Firewall space stays strong in 2014

April 18th, 2014 by tseling

Daniel Kennedy, Research Director for Information Security

The firewall, the staid and ubiquitous separator between networks of differing trust, is much maligned, even called useless, although not by anyone responsible for enterprise security, given their 100% ‘in use’ rating. No, useless is too strong – no one’s turned off their firewall yet, even if there is an understanding that it’s a baseline tool in a security portfolio.

Network Firewalls

Despite its staid reputation, there has been some evolutionary shake-up in the firewall space, and measuring spending intentions is still a good barometer of general network refresh rates. This year about 36% of respondents in the Wave 16 Information Security Study reported spending more on their firewall implementations, down from 39% in 2013. Cisco still takes the lead, with 57% of those implementations, followed by Check Point with 36%. Juniper has rebounded slightly from previous years at 15%, and Palo Alto Networks continues a steady growth pattern, rising to 13% of enterprises reporting Palo Alto’s next-generation firewall as their organization’s primary firewall. Nine percent (9%) of respondents report having plans under way for integration of an application-aware or next-generation firewall in the early part of this year.

Respondents had the following to say about their firewall implementations:

  • “We keep a very tight watch on the firewalls.” – LE, Services: Business/Accounting/Engineering
  • “The products that are like Palo Alto, around that type firewall. Large datacenter redundancy. We’re building a new datacenter.” – LE, Education
  • “Most intrigued by application firewalls – this will be space where potential for most protection exists.” – LE, Services: Business/Accounting/Engineering
  • “Check Point is the best firewall around. They have innovated better than anyone else. They know this, and that is why they are so expensive. I think that vendors like Palo Alto are nipping at their heels. However, if you are looking for a solution that does not require a Ph.D. to use it, Check Point is the answer! Downside – the pricing is an issue. Some players undercut Check Point in price, but it is not the same. Check Point needs to really educate their customers in this area.” – LE, Financial Services

Some vendors bubble above the rest in public cloud performance management/monitoring

April 17th, 2014 by tseling

Nikolay Yamakawa, Analyst for TheInfoPro

Although it’s still in the early days for public cloud performance management and monitoring tools, some vendors are starting to bubble above the rest. Most decision-makers at large and midsize enterprises have not made up their minds about the cloud strategy they want to pursue. Internal private cloud is the most frequent starting point on the enterprise journey to the cloud, but public cloud deployments are also on the radar.

About 14% of enterprises have implemented performance management and monitoring tools to support public cloud deployments in 2H 2014. The upside potential remains high for the technology, with 16% of enterprises reporting in-pilot/evaluation, near-term, long-term and post-long-term project plans.

As it did in the first half of 2013, Amazon Web Services received the highest number of selections for in-use implementations in the second half of the year. New Relic and Compuware also bubbled above the rest of the vendors in the space. Homegrown alternatives were also mentioned, as was RightScale for future adoption plans. The choice of public cloud performance management and monitoring vendor is sometimes dependent on the cloud platform enterprises choose to implement. These tools may provide a venue for service providers to differentiate their offerings.

Public cloud service providers can use performance management/monitoring tools to differentiate their offerings based on quality of service, while enterprises can use them to make better decisions in service provider selection given the requirements. A 451 Research report titled ‘Paying for it: a guide for cloud providers by their clients’ further discusses how cloud vendors with tools to measure quality of service are better aligned to establish competitive advantage.

As more enterprises take advantage of public cloud services and define their requirements, we may start seeing more public cloud performance management and monitoring vendors gain adoption and join the mix of current vendors that bubbled to the top.

