Users find promise, pitfalls as security vendors consolidate One-stop shopping and best-of-breed products aren't always compatible By Rebecca Sykes

February  1998

The consolidation of security vendors is causing some havoc among IS managers. They're lured by attractive discounts and support options from one-stop vendors, but they're also finding that the products offered by these vendors are often not the right match for their needs. What are these IS managers saying, and what are their suggestions for making vendor consolidations work to your benefit? (1,500 words, including one sidebar)

Mail this article to a friend

Boston (February 10, 1998) -- When Earl Page needed a firewall for Baptist Health Care Corp.'s network, he ran smack into the darker side of the consolidation and partnering currently underway in the IT security industry.

Page was using MCI Communications Corp. as his Internet service provider at Baptist Health care, a system of hospitals and clinics in Florida and Alabama. MCI had partnered with then-independent Raptor Systems Inc. to offer Web services and security, and MCI offered Page a firewall at a very good price.

So far, so good. Many IS managers, including Page, perk up at the possibility of using multiple products from a single vendor, knowing the price breaks, smoother interoperability, and better support that can accrue. There was only one problem with MCI's offer -- their firewall was inadequate, according to Page, who is Baptist's network security analyst in charge of securing the company's mainframe, client/server, and Internet networks.

"Their firewall with Raptor was not a top-of-the-line version but an all-in-one-box, watered down version of it," he said.

Page opted to keep MCI as his ISP but went with Trusted Information Systems Inc.'s (TIS) Gauntlet firewall, thus adding not one but two companies to his firewall solution, since he went to a company other than TIS for systems integration and training. MCI had offered to set Page up with a firewall for around $7,000 for the hardware and software, and opting for Gauntlet cost Page around twice that, though it included on-site set-up, training, and quarterly audits in addition to hardware and software.

But the extra expense and effort were well worth it.

"We had to make that tradeoff," sacrificing price and convenience for the right firewall, Page said.

One-stop shopping can be replete with benefits, but users also want best-of-breed products, and those two goals are not always compatible, as Page found out. Balancing the two goals is increasingly important as security vendors, alive to the one-stop shopping preference, submit to a consolidation and partnership frenzy. (See charts in sidebar, "Tips to get the most from security vendor consolidation.")

Mediocre components lurking within an otherwise sound product line are one bullet IS managers must dodge. No less threatening is the psychological trap of unconsciously giving more credence to products from vendors with whom one already has a relationship.

Reeled in by one-stop shopping
Jim Patterson feels the allure of one-stop shopping, so he consciously ignores the provenance of the technology he is assessing.

When Patterson took over as vice president of security and telecommunications at OppenheimerFunds, the New York-based mutual-fund company was using Axent Technologies Inc.'s OmniGuard security suite. Patterson had worked with -- and liked -- Axent's product at a previous job, and since his onsite users were happy with it he made no plans to change it.

But OppenheimerFunds's remote users, mainly wholesalers spread across the country, did have complaints about their environment: They said that logging in was too cumbersome using then-independent Enigma Logic Inc.'s Data Encryption Standard (DES) cards.

So Patterson was interested, but cautious, when Axent proffered its newly acquired Defender dynamic password token software, obtained through its purchase of AssureNet Pathways Inc.

"I'm not going to allow the fact that I would like to minimize [the number of] vendors to allow me to pick something that isn't the best product fit for my company," he said.

Patterson evaluated Defender alongside other remote-access options, steadfastly focusing solely on the products' technology. Only after making a technology-based assessment did he permit himself to weigh the fact that OppenheimerFunds' existing relationship with Axent would provide an easy segue to Defender.

"If I get to a point where there's two excellent products and they're both good fits, then I'd gravitate toward" the one whose vendor is a known entity, Patterson said. "As a security professional I have to temper [convenience] with making sure that we get the best products."

But even when a technology assessment supports buying multiple products from one vendor, savvy professionals are careful to safeguard their independence.

