Paramount Protection: New Ways to Safeguard Information

Last month, for example, the White House's Critical Infrastructure Protection Board reviewed a draft of the National Strategy to Secure Cyberspace, composed by White House cybersecurity adviser Richard Clarke, with help from experts at Stanford University. Meanwhile, homeland security director Tom Ridge has been visiting trade shows and private-sector gatherings to view the latest inventions and solutions in IT security. President George W. Bush also appointed members to the new National Infrastructure Advisory Council, including such IT security experts as Atlanta-based Internet Security Systems CEO Tom Noonan.

"Infrastructure," in this case, is defined as utility, transportation and financial services that are essential to everyday life in America. It's not just the federal government's own services that have leaders worried: The vast majority of those services are owned by private-sector companies.

In addition, IT analyst firm Aberdeen Group reports that new electronic assaults in the form of active Web content are wreaking havoc with users, enterprises and government agencies.

"This content is now being used for electronic reconnaissance, probing, mail-marketing, spamming, theft, cybercrime, cyberterrorism, identity theft and financial loss," says Jim

Hurley, vice president and managing director at Aberdeen, in a new report on security and infrastructure management.

So what does all this mean? Essentially, the government is sending a message that enterprises can't afford to sit back and wait to be attacked by cyberterrorists or, perhaps more important, compromised from within. While firewalls, VPNs and antivirus products have been commoditized as must-have protection measures, other areas are gaining momentum as well. Vendors are turning their attention to securing e-mail, developing more effective encryption solutions and creating more insulated data-protection environments.

VARBusiness identifies three growing areas for security technology,Internet-content filtering, authentication and encryption, and data protection,and the leading vendors that are bringing solutions to the channel.

CYA Technologies

CYA Technologies is a textbook example of security technology's growth and how it's beginning to imbed itself in other software markets, such as storage. After all, the overall concept of protecting data is the same for both security and storage.

CYA began in 1998, developing application-aware, business-continuity solutions that included disaster-recovery and backup products.

"CYA started because of a deficiency I saw in the market," says Elaine Price, CEO and founder. "The way enterprise information is integrated, it made it impossible for companies to protect and ensure that information."

But after a few years, customers were asking for more. They wanted solutions to keep crucial data confidential and uncompromised. So last month, the software-maker took the leap into security. CYA UniVault is its newest Command Console product, a software solution that acts as a virtual repository for essential data. UniVault protects content by offering limited viewing time for documents, along with restrictive editing, saving, copying, communication, and print or print screen capabilities. Through the security solution, administrators can determine exactly how long an employee has access to confidential data and which pages the employee can view. They can also prevent specific information from being changed or captured.

"It's insane what information companies let out and how employees are doing just about anything they want," Price says. "People don't think proactively, but instead wait for something to happen."

Diane McAdam, analyst for IT research firm Illuminata, says UniVault addresses the need to control content and prevent data from being misused once access has been granted. UniVault is XML- and J2EE-compliant and is currently available for Microsoft Office and Adobe Systems PDF formats.

CYA also has a strong alliance with Documentum, a content-management software company, and a handful of international integrators, such as CSC, but the company is looking to expand its reach in the security market through the channel. It will devote much of its energy to educating current customers, partners and new integrators on UniVault. Price believes the market is ready for new security solutions.

"The business-continuity market is finally catching on," Price says. "We have to raise expectations for security and business continuity because we're carving out a new frontier."

Elron Software

Viagra advertisements. Hair-loss remedies. Pornography. Chances are, your e-mailbox is filled with annoying, unsolicited messages such as these. Spam is on the rise, and so is the backlash from consumer and electronic-privacy groups. So bad is the problem that Federal Trade Commission officials say they receive more than 40,000 samples of spam daily.

It's not surprising then, that Elron Software has spent the past few years focusing on Internet-policy-management solutions to protect valuable content and data through its Internet Manager (IM) product family. While the company offers traditional firewall and antivirus software solutions, its core business comes from two areas: Web-content-filtering via IM Web Inspector, and e-mail and messaging-content-filtering via IM Message Inspector.

