Analysis: Security And Configuration Solutions Converge

While security-configuration management often conjures up a vision of large enterprise deployments with hundreds of servers and thousands of desktops, small businesses, which have become just as dependent on technology as large corporations, often lack the knowledge and resources to keep those systems properly configured and secure.

"PC availability is becoming even more important for small businesses, many of which now operate in knowledge-based industries. If their systems go down, their business goes down," says Ann Westerheim, CEO of Ekaru, a Westford, Mass.-based solution provider that focuses on SMBs.

"The reality is that not only do they not have automated tools, they don't have consistent platforms or policies in place. They're running 10 PCs with 10 different types of antivirus solutions," Westerheim adds. "They need help standardizing their systems, establishing policies, and bringing automation to their infrastructure to ensure that every PC is up and running," she says.

The need for those processes and a higher level of automation is especially strong for large businesses that need to consolidate the plethora of point products used for managing configurations and system vulnerabilities. This demand will continue to drive consolidation in the market, as large configuration-management companies such as BMC Software, CA, Hewlett-Packard and IBM/Tivoli are likely to acquire smaller vulnerability-management security vendors, Williams says. Last March, lifecycle-management firm Altiris acquired Pedestal Software for its security-management applications, and Internet security firm Symantec recently acquired vulnerability management and IT-compliance software makers BindView and Relicore to help round out its data-center-management and security offerings.

"Historically, this has been a point-product game," says Brian Dye, director of product management at Symantec. And the demand to be able to handle the entire configuration-management lifecycle from one management suite is being answered this year. "Organizations want to manage, fix and prevent configuration errors from a single user interface, and we're taking product steps to do that," Dye says.

The demand for solution providers that can help organizations design, implement and maintain an ongoing security- configuration-management program is clear. The growing number of software vulnerabilities discovered each week; the sophistication of spyware, network and application attacks; and the continued mix of notebooks, PDAs and other devices accessing networks, means this is an opportunity that isn't going to vanish anytime soon.

"We don't have to sell organizations on the fact that they have to get a better grip on change and configuration management. They've already come to that conclusion," Murphy says. "Ask operations people if they'd gamble their careers on whether they understand the configurations and dependencies of their systems, and most would reply 'No.'"

NEXT: Getting a knack for Cisco's NAC.