IT organizations today are facing tremendous backup challenges stemming from relentless data growth. They know the antidote is to implement deduplication. Early adopters favored appliance approaches because they take all of the guesswork out of acquiring, installing, and configuring a solution, and since hardware solutions are purpose-built for processing, they don’t disappoint on performance.

Symantec recognized the inevitability of this trend and responded with its OpenStorage (OST) API technology that provides customers with a common interface to third-party disk targets. OST allows backup data to be stored on disk with whatever protocol the target device uses, such as a Fibre Channel or TCP/IP. Symantec backup software sees OST-enabled appliances as disk and enables features such as intelligent capacity management, media server load balancing, reporting, and lifecycle policies. It also delivers optimized duplication—network-efficient replication and direct disk-to-tape duplication that is monitored and cataloged by the backup software.

With OST, Symantec has a “deduplication everywhere” message. Deduplicate at the source, media server, or target storage—a key message for Symantec customers that want to 1) optimize the backup environment, 2) want flexibility to meet cost and performance concerns for different workloads in the environment, and 3) want to manage a single data protection policy engine. Its deduplication strategy and OST gave Symantec what it needed: true competitive differentiation. Today, no other vendor can rival this positioning.

The main competition (those vendors that have a lot of sales momentum) are the likes of EMC, HP, IBM, and Quantum who have enterprise-scale target-side deduplication. Symantec’s positioning for NetBackup is that deduplication closest to the data source delivers greater efficiencies (network bandwidth savings, time savings, capacity savings, and global-level deduplication). But if source-side is too burdensome on source systems, the media server can handle the processing. By delivering the NetBackup 5000 purpose-built appliance, customers are able to streamline acquisition, installation, and configuration and Symantec can be competitive with performance and cost versus target-side vendors. This move also helps Symatec to be more competitive versus EMC Avamar’s backup software with source-side deduplication since the majority of Avamar implementations are appliance-based rather than software-only.

The Nirvanix partnership is also a welcome sign. Several years ago, Symantec introduced “online storage” capabilities for Backup Exec—on-premises Backup Exec could electronically vault backup copies to Symantec cloud storage—but never followed suit with a comparable offering for NetBackup. Based on ESG research, ESG expects that backup to a cloud container will become a viable long-term retention store for backup data—potentially rivaling tape media. And, by leveraging OST, Symantec is differentiating itself again.

Read more of Lauren’s blog entries at Data Protection Perspectives.

Overview

Over the past few years, information security policies and controls were guided primarily by regulatory compliance requirements.  ESG believes this behavior is now changing.  Why?  Information security defenses based upon regulations alone can help large organizations pass compliance audits, but they aren’t nearly as effective at protecting them against the growing volume of sophisticated threats and targeted cybercrime attacks.

Addressing these new virulent threats demands a new mindset based upon IT risk management rather than regulatory compliance or reactive security alone.  Unfortunately, many enterprises have a long way to go to make this transition.  Why? Of ESG research respondents:

• Only 58% of organizations claim that they are “well aware and well protected against IT security risks.” 
• Just 3% of organizations claim to have 100% visibility into the risk posture of their IT environment.  Alternatively, more than half of all respondents said that they either had 50% or less visibility into the risk posture of their IT environment or they didn’t know. 

This data points to an alarming reality: many organizations realize that they are not only inadequately protected against security threats, but they lack the right level of visibility to understand or sufficiently address these risks.  Regrettably, many organizations are simply “flying blind” when it comes to risk management.

Risk Management Review

From an information security perspective, risk management is the process of assessing the likelihood of security threats across the organization and determining the vulnerabilities exposing organizations to each threat.  With risk management, threats and vulnerabilities are defined as follows:

• Threat: A man-made or natural event that could have a negative consequence to the organization.  Man-made examples include power failures, but also Web threats, spear phishing, and internal attacks. Examples of natural events include natural disasters like earthquakes, hurricanes, and floods.
• Vulnerability. A flaw, loophole, oversight, or error that can expose an organization to a threat.  A distribution center on the U.S. Gulf coast is vulnerable to hurricanes and floods.  Likewise, a Windows server that has not been patched with the latest operating system updates may be vulnerable to specific types of malware attacks.

