Demo@15 spotlights security

Emerging technology moves beyond the perimeter for securing data.

Of the 74 companies showing off their wares at this year's Demo@15 conference, more than half are focused on the enterprise. For a majority of those companies, the message is simple: It's about security, stupid.

IT managers looking to this year's emerging technology conference (produced by Network World) for hints about the direction security is taking will see a strong shift away from the perimeter to end-to-end data management.

"You cannot put a brick wall around an organization," says Demo Executive Producer Chris Shipley. "The goal [for IT executives] should be to protect data from the bad guys and to protect your CEO."

She says companies that are knee-deep in extending their companies are looking to policies and access rights as a basis for securing corporate data. "It's not whether I have a secret knock to get on the network, but do I have rights [to this data]? We're going to start looking at things on a granular basis."

Look for several compliance tools that address this mandate, she says. "The whole issue of compliance is driving innovation."

The enemy within

IPLocks' Information Risk Management Platform focuses on deterring internal threats. "More than 75% of data theft occurs by employees who have legitimate access to data," says Christine Crandell, vice president of marketing. She adds that data often lies unprotected within corporate databases.

The Information Risk Management Platform has tools for database vulnerability assessment, monitoring, audit analysis, user behavior tracking and regulatory compliance checks. Enterprise managers can set rules for how users normally access databases so that when anomalies occur, they are alerted and can react quickly. They also can equip company executives with a dashboard view of database access for instant analysis of the company's compliance and vulnerabilities.

Version 5.0 of the application, which works with major database platforms, including Oracle, IBM DB2, Sybase and SQL Server, will be generally available in April. Pricing ranges from $15,000 to $225,000, and is based on number of database server CPUs.

Keeping applications safe

Cenzic is also focused on vulnerability assessment, but at the application level. Cenzic's Hailstorm 2.0 lets enterprise managers automatically test the security of their commercial and custom Web applications.

Mandeep Khera, vice president of marketing at Cenzic, says IT executives must put the same level of focus on policy compliance for Web-based applications as they do legacy applications. "You have to have internal policies and test for strong passwords and make sure you discover vulnerabilities," he says.

Hailstorm 2.0 lets enterprise managers perform stateful application inspection, test from the user level down to the source code, and either employ policies from Cenzic's library or develop their own. The application also features an API for integration with Mercury Interactive's Mercury Quality Center and Mercury TestDirector network monitoring tools.

Khera says financial services firms under mandate from the Gramm-Leach-Bliley Act can use the tool to attack their applications and report on vulnerabilities. Reports then can be shown to developers to make sure the holes are plugged.

Hailstorm 2.0 is priced on a per-application and subscription basis.

New spin on password management

Imprivata is taking a different approach to the security struggles IT managers face by tackling the ever-frustrating password dilemma.

"Every user in the corporate environment has a minimum of eight to 10 passwords," says Omar Hussain, senior vice president for product management. "They have passwords for everything: Hotmail, e-mail, network logins, HR applications and 401(k) informational sites. And because of compliance and other security issues, more difficult passwords are being enforced."

He says the real victims are IT organizations that have to manage and field help desk calls for creating, resetting and deleting passwords. With strict oversight, IT organizations for industries such as healthcare must verify information about a user before doing any of these tasks.

Imprivata's OneSign is a single sign-on appliance that integrates with the company's directory to manage password complexity. IT managers plug the OneSign appliance into Active Directory, which downloads user data from the network. The appliance gathers information about the network applications each user employs and then deploys agents to the desktop. The first time a user authenticates via the agent, the tool gathers passwords, and encrypts and manages them at the appliance level. For added security, enterprise managers can implement fingerprint or smart-card authentication. OneSign also features an auditing and reporting tool that lets IT managers track the users' application access.

Pricing for OneSign starts at $15,000 for less than 500 users and $180,000 for 10,000 users.

Securing voice traffic

While some companies are squarely focused on protecting data, others are trying to meld in security for VoIP as well.

KoolSpan CEO Tony Fascenda says the biggest challenge IT executives face in trying to authenticate voice and data over IP is the array of connectivity choices available, including wired and wireless networks.

VoIP works well within a network but requires significant configuration changes for remote access - too complex for most users, he says.

KoolSpan created its TrustChip, which features 256-bit Advanced Encryption Standard encryption, to establish an end-to-end connection that recreates the local user experience. "No matter where the user is, we create a secure tunnel, and once you've connected to an internal device, you're recognized as a local user," he says. Fascenda says this avoids the challenges of network address translation and IPSec tunneling.

The TrustChip can be embedded into "an IP phone, a voting machine, a laptop, a PDA, a network switch - anything that lets a machine make a connection across a network," Fascenda says. The user plugs in a USB secure token to the device to authenticate and establish a connection across the network to the internal system. "All the roles and policies map to the user as if he were inside the office," he says.

KoolSpan is licensing the TrustChip on an OEM basis to VoIP and other companies.

Analyzing data faster

Another key element of security is information monitoring and analysis. The advent of real-time data streams and the need for instant analysis of that data poses challenges for IT managers.

StreamBase Systems is launching its StreamBase product, which is supported by the company's Stream Processing technology.

Based on SQL, Stream Processing enables on-the-fly analysis of real-time data, such as data generated by radio frequency identification tags and other sensor technology. Instead of gathering and storing information in a database and then running a query against it, StreamBase lets users perform similar queries in real time. The system can do computations against the data as it moves.

Bill Hobbib, vice president of marketing, says this allows for much quicker reaction to the results of the queries. For example, the military could use StreamBase to track its soldiers, enabling a rapid response if data shows they are missing. Today, he says, users of query technology must wait to pore through the data, which slows response times. "In many cases, data is only useful for minutes after it's arrived. Why not get the results when you can use them?" he says.

IT executives can use StreamBase, which features low latency in microseconds, to find errant activity on the network and deter it in real time. This is important for compliance and regulatory mandates, Hobbib says. The information gathered can be archived to study historical patterns.
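The two sections above describe the same detection idea from two angles: IPLocks sets rules for how users normally access databases and alerts on anomalies, and StreamBase evaluates such rules as the data moves rather than after it has been stored. The following added example (my own illustration, not IPLocks' or StreamBase's code, and not SQL) makes the batch-versus-stream contrast concrete: one rule, "more than five reads of a sensitive table by one user inside a 60-second window", is evaluated once over a stored log and once as each event arrives. The events, user names, table names and thresholds are constructed sample data.

```python
"""Batch versus streaming evaluation of a database-access anomaly rule.

Added example, not vendor code. The rule: alert when a user issues more
than THRESHOLD reads of a sensitive table within WINDOW_SECONDS. The batch
path answers only after every event is stored; the stream path fires the
alert at the moment the sliding window first crosses the threshold.
All events below are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed audit events: (timestamp_seconds, user, table, action)
EVENTS = [
    (0.0, "alice", "orders", "SELECT"),
    (1.0, "bob", "customers", "SELECT"),
    (2.0, "bob", "customers", "SELECT"),
    (2.5, "bob", "customers", "SELECT"),
    (3.0, "bob", "customers", "SELECT"),
    (3.5, "bob", "customers", "SELECT"),
    (4.0, "bob", "customers", "SELECT"),   # sixth read inside 60 s
    (5.0, "alice", "orders", "UPDATE"),
    (70.0, "bob", "customers", "SELECT"),  # earlier reads have aged out
]

SENSITIVE_TABLES = {"customers"}   # assumed classification, constructed
THRESHOLD = 5                      # more than this many reads is anomalous
WINDOW_SECONDS = 60.0


def batch_alerts(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Batch analysis over an already-stored log. Returns
    {(user, table): peak_count} for every pair whose reads of a sensitive
    table exceeded the threshold inside some window of length `window`."""
    per_key = defaultdict(list)
    for ts, user, table, action in events:
        if table in SENSITIVE_TABLES and action == "SELECT":
            per_key[(user, table)].append(ts)
    result = {}
    for key, stamps in per_key.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            result[key] = peak
    return result


class StreamDetector:
    """Stream analysis: keeps one deque of recent timestamps per
    (user, table) and decides on every event as it arrives."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.windows = defaultdict(deque)   # (user, table) -> timestamps
        self.alerted = set()                # alert once per (user, table)

    def observe(self, ts, user, table, action):
        """Process one event; return (detected_at, user, table, count) or None."""
        if table not in SENSITIVE_TABLES or action != "SELECT":
            return None
        key = (user, table)
        recent = self.windows[key]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # expire old reads
            recent.popleft()
        if len(recent) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return (ts, user, table, len(recent))
        return None


def run_stream(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Feed events in arrival order and collect the alerts as they fire."""
    detector = StreamDetector(threshold, window)
    alerts = []
    for event in events:
        alert = detector.observe(*event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print("batch  :", batch_alerts(EVENTS))       # known only after the last event
    print("stream :", run_stream(EVENTS))         # fired at t=4.0, 66 s earlier
```

The batch path is the stored-then-queried model the article contrasts against: its answer exists only once the last event (at t=70) has been written. The stream path fires at t=4.0, which is the "minutes after it's arrived" window Hobbib is talking about. The same deque-per-key structure generalizes to any rate rule (failed logins per source, rows exported per session) by changing the filter in `observe`.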

StreamBase is available via a subscription model for $60,000 per year or $200,000 for three years.

Better message management

Companies worried about compliance are taking a hard look at not only their security and analysis tools but also their message archiving systems. Because e-mail is at the heart of many security and liability concerns, managing messaging is a challenge for IT managers.

Praising Gaw, director of marketing at Fortiva, says IT managers are buried under the requirements for e-mail retention. Fortiva is launching an e-mail archiving service that lets IT managers offload the duty of record keeping.

IT managers, especially those in the financial industry, must store e-mail for up to seven years in case of lawsuits or audits. Gaw says that's a big chore, and the cost to manage and store the data can add up.

The Fortiva Archiving and Compliance Suite is a plug-and-play appliance that connects to a company's Active Directory and Exchange servers. Messages are encrypted at the appliance and stored off site. Users can search through the off-site message store despite the encryption. Because protection is applied at the appliance, Gaw says, attackers who broke into the off-site machines would not be able to read the messages. IT managers get the benefit of storage scalability without the hardware and software investment or compatibility headaches, she says.
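The article says the off-site store stays searchable even though only ciphertext leaves the appliance, but does not say how. One standard way to get that property is a keyed blind index: the appliance encrypts each message and attaches HMAC-derived keyword tokens, and the hosted side matches tokens without ever holding a key. The following is an added illustration of that technique, not Fortiva's design; the keys, message ids and message texts are constructed, and the cipher is a SHA-256 counter-mode keystream chosen only so the example runs on the standard library.

```python
"""Searchable encrypted message archive with a keyed blind index.

Added example, not Fortiva's design. The on-premises client owns two keys:
one for encrypting message bodies and a separate one for deriving keyword
tokens, so a token can never double as decryption material. The off-site
store holds ciphertext plus opaque tokens and answers searches by token
equality. All keys, ids and messages are constructed sample data.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with a SHA-256 counter-mode keystream.
    Illustrative PRF-in-CTR construction so the example needs only the
    standard library; a real appliance would use a vetted AEAD (AES-GCM)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def tokenize(text: str) -> set:
    """Normalize a message body into lowercase keywords (letters/digits)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class OffsiteStore:
    """Hosted side: ciphertext and tokens only, no keys."""

    def __init__(self):
        self.records = {}               # message_id -> (nonce, ciphertext)
        self.index = defaultdict(set)   # token -> {message_id}

    def put(self, message_id, nonce, ciphertext, tokens):
        self.records[message_id] = (nonce, ciphertext)
        for token in tokens:
            self.index[token].add(message_id)

    def find(self, token) -> set:
        return set(self.index.get(token, ()))


class ArchiveClient:
    """On-premises appliance: holds the encryption key and the index key."""

    def __init__(self, enc_key: bytes, index_key: bytes):
        self.enc_key = enc_key
        self.index_key = index_key

    def token(self, word: str) -> str:
        """Keyed, one-way keyword token; without index_key it is opaque."""
        return hmac.new(self.index_key, word.lower().encode(),
                        hashlib.sha256).hexdigest()[:32]

    def archive(self, store: OffsiteStore, message_id: str, text: str):
        nonce = os.urandom(16)
        ciphertext = _keystream_xor(self.enc_key, nonce, text.encode())
        store.put(message_id, nonce, ciphertext,
                  {self.token(w) for w in tokenize(text)})

    def search(self, store: OffsiteStore, word: str) -> set:
        """The store receives only the token, never the search word."""
        return store.find(self.token(word))

    def fetch(self, store: OffsiteStore, message_id: str) -> str:
        nonce, ciphertext = store.records[message_id]
        return _keystream_xor(self.enc_key, nonce, ciphertext).decode()


# Constructed sample mailbox contents.
SAMPLE_MESSAGES = {
    "msg-001": "Board approved the merger; send the term sheet to legal.",
    "msg-002": "Lunch on Friday? The usual place.",
    "msg-003": "Legal reviewed the merger filing, no changes.",
}


def build_demo_store():
    """Archive the sample messages with fresh random keys; return (client, store)."""
    client = ArchiveClient(enc_key=os.urandom(32), index_key=os.urandom(32))
    store = OffsiteStore()
    for message_id, text in SAMPLE_MESSAGES.items():
        client.archive(store, message_id, text)
    return client, store


if __name__ == "__main__":
    client, store = build_demo_store()
    print("merger ->", sorted(client.search(store, "merger")))
    print("decrypted:", client.fetch(store, "msg-001"))
```

The trade-off a practitioner should weigh: the store learns nothing about message contents or search words, but token equality does reveal which messages share a keyword and how often each token occurs. That leakage is inherent to exact-match blind indexes and is the price of letting a keyless host answer queries at all.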

Gaw says Fortiva also provides policy templates for IT shops so they can improve their compliance initiatives. In fact, IT can offer compliance managers their own tools to keep tabs on the archive.

The Fortiva Archiving and Compliance Suite is available for a monthly licensing fee per user mailbox, with average pricing around $12 per mailbox per month.

Squishing the phish

Security is also top of mind for Cloudmark, which is launching its SafetyBar for Internet Explorer tool. While Cloudmark's other SafetyBar products focus on attacks made against and via messaging systems such as Microsoft Outlook and Outlook Express, this product is targeted at stopping phishing and fraud attacks via the browser.

By addressing the vulnerabilities of Internet browsing, Cloudmark says it hopes to help companies cut down on threats. CEO Karl Jacob says SafetyBar for Internet Explorer can help thwart phishing attacks that might occur from a user trying to purchase something online with a company credit card or fraudulent attempts to gather information from back-end databases.

The tool, deployed to desktops, lets users mark Web sites they feel are a threat. That data is checked against feedback from Cloudmark's user-based network, which Jacob hopes will grow to be as large as the SafetyBar for e-mail network of 1.2 million users. If the information aligns, then the Web site is automatically blocked for all users on the LAN. IT managers can configure SafetyBar for Internet Explorer to block sites they feel are a threat or that have been identified by the Cloudmark community.

The base application of SafetyBar for Internet Explorer is free; add-ons will be available in early 2006.

Knowing what you've got

Network visibility is also a key component for companies trying to get a handle on their compliance. Having a clear picture of IT assets is critical for decision-making and policy setting.

Calling its new tool a "virtual MRI for IT," Blazent is debuting its Blazent 3.0 application. The software gathers information about all devices on the network and how those resources are being used. It then matches that information with benchmarks set by the company for IT asset use. With this data, executives can perform a financial analysis on IT investments, ensure compliance with government and private sector mandates, and develop policies around IT resources.

A company can visually map all of its leased machines, including detailed information about leased PCs and servers, to assess purchase, renewal, penalty and maintenance costs.

The tool also can be used to expedite IT tasks by offering a help desk manager real-time details about the configuration of a user's PC.

Blazent 3.0, available in March, supports Tivoli, SMS and Remedy. Pricing starts at around $300,000, based on the number of assets being collected and reported, the analytics modules the customer needs, and specifics of integrating with the customer's other systems.

Gittlen is a freelance technology editor in Northboro, Mass. She can be reached at

Copyright © 2005 IDG Communications, Inc.