMEA, Asia Pacific, Latin America) for 2002 to 2006.]
Source: Business Insights
Table 11.16: Global enterprise PKI markets 2002-2006 ($m)
($m)             2002    2003    2004    2005    2006   CAGR
North America    48.5    47.5    49.4    54.4    64.7     7%
EMEA             36.8    36.5    38.3    41.7    48.8     7%
Asia Pacific      9.7     9.8    10.4    11.5    13.6     9%
Latin America     1.9     1.9     2.0     2.2     2.6     7%
Total            96.9    95.7   100.1   109.8   129.7     8%
Source: Business Insights
Europe
The overall European market has seen a number of successful engagements, particularly in the government sector, where initiatives are in place to trial or roll out PKI-based national identity card initiatives, online government services or tax schemes to citizens. Such schemes have been rolled out in most European countries and represent a significant source of revenues for vendors who are selected. The number of potential implementations, however, limits the overall addressable market. The enterprise market has not been particularly strong in any country although acceptance is slightly higher in Germany, the UK and the Nordics. Italy has continued to grow as an important source of revenues as government initiatives to secure business-to-business eCommerce have pushed PKI to the forefront.
By vertical market
Certain key vertical markets have adopted PKI more readily than others. The government sector, for example, is the leading vertical in terms of uptake in 2002, with many governments looking at PKI as a means of providing both employees and citizens with digital certificates as a means of strong authentication. The desire to use this form of authentication to back up key eGovernment initiatives means that this sector generated the largest slice of PKI revenues in 2002. Entrust, for example, generated over half of its 2002 revenues from the public sector (although not all of this was PKI license revenues).
The financial services sector has also looked at PKI for similar deployments, offering PKI to employees as well as looking at it as a means of providing transaction infrastructure to business and consumer customers alike. Banks in the Nordic region, for example, have looked at the potential of PKI as a means of providing direct payment from customer accounts. This has the benefit of bypassing traditional payment schemes such as credit cards in order to retain as much of the transaction value as possible, instead of losing a few percent to the likes of Visa and MasterCard.
Competitive landscape
The leading vendor of PKI solutions in terms of overall revenues was Entrust, generating around one third of the total, global PKI license revenues in 2002. One reason for Entrust’s stronger position has been its continued relationships with the government sector. Indeed, its focus on this and the financial services sector has given it a number of important reference sites that it has been able to leverage.
VeriSign is the next most important vendor with license sales backed up by its strong services capability and its dominance of the certificate authority services. Its partnership with IBM has seen it become the preferred vendor in terms of handling the certificate issuance side of any IBM PKI deployment and IBM has in turn started to migrate its own Tivoli PKI customers across to VeriSign.
Other vendors who have suffered with the decline of PKI have been Baltimore and RSA Security. Baltimore has been worse off because it has less of a portfolio to fall back on in comparison. Certainly, however, sluggish growth in the web single sign-on market has restricted the revenue potential of both organizations.
Possibly the most important development, certainly in the enterprise authentication space, is the renewed push of Microsoft’s PKI with the release of Windows Server 2003. Many PKI vendors and those offering supporting infrastructure solutions see the rollout of a more advanced PKI solution in Windows 2003 as an important means of improving the overall perception of the technology. By increasing its focus on the technology, vendors hope that once the Microsoft marketing machine has convinced enterprises of the benefits of deploying PKI in their organizations, the clients will then look to roll PKI out to more platforms than just Windows-based solutions and will look to use digital certificates for external solutions such as partner extranets and external web services.
While many of the PKI vendors say that they do not see the PKI in Windows 2003 as a threat, some of the vendors of periphery solutions such as smart cards, USB tokens and hardware security modules (HSMs) say that Microsoft is already a leading provider of PKI. HSM vendor nCipher, for example, rates Microsoft’s as one of the most widely deployed solutions, while Rainbow counters claims by some vendors that the solution is not one for the high-end market by conducting implementations for governments and projects with more than 5,000 users.
Indeed, Microsoft states that the claim that its PKI will only be deployed in Windows-based environments, leaving the PKI vendors to clean up in multi-platform environments, is mostly FUD (fear, uncertainty and doubt). With security decisions increasingly being taken at higher levels within the enterprise, a strong marketing push by Microsoft could see it enter the markets that the PKI vendors believe to be safe.
Conclusions
There is little more that PKI vendors can do to ensure that revenues grow rather than continue to decline. Certainly the alliances with professional services firms such as VeriSign’s with IBM Global Services will continue to ensure that should the need for PKI arise, there will be integrators that offer their full support. The decline in license revenues has been countered somewhat by the growth in services, which will be important for the future of PKI vendors’ revenues.
With web services clearly a key stage in ensuring the future of PKI as an enterprise technology, vendors must ensure that they can work together with a variety of organizations to create trusted web services environments. This is particularly important with regard to Microsoft’s push to promote PKI. Windows-based PKI will do a great deal to raise awareness of such solutions and increase the use of digital certificates for enterprise authentication. Such PKI is, however, only suitable for use within an individual enterprise because it is unlikely that digital certificates generated internally will carry as much weight as those generated by trusted third parties. As such, vendors should work closely with Microsoft to ensure not only that their solutions are fully compatible with the Microsoft PKI but also that customers looking for a more externally facing PKI can migrate easily to other vendors’ platforms.
CHAPTER 12
Enterprise security management tools markets
Summary
The global market for enterprise security management tools will grow from $485m in 2003 to just under $1.1bn in 2006, a CAGR of 30%. The EMEA and Asia Pacific regions will see the fastest growth (CAGR 31%) through to 2006. The EMEA market for enterprise security management tools will grow from $125m in 2003 to $297m in 2006. The Asia Pacific market will more than double between 2003 and 2006, making a $120m market opportunity. It remains unclear who will succeed in this market but the threat protection and network management vendors are most likely to be the top solution providers in this space.
Market overview
The security management tools market can be subdivided into two distinct categories:
Policy and configuration management solutions;
Threat management solutions.
The market for policy and configuration solutions is in some ways already a mature market, with a number of vendors providing solutions to manage a number of security solutions in their portfolio. Examples include Cisco’s CiscoWorks VPN/Security Management solution or ISS’s SiteProtector. Most of these solutions only manage the configuration of solutions within that vendor’s portfolio, while others can also manage select devices from third parties, such as SiteProtector or Nokia’s Horizon Manager.
There are even firms who develop management platforms but don’t provide solutions for that area. BMC for example provides a third-party management tool for both Firewall-1 and Cisco PIX, while Intercede allows managers to more effectively deploy and manage a variety of authentication / identification solutions including smart cards, PKI and tokens. Often third parties are more easily managed if the management vendor forms a developers’ partnership or works closely with specific operators in order to create APIs to link solutions more seamlessly with the management console.
Key drivers and inhibitors
Because this market contains a number of different solutions that are difficult to compare, the drivers and inhibitors will refer to individual sub-markets. These will be denoted by (PCC) for policy compliance and configuration tools and (TMS) for threat management solutions.
Drivers
There are a number of important drivers for the security management tools market that should see the uptake of solutions grow relatively quickly over the next five years.
Comply with legislation and avoid fines (PCC). One of the key drivers for policy
compliance is that it can be configured to ensure that organizations comply with internal market regulations or with specific laws. This can be vertical-specific acts such as HIPAA or Gramm-Leach-Bliley (GLB) in the US or data protection acts that can be found across much of the world. Many policy compliance vendors such as NetIQ and Symantec also sell modules for specific laws to help companies even further.
Ensure information confidentiality (PCC). Companies don’t want to ensure privacy
just to comply with laws: if sensitive information is leaked out about customers and the leak is publicized, the commercial impact on the business could be disastrous. Because many business relationships are built on trust, once this trust is gone it
148
TLFeBOOK
would be extremely difficult to reestablish. The best solution is to avoid the leak in the first place.
Centralized management point (PCC & TMS). The benefits of moving to a
centralized structure are that management overheads can be reduced and time can be saved to devote to other critical tasks. This applies to both the configuration and threat management solutions because without such products an administrator would typically have to deploy a number of consoles for each of the devices in the system.
Holistic view of security (TMS). One problem with point solutions by themselves is that they can typically only provide a certain level of information on the security state of play. Threat management solutions bring a number of alerts from a series of different systems together, allowing the information to be cross-referenced. Theoretically, this means that a more accurate picture of an attack can be formed. When third-party, external threat information is taken into account, a threat management solution can compare potential threats to the situation within the network and see whether the organization is adequately prepared should a specific attack strike. Companies can then prioritize patching and security device configuration more effectively.
Inhibitors
While there are a number of powerful drivers for security management tools, the market is still relatively immature and there are a number of obstacles that vendors must overcome first.
Flexibility (PCC). One accusation leveled at security solutions is that they can sometimes limit legitimate business practice because the rules set can be too rigid. While this is obviously an advantage should the employee attempt to do something that is illegal, if they alone are allowed to perform a certain task then an exception may need to be created for this individual. This can take time and the potential delays can be frustrating for the employees concerned. To plan for all eventualities would take a long time indeed and consequently most solutions are configured to apply to the majority of cases.
Lack of common standards (PCC & TMS). The effectiveness of configuration tools and threat management solutions depends on the number of solutions that they can effectively manage. Because the market is immature, the solutions available typically only deal with a few select devices and applications. While often these are the best-of-breed solutions or those most commonly found within the organization, it is inevitable that until more solutions are added there will be some gaps. Adding new devices is, however, complicated because there is no common standard for alerting and configuring solutions. This means that vendors must develop separate APIs.
Professional services friendly (TMS). Because threat management solutions need to be effectively configured and set up, the integration work needed to get everything working properly can add to the overall cost of the solution. While organizations with a large number of devices will benefit the most because they get a more complete picture they will also face the longest implementation times.
Lack of integration with existing systems management solutions (TMS). Currently, most solutions are effectively stand-alone and do not come as part of an overall systems management solution. While there is some debate in the vendor community as to whether this is a desirable feature or not, on balance, more enterprises agree than disagree that enterprise management and security management should be part of the same solution.
Market sizing
By geography
Global
While the North American market is again the one that will generate the most revenues, vendors report that sales in EMEA have been stronger than expected. As a result, while this region only represents 27% of global revenues at the moment, the future is bright. European firms have recognized the many benefits of security management tools and while North America should see higher growth rates than other regions during 2003, EMEA will grow more quickly over the next five years. EMEA will grow at a CAGR of around 31% from 2002 to 2006, compared to 30% in North America (Figure 12.26 and Table 12.17).

