Securosis

Research

New Feature: LiveChat

Got questions? Think I might know the answer? Just bored and need someone to pretend to be your friend? All you have to do is look on the sidebar and click on the LiveChat link. If you’re running AIM, that will connect you to the account I’ve set up to support the site. This is a bit of an experiment and feedback is welcome. If you aren’t running AIM, let me know in the comments what IM provider you prefer. And no, I won’t pretend to be… something… to satisfy any of your twisted fantasies. This is for security stuff only, okay? Share:

Share:
Read Post

DLP Is A Feature, CMF (Or Whatever We’ll Call It) Is A Solution

Here I am, just off the bench after six months of watching from the sidelines, and when I’m still two feet away from the darn batter’s box Hoff lets loose with a hundred mile per hour fastball right at my head. Thanks Chris, it’s not like you didn’t know exactly when I’d be back at bat. I really suggest you go read both of Chris’ posts, but here’s a snippet so I have something to work off of: Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets. I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical. The difficulty with this technology is the just like any other feature, it needs a delivery mechanism. Usually this means yet another appliance; one that’s positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the “inside” and goes “outside.” I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality; I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADC’s.) I see CMP becoming part of UTM suites. Soon. First a little bad news; I mostly agree with Hoff, and this is such a big subject I’m only going to cover part of it today. Consider this the first part of a multipart series on DLP/CMF/CMP. Today I’ll cover a little bit of history and what I look for when figuring out if the latest widget is just a feature of something else, or likely to be a stand alone solution. What most people call DLP started about 5-6 years ago as an extra feature of about the only Acceptable Use Enforcement product on the market- Vericept. Vericept monitored network communications, mostly as a sniffer near the gateway, to detect things like porn, gambling, sexual harassment, and “hacker” research. A lot of people tried to position it as a network forensics tool, but instead of full packet capture it just looked for policy violations and recorded that traffic. It also came with usable business reports, not just lists of IP addresses and packets. Vericept could also detect things like credit card and social security numbers leaving the organization. Vontu, Vidius (later PortAuthority and now Websense), and Tablus started becoming more visible, each with their own somewhat unique approach to the problem. Vontu cleaned up in the early years by really focusing on the business problem of preventing data leaks and building a tool the business guys could grok. Once Reconnex, Fidelis, and a few others appeared the marketing machines really started cranking and bringing more attention to the entire space. In 2005 Vontu had a big lead in a small market, but the competition learned fast and became MUCH more competitive in 2006, after more than a few management changes. Early on we had a hard time naming this space. Not just us analyst types, but the vendors themselves. I even had a phone call with two of the bigger ones in 2003 or 2004 where myself and two competitive marketing managers tried to hash it out. I went with the term “Content Monitoring and Filtering” because I felt the core technology was about a lot more than just leak prevention. New technologies pop up all the time and sometimes it’s hard to figure out which will succeed, fail, or succeed as part of something else. I ask one simple question to place my bets on something being a feature vs. a solution: What’s the business problem, and does the technology solve it? If not, what percentage of the problem does it solve? Okay, I cheat, because this is hard. Something like, “it blocks USB ports” isn’t a business problem; at least not with a capital B. This is also where we tend to see all the BS business-speak like “holistic” and “synergy”. I should probably do some posts just on this alone, so let’s look at DLP. The business problem for DLP is, “tell me where my sensitive information is and help me protect it”. Chris is correct- Data Loss Prevention is just a feature focused on one part of the problem. Monitoring data moving through the perimeter is a throwaway. The DRM part, which all DLP solutions will eventually include, is also a throwaway; let someone else do that part. Content scanning and classification for storage, email integration, internal network monitoring, and so on are all just features somebody can put into something else. The product, and I really like Chris’s Content Monitoring and Protection term, is the policy management server, content analysis, and workflow and reporting tool. It’s the central console for managing all these enforcement points that will be part of UTM, endpoints, and everything else. Today the “DLP” vendors need to build most of this themselves since it’s hard to sell a product when you have to tell your client to buy 20 other components from other vendors. This isn’t part of UTM because the people setting the policies for content and dealing with enforcement aren’t the same as those dealing with inbound threats. This isn’t part of Application Firewalls, Application Delivery Controllers, or database security gateways because those are also managed by different teams, with different responsibilities. Actually, those tools are going to consolidate into a database and application security stack, while DLP evolves into a Content Monitoring and Protection solution. We’re solving the problem of identifying and protecting sensitive content being used by our employees (and other insiders). Those responsible for solving this problem often include non-technical types like corporate legal, risk, and compliance. The problem is different

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.