John Halamka is an emergency physician at Boston's Beth Israel Deaconess Medical Center and a teacher of clinical computing at Harvard Medical School who designed the clinical-data intranet for the medical center's multisite hospitals.

"Clinical data is some of the most sensitive data anyone could share over a network -- HIV status, for example," Halamka said.

Doctors at any of the hospitals in the system needed to be able to log on and access patient's records, even if that patient had never been to that particular hospital before. Halamka constructed an intranet which uses security tokens from Security Dynamics Technologies Inc., encryption from Security Dynamics' subsidiary RSA Data Security Inc. and digital certification from RSA spin-off Verisign Inc.

"At least in our case Security Dynamics [and related companies] happened to have the best-of-breed in all three areas," Halamka said. But, he said, "we really don't want to be a slave to any one vendor."

At Beth Israel Deaconess, maintaining independence meant designing a security infrastructure that was object-oriented and modular, so that pieces such as firewalls could be swapped for other pieces when -- not if -- the best-of-breed landscape changed.

It's safe to go with one vendor "as long as you build your software architecture realizing that your security systems are modular," Halamka said. "If [the companies] went away tomorrow we could swap in and out their pieces."

Rebecca Sykes is a correspondent with the IDG News Service.

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-02-1998/swol-02-secvendors.html
Last modified:

Tips to get the most from security vendor consolidation

• First and foremost, evaluate a product on its technology. Consider its connection to its vendor, as well as its price, only after it becomes a contender based on its technical merits.

• Security needs may change as fast or faster than security products, so make sure the two stay synchronized. "We do an annual evaluation of what we're using vs. what's currently available," said OppenheimerFunds' Jim Patterson.

• "Best-of-breed" is a fleeting designation. Make sure your esteem for a product is based on its current capabilities vis a vis the competition and not its past performance.

• Companies may offer a banquet of snazzy security offerings, but don't forget to evaluate small, one-product companies. Small companies have no choice but to be lean and cutting-edge, and their technology often outshines the big boys, which is why they often get bought.

• But don't think small companies necessarily stay lean and mean once they've been acquired. Recently acquired companies usually gravitate toward their new parent company's operative ways, rather than vice versa, according to Earl Page, network security analyst for Baptist Health Care. "The little guy gets lethargic [and] starts relying on the same release of the software longer, milking that for awhile because it's a money issue," Page said.

• Be skeptical when one company says they can fulfill multiple roles. Baptist Health Care's Page was very happy with MCI as an Internet service provider but found its firewall to be a watered down version of a popular product. In security, less may be more. "What I'm looking for [in security] is a company that is focusing on one area in IS," said OppenheimerFunds' Patterson.

Mergers
Date	Companies	New Company	Transaction Value in US
10/13/97	McAfee Associates Inc. Antivirus, encryption firewall, and network management software Network General Corp. Network analysis software	Network Associates Inc.	$1.3 Billion
2/5/98	Axent Technologies, Inc. Security management, resource management and intrusion-detection software Raptor Systems, Inc. Firewall software	Axent Technologies, Inc.	$245 Million
Acquisitions
Date	Buyer	Bought	Transaction Value
4/15/96	Security Dynamics Technologies, Inc. Authentication hardware and software; encryption software	RSA Data Security Inc. Encryption and authentication hardware and software	$200 Million
7/14/97	Security Dynamics Technologies, Inc. Authentication hardware and software; encryption software	DynaSoft AB Access-control software	$115 Million
9/8/97	Cylink Corp. Encryption hardware and software	Algorithmic Research Remote-access software; smart-card technology	$83 Million
10/16/97	Trusted Information Systems, Inc. Firewall, key recovery and intrusion detection software	Haystack Laboratories, Inc. Intrusion detection software	2.1 Million TIS common shares (Estimated value based on the market on 10/8/97: $23.5 Million)
12/1/97	Network Associates Inc. Formerly McAfee Associates and Network General Corp.	Pretty Good Privacy Inc. Encryption software	$36 Million
Charts by Hiroko Sato, IDG News Service.