Latest Microsoft posts
This week, Quocirca had a briefing with a security vendor which provided an insight into a fundamental change going on in the use of IT and one of the major drivers for that change. The vendor was Bradford Networks, named not after the city in Yorkshire UK, but the small town in New Hampshire, USA.
Bradford provides products to carry out a range of network management and control capabilities: network discovery, end-point management, network access control and policy enforcement around network usage. None of that is unique to Bradford, which is perhaps why, when it started selling this product line back in 2005/6, it focused on a niche – higher education. Not any old aspect of network usage in the sector, but specifically student dorms, or halls of residence as they are called in the UK.
The problem Bradford helps university IT administrators manage is the wide variety and ever-changing identities of devices students want to attach to the network services offered in such places. Even five years ago, this included Windows PCs, Macs, gaming devices and early smartphones (mainly BlackBerrys). Today of course you can add Android devices, iPhones, iPads and others. The range of devices supported by Bradford, which extends to CCTV cameras, door entry systems and firewalls, is impressive.
Bradford has been successful selling to this niche in the US and also in the UK, where via a single reseller, Khipu Networks, it has signed up many universities, including Oxford, Nottingham and Durham. A case study for Durham University can be seen here.
What makes Bradford’s story interesting to Quocirca is the speed at which its business is changing. In the last couple of years Bradford says the profile of its business has switched from almost all higher education to 85% other sectors including healthcare, manufacturing and banking. Bradford says this change has been demand driven and is not the result of deliberate targeting (for example, it still has just the one reseller in the UK, but is planning to change that).
There are two reasons for this change in the business profile at Bradford. The first is the range of devices that organisations now have to support, as Bradford says: “Now the rest of the world has started to look like [the higher] education [sector]”.
But the second reason is perhaps more profound; the students of five or six years ago are the employees of today; the change at Bradford is surely a bellwether for the growing tide of consumerisation, a big driver for which is the entry to the work place of the IT savvy “generation Y”.
Of course, Bradford is not alone in addressing this issue. It will have to make its own case against a range of larger vendors all targeting end-point management and security. This includes end-point management vendors such as Kaseya, LANDesk and IBM/BigFix, but also IT security vendors – for example McAfee, Symantec and Trend Micro are all now investing in managing end-points as well as securing them.
There is another vendor that could be added to both these last two lists: Microsoft. It too is in the end-point management business with its Systems Centre Configuration Manager (SCCM) and recently announced InTune on-demand service, which Quocirca wrote about in a previous blog post. Microsoft is also in the end-point security business with its Forefront End-point Protection (FEP) product, which Quocirca wrote about here.
However, as both posts point out, Microsoft is missing the point. As ever it lives in its own Microsoft bubble. Its end-point management and security products only address Windows PCs, not even its own struggling Windows Mobile operating system. Generation Y has certainly found there is more to life than Microsoft, and Bradford Networks is benefiting from this. If Microsoft does not change its game, its fortunes will surely head south like those of its new mobile devices partner Nokia.
For Microsoft this tide of consumerisation impacts two of its biggest product lines that account for over half its business; Windows desktop and Office. Quocirca would not be the first to speculate about the long term future of Microsoft. In its June 9th leader celebrating the 100th birthday of IBM, The Economist speculated which of today’s IT vendors might reach a similar age. Microsoft was not one of them.
Two recent Quocirca reports, sponsored by Kaseya, that cover end-point security are available for free download: The IT Profit Centre and The total MSP.
Bob Tarzey, Analyst and Director, Quocirca
05 May 2011
Today more and more IT security is being incorporated into IT infrastructure. But does this mean buyers can rely on what's provided by infrastructure suppliers or should they still be turning to IT specialists?
The largest acquisition during 2010 in the IT industry was that of security giant McAfee by Intel, at $7.7bn. This clearly underlines this trend of IT infrastructure suppliers adding security to their portfolios. So far Intel has taken a fairly hands-off approach with regards to McAfee, but it's said the company wants to ensure security is more tightly integrated with products at the chip level. However, this only makes sense for some McAfee products, such as anti-virus and end-point security. Other areas that McAfee operates in (such as content security and security management), would not be implemented purely at the chip level.
HP has also been marching back into the IT security arena over the past few years. Last year it acquired Fortify for code testing and ArcSight for security and information event management. It also picked up UK-based security services provider Vistorm when it acquired EDS in 2008 and TippingPoint for network security as part of 2009's 3Com acquisition.
IBM, meanwhile, added code testing to its portfolio last year when it acquired Ounce Labs. It already had a broad range of security products through its 2006 acquisition of Internet Security Systems and existing products in its Tivoli division for identity and access management and compliance. That was enhanced by another 2010 acquisition, BigFix, for end-point management. Such tools are required to deliver end-point security effectively and consistently.
