Rethinking the Security Supermarket

The Sept. 11 terrorist attacks have bred a heightened awareness of security, and as I-managers re-examine security infrastructure, a familiar question has resurfaced: Is it better to choose best-of-breed security products, or an integrated security suite

When Network Associates Inc. announced earlier this month that it was preparing to sell its Gauntlet firewall software business, it signaled an end to the companys attempt to position itself as a one-stop shop for security.

The firewall wasnt selling well and turned out to be a loss leader on NAIs balance sheet. But industry observers didnt expect that NAI would dump Gauntlet, because the company needed it to round out a complete security offering. Nevertheless, NAI shut down its PGP Security division, which included Gauntlet, and will absorb PGPs encryption technology into its McAfee and Sniffer Technologies divisions.

The Sept. 11 terrorist attacks have bred a heightened awareness of security, and as I-managers re-examine security infrastructure, a familiar question has resurfaced: Is it better to choose best-of-breed security products, or an integrated security suite supplied by one vendor? The answer depends on an organizations specific requirements and its security suppliers capabilities.

NAI learned that being a one-stop shop doesnt always have its privileges. The company found it difficult to cross-sell the Gauntlet firewall to users of its other security software.

"There were different buyers for different security products, but we didnt understand what those differences were," says Michael Callahan, McAfees director of marketing. Callahan says customers were coming to NAI for antivirus and virtual private network software, but they werent necessarily coming to it for a firewall. "What it came down to was for us to focus on what we do well."

Thats a reversal of the strategy the company adopted four years ago, when former McAfee CEO Bill Larson acquired Network General, Pretty Good Privacy and Trusted Information Systems to form what is known today as NAI. His vision was to make NAI the Microsoft of security: Just as Microsoft wraps all the desktop productivity applications a business user needs into a suite called Office, NAI would do the same with security software.

But in December 2000, Larson resigned amid unexpectedly bad earnings, and NAIs directors brought George Samenuk on board as CEO in January 2001 to steer the ship back to profitable waters.

One for All

While NAIs decision to discard its firewall may have been right for the company, other security leaders debate whether retreating from a fully integrated suite is the best approach.

Gail Hamilton, executive vice president of product delivery and response of Symantec -- a rival of NAIs McAfee division -- says that while the integrated suite approach may not have worked for NAI, Symantec thrives on it. "My belief is thats one of Symantecs strengths -- selling across all tiers of the network -- and thats what our customers are looking for," she says.

Computer Associates International also sells customers an array of security products. However, Barry Keyes, vice president of CAs eTrust security solutions division, says most of CAs customers, which tend to be large companies, dont come to CA looking for a product. Rather, they come looking for a solution to a particular need. And when they come, its nice to have a tool on hand that integrates well with the rest of the product line.

"One-stop shopping is a convenience, but solving the problem is the utmost importance," Keyes says. "When a customer has a problem, its not just [a question of] What is the best product? but What is the best product for my environment? "

Keyes says the primary benefit customers get from using mostly CA security solutions is full, easy integration throughout the infrastructure, so an I-manager has one console for his or her security set.

With one console, theres one reporting mechanism. When all of the security solutions in an enterprise are working together, it becomes simpler to identify attacks, their severity, their origin and the best ways to stop them. For example, if an attack is picked up by a companys intrusion detection system, then the firewall could be automatically instructed to tighten security parameters and watch out for suspect packets.

It doesnt always require buying products from one vendor to get these benefits. A new product from GuardedNet, an information security management company, lets I-managers use the security tools to which theyre accustomed, but use GuardedNets NeuSecure as the console and reporting mechanism.

Bob Hughes, president of GuardedNet, says the company developed the solution when it was providing security systems to government agencies and found the process of integrating the reporting mechanisms of all of them to be overwhelming.

"One thing we noticed was when we tried to correlate an attack, you would literally have to go to different consoles to find out the source of the attack," Hughes says. "Our product sits on top of best-of-breed products and presents a picture of what is happening in real-time to the enterprise."

Large companies are more likely to use best-of-breed security products and integrate them themselves, says Chris Christiansen, an IDC analyst. In fact, some I-managers at large enterprises consider their integration efforts a competitive advantage, he says. "Only they know how it works and how the architecture was really designed," making it harder for someone to hack through it, Christiansen says.

Call the Troubleshooter

A one-stop security provider offers benefits beyond product integration. When it comes to security, accountability is a major factor in determining whether a customer will purchase one product over another. When theres only one point of contact -- that is, one vendor to blame when things go wrong -- some I-managers sleep better at night.

"Within the one-stop-shop approach, its very important to have one support person to call," says Steve Collen, Cisco Systems director of marketing for security. Cisco provides the Safe Blueprint program, which encompasses Ciscos security products, as well those from other companies with which Cisco works closely. When a customer calls Cisco for support, even if its about a product from one of Ciscos partners, a company support representative will help resolve the problem.

That made all the difference for Elliot Zeltzer, Volkswagen of Americas telecommunications and network services manager. VW of America wanted a model that kept costs low, and that meant procuring services from as few vendors as possible. "We subscribe to Ciscos Safe on the basis that when it breaks, we call one person," he says.

VW of America tried to go the best-of-breed route, but Zeltzer says it became a logistical nightmare, as integrating software meant caving in to the lowest common denominator of functionality to get the software to interoperate. And using one companys security products ensures that it all works together. "Mine is as secure a network as any vendors product can make it," Zeltzer says.

Not everyone is sold on the one-stop shop. From an up-front cost point of view, it makes sense to go with a single provider because a company might get more for one price, says Joseph Dalessio, network administrator of Major League Soccer, which is also a member of Ciscos Safe program. But Major League Soccer incorporates security from several vendors, including Cisco, McAfee and WatchGuard Technologies.

"I prefer to go with best-of-breed here, because in the long run, were a lot safer," Dalessio says.