Figure 12.26: Global enterprise security & threat management markets 2002-2006 ($m)
[Chart: revenues in $m by region (North America, EMEA, Asia Pacific, Latin America) for each year from 2002 to 2006]
Source: Business Insights
Table 12.17: Global enterprise security & threat management markets 2002-2006 ($m)

| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| North America | 226 | 306 | 402 | 515 | 639 | 30% |
| EMEA | 100 | 125 | 165 | 223 | 297 | 31% |
| Asia Pacific | 41 | 50 | 63 | 85 | 120 | 31% |
| Latin America | 4 | 4 | 5 | 7 | 10 | 27% |
| Total | 371 | 485 | 637 | 832 | 1,066 | 30% |

Source: Business Insights
Europe
The European market for security management tools has grown at a steady rate, with most systems integrators and VARs saying that among large organizations solutions designed to reduce complexity, improve analysis and quicken any response are highly sought after. Firms in the UK & Ireland and Germany are particularly keen on reducing their overheads after strong investments in other security technologies. The Nordic market is also strong in this respect. Because these three markets typically have higher penetration rates than the other sectors for other security solutions, there is more of a need for tools with which to manage them.
By vertical market
Security management tools appeal to any organization that has typically deployed a large, complex infrastructure and is focused on reducing the cost of supporting this architecture. As such, while the desire to form a more complete threat protection & management solution going forwards is driving uptake among the so-called “security elite” (financial services, government, telecoms & pharmaceutical firms), large manufacturing organizations are also looking at security management tools as a means of reducing the cost of securing their networks. In 2002, firms in the manufacturing, extraction and services industries spent over $100m on security management tools. The financial services sector is still, nevertheless, the most important individual market for these solutions in terms of revenues, accounting for almost 30% of the market.
Competitive landscape
The analysis for this particular market must focus on the fact that it incorporates two (arguably three) different markets. Nevertheless, many of the competitors in each individual market have an offering in the other. The security solution or security element management market is currently the largest. As previously documented, many solutions currently on the market only manage the other solutions within that vendor’s portfolio. There are certain exceptions when it comes to arrangements between vendors and third parties, however. Nokia, for example, offers appliances that have firewall capabilities from Check Point and Intrusion Protection solutions from ISS. With its Horizon Manager product, Nokia can manage updates and the configuration of both of these solutions, by virtue of the fact that these solutions are based on Nokia’s IPSO secure operating platform.