With IT risk management, threats and vulnerabilities should be assessed on an asset-by-asset basis. Risk management decisions can then be made depending upon the level of exposure (i.e., threats and vulnerabilities) as well as the asset’s value (i.e., the relative significance each asset delivers in overall business operations).

Armed with these metrics, organizations can make qualitative and quantitative risk management decisions such as risk acceptance, risk assignment, or transfer (i.e., transferring potential risk to a third party such as an insurance company) or risk reduction (i.e., mitigating risk by implementing security controls, policies, and procedures).  In this case, a control is defined as a mechanism used to restrain, regulate, or reduce vulnerabilities.

Risk Management:  What’s Needed?

The data cited above demonstrates that IT risk management needs a lot of work.  Why?  First, IT risk management is relatively new and undeveloped; this will improve over time. But IT risk management faces another challenge beyond immaturity alone.  The fact is that IT is a rapidly-evolving system: large organizations are currently in the midst of a massive IT metamorphosis driven by SOA, virtualization, cloud computing, consumerization, and mobility.  In this environment, threats, vulnerabilities, and even IT assets change on a daily basis.  This situation is exasperated by the rapid rise in threats; the convergence of the two results in a perfect storm for CISOs.

How can CISOs maintain sound risk management practices in an environment of constant change?  Today’s risk management must be based upon (see Figure 1):

• Instantaneous knowledge. Given the dynamic nature of both IT and the threat landscape, it is no longer adequate to perform risk assessments at predefined internals (i.e., weekly, monthly, quarterly, etc.).  Rather, asset changes, vulnerability assessments, and threat data must be available in real-time.  Security tools must correlate this information and immediately report on new types or levels of risks.  Security practitioners must be trained to digest these inputs, present them to business managers, and expedite risk management mitigation without delay.
• Comprehensive visibility and coverage. IT is composed of a multitude of assets like hardware devices, databases, business applications, and virtual appliances.  It is no longer enough to understand a sub-segment of the entire IT portfolio alone or adopt a piecemeal view of the entire IT infrastructure through a potpourri of tools.  To keep up with assets and their associated vulnerabilities, CIOs need a consistent data, visibility, and alerts across the entire IT spectrum. It’s not enough to get a partial picture (remember that more than half of all respondents said that they had 50% or less visibility into the risk posture of their IT environment). Organizations need to understand all of the vulnerabilities that exist and how they impact the environment.
• Constant controls assessment and adjustment. Security controls don’t fit into the “set-it-and-forget-it” category.  Rather, controls need persistent assessment to ensure that they adequately address new or changing risks.

The Rise of Real-Time Risk Management

CISOs should anticipate a new category of security management solutions for “Real-time Risk Management.”  Real-time Risk Management demands wide (i.e., across the entire IT infrastructure), deep (i.e., strong technical insight into each technology), and constant visibility into threats, vulnerabilities, assets, and controls.  The best real-time threat management systems will also be supported by:

• Threat monitoring intelligence. To keep up with rapid changes in the threat landscape, real-time risk management platforms will be constantly updated by the latest threat data from leading security researchers, academics, and public organizations. Along this line, security practitioners require vulnerability assessment content that delivers depth and breadth of coverage to ensure proper controls can be dispatched to thwart risks that materialize from the ever-changing/evolving threat landscape. Don’t be caught with partial coverage—finding 100% of half of the vulnerabilities still leaves a business highly exposed.
• Deep security knowledge. To help security professionals sort through mountains of threat, vulnerability, and asset data, real-time risk management will be instrumented with heuristics, correlation engines, and alerting capabilities.  The goal?  Help security professionals understand where best to focus security controls.
• Automation. Aside from gathering and sorting through information, real-time risk management platforms will also integrate with security controls and enforcement technologies in order to automate risk management responses.  When the risk management system detects un-patched laptops on the network, it can prompt security operations teams to begin an immediate patch cycle or other security control.

