Users find promise, pitfalls as security vendors consolidate
One-stop shopping and best-of-breed products aren't always compatible
The consolidation of security vendors is causing some havoc among IS managers. They're lured by attractive discounts and support options from one-stop vendors, but they're also finding that the products offered by these vendors are often not the right match for their needs. What are these IS managers saying, and what are their suggestions for making vendor consolidations work to your benefit? (1,500 words, including one sidebar)
Page was using MCI Communications Corp. as his Internet service provider at Baptist Health care, a system of hospitals and clinics in Florida and Alabama. MCI had partnered with then-independent Raptor Systems Inc. to offer Web services and security, and MCI offered Page a firewall at a very good price.
So far, so good. Many IS managers, including Page, perk up at the possibility of using multiple products from a single vendor, knowing the price breaks, smoother interoperability, and better support that can accrue. There was only one problem with MCI's offer -- their firewall was inadequate, according to Page, who is Baptist's network security analyst in charge of securing the company's mainframe, client/server, and Internet networks.
"Their firewall with Raptor was not a top-of-the-line version but an all-in-one-box, watered down version of it," he said.
Page opted to keep MCI as his ISP but went with Trusted Information Systems Inc.'s (TIS) Gauntlet firewall, thus adding not one but two companies to his firewall solution, since he went to a company other than TIS for systems integration and training. MCI had offered to set Page up with a firewall for around $7,000 for the hardware and software, and opting for Gauntlet cost Page around twice that, though it included on-site set-up, training, and quarterly audits in addition to hardware and software.
But the extra expense and effort were well worth it.
"We had to make that tradeoff," sacrificing price and convenience for the right firewall, Page said.
One-stop shopping can be replete with benefits, but users also want best-of-breed products, and those two goals are not always compatible, as Page found out. Balancing the two goals is increasingly important as security vendors, alive to the one-stop shopping preference, submit to a consolidation and partnership frenzy. (See charts in sidebar, "Tips to get the most from security vendor consolidation.")
Mediocre components lurking within an otherwise sound product line are one bullet IS managers must dodge. No less threatening is the psychological trap of unconsciously giving more credence to products from vendors with whom one already has a relationship.
Reeled in by one-stop shopping
Jim Patterson feels the allure of one-stop shopping, so he consciously ignores the provenance of the technology he is assessing.
When Patterson took over as vice president of security and telecommunications at OppenheimerFunds, the New York-based mutual-fund company was using Axent Technologies Inc.'s OmniGuard security suite. Patterson had worked with -- and liked -- Axent's product at a previous job, and since his onsite users were happy with it he made no plans to change it.
But OppenheimerFunds's remote users, mainly wholesalers spread across the country, did have complaints about their environment: They said that logging in was too cumbersome using then-independent Enigma Logic Inc.'s Data Encryption Standard (DES) cards.
So Patterson was interested, but cautious, when Axent proffered its newly acquired Defender dynamic password token software, obtained through its purchase of AssureNet Pathways Inc.
"I'm not going to allow the fact that I would like to minimize [the number of] vendors to allow me to pick something that isn't the best product fit for my company," he said.
Patterson evaluated Defender alongside other remote-access options, steadfastly focusing solely on the products' technology. Only after making a technology-based assessment did he permit himself to weigh the fact that OppenheimerFunds' existing relationship with Axent would provide an easy segue to Defender.
"If I get to a point where there's two excellent products and they're both good fits, then I'd gravitate toward" the one whose vendor is a known entity, Patterson said. "As a security professional I have to temper [convenience] with making sure that we get the best products."
But even when a technology assessment supports buying multiple products from one vendor, savvy professionals are careful to safeguard their independence.
John Halamka is an emergency physician at Boston's Beth Israel Deaconess Medical Center and a teacher of clinical computing at Harvard Medical School who designed the clinical-data intranet for the medical center's multisite hospitals.
"Clinical data is some of the most sensitive data anyone could share over a network -- HIV status, for example," Halamka said.
Doctors at any of the hospitals in the system needed to be able to log on and access patient's records, even if that patient had never been to that particular hospital before. Halamka constructed an intranet which uses security tokens from Security Dynamics Technologies Inc., encryption from Security Dynamics' subsidiary RSA Data Security Inc. and digital certification from RSA spin-off Verisign Inc.
"At least in our case Security Dynamics [and related companies] happened to have the best-of-breed in all three areas," Halamka said. But, he said, "we really don't want to be a slave to any one vendor."
At Beth Israel Deaconess, maintaining independence meant designing a security infrastructure that was object-oriented and modular, so that pieces such as firewalls could be swapped for other pieces when -- not if -- the best-of-breed landscape changed.
It's safe to go with one vendor "as long as you build your software architecture realizing that your security systems are modular," Halamka said. "If [the companies] went away tomorrow we could swap in and out their pieces."
Rebecca Sykes is a correspondent with the IDG News Service.
If you have technical problems with this magazine, contact firstname.lastname@example.org
|Date||Companies||New Company||Transaction Value in US|
McAfee Associates Inc.
Antivirus, encryption firewall, and network management software
Network General Corp.
|Network Associates Inc.||$1.3 Billion|
Axent Technologies, Inc.
Security management, resource management and intrusion-detection software
Raptor Systems, Inc.
|Axent Technologies, Inc.||$245 Million|
|4/15/96||Security Dynamics Technologies, Inc.
Authentication hardware and software; encryption software
| RSA Data Security Inc.
Encryption and authentication hardware and software
|7/14/97||Security Dynamics Technologies, Inc.
Authentication hardware and software; encryption software
Encryption hardware and software
Remote-access software; smart-card technology
|10/16/97||Trusted Information Systems, Inc.
Firewall, key recovery and intrusion detection software
|Haystack Laboratories, Inc.
Intrusion detection software
|2.1 Million TIS common shares (Estimated value based on the market on 10/8/97: $23.5 Million)|
|12/1/97||Network Associates Inc.
Formerly McAfee Associates and Network General Corp.
|Pretty Good Privacy Inc.
|Charts by Hiroko Sato, IDG News Service.|