The compliance management market is a relatively new market but is designed to translate into software what was previously only available in written form: a company’s security policy. While many products vary in scope, they all share the same basic mechanisms – the solution compares employee or system activity with a list of agreed rules and acts to enforce these rules. Symantec and NetIQ are two of the leading vendors in this space at the moment, with IBM Tivoli’s Privacy Manager also a significant product in this market. The most successful firm in this market will be the one that makes it easier for companies to get to grips with how policies and everyday business practices meet. While a strict policy may seem like a good idea at the time, if an organization later discovers that it prohibits perfectly legitimate business practices, it will become frustrated. The exception to this comes with legal requirements. By adding modules to allow organizations to meet mandatory requirements such as the HIPAA and GLB pieces of legislation, NetIQ and Symantec have demonstrated the need to help translate theory into a practical application.

The threat management market is also immature and solutions are emerging and changing constantly as the competitive landscape takes shape. The competitors are likely to emerge in three key areas:
The threat protection space. Vendors such as Symantec and ISS now, and in the future companies such as Nokia and Network Associates, will look to add increasing management capabilities to their own threat protection solution portfolios. Because many of these companies have grown to realize the modular nature of such solutions (clients rarely have a single solution of components from a single vendor), they have begun to draw in information from third-party solutions.
The network management space. Companies with strong backgrounds in network management such as IBM Tivoli and Computer Associates are also looking to dominate this market following success in the wider network management field. While Tivoli and CA have their own solutions in this area, Hewlett-Packard (another dominant network management solution vendor with its OpenView product) has chosen to partner with vendors such as Bindview and eSecurity to build security modules into its network management platform. NetIQ is another important player in this market.
Independents. This category covers a number of smaller companies whose products tend to focus squarely on these areas. The lack of competency in other areas, coupled with a lack of size and brand image, are significant hurdles for these companies to overcome as many companies may be looking at threat management as an adjunct to a network management solution or to complete a threat protection architecture. Companies in this field include eSecurity, CONSUL Risk Management and netForensics.
It remains unclear who will succeed in this market but the threat protection and network management vendors are most likely to be the top solution providers in this space. Because of a lack of brand awareness, many solutions are likely to be restricted to their early customer successes unless they can form durable partnerships with other companies looking to offer solutions in this market. A good example of this is HP.
Conclusions
The market is relatively new and it is difficult to predict at this stage what direction it is likely to take. One means by which companies are likely to compete in the future is through features, and one way that vendors can achieve this is by partnering with as many security solution providers as possible to ensure that alerts and other information from their products can be read by the threat management vendor’s offering. This puts the smaller players at a disadvantage in one way because they will have less scale with which to cope with the engineering challenges this creates. They will, however, be at an advantage from a competitive point of view. Some vendors may not extend full cooperation to solution providers that they compete with in other markets – automatically limiting the number of devices they can support.

Another potential future scenario for security management tools is the merging of the various subsets of this market. This is most likely to occur between threat management / event correlation and security configuration solutions. In this way, as described earlier, a company will be able to respond immediately to any potential attacks. A third element to this would be a service capability, whereby information on new threats could be pushed to administrators based on the security set-up in their network. When this is combined with a scan of the vulnerabilities within the system, an administrator will instantly know the likely impact of any attack on the network and be able to respond appropriately. This model could represent the future of security management.