The Real-Time Truth

Real-time Risk Management is more than a new evolving set of security tools; it is a mindset shift.  CISOs should begin with more frequent security assessments, asset discovery, vulnerability scans, and configuration management.  It is also worthwhile to implement IT best practice models like ITIL, COBIT, or the NIST-800 series.  These guidelines will help lock down error-prone activities such as IT provisioning, configuration management, and change management.

CISOs should also take a pragmatic look at risk management blind spots.  How current are asset databases?  Do existing tools discover and alert IT when new assets are added to the network?  Do vulnerability scanning tools cover all technology elements or just a subset?  Do those tools use timely content and cover the spectrum of databases, applications, systems, and devices that define the organization with a comprehensive set of vulnerability checks? Remember that visibility gaps represent security vulnerabilities and should be analyzed and mitigated as such in a risk management context.

Finally, ESG firmly believes that early Real-time Risk Management systems are already available today. Smart CISOs will research available solutions, query vendors on product roadmaps, and evaluate leading solutions as soon as possible.  The goal?  Deploy Real-time Risk Management tools that can keep up with business-driven IT changes and help establish a Real-time Risk Management discipline throughout IT.

A a very high level, the strategy calls for the formation of a standards-based interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: An execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules over the entire ecosystem.

There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

You can read Jon’s other blog entries at Insecure About Security.

This offer really highlights the potential cloud storage has to help companies or local governments get fast and easy access to disaster recovery capabilities they could never afford in the past.  No hardware to buy, just download the software, map the drives and start a copy process.  Robocopy is free and you already have it, so no investment there.  And I’ve used the Nasuni software – I am certainly no system administrator but I was able to figure out how to add files and create snapshot copies, as well as restore from snaps, pretty quickly.  And because the environment is virtual – getting up and running in the event of an actual disaster can be done by spinning up a virtual machine from anywhere, provided you have the proper credentials.

This offer gave me one of those head shaking moments where I sit back and think about just how far technology has advanced in these recent few years – think about what it would have taken just 3 or 4 years ago to create a DR site and actually get back up and running in the event of a disaster - the remote site, hardware (servers and storage), advanced storage arrays capable of creating remote mirrors or host-based replication software, the software licenses and management overhead.  The cost and complexity of creating that type of environment is far beyond what many small to mid-sized companies could afford, never mind what state and local government budgets can pay for.  The cloud changes everything, this can all be bought as a service, in a shared model to lower administrative and capital costs, with near perfect economics (100% utilization).

Other vendors can learn from this example.  Aside from the obvious user benefits, this offer is also a good example of innovative marketing, presenting an offer that can really make a business impact to help users with true business issues – disaster preparedness and, if needed, recovery.  Steve blogged a while back about how technology marketeers are promoting cloud everything without tying solutions to business needs and items that users actually create a budget line item for.  This Nasuni offer is a great example of someone hitting the mark.

You can read Terri’s other blog entries at IT Depends.

From the early announcement, it seems that vShield is composed of:

• vShield Edge. To enable secure multi-tenancy, vShield Edge virtualizes data center perimeters and offers firewall, VPN, Web load balancer, NAT, and DHCP services.
• vShield App. VMware calls this hypervisor-based application-aware firewall that creates application boundaries based upon policies. It’s a bit confusing, but I believe it manages and secures VM-to-VM traffic in a logical virtual application. VMware needs to clarify this as the term “application firewall” has a completely different meaning.
• vShield endpoint. This one’s much easier to understand: rather than run endpoint security software on each virtual endpoint, vShield endpoint virtualizes security components like signature databases, scanning engines, and schedulers. Much more efficient than pretending that virtual endpoints are physical devices.
• vShield zones. Again, a bit confusing, but it seems like basic ACL capability built into vSphere.

Now I’m not at VMworld, so I’m reading between the lines. Nevertheless, I like the direction VMware is taking. ESG Research indicates that security is a big issue with server/desktop virtualization. This is true for everyone from virtualization newbies to sophisticated shops.