Public Cloud Performance Management

The following anecdotal commentary was provided by survey respondents about public cloud performance management and monitoring tools and top cloud computing projects at their enterprises:

  • “This [public cloud performance management/monitoring] will be platform dependent.” – LE, Other
  • “For our CenturyLink deployment, we do receive QoS information and metrics.” – LE, Other
  • “[Top cloud computing project:] Defining guidelines around public cloud usage, software as a service, a lot of areas have gone out and started leveraging those services.” – LE, Financial Services
  • “[Top cloud computing project:] Take advantage of public cloud offerings. Coming up with common platforms.” – LE, Industrial/Manufacturing

Blind men and an elephant, or how Actifio hit three markets with one technology

April 14th, 2014 by tseling

Nikolay Yamakawa, Analyst for TheInfoPro

Actifio is a startup with a technology that is hard to bucket into any one category – like an elephant from an Indian fable that was seen by blind men as a different creature depending on where each man touched it. Even though it’s far from the lead, Actifio’s ‘copy data management’ technology appeared on implementation roadmaps of three different markets for the first time in the Wave 17 Storage Study. The vendor appears in storage appliance, backup data reduction/de-duplication and storage virtualization markets, creating an interesting data point – increased awareness in the large and midsize enterprise space.

Actifio’s offering is not restricted to any one of those three markets. It is not strictly backup software, but it can replace it. The technology is not a storage appliance either, but it has awareness of databases. Several deployments mentioned Actifio exploiting IBM SVC, contributing to the selections in storage virtualization. Actifio’s technology is said to virtualize copy data that can also be used in dev/test, analytics, compliance and other areas. The established awareness is a good asset to have, but not a guarantee of future success.

Going forward, Actifio has several options available to capitalize on the achieved awareness and growth. Actifio pioneered the ‘copy data management’ space and popped the eyes of many when the startup received a valuation of over $1bn and raised $100m in the latest VC round. A recently published report by 451 Research titled ‘Actifio reels in $100m, bringing its total funding to $207.5m’ further discusses the latest VC round and examines the competitive ecosystem. A number of our study respondents found Actifio’s technology to be exciting, but some suggested that they would rather wait for wider adoption before implementing it.

Time will tell when and if Actifio decides to pursue an IPO to achieve wider adoption, but for now, its technology has gained awareness, allowing it to seek growth opportunities on more than one landscape.

Vendor Implementation

TheInfoPro’s respondents had the following comments about Actifio:

  • “Actifio [is an exciting vendor] – offering live and backup data as one. I want to see if this will help us manage data as it’s being backed up.” – LE, Industrial/Manufacturing
  • “Actifio [is an exciting vendor] – backup approach – they take an SVC and add interesting code to it to do backup and DR.” – LE, Transportation
  • “Boutique vendors have interesting technologies out there. I wait for them to flesh out the products rather than being an early adopter. Actifio and Inmage provide storage/DR-type capabilities.” – MSE, Financial Services

Converged infrastructure: the enterprise platform of the future?

April 11th, 2014 by tseling

Peter ffoulkes, Research Director for Servers and Cloud Computing

In the five years since Cisco became a server vendor with the introduction of its Unified Computing System in March 2009, much has changed in the IT industry. Although initially received with skepticism by more traditionally server-centric vendors such as HP and IBM, the networking giant’s move into the world of x86-based ‘industry standard servers’ was a harbinger of change in the transformation of IT toward the software-defined datacenter and a cloudy future.

“The network is the computer”

John Gage, employee number 21 of the ‘late’ Sun Microsystems, is credited with coining the marketing phrase “the network is the computer,” long before the Internet and cloud computing became everyday terms. In the early days, the workstations (essentially desktop or deskside Unix-based servers with a screen and a keyboard) were still the heart of the system, with the network just providing a connection between these distributed powerhouses, but the phrase was probably more insightful about the future of computing than was realized at the time.

Since that time, the network and storage have become increasingly important, while the servers have been virtualized and the server hardware is arguably the most commoditized and interchangeable component of the hardware infrastructure. Cisco has been able to take advantage of its dominance in networking to build an ecosystem of partners to bring these converged platforms to market. Unlike end-to-end providers like IBM and HP, Cisco realized the ‘stickiness’ of storage in the enterprise, so it deliberately took a ‘storage vendor neutral’ approach by partnering with major storage vendors EMC, HDS, NetApp and others to bring converged infrastructure offerings to market.