Realizing this model is, nevertheless, only a distant goal for many vendors and a great deal of work must be done in the meantime. Vendors in this space should look to create as many partnerships as they can to ensure that they can provide as many elements of the threat protection model either themselves or through partnership. Because the threat protection model is likely to be highly modular, a partnership / alliance model is likely to yield the most success.
CHAPTER 13
Enterprise vulnerability assessment markets
Summary
The global enterprise vulnerability assessment market is set to grow from $344m in 2003 to $606m in 2006, a CAGR of 20%.
The North America region will offer a $381m opportunity by 2006 (up from $217m in 2003), accounting for 63% of the vulnerability assessment market.
EMEA will grow at a CAGR of 21% reaching $142m by 2006 (up from $78m in 2003). It will account for 23.4% of the market by 2006.
Asia Pacific will match EMEA growing at a CAGR of 21% to reach $72m by 2006.
VA vendors should look to build VA reporting capabilities into the rest of their solutions and create proactive, intelligent threat assessment modules.
Stand-alone vendors should look to partner (as Bindview has done with HP for OpenView) and should work closely with IPS vendors and threat management players to ensure a more dynamic role at the heart of a much larger solution.
Market overview
The term vulnerability assessment (VA) means a number of different things to different people. Some vendors for example would consider an unauthorized wireless LAN attached to a network to be a serious threat to the integrity of that system. The definition used in this report, however, only covers solutions designed to detect code vulnerabilities that can be exploited by hackers and/or viruses and that need to be corrected with patches. As with intrusion prevention, vulnerability assessment is an integral part of any future threat protection solution, and such solutions will form the backbone of any proactive defense system.
Key drivers and inhibitors
The vulnerability assessment market has gained a great deal of press attention in recent times because it can overcome part of the problem associated with patch management – where there are vulnerabilities in a system that could be exploited by hackers and viruses.
Drivers
There are a number of important trends driving the vulnerability assessment market forward and keeping it in the public eye:
Part of a patch management system. Few companies would dispute the fact that if it is discovered that there is a vulnerability in a specific system – and indeed that should the vulnerability be exploited then a great deal of damage can be done to the system – that vulnerability must be patched. To do this, however, the system must first detect where the vulnerabilities lie.
High-profile failures. The SQL Slammer worm virus outbreak led to a condemnation not just of Microsoft for buggy code, but of systems administrators for sloppy patching practices. This is because a patch for the vulnerability that Slammer exploited was available for six months prior to the release of the worm. Consequently, the thousands of organizations affected could have prevented this from happening had they patched their systems properly.
Proactivity in a reactive world. While many security technologies aim to block attacks as they occur and alert administrators of attacks as they happen, what an organization would ideally want is to prevent these attacks occurring in the first place. Covering known vulnerabilities ensures that even if an attack evades the devices on the perimeter, if it cannot exploit the vulnerability in question, it is unlikely that it can cause any damage.
Inhibitors
There are, nevertheless, a number of reasons why vulnerability solutions have not achieved greater success in the market.
Definition of “vulnerability” varies. The differences in definitions of what constitutes a “vulnerability” have led to a certain degree of confusion. As such, customers may think that the solution is going to be more comprehensive than it actually is. In such cases, vendors may have to manage expectations.
Lack of prioritization. The job of a vulnerability assessment solution is simply to point out where patches should be applied. Often, however, such solutions give very little information on the potentially negative aspects of patch applications – for example whether the patch may affect the performance of other systems. The solutions also typically do not link the vulnerability to known attacks, making it difficult for a manager to prioritize which patches should be applied first.
Do not solve problems themselves. Another problem with vulnerability assessment solutions is that they only warn administrators that patches are missing. As such, VA solutions only provide administrators with a certain level of information and then leave the application of patches to be carried out separately. While self-healing systems are a long way off, the potential advantages of self-patching systems are something that many firms would consider (provided they have the opportunity to test the patches first to remove the risk of undesirable effects).
Market sizing
By geography
Global
Vendor revenues indicate that the North American market is again the main source of income, with this market representing around 63% of global revenues. The US market will initially grow at a faster rate because penetration rates in this market have not reached sufficient levels to slow the market. The EMEA market will begin to take off a few years after North America and should begin to grow quickly within a few years, followed by the other markets. The emerging markets will not begin to see strong growth until they have invested in more conventional security solutions. The global VA market will reach $606m by 2006, up from $344m in 2003, a CAGR of 20% (see Figure 13.27 and Table 13.18).

Figure 13.27: Global enterprise vulnerability assessment market 2002-2006 ($m)
[Chart: revenues in $m by region (North America, EMEA, Asia Pacific, Latin America) for each year from 2002 to 2006]
Source: Business Insights
Table 13.18: Global enterprise vulnerability assessment market 2002-2006 ($m)

| ($m) | 2002 | 2003 | 2004 | 2005 | 2006 | CAGR |
|---|---|---|---|---|---|---|
| North America | 182 | 217 | 267 | 321 | 381 | 20% |
| EMEA | 66 | 78 | 95 | 116 | 142 | 21% |
| Asia Pacific | 35 | 40 | 47 | 57 | 72 | 21% |
| Latin America | 6 | 7 | 8 | 10 | 13 | 20% |
| Total | 289 | 344 | 417 | 506 | 606 | 20% |

Source: Business Insights
Europe
Vendors report that the UK is the leading market within Europe for vulnerability assessment solutions. This represents almost a quarter of the market (24%). The German market is also strong, with the penetration rates of many base-level security solutions very high. As a consequence, companies in this market are looking to next-generation security solutions to fortify their architectures and vulnerability assessment solutions fit neatly into this category. Other nations such as Spain and Italy are currently increasing their investment in security technologies but are currently looking at other areas first.
By vertical market
The financial services market is the most mature individual sector, in terms of penetration and revenues gained from this vertical. The natural predilection of firms in this market for solutions that improve their risk assessment capabilities means that vulnerability assessment will continue to be popular for such firms. As a consequence, this market will also be the front-runner in terms of revenues generated for the wider portfolio of threat protection solutions. Other sectors where demand has been strong have been other security-conscious areas such as government (including healthcare), pharmaceuticals and utilities & telecoms.
Competitive landscape
The vulnerability assessment market is a curious mix of vendors from the intrusion prevention world, although there are some independent vendors (as well as some open source solutions to further confuse matters). Because of its role as part of an effective threat protection solution, the firms that are currently investing in IPS and threat management will make a big push to add to or improve their offerings in the VA market too. Companies such as Cisco and Symantec already have vulnerability assessment solutions while companies such as Network Associates do not have any significant offerings in this space. NAI has already indicated that it too feels that vulnerability assessment is a complementary element to its recent acquisitions and this means that it will either build up its expertise based on previous work in the field or will look to acquire to fill the gap.

Another potential competitor of the future could be Microsoft. Because it has moved into the security space more openly with the acquisition of GeCAD for anti-virus and because of the well-publicized problems Microsoft has with vulnerabilities in its system, this would also be a natural fit for it. We stress, however, that we have seen no specific indication from Microsoft that it is looking to address this space actively in the near future.
Conclusions
Vulnerability assessment is the core element of a proactive threat protection and management solution. The ideal threat management system would contain external threat information such as the latest viruses compared with an active assessment of the system’s vulnerabilities to provide a proactive view of how such viruses are likely to affect the systems targeted. If, for example, a new virus targeted several vulnerabilities but most of them had already been patched then an organization would be more capable of determining the likely impact of an attack on its systems. Taking Slammer as an example, most companies with such a solution would have been able to react more appropriately to the threat because it would be put in context and much of the devastation could have been avoided. It is this level of insight that organizations are crying out for and together the solutions provide a compelling proposition.

Vulnerability assessment is similar in certain respects to intrusion prevention – as a stand-alone solution it is useful but comes into its own when the information it provides is cross-referenced with a number of other sources. While organizations are capable of doing this themselves, home-grown solutions can be manpower-intensive and lack the ability to compare what is evident within the network and what is happening in the outside world.