The vShield products are a great foundation for VMware, but I believe there is still a lot of work to do beyond clearing up the messaging. I suggest that VMware:

1. Dedicates ample resources for user education. ESG Research points to a general lack of virtualization knowledge and skills, especially with security professionals. Note to VMware: If security professionals don’t understand the ESX environment, they won’t buy your products.
2. Clarifies its partnering strategy. I can’t really tell if VMware intends to partner with or compete with companies like F5, Juniper Networks, Check Point Software, etc. I’m sure I’m not the only one.
3. Works on standards. If my standard firewall is a Juniper SRX, I really don’t want a one-off VMware product in my virtual infrastructure. If vShield can’t “talk” to other products through some new security standards, no one will want it.
4. Stop talking about “better than physical security.” I get the concept, but the vast majority of users don’t have the baseline knowledge about server virtualization to believe this. Improved security should be a destination/vision and not an overly bold tag line.

NetApp and Syncsort have long been partners. They’ve kicked the relationship up a notch with this announcement since they’re offering an integrated solution via mutual distributors (Arrow and Avnet) and resellers. How integrated is integrated? Well, the actual packaging for each vendor’s component is separate; IT organizations procure NetApp FAS disk systems, NetApp Protection Pack software, and Syncsort BEX data protection software via a single distributor SKU. The integration is more in how the solutions work together. Syncsort BEX clients work with NetApp APIs to invoke SnapVault—to create point-in-time backup copies stored on another NetApp system. The backup data path is BEX client direct to NetApp FAS storage, with no device server required. There’s a BEX Master server on the network, but it serves as the central point of management, the policy engine, and the backup catalog. Offsite copies can be facilitated by NetApp SnapMirror (which enables site-to-site mirroring) or physical tape.

The key benefit is simplicity and ease-of-use. It’s also cost-effective—not only because it’s an integrated hardware/software solution, but because it includes replication to facilitate DR at no additional cost and has integrated deduplication to optimize network bandwidth and storage capacity. The solution is designed to be cost competitive at 40% less than comparable EMC offerings.

Recovery is a big focus, too. Recovery options range from catalog searchable snapshots, mountable snapshot images, and integrated virtual machine recovery as well as recovery from physical tape. Syncsort’s secret weapon for server virtualization environments, such as VMware (EMC Avamar’s sweet spot), is its ability to provide P2V and V2V recovery via a bootable virtual machine based on any backup image.

The Syncsort-NetApp solution provides a boost to backup and recovery … and each company’s competitiveness. Syncsort benefits from the heightened exposure to NetApp’s channel partners. NetApp gains technology integration that complements its data protection portfolio, offering its clients a more full-featured solution. And, the combined solution is compelling versus EMC’s portfolio. Sounds like a win-win-win … for NetApp, Syncsort, and NSB customers.

Read more of Lauren’s blog entries at Data Protection Perspectives.

Veeam is taking advantage of VMware snaps to capture VM images and store them on the Veeam backup server’s datastore. The VM image can be Storage vMotioned to a production datastore or it can be replicated to a production datastore via Veeam’s own replication technology (this is a manual cut over … about 10 minutes of downtime). Essentially, this is the ability to boot a VM directly from the backup copy without having to do a full restore.

Vizioncore offers something similar. Its vRanger’s FlashRestore feature reduces recovery time for a VM image to seconds. Instead of waiting for the VM file to be copied from the backup repository to the recovery system over the network, the VM image can be booted directly from the vRanger Pro backup repository, making it immediately available.

Funny thing is, these solutions sound an awful lot like something Syncsort has had for years: BEX Instant Availability, which provides immediate recovery of critical applications and data without a need to transfer data.

Veeam vigorously defends that what it does is different … and Veeam’s right. One of the advantages of having VM image is the ease of manipulation and portability. Syncsort uses raw device mapping (RDM) in physical compatibility mode to link VMFS volume to a raw LUN, which creates a virtual machine disk image file (.vmdk) pointing to the raw LUN. You can instantly recover the VM by mounting the data as a physical RDM, but you can’t Storage vMotion it back to production storage since Storage vMotion doesn’t support physical RDMs.

