Companies that specialize in helping businesses speed delivery of their applications and Web content are increasingly involving themselves in IT security as the continued proliferation of systems-defense technologies has become a potential roadblock to the performance and quality of the services they already provide.
Business leaders at applications acceleration providers like Akamai Technologies and Symphoniq contend that as their customers continue to layer additional security devices and programs into their IT infrastructures, they are creating new obstacles to maintaining swift delivery of everything from customer-facing e-commerce systems to supply chain networks shared among partners.
As a result, the technology and service providers are moving to help growing numbers of their customers find the most effective manner to tailor their security systems in a way that reduces the strain on their applications while maximizing protection.
Security has always been a major consideration in the applications delivery world, but the continued explosion of new technologies that customers want to utilize to prevent attackers from compromising their systems has forced companies like Akamai -- which claims to handle performance and availability issues for 300 of the top 500 e-commerce sites in the world -- to up the ante in recent years, executives said.
"As an overlay on the network, we're an overlay for users both good and bad who want to access to these applications," said Keiran Taylor, senior director of product marketing at Akamai. "Whether you're talking about denial-of-service threats or other types of attacks carried out against these systems, in many cases we're actually the first line of defense that can thwart something before it harms an enterprise customer."
In addition to a number of homegrown technologies that the company already uses to ensure that its customers' applications and sites are running at full speed, many of which are delivered as an element of its core services -- such as tools that monitor for activity that might indicate emerging DoS attacks -- Akamai also sees new business opportunities helping companies deal with other security-related headaches.
Earlier this month, the company launched its first service aimed at aiding customers who process credit and debit cards maintain compliance with the Payment Card Industry (PCI) Security Standards Council's DSS (Data Security Standard).
Backed by the world's largest credit card providers, the PCI DSS mandate requires businesses to bolster their security systems to protect cardholders' sensitive personal data.
Akamai's service includes additional "assurance" for securing card data involved in online transactions as well as its new Dynamic Site Accelerator PCI service, which includes an audit management portal, systems configuration validation tools, infrastructure scanning reports, service integration guidelines, and an SSL network tailored to meet the regulation's specific terms.
Thus far, the PCI service is only available as a beta, but Akamai is planning to make it a commercial offering in 2008.
"If you look at what Visa and these other card companies have said, caching secure content is a key component of meeting the requirements," said Taylor. "In the quest for performance sometimes people let security take a back seat, but clearly it can come back to bite you, so we're trying to deliver both pieces of the equation and make it as simple as possible for our customers to do business."
Symphoniq sees an opportunity
At Symphoniq, company officials are now marketing the firm's Real User Monitoring Web applications performance measurement service as an ideal way to head off potential attacks carried out against online transactional systems, including e-commerce sites.
Architected to help companies understand what the in-the-browser experience is like for users of their online systems, Symphoniq is now pitching the product's ability to sniff out attempts to break into online applications to steal data, carry out fraudulent transactions, or launch attacks such as cross-site scripting threats.
"The customers are trying to solve these problems by adding a lot of security devices and applications into the pipeline, which is having a huge effect in some cases on the performance and reliability of the applications themselves, so we are being asked to do more around security," said Hon Wong, chief executive of Symphoniq.
"Without ever touching the code of the applications themselves, we can provide end-user monitoring that catches any bad transactions, and then trace that down to a specific user session, which is a lot less intrusive," he said. "Many companies are struggling to balance security and performance issues for their applications, so it's a clear opportunity for those of us on the delivery side to get involved."
In addition to selling its tools directly to end-users, Symphoniq is also marketing its technologies through partnerships with others in the space, including F5 Networks, a maker of applications delivery network appliances.
"This is a natural progression for this industry," said Ed Colonna, vice president of marketing at Symphoniq. "These companies can't spend all of their time trying to decompose the haystack to find the needle that is getting in the way of performance, and I think a lot of companies don't fully understand the effect that today's layered security environment has had on the way their applications behave."
Industry watchers said that the push by applications delivery providers into the security space is unsurprising as the vendors have a unique vantage point into the infrastructure that attackers are increasingly attempting to target with their malware.
The movement is similar to the ongoing drive by large telecommunications carriers and Internet service providers to offer more network-based security services that tap into their widespread network intelligence capabilities and attempt to head off threats further upstream, said Andrew Jaquith, an analyst with Yankee Group.
"The applications delivery specialists see this as an extension to their business, the question will be whether they can create something enterprises want to buy," Jaquith said. "Companies like Akamai know a gravy train when they see one, and this could be an opportunity for them to peel off a little extra revenue."
Much like carriers, however, the analyst said, applications delivery companies eager to get into the security market need to understand that they may be forced to sell into different constituencies within their customers than those that they currently do business with.
Another challenge for the vendors is that security and compliance interactions often mandate on-site work, something that the companies may be less interested in based on the related overhead expenses, he said.
"These companies could have the same problems that carriers are experiencing in terms of targeting the right people to sell their technologies to inside the enterprise. Compliance isn't really a network operations issue, for instance, it's more of a security and legal issue," said Jaquith.
"And with anything related to security and compliance you often need to get your hands dirty on-premises," he said. "It will be interesting to see if that's something that these companies want to pursue."