As Cisco UCS celebrates its fifth birthday, our surveys show continued traction for converged infrastructure as a successful platform to underpin the foundations of cloud-ready datacenters.

Converged Infrastructure

Anecdotal commentary illustrates the reaction to converged infrastructure platforms by TheInfoPro’s respondent community:

  • “Saw a demo, very exciting, and if I had to start all over again it would be great. When you have a well-defined virtual infrastructure, it is too hard to implement. Great for a new datacenter.” – LE, Financial Services
  • “IBM is pushing some replacements to go to PureFlex, not sure yet.” – MSE, Education
  • “We looked, but we do not see it as a fit in our environment due to the different storage we are using.” – MSE, Financial Services
  • “Migration to Cisco UCS, moving from HP.” – LE, Healthcare/Pharmaceuticals
  • “We moved internal cloud infrastructure to the Cisco UCS platform.” – LE, Financial Services
  • “Will look at FlexPod and Vblock next year [but to evaluate, not in plan].” – LE, Financial Services

Differing views on network access control

April 10th, 2014 by tseling

Daniel Kennedy, Research Director for Information Security

A small handful of technologies that touch both network and security concerns are tracked in both the Networking and Security studies, so direct comparisons can be made among the responses from both enterprise constituencies. Network access control (NAC), a way to predicate user access on certain endpoint security requirements (e.g., up-to-date antivirus), is one such technology. Two weeks ago, a Thursday’s TIP covered the Networking Study’s results on NAC; this week offers a direct comparison to the results from the Wave 16 Information Security Study.

Looking at that Networking Study data, we see a growth projection of 9 percentage points in the near term, with Cisco being the primary beneficiary as the dominant NAC provider. Aruba Networks’ ClearPass, Microsoft’s Network Access Protection (NAP) and Juniper’s Unified Access Control (UAC) place a distant second in enterprise implementations. The NAC market itself appears to be gaining share again after a number of years of stagnation, as new mobility initiatives are raising old concerns about unsecured endpoints accessing corporate networks.

Network Access Control (NAC)

Looking at the responses from information security managers at large enterprises offers a slightly different NAC leaderboard (although it should be noted, neither study attempts to offer a definitive view of market share in any technology). Cisco retains its position of dominance, but is instead followed first by ForeScout and then by Aruba Networks. Juniper and Microsoft offerings remain part of the conversation, but Sophos’ NAC product also comes into play. Why the differences between studies? It depends largely on who is making the NAC decision within the enterprise, the network or security manager. And while 26% of network managers thought they might spend more on NAC in 2014, 42% of security managers felt the same, potentially giving the edge to information security as the NAC solution arbiter.

Security respondents had the following to say about their NAC implementations:

  • “Cisco’s ISE. We talked NAC for years, but it was kind of a bad word. Everybody was afraid to throw in a NAC, fearing major outages. Now, with ISE, we can go into a major discovery phase.” – LE, Healthcare/Pharmaceuticals
  • “ForeScout – a NAC appliance, the best on the market.” – LE, Consumer Goods/Retail
  • “We have a big NAC agenda this year; we are having trouble finding a solution that will fit our IT requirements.” – LE, Energy/Utilities
  • “We attempted implementation three years ago and had to pull out. We have FY ’14 plans to investigate a NAC solution again.” – LE, Consumer Goods/Retail

Functionality and cost are top reasons for changing networking vendors

April 4th, 2014 by tseling

Nikolay Yamakawa, Analyst for TheInfoPro

Functionality and cost are the most common motivators for large and midsize enterprises to take on the extra effort to switch from their in-use networking vendor to a competitor. Functionality was cited as a top primary reason for switching by 40% of respondents, followed by cost, with 33% of selections. When considering functionality, decision-makers take into consideration not only their current experience, but also future requirements for scalability and vendors’ future roadmaps for integration with other technologies. Similarly, cost consideration involves not only current fees, but also the learning curve that may be required for employees given future upgrades.