Cisco, the world's leading networking supplier, has also been building on its established firewall business with acquisitions such as IronPort for email security in 2007 and ScanSafe for web content security in 2009. EMC, the world's largest storage supplier, acquired the major player in identity and access management, RSA, in 2006. Looked at through the lens of the joint venture – the Virtual Computing Environment (VCE) coalition – Cisco and EMC (along with VMware) can boast a broad, all-round security portfolio.
During 2010, Microsoft launched new versions across much of its Forefront security range, which has been built up over a number of years through the acquisition of various small and relatively unknown security suppliers. The motivation for Microsoft's long journey into IT security is clear: to make sure its customers can use its products more safely. Security was one of the key pillars of Microsoft's Trustworthy Computing initiative, launched in 2003. Many gauge that to have been a success, with Microsoft's products generally considered more secure than a decade ago. But Microsoft only protects Microsoft, often scrapping support for third-party products provided by suppliers it acquires.
Yet for most organisations, IT security needs to cover a wider range of heterogeneous platforms. The situation looks set to get worse as the diversity of devices and operating systems increases, particularly when it comes to end points. Although Microsoft continues to dominate the PC OS market for the moment, it is currently an also-ran when it comes to smartphones and tablets. It hopes to reverse this through its new partnership with Nokia, but only time will tell if it can succeed.
The need to secure and manage heterogeneous IT environments is the reason why security specialists exist in the first place. Whatever Intel chooses to do with McAfee, it would be crazy to focus on securing only Intel-based devices. McAfee once proudly claimed it was "the world's largest independent security supplier", a crown it took from Symantec only because the latter had diversified into storage software through the 2004 acquisition of Veritas. Despite its previous bluster, it seems likely McAfee will maintain its credentials as a specialist with the ability to manage security across much of its customers' infrastructure, just as Symantec and CA have done.
Following the loss of its independence last year, McAfee passed its crown to Japan-based Trend Micro, whose revenues for 2010 approached $1.1bn. Trend Micro has a fairly broad IT security portfolio, but it has started to diversify, for example into data protection with its 2010 acquisition of Humyo (rebadged SafeSync).
Israel-based Check Point, the original firewall supplier, is not far behind with 2010 revenues of $830m. Behind these two are a host of smaller security suppliers, including Blue Coat, SafeNet, Websense, Sophos, Webroot, SonicWALL and Kaspersky. All have their own focus, which generally needs to be supplemented with products from elsewhere. All are potential targets for infrastructure suppliers to plug further gaps or acquire market share. Who knows who will be wearing McAfee's former crown 12 months from now.
Buyers should evaluate what is available from their chosen infrastructure suppliers in the first instance, but this will rarely meet all requirements. More importantly, they must make sure they have in place a coherent IT security strategy across all their IT assets with the ability to manage it. Many will find it is still the IT security specialists who will enable them to best keep ahead of the rapidly changing threat landscape.
Bob Tarzey, Analyst and Director, Quocirca
15 Apr 2011
Microsoft has announced Surface 2.0, an evolved version of (surprisingly enough) its original Surface product. The original version looked like a little pool table, and was aimed at a small set of verticals where a horizontal, multi-touch system made sense. The system provided an environment where a group of people could get together and share information in a multi-touch environment, for example to bring together different items onto a single screen and move them without any need for a mouse or other external device. Graphics and documents could be resized through what we now see as standard touch movements – but the system was too bulky and costly for broad deployment.
This could be due to change with the new release. At the moment, the only product to be brought to market will be in conjunction with Microsoft’s partner, Samsung, and it will be called the Samsung SUR40 for Microsoft Surface – a 40in touchscreen, thin form factor device that can be used in both horizontal and vertical modes. In essence, Surface takes the idea of the touchscreen systems we are all becoming used to through our smartphones, tablets and slates and takes it to the nth degree through the provision of complex multi-touch capabilities.
The new system is far thinner, making it capable of being wall-mounted with standard VESA brackets as used for mounting TVs in home and commercial environments. Although this opens up a range of new uses, the problem is that horizontal and vertical use cases tend to be completely different. For example, in horizontal mode, users are far more likely to push items around on the screen; in vertical mode, they are far more likely to point at them. In horizontal mode, people can easily understand a desktop metaphor, whereas in vertical mode, it is more like working with a picture. Microsoft says it believes the horizontal mode will be used for longer interactions whereas vertical will be far more useful for short ones such as digital signage, where the user will just want to gain access to information rapidly and move on.
