Archive

Posts Tagged ‘Cloud computing’

How can we convince our VP that a network-based DLP makes sense?

February 17th, 2010 admin No comments

My colleague Michel Godet sent me a link to an article that Mike Rothman recently wrote.

Michel (rightly) thinks that it supports the approach we have been pushing in Europe for over a year now: justifying data security technology investments with Value at Risk calculations.

Mike’s article, building a business case for security, is good. I agree with most of what he writes (I would have commented, but SearchSecurity doesn’t allow commenting on their Ask The Security Expert: Questions & Answers articles).

So I will use my own blog to post a couple of my comments (I should probably ping Mogull on this too, but I lost his email).

1) I agree that if you can’t get past the first energy barrier of concern with information protection, then you are a non-starter for DLP (or any data security technology, for that matter). It must fit the business needs; otherwise it’s like trying to sell a trombone to a violinist. Total waste of time.

However, once you get past the first road block, the business problem for security investment is:

What is your value at risk, what are the right security countermeasures, and are they cost-effective? Not: what are the vendors selling this quarter.

There is no reason in the world why data security should be any different than any other IT investment.

2) I totally disagree that looking only at a network-based DLP product is inherently limiting. Just because a few vendors like Websense and Symantec have integrated endpoint and gateway products doesn’t make them cost-effective data security countermeasures, ensure the success of the project, or prevent the next data breach.

Let me submit three counter-examples:

A) Suppose all your sensitive data is in the cloud; then maybe network DLP is a good fit.

B) Suppose all your endpoints are in the cloud; then maybe endpoint DLP is a good fit.

C) Suppose all your sensitive data is on notebooks; then maybe encryption is the right countermeasure to data loss.

The answer is that you have to measure stuff: measure your people, process and system vulnerabilities, and where your assets are headed. After that you need to estimate your VaR, and only THEN start thinking about the people, process and technology countermeasures.
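To make the sequence above concrete (measure the exposure, estimate the value at risk, only then compare countermeasures by what they remove against what they cost), here is a small worked calculation. It is added here as my own illustration, not code from Mike’s article, from any vendor, or from any particular VaR methodology; it is a simplified annualized-loss model, and every asset value, probability, damage fraction and price in it is a constructed sample number.

```python
"""Added example (not from the original post): a minimal value-at-risk style
calculation for comparing data-security countermeasures.

Simplified annualized-loss model, not the post's own VaR methodology.
All assets, threats, probabilities and prices are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    asset_value: float         # money exposed if the threat fully materialises
    annual_probability: float  # estimated chance of at least one occurrence per year
    damage_fraction: float     # share of asset_value lost per occurrence (0..1)

    def value_at_risk(self) -> float:
        """Annualized expected loss for this threat."""
        return self.asset_value * self.annual_probability * self.damage_fraction


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction by which this measure cuts that threat's annual
    # probability (1.0 eliminates it, 0.0 has no effect); hypothetical figures
    mitigation: dict = field(default_factory=dict)


def total_var(threats):
    """Value at risk with no countermeasure applied."""
    return sum(t.value_at_risk() for t in threats)


def residual_var(threats, measure):
    """Value at risk after applying one countermeasure."""
    total = 0.0
    for t in threats:
        cut = measure.mitigation.get(t.name, 0.0)
        total += t.asset_value * t.annual_probability * (1 - cut) * t.damage_fraction
    return total


def evaluate(threats, measures):
    """Return (name, risk_reduction, annual_cost, net_benefit) per measure,
    sorted so the most cost-effective countermeasure comes first."""
    base = total_var(threats)
    rows = []
    for m in measures:
        reduction = base - residual_var(threats, m)
        rows.append((m.name, reduction, m.annual_cost, reduction - m.annual_cost))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def cost_effective(threats, measures):
    """Names of countermeasures whose risk reduction exceeds their annual cost."""
    return [name for name, _, _, net in evaluate(threats, measures) if net > 0]


# Constructed sample data; the numbers are illustrative, not from the post.
SAMPLE_THREATS = [
    Threat("customer records leak via email/web", 2_000_000, 0.20, 0.25),
    Threat("lost or stolen notebook", 500_000, 0.30, 0.50),
    Threat("cloud application misconfiguration", 1_000_000, 0.05, 0.40),
]

SAMPLE_MEASURES = [
    Countermeasure("network DLP", 60_000,
                   {"customer records leak via email/web": 0.7}),
    Countermeasure("notebook disk encryption", 20_000,
                   {"lost or stolen notebook": 0.9}),
    Countermeasure("endpoint DLP", 90_000,
                   {"customer records leak via email/web": 0.4,
                    "lost or stolen notebook": 0.2}),
]

if __name__ == "__main__":
    print(f"total VaR: {total_var(SAMPLE_THREATS):,.0f}")
    for name, reduction, cost, net in evaluate(SAMPLE_THREATS, SAMPLE_MEASURES):
        print(f"{name:28s} cuts {reduction:>9,.0f}  costs {cost:>7,.0f}  net {net:>9,.0f}")
```

With these sample figures the notebook encryption comes out first and the endpoint DLP product costs more than the risk it removes, which is the point of the exercise: the ranking falls out of the measurements, not out of the vendor’s pitch, and a different set of measurements would rank the same products differently.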

BTW, I’ve been saying this for years:

October 28, 2004 - A guide to buying extrusion prevention products

March 17, 2005 - How to justify Information security spending

Now if only we could find a way to monetize being right.

USDA bans non IE browsers

August 20th, 2009 admin Comments off

The new Israeli administration has invited Microsoft to head a government IT steering committee. The item caused a bit of a ruckus in the Israeli Open Source community a few months ago, although I personally feel that, as the world’s largest software vendor, they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy, with the Obama administration implementing a Bush decision to standardize IT, but in a way that makes practically no sense at all: let’s ban all non-IE browsers. It’s really scary to what lengths the Obama administration will go to undo Bush policy.

“In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser, but why standardize on the most vulnerable browser and operating system? Why not standardize on Ubuntu and FF 3 on the desktop, or standardize on diskless workstations with Citrix or TightVNC?

The full item is here: USDA unit bans browsers other than Internet Explorer

Cloud computing, buzzword du jour

December 12th, 2008 admin Comments off

Cloud computing

The buzzword du jour in the current economic crash of 2008 is “Cloud Computing”.

There are several interesting questions around cloud computing: why now, how are people building it, what are people doing with it, and what about security?

1) Why now?

Back in 2001, after the dot com crash, On-demand / SaaS started picking up. My personal explanation is that a) there were a lot of programmers and entrepreneurs out of work, looking for new things to do, b) there was an oversupply of bandwidth and server capacity on the Internet, and c) a lot of VCs were looking for the next big thing. The sales guys try to pitch an economic reason for on-demand: businesses not having the money to buy large enterprise software systems in a down-market. Since Salesforce.com is not keeping up with the profitability or year-on-year growth of Oracle Applications and SAP, I don’t buy it. At $50/seat for Salesforce.com, if I have 100 people it’s $5000/month or $60,000/year, which is 10x more than I would pay for a free open source instance of SugarCRM or TigerCRM running on a dedicated server at rackspace.com. If SaaS is not an economically sustainable business model for service providers, it will not be sustainable for end-user customers either in the long term.


EMC Atmos – cloud storage

November 17th, 2008 admin Comments off

I had heard about this EMC startup but didn’t know much about what they really do. My friend Arik Blum from HP takes the time to send interesting technology updates to his own private distribution list.

Atmos is COS (“cloud optimised storage”), with web services such as SOAP and REST for access. Cloud Optimized Storage (COS) systems are geographically dispersed yet managed as a single entity.

Information inside the Atmos repository is stored as objects. Policies can be created to act on those objects, allowing Atmos to apply different functionality and different service levels to different types of users and their data, for example replication, de-duplication, deletion, etc.

Atmos is designed for multi-petabyte deployments. There are no LUNs. There is no RAID. There are only objects and metadata: billions of objects, globally distributed, with policy-based information management.

As new data gets written into the Atmos infrastructure, it gets synchronously mirrored to N locations (depending on the policy). The goal for Atmos was to provide a low-cost bulk storage system for emerging markets like Web 2.0 companies, or other industries with lots of user-generated content.

  • From a hardware perspective, there’s nothing radical here. Drives are all SATA-II 7.2K 1TB capacity.
  • Front-end connectivity is all IP based, which presumably includes replication too.

A few open questions are pending regarding Atmos:

  • What resiliency is there to cope with component (e.g. a hard disk) failure?
  • What is the real throughput for replication between nodes?
  • Where is the metadata stored, and how is it kept concurrent?
  • Where is the rich metadata going to come from?
  • Is 1Gb/s enough to replicate my data to a remote site synchronously?
  • Is it all battery-backed write cache, in case I experience a hardware failure?
  • How long will it take to replicate a 1TB drive over IP?


Host your own SaaS with Open Source – the potential of Mosso

October 27th, 2008 admin 4 comments

Show me a profitable business application-as-a-Service (SaaS) company.

There is a lot of trade talk about the success of Salesforce.com. Here is a company with a $3.2BN market cap as of Oct 26, 2008, currently trading at 24, down from 72 five months ago.

In 2007, SF.com posted a net income of $480K on revenue of $497M. Compare this to BMC Software, a software vendor that provides system and service management solutions for the enterprise. BMC has a current market cap of $4.2BN, trading at 23, down from 39 three months ago. In 2007, BMC Software posted $215M net income on $1.5BN in sales.

In plain language: Salesforce.com does not or cannot charge high enough prices for their services to sustain long-term profitability and growth. At low price points, free open source on inexpensive hosting becomes a highly competitive alternative, especially for an SME.

Five years ago the barrier to entry was application functionality, but today free open source line-of-business applications like SugarCRM Community Edition are mature, full-featured applications with very few, if any, missing features, plus some unique advantages that Open Source offers. Salesforce.com imposes a unique IP address/user constraint which can be very annoying. In SugarCRM, if you get “User logged out when IP dynamically changed”, just change one line in config.php, from

'verify_client_ip' => true,

to

'verify_client_ip' => false,
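Before flipping that line, it is worth knowing what the check is for: it binds a logged-in session to the address it was created from, so a session id presented from some other network is refused. Here is an added illustration of that trade-off; it is my own sample code, not SugarCRM’s implementation (which I have not reproduced) and not part of the original post. The session store, the three policy names and the addresses are all constructed for the example.

```python
"""Added example (not from the post, and not SugarCRM's code): what a
'verify client IP' session check does, and what turning it off gives up.

Session store, policy names and addresses below are constructed for
illustration; the real SugarCRM logic is not reproduced here.
"""
import ipaddress
import secrets

# Policy names are assumptions for this example.
STRICT = "strict"   # session valid only from the exact IP that logged in
SUBNET = "subnet"   # session valid from the same /24 (or /64 for IPv6)
OFF = "off"         # no IP check at all, like 'verify_client_ip' => false


class SessionStore:
    def __init__(self, policy=STRICT):
        self.policy = policy
        self._sessions = {}  # session id -> (user, ip address at login)

    def login(self, user, client_ip):
        """Create a session bound to the address the login came from."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = (user, ipaddress.ip_address(client_ip))
        return sid

    def validate(self, sid, client_ip):
        """Return the user if the session is accepted from client_ip, else
        None. A rejected session is dropped, i.e. the user is logged out,
        which is the behaviour the post complains about on dynamic IPs."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip = entry
        now = ipaddress.ip_address(client_ip)
        if self.policy == OFF:
            ok = True
        elif self.policy == STRICT:
            ok = now == bound_ip
        elif self.policy == SUBNET:
            prefix = 24 if bound_ip.version == 4 else 64
            net = ipaddress.ip_network(f"{bound_ip}/{prefix}", strict=False)
            ok = now.version == bound_ip.version and now in net
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if not ok:
            del self._sessions[sid]
        return user if ok else None


def run_scenario(policy):
    """Constructed scenario: a user logs in, their address changes within the
    same /24 (DHCP renewal), then the same session id is presented from an
    unrelated network. Returns (user seen after renewal, user seen from the
    unrelated network); None means the session was refused."""
    store = SessionStore(policy)
    sid = store.login("alice", "203.0.113.10")      # documentation-range IPs
    after_renewal = store.validate(sid, "203.0.113.57")
    from_elsewhere = store.validate(sid, "198.51.100.8")
    return after_renewal, from_elsewhere


if __name__ == "__main__":
    for policy in (STRICT, SUBNET, OFF):
        print(f"{policy:7s} after renewal -> {run_scenario(policy)[0]!r}, "
              f"from elsewhere -> {run_scenario(policy)[1]!r}")
```

Strict binding logs the legitimate user out on the first address change (and, since the session is gone, the later request from elsewhere is refused too). With the check off, both requests are accepted, including the one from the unrelated network. The subnet policy is the middle ground the post’s one-line change skips over: it survives the DHCP renewal and still refuses the session from a different network.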

Suppose you need a CRM system (if you’re a large shop, you already have one, like Siebel). We’re a small group of 5 guys, and we were using Salesforce.com with one of our business partners and wanted to use SF.com for our own business. The cost is $325/month, or almost $4,000/year for 5 users. You can get 90% of the functionality from SugarCRM for the cost of a one-time installation (which will take less than an hour of your time, or about $150 if you pay someone) and $15/month for the hosting (if you use dreamhost.com, like we do). That’s a net savings of $3,000 / year. dreamhost gives us 700GB, more than SF.com, and the response time is at least as good.

I know you’re saying that dreamhost.com at $15/month can’t compete with the scalability, reliability and service levels of SF.com. Maybe, maybe not, but if you want muscle, consider Mosso.

For $100 per month, Mosso will sell you 80 GB of SAN storage, 2000 GB of bandwidth, a control panel to create sites, email accounts, databases, etc. and customer support.

Mosso says it takes a radically different approach to web hosting, using enterprise-level architecture. It deploys each website across clusters of servers, so when a server crashes or a hard drive fails, the other servers in the cluster pick up the slack without downtime. Their promise: for every 1 hour of downtime, they will reimburse you with 1 day off your bill.