To minimize customer attrition, vendors should align their future strategy for integration and product upgrades with the needs of their clientele based on future requirements and existing skill sets. At the same time, it is critical to innovate, so having several options available is optimal.

Some of the other factors that can make a difference in a decision to switch vendors include customer service, with 14% of selections, specialized needs, with 9%, and brand security/longevity, with 5%. Some of these factors provide vendors with opportunities to differentiate, but do not carry as much weight as functionality and cost for most enterprises in the decision to make a switch. In addition, adoption of a vendor in a related function, like storage, may impact the decision to switch if the newly adopted vendor has offerings in the networking space as well.

Changing vendors requires additional effort for enterprises and will only take place when required or when a competitor’s value is expected to exceed that of the existing relationship. It is important for vendors to establish proactive two-way communication with customers to identify gaps in value and make adjustments where possible to ensure continued future competitiveness.

Reasons to Switch Networking Vendors

Decision-makers had the following comments about reasons for changing networking vendors:

  • “Riverbed costs twice as much as Blue Coat, but is better as it can cache objects.” – LE, Industrial/Manufacturing
  • “The biggest factor will depend on what their 11.ac product rollout looks like. As a result, we will look at other options.” – MSE, Education
  • “Designs on 10Gb.” – MSE, Services: Business/Accounting/Engineering
  • “Because we replaced IBM on server and storage side with Dell; we switched out some Cisco switches to Dell, but only those related to servers and storage.” – LE, Consumer Goods/Retail
  • “When we purchased the SolarWinds tool, we were a smaller company. We have reached a level where monitoring needs to be more on an enterprise scale. SolarWinds is a great tool – very cost effective, but limited. What you pay is what you get.” – LE, Other

Securing the cloud: What are the top concerns?

April 3rd, 2014 by tseling

Peter ffoulkes, Research Director for Servers and Cloud Computing

With security being cited by 37% of respondents as the biggest pain point when implementing cloud computing architectures, it isn’t surprising to find that security is a major consideration when selecting a cloud provider. Seventy-three percent (73%) considered security to be extremely important, 19% rated security as very important, and 8% as important, leaving no respondents who considered security to be anything less than important.

Trust and verify

Cloud security issues are not really about whether Amazon Web Services, Microsoft Azure or any other cloud provider has good security. The preponderance of evidence suggests that the established providers have high levels of security, but the question for cloud consumers is how do they establish an acceptable level of trust, and how do they verify that the security levels meet their organization’s requirements? Data privacy and security tops the list of concerns, cited by 41% of respondents, followed by access and control at 35% and auditing and compliance at 32%. Control of data, security models and toolsets, and contractual/legal issues were raised by between 15% and 26% of respondents.

Top Security Concerns with Cloud Computing

Security is a very personal thing, and each organization has individual requirements, which presents a challenge for cloud providers to address with standardized offerings. The availability of APIs and a range of popular toolsets, together with appropriate access privileges, is one possible approach, but no provider stands out today as having cracked the code in a way that satisfies a wide number of consumers.