"The quality of content-filtering and user-tracking is of utmost importance," says Adam Bosnian, vice president of marketing at Elron. "There's a value that we bring to the channel and customers with our focused view because it raises awareness about content-filtering."

More important, the IM products also help keep valuable information inside the enterprise and reduce data loss via messaging or e-mail. Confidential data loss via e-mail is up an eye-popping 356 percent since 1999, according to Elron. Web Inspector offers policy-based control, real-time monitoring and user-tracking, while Message Inspector features full-text analysis and lets users customize policies and block spam lists. The solutions reduce spam and potentially dangerous e-mail, and limit access to harmful or improper Web sites, lessening the traffic burden on the network and protecting worker productivity. Message Inspector also acts as a two-way street, protecting confidential

e-mail, documents and data within the enterprise through policies that prevent unauthorized communications. In addition, both IM solutions can be easily integrated and deployed within 15 minutes, according to the company.

Earlier this year, in an effort to lure solution providers, Elron constructed a partner program and partner extranet, dubbed Diamond Mine, with the help of PRM software-maker ChannelWave. Accunet Solutions, for example, recently became an Elron Diamond Partner and will resell the IM products as part of its overall security offering.

"We offer antivirus, VPN and intrusion-detection services, but e-mail

security and Web-filtering are huge right now, and that's what we're getting the biggest call for," says Alan Dumas, president of Boston-based Accunet.

Elron officials hope to bring in more partners and educate VARs on its e-mail and messaging security products. "We're seeing migration from vendors who don't have our technology flexibility," says Rosette Catalado, director of channel sales at Elron. "A lot of security vendors out there have broad offerings,they're jacks-of-all-trades, but masters of nothing."

RSA Security

RSA Security is also focusing on messaging, albeit with a different solution. The company recently introduced a new authentication solution, RSA Mobile, which uses one-time access codes for secure entry into Web-based applications. Users can access the solution via mobile technology or short messaging services. RSA Mobile is similar to SecureID, its popular authentication solution.

Overall, RSA is making encryption and authentication solutions its bread and butter. Take, for instance, the SecureID Token, a two-factor authentication solution based on a user password and a device with a 64-bit symmetric key that generates a new, unpredictable code every 60 seconds,all housed in a keychain-sized fob. RSA says the technology is virtually hack-proof because only the RSA ACE Server inside the enterprise knows which code is valid at the exact moment the user seeks authentication. Even if a user had his or her token stolen, it would be useless without the password.

The technology can be used to authenticate access to VPNs, remote-access applications, Web servers and networks. SecureID authenticator devices are also offered as Smart Cards or PIN cards. The SecureID 4100 Smart Card is slightly different from the key-chain token, acting as a cryptographic Java card that can protect private keys and digital certificates in a PKI environment. Through SecureID Passage software,

the cards log users directly into Microsoft Windows 2000 Server or Active Directory environments. The cards have 16 KB of memory and can store multiple applications for network passwords, building access or PKI credentials.

SecureID is RSA's biggest channel product,with more than 10 million users worldwide,and, like most novel or emerging security technologies, it accompanies firewall/VPN/antivirus suites. For example, for RSA's SecureID/

Ready Program, the company partners with more than 140 software vendors to support SecureID, along with other security or network software.

"Our mission is authentication," says Amy Speare, senior product manager at RSA. "We don't want to get into other markets like antivirus, but we'll partner with other vendors. We got our market share by partnering and making sure we offer customers interoperability."

Like Elron, RSA is currently concentrating on building its partner program, SecurWorld, which now features online training tools for its 500 VARs, as well as a strong certification program. Akibia, a solution provider based in Westborough, Mass., is an RSA Select Partner and sees roughly $3 million a year in revenue around RSA products, according to Steve Tassinari, vice president of Akibia's Network and Security Solutions division.

"The majority of our RSA business is around authentication solutions and user authorization," Tassinari says. "They're the only vendor with a two-factor authentication solution accepted in the market."

Speare says the company has made significant strides training and educating partners on authentication technology, and the maturing security channel has paid dividends for RSA. "We've seen a lot of growth in tactical buying," she says. "People want authentication solutions as part of their overall security system today."