As such, VA vendors should look to build VA reporting capabilities into the rest of their solutions and create proactive, intelligent threat assessment modules. Stand-alone vendors should look to partner (as Bindview has done with HP for OpenView) and should work closely with IPS vendors and threat management players to ensure a more dynamic role at the heart of a much larger solution.
CHAPTER 14
Enterprise wireless LANs
Summary
The global enterprise WLAN market was worth approximately $650m in 2002. This report estimates a CAGR of 19% through to 2006, when the market is estimated to be worth over $1.3bn.
Approximately 750,000 access points were deployed in the enterprise market globally in 2002 and this number is expected to increase to over 1.3m by 2006.
The strongest regional growth in the coming years will be in Asia Pacific where price pressures have been high and WLAN equipment is very good value for enterprise IT managers.
The vertical market with the highest revenues in EMEA has been and will continue to be the manufacturing sector, which was worth approximately $50m in 2003.
The fastest growing vertical market for WLAN infrastructure revenues in EMEA is the education sector.
Strong growth will also come from ‘white collar’ enterprise vertical markets such as financial and professional services with the productivity benefits of WLANs increasingly resonating with IT managers in these industries.
Market overview
In 2002, approximately 50% of wireless LAN sales were to the consumer/SOHO market, with sales to enterprises of all sizes constituting around 43% and the public WLAN market making up the remaining 7%. There is a clear possibility for a virtuous circle of growth between the various WLAN sub-segments. Success in other WLAN markets will drive growth in the enterprise market and vice versa.
Given a natural tendency to migrate to higher bandwidths and offer more demanding applications, the current dominance of the 802.11b standard is likely to be eroded in the coming months by newer standards. With the management of WLANs an issue for IT managers, a number of equipment manufacturers have developed Ethernet switches specifically designed for WLAN networks.
Customer focus
There are a number of potential vertical markets that vendors can target with wireless LAN solutions. The early adopters, retail and manufacturing, have been joined in recent years by vertical markets such as education and healthcare. Increasingly, enterprises are now deploying WLANs in a horizontal capacity. Enterprises vary in their infrastructural requirements by location type and size band. Consequently equipment vendors and integrators should be aware of variations in margin opportunities. Network equipment vendors must effectively position the WLAN standards, ease enterprises’ migration strategies through product developments, look for cross-sell and up-sell opportunities, educate the market and build brand recognition, view solutions for security and network management as opportunities, and invest in effective channel strategies. SIs and VARs must verticalize their solution offerings, target lines of business rather than IT departments, trial the technology as much as possible, position WLANs as part of a wider networking solution, and understand and position different types of WLAN solutions. One factor that is important for both network equipment vendors and their channel partners is demonstrating ROI. Given that investment in WLANs is unlikely to be considered mission-critical, vendors should strongly emphasize the financial returns available.
Market sizing
The global enterprise WLAN market was worth approximately $650m in 2002. This report estimates a CAGR of 19% through to 2006, when the market is estimated to be worth over $1.3bn (see Figure 14.28).

Figure 14.28: Global revenues from enterprise WLAN infrastructure by region to 2006 ($m)
[Chart: revenues in $ millions by region (EMEA, Asia Pacific, North America, Rest of the world) for each year from 2002 to 2006]
Source: Business Insights
The largest regional market for enterprise WLAN infrastructure is currently North America and this will continue to be the most lucrative region for vendors in the coming years. The EMEA market is approximately 12 to 18 months behind the North American market with regard to the deployment of the latest WLAN technology. The strongest regional growth in the coming years will be in Asia Pacific where price pressures have been high and WLAN equipment is very good value for enterprise IT managers.

The vertical market with the highest revenues in EMEA has been and will continue to be the manufacturing sector, which was worth approximately $50m in 2003. However, the fastest growing vertical market for WLAN infrastructure revenues in EMEA is the education sector. Strong growth will also come from ‘white collar’ enterprise vertical markets such as financial and professional services with the productivity benefits of WLANs increasingly resonating with IT managers in these industries.

The opportunities for deploying enterprise WLAN infrastructure vary by size band. Revenues from large enterprises, with 1000 or more employees, will far outweigh those from medium enterprises, especially in North America. Approximately 750,000 access points were deployed in the enterprise market globally in 2002 and this number will increase to over 1.3m by 2006.

The enterprise market is currently dominated by the 802.11b standard, which made up over 90% of enterprise shipments in 2002. However, the market share of 802.11b is certain to decline over time as enterprises migrate to higher bandwidth standards such as 802.11g.

The penetration of WLAN technology in the enterprise will increase significantly in the coming years. For example, the overall penetration of WLANs in enterprises in North America should reach around 80% by 2006. At the same time, the number of WLAN-enabled laptops in use globally by enterprises is set to increase substantially, from 3.44m in 2002 to 20.67m in 2006.
Conclusions
The coverage and data rates offered by WLAN technology make it ideally suited for deployment within the enterprise. With a range of up to 100 meters per access point, and theoretical bandwidths of 54 Mbps with the newer 802.11 standards, WLAN technology clearly has the potential to address high bandwidth communication needs within enterprise environments. Increasing proportions of laptops are also shipped with integrated 802.11 functionality.

The voice over WLAN market is still a very small, immature market. However, it is clearly one with an increasing amount of interest and potential. A number of vendors are eyeing this opportunity and have introduced products that both extend and replace existing voice functionality in the enterprise.

Wireless LAN security has certainly achieved some marked improvements in the past two years, as issues with WEP and other weaknesses have been addressed. However, despite these developments it is clear that security remains one of the primary factors inhibiting the uptake of WLANs.

There are a number of factors driving the adoption of wireless LANs within the enterprise. These include improvements in employee productivity, return on investment (ROI), networking needs at greenfield sites, reduced costs associated with office adds/moves/changes, reduction in voice costs through voice over WLAN, increasing familiarity with WLANs outside the enterprise, investment from leading technology vendors, decreasing price of laptops, and the provision of guest WLAN access.