Anecdotal commentary illustrates the range of concerns expressed by TheInfoPro’s respondent community:

  • “Data leakage/privacy breaches. For us it’s all about the data and securing it. Intellectual property loss would be far less damaging than losing customers’ data.” – MSE, Services: Business/Accounting/Engineering
  • “Marrying together internal roles, policies and security clearances with what is available in your cloud vendor.” – LE, Financial Services
  • “Multi-tenancy is unproven, no audit trail.” – LE, Telecom/Technology
  • “Federated security models.” – MSE, Public Sector
  • “Auditing. We have to be audited, making sure the external companies are doing their own audits and being able to provide that data to us and being able to do our own audit. A lot of companies say ‘we’re PCI or HIPAA compliant’; we say we’d like to see the data, they say ‘no.’” – LE, Financial Services
  • “We’re trusting someone else with our information. So we have less visibility to their security, short of what they tell us on paper or PowerPoint slides. It’ll come down to contractual agreements – if we put any data out there that requires SOX or PCI controls, they’ll have to sign documents to indemnify themselves, we aren’t gonna fail an audit because of their failure of hygiene.” – LE, Transportation

Storage pros rate Dell highest in value for money

March 31st, 2014 by tseling

Marco Coulter, Research Director for Storage

Enterprises are tightening their storage budget belts in 2014. Taking the pulse of our currently active storage study, we see two-thirds of storage pros either flattening or decreasing spending. Dell storage received an average rating of 4.0 in value for money, leading the 11 vendors detailed in Wave 17. The picture is not all rosy, as a year of ownership uncertainty led to Dell having strategic vision as its lowest category.

October 2013 saw Dell move into private ownership under founder Michael Dell and Silver Lake Partners after months of speculation. Vulnerability scores for Dell are likely to be higher in the current study, as clients assess how going private impacts Dell’s storage strategy. Private ownership may allow more flexibility; however, having a large debt to service can also drive a more conservative focus on cash flow. The company is unlikely to maintain the rate of acquisitions seen over the past few years.

Customer Ratings

Dell is a top 10 exciting vendor in Wave 17, and most of that excitement has to do with pricing, per the narratives below. The 2010 Compellent acquisition gave it a significant second place in automated tiering. By 2013, it had ceded ground in the technology to vendors such as HDS, NetApp, HP and IBM. Support for technologies like hybrid flash and converged server/storage/network offerings kept Dell competitive without delivering leading ratings. Dell’s other strong rating is 3.9 for ease of doing business, again highest among all 11 vendors.

In last year’s ‘Dell: the Enterprise Storage Vendor,’ we noted Dell gaining a foothold in larger enterprises. This quarter will be telling, as the bulk of storage-related spending with Dell occurs in Q2. It has a healthy stable of software and hardware technologies for traditional and newer hypervisor-converged storage architectures, and acceptance as a ‘value for money’ vendor. The story might be bright for Dell if it can overcome enterprise nerves about its strategic vision for storage.

  • “Dell Compellent – it’s doing what we need to do for a very good price compared to the others.” – LE, Industrial/Manufacturing
  • “We switched from DAS to Dell because it was more cost-effective for archiving.” – MSE, Services: Business/Accounting/Engineering
  • “Dell still offers pretty good value for the money.” – LE, Industrial/Manufacturing
  • “Dell has some very good pricing. We like that … a lot. We are still nervous about reliability as well as top-end storage. The jury is still out before we go to the next, higher level.” – LE, Financial Services
  • “Dell can do a better job with increasing their market share. They need to do a better job working with enterprise customers.” – LE, Industrial/Manufacturing
  • “Good pricing from Dell.” – MSE, Education
  • “Dell makes a good product. The products and support are decent. Storage, they are still a small player. No real big arrays in their offerings.” – LE, Industrial/Manufacturing

Infrastructure software vendor lock-in perceptions shift

March 28th, 2014 by tseling

Nikolay Yamakawa, Analyst for TheInfoPro

A decline is emerging in large and midsize enterprise perception of lock-in strength for Microsoft, Red Hat and VMware.

Microsoft, which had the highest lock-in strength among infrastructure software vendors in the prior study, experienced a decline from 100% of respondents considering it to be ‘hard’ or ‘very hard’ to switch from in the previous study to 84% now – 77% consider it to be very hard to make a switch now, vs. 96% previously. Lock-in strength remains high for Microsoft, and according to the respondents, the incumbent’s offerings are improving.