Taken a bit further, working between the two leads to Surface possibly being used for fully interactive design, if used as a draughtsman’s easel. Artists could use a Surface device at a 75° angle for “painting” an interactive, multimedia picture.
For the moment, usage is likely to be a little more prosaic – it makes sense for hotels to use these devices to interact with guests, allowing them to book services, identify the location of hotel amenities and so on. Visitor attractions can provide interactive installations that are driven by the visitors themselves, who can move through much larger volumes of information in a more interactive manner than through one which can work only against Next/Previous buttons.
Retail outlets can allow shoppers to not only identify where a certain department is, but to preview items and even for a group of people to build up an outfit by dragging and dropping clothes onto a mannequin – even changing the clothes’ colours. A group of people could work together to create a set of wedding outfits, for example, ensuring that everything matches and that everyone is happy with what they would be wearing on the day – all created against one of a set of standard backgrounds, or maybe a background created from an image provided by the bride-to-be.
However, the exciting stuff is far more likely to come down to the efficiency of the development community. Surface uses a vision-based system to identify touch – and does it to a very fine level of granularity. Many people can interact at the same time. To those who have used an Xbox 360, this may sound familiar. Microsoft’s Kinect games sensor works on a similar basis, but performs only gesture recognition, picking up the moves of people some distance away from the device. Surface can easily do both touch and gesture through being able to deal with near and far sensing. Smart technology may be required to identify when a person is only pointing, compared to when they are reaching out a finger ready to touch, but once a hybrid solution is in place, the possibilities of a highly powerful system emerge.
How about creating a mesh of Surface devices? A manufacturer in China, for example, could interact directly with designers and specialists around the world to ensure that the components of a final item all fit and work together, with the various individuals being able to move the items around in real time using gestures and touch rather than mice and keyboards.
Although the current systems are not aimed directly at consumers, the idea of a fully interactive media centre becomes closer to reality. Imagine a single system where video, image, voice and data all come together in a manner where the individual can choose how to interact. A voice message comes in – and it takes just a gesture to answer it (or not to) and then speak. An email – use touch to open it, read it, respond via touch or gesture and speech, then file through touch to a folder on the desktop. Want to watch TV? Have it over the whole of the 40in screen, then use touch or gesture to make it smaller – but not too small – so that you can deal with something else at the same time. Another person wants to interact with part of the screen while you’re doing something? Surface enables people to work in their own area and choose whether each person is sandboxed from each other, or can interact with what others are doing.
Surface 2.0 looks good, and will undoubtedly be welcomed by the high-end retail and hospitality organisations, as well as being useful in Microsoft’s existing Surface markets of education, defence, automotive and healthcare. Provided sales increase and more hardware partners join Samsung to drive sales, costs should come down and so make Surface-based devices more available to the lower end of the possible market. We may yet see the likes of Wal-Mart, Tesco and Carrefour using Surface-based devices to interact with shoppers and enable them to find out what wine goes best with the meat they have just chosen.
Overall, we’re getting close to what was shown in the film Minority Report, with its walls of interactive information – but Microsoft has to ensure that commercial value is perceived and then gained, rather than Surface-based devices being seen as the next executive toy. Again, the development community will be the main factor in this, and Microsoft must ensure that what is seen coming down the line has all the capabilities to boost prospective buyers’ revenue and profits.
Clive Longbottom, Service Director, Business Process Analysis, Quocirca
Quocirca has written a few times about end point management and security recently. There has also been comment on the upgrade of Microsoft’s Forefront security range and its end point management tools. A new Microsoft on-demand service warrants further comment in both areas.
Microsoft has released a “simple web-based administration console” for PCs called Intune. It is based on the Windows Update Manager code base and includes elements of Systems Center Configuration Manager (SCCM, Microsoft’s on-premise tool for PC management) and Forefront End Point Protection (FEP). The product has the flexibility to support devices both within and beyond the firewall.
Intune takes best practices from SCCM and requires System Centre agents on the target PCs. However, it does not provide all the functionality of SCCM; it cannot be used for operating system/application software distribution and power management and does not have full group policy support (these features may be added in time). Remote assistance, PC monitoring, alerts, updates, inventory management, security settings and malware protection are all supported.
When it comes to anti-malware you do not have to use FEP, but Microsoft recommends that you should not run two anti-virus engines at the same time. So you must either replace your existing product with FEP (which is included in the Intune subscription) or just keep your old one. A subscription also includes an upgrade to Windows 7 Enterprise for each PC covered, and that includes BitLocker full disk encryption, although Intune does not provide the capability to manage the enforcement of encryption.