With the tolerance for downtime rapidly decreasing, it’s a sure bet that IT organizations are continually on the hunt for solutions that can help meet aggressive recovery objectives. Veeam, Vizioncore, and Syncsort all support this objective.

Read more of Lauren’s blog entries at Data Protection Perspectives.

RSA Security made one of these by introducing virtualization intelligence in its Archer compliance suite.

What’s the big deal? IT operations needs standard server configurations to meet compliance mandates and auditors need visibility into both physical and virtual servers. Neither group wants to jump through hoops to get what they need. This is a pretty big deal. When ESG asked security professionals what security-specific developments need to take place in order to enable more widespread server virtualization usage, 27% responded that their organizations needed, “compliance management tools that recognize virtual server events.” This was the third most popular of all possible responses.

RSA is on to something here. When I move workloads to the cloud you can be damn sure that my auditors want to know what’s going on. I’d like to see more vendors follow RSA’s lead and I’d really like to see security and cloud computing vendors start to discuss data standards for compliance, event management, and log file formats as well as secure transport protocols. Alas, I’m getting ahead of myself.

The RSA announcement won’t get much pick up, as it lacks the buzz of some cloudy/virtualization vision thing. Nevertheless, it is exactly what customers are looking for.

You can read Jon’s other blog entries at Insecure About Security.

via NetApp, Syncsort Team up on Data Protection – PCWorld Business Center.

Hmm. First of all, anyone familiar with ArcSight was sure this was coming. The company is a leader in a growing market segment, has a great Federal business, and is one of few real enterprise players. It is interesting to me that the Wall Street Journal is spreading rumors but that’s another story.

Let me weigh in by handicapping the field:

1. Oracle. This would be a bold strategic move as Oracle plays in security tools and the identity management space, but not the broader security market. ArcSight is an enterprise software company so it fits with Oracle sales and channels. ArcSight also runs on an Oracle database (for better and for worse). To me, Oracle makes sense as a potential suitor.
2. HP. HP people always tell me that they want to be in the security services, not the security products business. The company backed this up when it sold its identity management portfolio to Novell. ArcSight fits with OpenView/Opsware as enterprise software so it may have changed its mind, but HP probably wants to be careful with acquisitions in the wake of the Mark Hurd scandal. Heck, HP put in a bid for 3PAR this week and Wall Street went nuts. Given these factors, I’d be surprised if it were HP.
3. EMC. Forget this rumor. EMC already bought one of ArcSight’s primary competitors (Network Intelligence, now RSA EnVision). There are a dozen security acquisitions I could think of that would make more sense for EMC/RSA.
4. IBM. Great fit in terms of enterprise software but this would be IBM’s third security management offering (the original Tivoli security manager and then GuardedNet which IBM got as a result of the Micromuse deal). Neither of these products have really resonated in the market. If anyone can erase two previous products, IBM can. I rate this one as likely as Oracle.
5. CA. CA’s security presence is really limited to the identity space. Like IBM, CA has tried several times to penetrate the security management market with little success. I can see CA wanting ArcSight but if Oracle or IBM jump in, the price may quickly get too high for CA.

Given the Intel deal, McAfee is likely out of the running. I’ve heard through the grapevine that McAfee made several attempts at ArcSight but the price tag was just too big. Symantec, like IBM and CA, has also developed security management products that haven’t taken off in the market. If Enrique Salem is up for another big acquisition, ArcSight would be a great fit.

Finally, wherever ArcSight ends up, there are plenty of other innovative security management companies that may quickly follow. Feisty Q1 Labs would be a natural for Juniper. Brainy Nitro Security could be a fit for Cisco or CA. LogRhythm could be a good addition for HP, Check Point, Websense, etc.

ArcSight deserves what it gets as it really guided the security market moving forward. Its fate will greatly influence the enterprise security market moving forward.

You can read Jon’s other blog entries at Insecure About Security.