VMware also experienced a decline in lock-in strength, with 72% considering it to be hard or very hard to make a switch now vs. 72% previously, where 36% selected very hard now vs. 46% in the previous study. Many enterprises are familiar with VMware from virtualization, contributing to a steep learning curve for alternate vendors. Red Hat’s lock-in strength also went south, falling from 39% of respondents considering it hard or very hard to make a switch in the previous study to 26% today. That said, Red Hat scored above average in the ‘value for the money’ category, and its integration capabilities with automation tools, such as Chef, were cited as one of the reasons for switching to the vendor.

Lock-in Strength for Selected Infrastructure Software Vendors

Positive feedback for Citrix and SolarWinds shows that high lock-in strength is not a critical success factor, as there are other variables that vendors can capitalize on to stay competitive.

In the latest study, CA, Citrix and SolarWinds were ranked by a sufficient number of respondents to be included in the lock-in rankings for the first time, with SolarWinds landing at the opposite side of the spectrum from the other two vendors. Sixty percent (60%) of respondents said it would be hard to switch from CA, and an additional 40% believe that it would be very hard. Sixty-seven percent (67%) think that it would be very hard to switch from Citrix, and the rest said it would be ‘normal.’ Only 17% of respondents said it would be hard to switch from SolarWinds, and 50% said it would be ‘very easy.’

Even though Citrix and SolarWinds lie on different sides of the lock-in spectrum, they both received positive feedback from respondents who chose to rank them. Citrix scored at least half a standard deviation above average for technical innovation, competitive positioning and interoperability, indicating that even though enterprises are locked in, they have a positive experience. Similarly, SolarWinds scored above average in value for the money, product quality and interoperability, showing that even though it may be easy to switch, enterprises are satisfied and are less likely to switch.

TheInfoPro’s respondents had the following comments about different infrastructure software vendors:

  • “We’ve been switching small pieces [from Microsoft] over to Red Hat – better integration with automation tools like Chef.” – LE, Telecom/Technology
  • “They’re [Microsoft] a major datacenter player, and we’re locked in, but luckily their offerings are improving.” – LE, Education
  • “[VMware:] Because we need to change the skills to retrain the people, change the third-party software we’re using. We would lose five years of experience.” – LE, Services: Business/Accounting/Engineering
  • “It would be hard to switch because of a lot of customizations that were made for us by CA and us.” – LE, Financial Services

Trustwave acquires Cenzic, deepens application security playbook

March 27th, 2014 by tseling

Daniel Kennedy, Research Director for Information Security

Trustwave announced its acquisition of Cenzic, a provider of dynamic assessment application security tools, on March 18 for an undisclosed sum, giving the assessment company a dynamic assessment tool in the Hailstorm platform. In doing so, Trustwave enhances its offering in a space historically dominated by IBM and HP (via acquisition of tools such as SPI Dynamics WebInspect), and in which WhiteHat Security has more recently been gradually gaining share.

Application Security Testing

Both primary flavors of application security tool, assessment via code or binary (static analysis) and assessment via external vulnerability testing (dynamic analysis), are contracting in large enterprise usage, with the latter falling from 40% to 35% in use between 2012 and 2013. Web application firewalls (WAFs), an indirect competitor, grew in usage from 34% to 40% during the same time period, propped up both by being easier to implement than a full-fledged application security program (with a corresponding drop-off in effectiveness) and by their prominent placement in the PCI standards around application security.

Respondents had the following to say about their dynamic analysis tools, Trustwave and application security in general:

  • “Trustwave runs pen tests and assesses Web-related threats.” – LE, Other
  • “Issues with their [Trustwave’s] services.” – LE, Financial Services
  • “Application security. Doing secure coding [is our top project].” – LE, Consumer Goods/Retail
  • “We’re very weak here [application security] – we use an IBM product, but don’t use it effectively.” – LE, Services: Business/Accounting/Engineering