If you have SCCM already, Microsoft advises you to keep going with that. It sees Intune as a fast entry point for organisations that have no PC management in place at present. The quoted US price is $11 per PC per month (around £7). So when compared to existing costs for buying and maintaining end point protection and encryption, the annual cost is approaching £90 per PC per year.
The caveat is of course that Intune works only for Microsoft PCs (running XP, Vista or Windows 7); it does not even cover Windows mobile devices. As businesses increasingly have to manage a diverse range of smartphones, PCs and tablets running a range of operating systems other than Windows, many will see this as a limitation.
Microsoft muttered about support for iPhones and iPads in the SCCM roadmap, so perhaps this will end up in Intune at some point in future. However, those who want a comprehensive management tool that covers all end points both inside and outside the data centre and that is available on-demand should look to other vendors such as Kaseya and NTR Global.
The freely available Quocirca reports review the use of end-point management:
The Total MSP – using managed service providers for end-point management
Remote IT management – the value of on-demand end-point management services
Bob Tarzey, Analyst and Director, Quocirca
In February, Symantec released a new version of its Endpoint Protection suite – SEP 12 and the associated small business editions SEP SBE 12. It contains all the usual stuff you would expect to find in such suites: antivirus/spyware, desktop firewall, intrusion prevention and so on. So what’s new?
Well, as ever, Symantec has focused on performance, to ensure that the product has minimal impact on desktop performance – a focus all desktop security vendors must have. It has also improved support for virtual desktops, where scans can have a big impact on the performance of the servers that run them if multiple scans are invoked at the same time. However, the feature Symantec was keenest to talk about was an upgrade to the way its Insight file reputation service works.
Insight is a cloud-based service that backs all Symantec malware protection products including Norton for consumers. Insight assesses the threat an executable file might represent based on a number of factors including prevalence, age, provenance and reputation, and returns a rating that can be used when setting security policies, sometimes called greylisting (as opposed to whitelisting = good, blacklisting = bad).
For example, a file over two months old with thousands of users is likely to be safe, while one created yesterday, with no known users, looks decidedly risky. With V12 it has made a change that allows security administrators to set policies rather than end users, as was the case in previous versions.
With Insight, “executable” files include traditional EXE files, driver files (including printer drivers), screen savers, DLLs, OCXs, MSI Installer files, etc. Insight does not rely on file extensions to recognise such files but examines all files to see if they are known and, if not, checks to see if they are actually executable. At present Insight has a community-based security rating for 2.5 billion files – good, bad and grey. This data is collected by Symantec’s Global Intelligence Network, which consists of more than 175 million endpoints that run Symantec’s security software and have opted in to submission of threat data, and from Symantec’s hosted services or gateway products.
All well and good, but all the major security vendors have protection networks and these all include file reputation services. So, is Symantec catching up with or jumping ahead of the competition? Here are three examples:
McAfee’s Global Threat Intelligence also includes file reputation. It catalogues known bad files and grey-lists files that might be bad. Like Symantec Insight it uses a file scoring algorithm; however, McAfee does not whitelist. Quarantine thresholds can be configured depending on a given customer’s tolerance for risk. McAfee does not rely just on the file itself, but also on other information such as network connection reputation and mode of arrival, for instance whether it is attached to a “spammy” email.
Trend Micro’s Smart Protection Network (SPN) has been around for over five years and has included file reputation since 2008; it also greylists files as suspicious. To do this it looks at the file's behaviour and heuristic information. Suspicious files are checked against white-lists to minimise false positives. Information on new files is then fed back to SPN for analysis and confirmation as to whether they are truly malicious or not.
Blue Coat’s threat protection network is called Web Pulse. It has been profiling web traffic for over five years and it is central to all its security products. It greylists malware based on provenance, history, behaviour, mode of arrival and previous knowledge of a particular file.
The truth is, as Blue Coat’s spokesperson told Quocirca, threat protection networks are “table-stakes” for security vendors. You have to have one and it has to work. The vendors vary in the approaches but they all do the same sort of things. The speed at which new threats are discovered will depend on the size of the network, and as one of the biggest suppliers of security software to both businesses and consumers, Symantec’s is big.
Perhaps the biggest such network sits behind Microsoft Forefront security offerings and the Microsoft Malware Protection Centre (MMPC). But as Quocirca has reported before, Microsoft has other shortcomings when it comes to security, mostly to do with its inward focus – only protecting its own infrastructure. This is where specialist security vendors definitely have the upper hand, for example Symantec’s SEP 12 includes protection for Mac OSX and Linux. An on-going race will be to extend protection to smartphones and tablets with their new range of operating systems. SEP 12 does not address this, but then nor do most of its competitors.
Bob Tarzey, analyst and director, Quocirca
About The big picture blog
Business and IT insights from research and analyst firm Quocirca