IT security and management on collision course

As security companies push into systems management, and vendors in the management space push back, convergence of the two is ongoing and largely unavoidable

According to some industry analysts, as many as 90 percent of all enterprise businesses currently assign oversight of anti-virus technologies to their desktop management teams, rather than ceding the work to security specialists.

The reasons behind this fact are simple, market watchers maintain: keeping AV agents up to date, distributing new virus signatures to endpoints, and monitoring PC configurations for anomalies are exactly the types of tasks that IT operations teams are expected to carry out.

If you add in the fact that many companies are looking at their IT security and management functions from the perspective of handling regulatory compliance demands, experts say, it becomes clear how much commonality exists between the security and management camps.

As such, it should come as no surprise that a growing number of organizations are beginning to view much of their traditional security work -- specifically, chores that don't involve warding off attacks -- from a systems management standpoint.

That's the reason why security market leader Symantec plunked down $830 million for management software vendor Altiris in Jan. 2007, and why so many IT management technology providers are dipping their toes in the security waters, said Neil MacDonald, analyst with research firm Gartner.

"In most cases clients are looking to reduce complexity and costs, and improve overall systems manageability; today it's very hard to configure and manage security products made by multiple vendors, so we're seeing this trend toward what you might call Darwinistic operationalization," MacDonald said.

Based on the growing management headaches created by the presence of so many security tools in the modern enterprise, businesses are looking for ways to centralize oversight of the various technologies and hand off their control to operational specialists, the analyst said.

That is why Symantec and McAfee are pushing expanded management capabilities, and why so many companies with management backgrounds -- such as BigFix, Kace, and LanDesk -- are now actively marketing their security skills, MacDonald said.

"This is a very important trend, because most security issues actually arise in systems management, and even if you love Symantec and are on a path to acquire their various products, there's a pretty good chance that you'd at least consider the security solutions being offered by these other providers coming from more of an operational side," the analyst said.

"These companies on the operational side will definitely come head-to-head with the security companies, and really, that's a good thing for everyone," MacDonald said. "Because the endgame is that users should end up with more integrated functionality at a lower price."

Of course, major IT systems management platform providers including CA, EMC, IBM, and Microsoft are also competing in the security market, and are doing so with increasing success based on their management skills, the analyst said.

"If a security person can do a better job by using management applications, and vice versa, then why not; even though these companies look at things through a different lens, there's a great amount of value in eliminating duplication of tasks such as inventory management," MacDonald said. "All the management vendors have a great case to make; convergence may be too strong of a word, but there will certainly be increased integration across security and operations-type applications."

Strategy leaders at Symantec agreed that the confluence of security and systems management is seemingly unavoidable, especially as each of the processes becomes so much a part of the other.

The shift is the primary reason why the massive AV and systems defense company was compelled to make such a significant investment in management expertise through its buyout of Altiris, executives said.

"When we looked at this area and how we wanted to approach the market, we saw management as changing the entire game right now because of a number of factors," said Tim Brown, senior director of architecture and strategy for Symantec.

"The bar for management has risen in the last few years with issues such as virtualization placing a heavier demand for coordination between security and management," Brown said. "We really needed to become a leader in both disciplines and offer a consistent fashion through which customers can manage and remediate their systems in a tightly integrated way."

Symantec has been helping companies manage compliance issues for a decade, Brown noted, but alerting customers to problems that auditors might find is no longer enough, he contends, because users are also asking the vendor to provide the mechanisms necessary to remediate any issues it finds.

Emerging technologies such as network access control (NAC) that involve everything from testing systems configuration to updating AV tools won't be as broadly adopted by end-users if vendors such as Symantec can't offer the ability to cover both the security and management tasks they require, the executive said.

Leaders of systems management companies such as LanDesk echo Symantec's observation that their products are increasingly becoming the tools through which customers handle a great deal of security work.

"Many of our customers are having a hard time differentiating between systems and security management as so much of what they do to secure the device is around traditional systems management work," said Steve Daly, who took over as general manager at LanDesk at the beginning of 2007.

"Customers are looking for tools that give them a view into inventory, the known state of their systems, to do the remediation and bring everything into compliance, which is really the traditional realm of systems management," Daly said. "They're talking about moving to service management, but the reality is that they're caught up being reactive in break-fix mode; they want to move into more of an over-arching process focus, and that's driving a philosophical change for IT and how we deliver our products."

Those factors are the very reason that a systems management specialist such as LanDesk was pushed to launch its maiden host intrusion protection system (HIPS) earlier this year, Daly said.

"Our opportunity comes from being able to lock down the device and watch the device and defend it in a preemptive manner, versus after an attack hits the device," Daly said. "I think it will be more of a challenge for the Symantecs of the world to build a single client that covers both security and management, coming from their side of the business."

Other management technology vendors said that they have long considered security as one of their core strengths, even if they didn't market their products as such.

Marty Kacin, co-founder and chief technology officer at systems management appliance vendor Kace, said that midsize companies have been approaching the issue from a more unified standpoint for years, and that enterprises are merely beginning to follow suit in viewing the issues together.

Along with covering issues of inventory and systems image provisioning, Kace's appliances provide features including security patch distribution and desktop vulnerability assessment.

"We've never differentiated security from management from the get-go, yet we never marketed around security until recently when it became clear that this was a message that resounds with customers," Kacin said. "And really when you think about it, it's not just that patching and configuration management relate to security, the issue is that the processes of systems management and security are fundamentally interdependent."

Companies such as BigFix, which has marketed itself as a security and management vendor for some time, claim that their existing business models illustrate the very approach that enterprises must take when considering the individual strategies.

"When your job is to sit on the end point and tell it how it needs to look and behave, it's clear that we're ideally suited to tackle both of these problems from a management perspective," said Greg Toto, vice president of products and operations at BigFix.

"CIOs are annoyed with the volume, complexity and integration issues driven by the use of all these security and management point products in unison," Toto said. "The value proposition of a company like ours is to provide control for a broad range of these agents via a single management console."


Copyright © 2007 IDG Communications, Inc.