The primary inhibitors for the deployment of WLANs in the enterprise are concerns regarding security, confusion regarding standards and their ratification, lack of market education, low device penetration and complexities relating to network management.
The TKIP and EAP developments are obviously improving the inherent security of WLANs with regard to encryption and authentication. Further improvement came from the ratification of the 802.11i standard, which introduces stronger encryption techniques such as Advanced Encryption Standard (AES). 802.11i is likely to improve enterprises’ perceptions with regard to security and users will invariably be drawn to some extent to products with the AES brand. A continual improvement in the knowledge and understanding of best security practices is also ensuring that security breaches are becoming less commonplace. The deployment of VPN tunneling technology, for example, is now widely recognized as an effective means of ensuring a secure connection back to the enterprise LAN. Personal firewall software is recommended to ensure that other users within range of the WLAN do not gain access to a user’s own laptop. In addition, single sign-on solutions are also now advisable. However, a large part of the technology’s appeal is its simplicity and solution providers must ensure that the need to improve security does not add to WLANs too many layers of complexity that may potentially impair their performance or usability. In short, wireless LAN security has certainly achieved some marked improvements in the past two years, as issues with WEP and other weaknesses have been addressed. New specialist security vendors have emerged, such as Integralis and Bluesocket, to plug some notable gaps in WLAN solutions. However, despite these developments it is clear that security remains one of the primary factors inhibiting the uptake of WLANs. The likelihood is that this will continue to be the case for the foreseeable future since, in its most cost-effective form, the technology still has some security weaknesses.
CHAPTER 15
Conclusions
Summary
The security market is set to grow at levels well above those predicted for the rest of the market for the next five years largely due to the strength of demand following increased awareness of the continuous need to stay on terms with hackers and virus authors.
Security appliances continue to thrive as companies look for security solutions that are easy to integrate and set up.
While standards have been slow to take off in the mass market they have become a prerequisite in areas where purchasing is made at an individual level but rules for such purchasing have been set centrally within an organization.
The future of the enterprise security products market as a whole will certainly not entirely depend on vendors adapting their solutions to meet these needs, but in the future these drivers will increase in importance and may be a prerequisite for success in many markets.
Four key messages have emerged from the analysis for this report. These are:
Embrace the merging multi-product solution models;
Increase the focus on partnerships and strategic alliances;
Constantly look to improve the channel model;
Verticalize the sales and marketing message.
Enterprise security markets
The security market is set to grow at levels well above those predicted for the rest of the market for the next five years largely due to the strength of demand following increased awareness of the continuous need to stay on terms with hackers and virus authors. This section of the report will look at some of the key future developments that will ensure not only that the market will grow at the rates predicted but that solutions are easier to manage, provide greater levels of protection and are interoperable with other security products. Five key market developments will have a significant impact on security products in the years to come. These are:
The continuing move towards hardware-based security and the growth of appliances;
The need to extend security products from the wired world to the wireless world and ensure that enterprise mobility solutions receive adequate levels of security;
The greater promotion of standards and the need to use standards to address some current concerns;
New legislation and regulations, which should force many organizations to improve their security architectures;
The development of new models – because this has been discussed earlier in the Competitive Landscape section of this chapter, this point will not be developed further.
Appliances
Security appliances continue to thrive as companies look for security solutions that are easy to integrate and set up. While they may not be cheaper from a list-price point of view, most are easier to deploy and run on performance-engineered devices or hardened operating systems, meaning a number of costly improvements and service costs can be avoided. There are four key forms of appliance deployed:
Multi-function enterprise appliances. These solutions are effectively network devices that have security functionality added on top or as part of the overall machine. A good example of this is Cisco routers running the IOS operating system. Cisco has engineered these solutions so that they can run a number of security solutions including firewall & VPN capabilities and intrusion detection. The primary use of the solution is, however, not typically security.
Dedicated enterprise-level appliances. One reason why organizations look to appliances is that they provide them with an off-the-shelf, optimized solution that will not need additional upgrades to allow it to perform as it should. A good example is IP-VPN functionality. If a customer installed IP-VPN software on a server in order to ensure that the encryption process didn’t affect network throughput they would need to add encryption accelerators. By buying appliances such as the NetScreen 500 or Cisco’s PIX firewall, companies can expect the solutions to be optimized at the factory with no additional hardware needed.
SME / branch office appliances. Some organizations buy appliances because of their ability to fit neatly into the network and because they may perform more than one security task. Vendors have seen the opportunity to push their solutions into the potentially lucrative SME and branch sectors – often sacrificing speed and functionality for price. SMEs, however, are specifically looking for solutions that give them the security they need, in a single box but with a simplified management console and at an affordable price. Dedicated appliances are one way of achieving these goals.
SoHo / home worker appliances. A relatively new addition to the appliance family is solutions designed to help very small businesses (typically with five users or fewer) and individual teleworkers. While at the moment such solutions are limited to firewall and IP-VPN solutions, it is not hard to envisage such appliances carrying out EIM or anti-virus functions too. For businesses that are looking to roll out remote access solutions to their employees, such devices may be a popular, low-maintenance way of securing the files stored on home PCs.
Appliance sales in some markets have already outstripped those of software sales. CheckPoint estimates that around half of its sales come from OEM agreements with appliance vendors such as Nokia and NEC. As the overall market matures, vendors are increasingly looking to add more features to their devices. Not everyone may need these features immediately, however, but may decide that they would benefit from the added functionality later. This puts pressure on vendors to come up with products that have all of the features embedded now but which can only be activated once the user upgrades their license. The IP120 from Nokia, for example, has both firewall / VPN and intrusion detection capabilities but can be deployed for either purpose depending on the license. Once the correct license has been arranged, the extra capabilities can then be activated remotely.
The appliance market will continue to grow in size, particularly with the advent of SSL appliances for remote access. With the increasing emphasis on layered security, however, those offering appliances for the enterprise market should also ensure that customers can combine these devices with host-based software so that all areas of the IT system can be protected. At the moment, most appliances are found at the edge of the network rather than within it.
Standards
The growing acceptance of standards as a means of determining which solution is best for a specific deployment has become increasingly important, especially in areas such as government and financial services. Standards have emerged to demonstrate improved performance and interoperability, such as ICSA certification, FIPS (Federal Information Processing Standards) and CC, the common criteria. The idea of standards is to improve the effectiveness of security in a number of ways. There are two types of standard that apply to IT security products:
