Users mistrust bundled security products

The renewed user interest in the security product bundling concept comes from the heightened awareness of security after Sept. 11, along with the general sense that networks are now more mission-critical because they support e-business initiatives and remote employees, analysts say (see main story). But these experts point out that most enterprises haven't committed to full-scale adoption of bundled security products.

"Certainly, [companies] now have allocated extra money for security. And yes, they are looking at things like vulnerability assessment and IDS. But honestly, integrated appliances don't seem to be their first pick, though they are on the radar," says Joel Conover, an analyst at Current Analysis.

Analysts acknowledge that service providers, such as Divine, and small to midsize businesses account for the bulk of integrated security product sales, despite vendor attempts to appeal to larger corporations.

"Many [companies] still think they'd be going out on a limb with such products, but they are inviting them into the evaluation space. Vendors seem to be counting those evaluations as shipped products," Conover says.

Communications Supply in Carol Stream, Ill., is one user that recently invited integrated product offerings into an IDS evaluation. But Robert Fischer, director of technical services, is quick to point out the uphill battle ahead for those vendors. He expresses skepticism that a firewall/IDS product will provide the same set of checks and balances as distinct firewalls and IDS devices.

"They will have to prove to us that one feature set will find problems in another feature set," he says. Another prickly point is vendors' claims that these products reduce duplication of security features. Users who have pieces of their security strategy in place tend to view integrated offerings as redundant. Plus, integrated packages are frequently more expensive, he says.

"A lot of this is just packaging," Chris Christensen, an analyst with IDC, says of added security features. "And a lot of companies already have a large range of existing products doing security and management."

Jim Slaby, an analyst with Giga Information Group, agrees. "With Swiss-Army-knife appliances comes the potential for duplication of functions,'' he says.

On top of that is the hesitancy among users to rely too heavily on one provider. " One downside is getting entrenched with single-vendor solutions. After the dot-com bomb, you've got to be careful who you choose," Phil Ruenhorst, director of ChimeNet, an affiliate company of the Connecticut Hospital Association in Wallingford, says. Even something that seems as common sense as bringing authentication techniques into laptops will meet with user resistance, analysts say.

"It is pretty well-known at this point that the information on the laptop is worth far more than the actual device," Christensen says. "There is also a desire to protect the connection to the LAN or corporate network."

So vendors will likely integrate tokens and biometrics into mobile devices, and possibly into operating systems, Christensen says. "But margins on laptops are thin. Building authentication into these devices begs the question of whether there will be enough buyers," he adds.

While users are dabbling with integrated products, traditional strategies that mix dedicated offerings are still the preferred route for many corporate users.

"Large enterprises would rather go with best-of-breed solutions, since they consider their own internal integration efforts as a competitive advantage," Christensen says.