Component standards. When companies deploy security solutions from one vendor they are always conscious that at some stage that solution may need to work in tandem with a similar product from another vendor, either because different regional divisions have different purchasing structures or because they could acquire another firm. In order to ensure interoperability between systems, many vendors look to bodies such as the Internet Engineering Task Force (IETF) or the Institute of Electrical and Electronics Engineers (IEEE) to develop common protocols that all vendors can use. LDAP (a directory protocol used in access control solutions and PKI), X.509 (the standard for digital certificates used in PKI) and IPsec (the standard agreed by the IETF for securing IP packet exchange) are all examples of this kind of standard.
Security level standards. When companies buy security solutions there is often very little information for them to go on except that provided by the vendor (which is heavily biased). This makes it difficult for companies who do not have their own laboratories to adequately test equipment to ensure that they get the best solution that they can afford. As such, many testing standards have emerged against which solutions can be tested so customers can ensure that they get solutions of a minimum quality. There are two key types of standard or certification bodies who draw up these comparison lists: government bodies such as the US government, which mandates that its departments should buy FIPS certified solutions, and the UK government, which developed the IT Security Evaluation Criteria (ITSEC) for this very reason, and private institutions such as the TruSecure Corporation which developed the ICSA interoperability standard.
The effectiveness of standards has varied. Component standards are seen as vital for driving a technology forward because they reduce the cost of the technology (avoiding excessive R&D costs) and help ensure interoperability. Security level standards and management standards are seen by many as useful but achieving compliance can be an expensive process and few companies are willing to pay for this. Many companies instead use the standards as a guideline and until a stronger reason to deploy them is found will look to comply with the standards rather than seek official certification.
While standards have been slow to take off in the mass market they have become a prerequisite in areas where purchasing is made at an individual level but rules for such purchasing have been set centrally within an organization. This is particularly pertinent in the government sector where the desire to adhere to common standards has been greatest. In general, component standards have been more successful than security level standards and have allowed technologies such as IP-VPNs to proliferate. Often standards compete until eventually one emerges victorious. This can sometimes delay the uptake of new solutions as customers wait to see which standard will prevail. As such, companies should work more closely together to ensure that the number of competing standards is minimized.
New legislation and regulations
One way of increasing the uptake of security solutions within an organization is by forcing that organization to protect particularly sensitive information by law and by imposing stiff penalties on companies that violate these regulations. An alternative model would see self-regulation within an industry. This may be created by industry bodies or by government agencies that look at specific vertical markets or sectors to ensure that there are certain standards to which the organizations under their control must adhere. There are three key forms of industry regulation or legislation that have emerged.
Data protection legislation. Until recently, the global region that was the pioneer for data protection legislation was Europe. Such laws are passed typically in countries where the citizens are particularly concerned with the privacy of their personal details and don’t want organizations they leave these details with to give them out to other organizations without their permission. In order to respect these wishes, most countries in Western Europe (especially those in the EU, for whom the adoption of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is mandatory) have adopted data protection legislation. While forms of this legislation have spread across the world (with such governments typically basing their laws on those from Europe), data protection legislation has not been particularly effective in prompting greater security uptake, with many companies willing to risk fines rather than spend precious resources on improving their security.
Industry-specific legislation. While Europe has so far introduced horizontal legislation that applies to all industries, the US has looked to protect sensitive information in those areas where revealing confidential data would be catastrophic. As such the Health Insurance Portability and Accountability Act of 1996 and the Financial Services Modernization Act (otherwise known as Gramm-Leach-Bliley) represent examples for the healthcare and financial services sector specifically. Clearly if customer or patient information is compromised, the effect for that individual could be devastating. As the rest of the world looked to Europe when implementing data protection laws, so as governments around the world look to toughen up on areas where data loss would be more damaging, it is to such laws that they may look. Vendors in the North American markets name compliance with these pieces of legislation as among the key drivers in these industries.
Industry-specific regulations. One critical development in recent times has been moves by central bodies from certain industry sectors to help ensure that organizations are better protected from the numerous risks that they face to their operations. This may be on a national level (such as the Financial Services Authority (FSA) in the UK) or on a global level such as the second report from the Basel Committee for Banking Supervision (BCBS) on risk management (otherwise known as Basel II). Basel II effectively forces companies to create more far-reaching risk assessment models than those that they previously deployed or they may be forced to keep more assets in reserve.
The fact that improving security may help such firms generate more money (indirectly) has excited many security products vendors because it allows them to create more understandable ROI models. In a recent report, Datamonitor predicted that total spending on Basel II (including business strategy, business process and organizational change) in Europe will grow from $875m in 2002 to $1.6bn in 2006, peaking at $2.0bn in 2005. Within that, IT spending will vary between 45 and 70% of total spending over the period, increasing the $375m of IT spending on Basel II in 2002 to over $950m in 2006, peaking at $1.3bn in 2005. A significant proportion of this technology spend is likely to go on security technologies in order to improve their preparedness for threats. At the moment the guidelines for such models have not yet been fully decided, meaning that it is difficult for vendors to specifically attribute their technologies to meeting specific requirements. Most banking institutions, however, understand that protecting their critical infrastructure from attacks by hackers and viruses is one way of proving that they have taken steps to mitigate risk.
Conclusions
The future of the enterprise security products market as a whole will certainly not entirely depend on vendors adapting their solutions to meet these needs, but in the future these drivers will increase in importance and may be a prerequisite for success in many markets. Making general recommendations is difficult because the unique market conditions for many solutions mean that specific actions need to be taken that may not apply in other product areas. Four key messages have emerged from the analysis for this report. These are:
Embrace the merging multi-product solution models;
Increase the focus on partnerships and strategic alliances;
Constantly look to improve the channel model;
Verticalize the sales and marketing message.
While there are other important steps that vendors can take to improve their market opportunity, paying particular attention to these should significantly increase an organization’s success in the market.
Multi-product solution models
This report has highlighted the emergence of a number of models that involve the closer cooperation of different security technologies to achieve a single aim. The most important of these are the layered security model, the threat protection model, the identity management model and the secure content management models. The benefits of embracing such models are that because many other vendors in this sector will also be pushing the same concepts, the chances of customers believing that such methodologies are the right ones increase. These are an excellent way of cross-selling customers from one product line into another and thereby increasing the average revenue per customer. Such models are, by definition, a double-edged sword, however, because if you do not have a certain part of an equation or are considered weak in one area, it is much easier for mud-slinging competitors to pick holes in your arguments. There are two key ways of overcoming this problem:
Offer these solutions yourself by either acquiring a vendor from this market or developing solutions yourself;
Partnering with companies who operate in these markets (especially those who are considered best-of-breed).
The partnership model may be a way to leverage another company’s strength in a different area, such as Symantec’s strategic arrangement with ClearSwift’s MIMEsweeper solution set. This allows the two companies to leverage their best-of-breed status in the anti-virus and content filtering markets to create a more compelling secure content management solution. The problems of this are all too apparent, however, from events in 2002 and 2003. Symantec’s strategic alliance with Entercept fell through when Entercept was acquired by its bitter rival Network Associates. ISS’s desire to fill the gap in its threat protection portfolio with an alliance with Network Associates also fell through when NAI decided that it couldn’t get exactly what it needed from this arrangement and instead bought IntruVert and Entercept. As a consequence, ISS is developing its own anti-virus technology but must be disappointed that it cannot leverage such a strong brand in this space as that of NAI’s McAfee.
On the whole, however, the moves by most of the major vendors to fill gaps in their portfolio suggest that many are banking on the developing models as a means of increasing revenues in their non-core areas. This would suggest that building a credible portfolio could be a critical success factor in the future, but that doing it all yourself is not necessarily the answer.
Improving partnerships
The previous point demonstrates how important a successful partnership model can be in helping a company that is looking to offer its solutions in a modular model. There are a number of other benefits, however, of successful partnerships. Three of these are:
Improving interoperability. When customers look to build their security product architectures, many seek to ensure that the solutions they deploy will work effectively with those of other vendors. There are two ways in which this can happen: by adopting common standards or by working closely with peers to develop common methodologies (or standards). Working together for the mutual benefit of all vendors in the market is the only way that the security market can mature and reach its potential.
Promoting common messages. When a vendor approaches a customer and tells them that they should adopt a certain technology, it is not uncommon for the customer to be skeptical, particularly if there is no apparent ROI for a solution or they have already invested in other security technologies. If a number of vendors all promote a common message, however, the sales pitch is much stronger because it has gained industry recognition. Vendors should work together to promote awareness of their markets to ensure that clients are not confused by mixed messages.
Share technologies. One point highlighted earlier with respect to the emerging technology models (e.g. identity management or threat protection) is the need to provide as full a portfolio as possible, so as to maximize potential revenues from any implementation. Filling the gaps, however, can be tricky and there is no guarantee that the products will work well together. One way around this is to work closely with other firms who are experts in their fields to create hybrid solutions that effectively incorporate elements of each technology. While this may still create stand-alone products, it should ensure that the shared features have greater interoperability.
The security products market has seen a significant number of partnerships but not all of them have been successful. Such partnerships are, nevertheless, an important step in taking the market forward and ensuring that interoperability is developed and maintained.
Channel strategies
One key development in this area has been to increase the direct touch that vendors had with clients. While the indirect model effectively remained, because few companies looked to move to actively providing the final product themselves, vendors are doing more to increase the awareness of themselves and their products by the final customer. The need to listen more closely to customers not only improves the quality and relevance of the products but is vital if a company wants to respond quickly to changes in customer demands. In a highly structured, multi-tiered channel model, this can be nearly impossible: by the time the information has filtered back to the vendor, a crucial advantage may have been lost.
This strategy is not, however, without its drawbacks. Some vendors who have actively deployed this model have noted that their resellers have greeted such initiatives with a certain degree of skepticism because some may feel that it undermines their ownership of the customer. Such vendors cite the importance of trust within their channel partnerships (as in so many areas of the IT security world) to ensure that the resellers understand that such an education program can only help to increase the number and scope of deals.
Another important channel strategy that many vendors have deployed is to limit the number of resellers in one area. This is designed to limit competition between resellers and is vital for maintaining a “direct touch – indirect fulfillment” model.
Verticalizing the sales and marketing message
All solution providers in the IT market have realized that the best way to maximize sales of their product is to demonstrate a deeper understanding of the needs of their customers than their competitors do. While many vendors feel that most security issues impact all enterprises – and that selling most security solutions is a horizontal issue – the professional services approach has always been to help enterprises prioritize their risks and protect the areas of IT investment that are mission-critical. One way of doing this is by examining the market environment in which an organization operates. Typically firms within a specific vertical market have similar internal processes and demands for externally facing technologies (including buying, selling and distribution dynamics) and face the same competitive pressures. By understanding these business needs and determining which technologies are most often deployed to meet them, an IT security solutions provider can ensure that a potential customer instantly appreciates how each IT security solution will protect its mission-critical IT assets.
One methodology commonly deployed by professional services firms is risk analysis. Even large, security-conscious organizations can only implement the levels of security that their budgets allow. In order to make informed decisions they will hire professional services firms to instruct them on the security measures that will most increase their levels of protection and provide protection for mission-critical applications or particularly sensitive data sets. Few vendors today can offer this level of support to every customer they have. However, vendors can significantly increase their ability to more closely match client needs by developing a verticalized strategy. Organizations within a specific vertical market suffer similar risks, have similar business goals and have deployed many of the same IT solutions to meet these needs.
It stands to reason, therefore, that a provider of any IT solution, security or otherwise, who can display a comprehensive understanding of the business needs of an IT director is more likely to make a sale than one who doesn’t. This is especially true in the case of a competitive tender.
By highlighting the potential threats and detailing which systems they would affect, a security solution provider’s message is immediately more powerful, simply because it is relevant. In order to get to this stage, however, the solution provider must first understand what the business needs are and the IT solutions that they must deploy to meet them.