Latest Windows posts
Quocirca has written extensively about privileged user management over the years, including two research reports, Conquering the sys-admin challenge in 2011 and Privileged user management – it’s time to take control in 2009. One of the dangers highlighted in both reports is that if privileged user accounts are compromised the results can be far more serious than when the same happens with the accounts of “normal” unprivileged users. Several vendors specialise in the management of privilege and sys-admin rights including CA, Cyber-Ark, Centrify, Lieberman Software, Quest Software, Thycotic and UK-based Osirium, which sponsored Quocirca’s most recent report.
It is odd then that many businesses leave “normal” users with full admin rights in one area: their Windows desktops. IT departments are prone to do this because it makes life easy; it means their helpdesks do not get constant user account control (UAC) requests (to install Active-X components etc.). However, Windows desktops with full admin rights are a gift to malware writers. Once compromised, it is far easier to recruit such PCs to botnets, install key-loggers or use them as a springboard to deeper penetration of an organisation’s infrastructure. The default position should be that no desktop runs with full admin rights and that such rights should only be granted for limited periods of time and to enable certain tasks.
This has led to the emergence of a second group of privilege management vendors whose main focus is to get the problem of Windows desktop admin under control. They enable automated granting of admin rights based on predefined policies, which can apply to applications as well as users. This helps minimise the number of UAC requests, as when a user needs to install or update a commonly used application their privilege level can be temporarily elevated. Most of the vendors above do not address these specific issues and are therefore partnering in this area. Quocirca has been speaking to two of these vendors recently.
First is Avecto, a UK-based vendor that is doing half its business in North America. Its product is called Privilege Guard and it has a partnership with Cyber-Ark. Its focus to date has largely been selling direct to large enterprises where it links in with Active Directory and its Group Policy engine. However, it can also now link in with McAfee’s ePolicy Orchestrator (ePO), creating a partnership which Avecto sees as key to building a multi-tenancy on-demand version of Privilege Guard that will open up the SMB market, where practices regarding management of Windows privilege tend to be at their worst.
Second is Viewfinity, an Israeli vendor, which has just opened its first European office in Amsterdam. It already does 60% of its business via an on-demand platform, the other 40% being on-premise installs at large enterprises. It has partnerships with Lieberman Software and CA, and is integrated with Microsoft System Center Configuration Manager (SCCM) and, of course, Active Directory. Viewfinity has just released V4 of its product. It also has a free “Local Admin Discovery” tool, which allows you to find out just how widespread the allocation of admin rights is across your Windows desktop estate. The approach is a bit like those free malware detection tools that tell you of all the gremlins that are present on your PC but will not let you delete them until you cough up a fee (although Viewfinity should actually work!)
Regardless of the vendor selected (a third player is BeyondTrust), that may well be a price worth paying. At this level most malware is opportunist; it will seek out the most vulnerable and easiest to exploit PCs. Once malware has found its way on to a PC, finding full admin rights is a gift; an open invite to take full advantage of opportunities for data theft or deeper penetration into the infrastructure of the organisation that owns the device and thought it could trust it on its network.
As Quocirca research over the years has shown, there is much poor practice in businesses of all sizes when it comes to the management of privilege and sys-admin rights. Just as was stated in 2009 with regard to the management of core IT infrastructure, when it comes to user desktops, it is time to take control.
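A first look at how widespread local admin rights are on a desktop estate can be had with built-in PowerShell cmdlets. The script below is an added example, not part of the original post and not any vendor's discovery tool; the computer list and the allow-list of expected members (`$Computers`, `$AllowedRids`) are assumptions to adapt to local policy.

```powershell
# Added example: list unexpected members of the local Administrators group.
# $Computers and $AllowedRids are assumptions; set them for your own estate and policy.
param(
    [string[]]$Computers   = @($env:COMPUTERNAME),
    # RIDs accepted as expected members: 500 = built-in Administrator, 512 = Domain Admins
    [string[]]$AllowedRids = @('500', '512')
)

# Runs on each desktop. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
# so the query does not depend on the localised group name.
$audit = {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Class    = $_.ObjectClass          # User or Group
            Source   = "$($_.PrincipalSource)" # Local, ActiveDirectory, ...
            Sid      = $_.SID.Value
        }
    }
}

$results = foreach ($c in $Computers) {
    try {
        if ($c -eq $env:COMPUTERNAME) {
            & $audit
        } else {
            # Requires PowerShell remoting (WinRM) to be enabled on the target
            Invoke-Command -ComputerName $c -ScriptBlock $audit -ErrorAction Stop
        }
    } catch {
        Write-Warning "Could not audit ${c}: $($_.Exception.Message)"
    }
}

# Flag every member whose RID (last SID component) is not on the allow-list
$unexpected = @($results | Where-Object { $AllowedRids -notcontains ($_.Sid -split '-')[-1] })

$unexpected | Sort-Object Computer, Member |
    Format-Table Computer, Member, Class, Source -AutoSize

# Per-desktop count, to show how widespread local admin rights are
$unexpected | Group-Object Computer | Sort-Object Count -Descending |
    Select-Object @{ n = 'Computer'; e = { $_.Name } }, @{ n = 'UnexpectedAdmins'; e = { $_.Count } }
```

Any interactive user or broad group (for example Domain Users) that appears in the output is a desktop running with the standing admin rights the post argues against.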
Bob Tarzey, Analyst and Director, Quocirca
This week, Quocirca had a briefing with a security vendor which provided an insight into a fundamental change going on in the use of IT and one of the major drivers for that change. The vendor was Bradford Networks, named not after the city in Yorkshire UK, but the small town in New Hampshire, USA.
Bradford provides products to carry out a range of network management and control capabilities: network discovery, end-point management, network access control and policy enforcement around network usage. None of that is unique to Bradford, which is perhaps why, when it started selling this product line back in 2005/6, it focused on a niche – higher education. Not any old aspect of network usage in the sector, but specifically student dorms, or halls of residence as they are called in the UK.
The problem Bradford helps university IT administrators manage is the wide variety and ever-changing identities of devices students want to attach to the network services offered in such places. Even five years ago, this included Windows PCs, Macs, gaming devices and early smartphones (mainly BlackBerrys). Today of course you can add Android devices, iPhones, iPads and others. The range of devices supported by Bradford, which extends to CCTV cameras, door entry systems and firewalls, is impressive.
Bradford has been successful selling to this niche in the US and also in the UK, where via a single reseller, Khipu Networks, it has signed up many universities, including Oxford, Nottingham and Durham. A case study for Durham University can be seen here.
What makes Bradford’s story interesting to Quocirca is the speed at which its business is changing. In the last couple of years Bradford says the profile of its business has switched from almost all higher education to 85% other sectors including healthcare, manufacturing and banking. Bradford says this change has been demand driven and is not the result of deliberate targeting (for example, it still has just the one reseller in the UK, but is planning to change that).
There are two reasons for this change in the business profile at Bradford. The first is the range of devices that organisations now have to support, as Bradford says: “Now the rest of the world has started to look like [the higher] education [sector]”.
But the second reason is perhaps more profound; the students of five or six years ago are the employees of today; the change at Bradford is surely a bellwether for the growing tide of consumerisation, a big driver for which is the entry to the work place of the IT savvy “generation Y”.
Of course, Bradford is not alone in addressing this issue. It will have to make its own case against a range of larger vendors all targeting end-point management and security. This includes end-point management vendors such as Kaseya, LANDesk and IBM/BigFix, but also IT security vendors – for example McAfee, Symantec and Trend Micro are all now investing in managing end-points as well as securing them.
There is another vendor that could be added to both these last two lists: Microsoft. It too is in the end-point management business with its System Center Configuration Manager (SCCM) and recently announced Intune on-demand service, which Quocirca wrote about in a previous blog post. Microsoft is also in the end-point security business with its Forefront End-point Protection (FEP) product, which Quocirca wrote about here.
However, as both posts point out, Microsoft is missing the point. As ever it lives in its own Microsoft bubble. Its end-point management and security products only address Windows PCs, not even its own struggling Windows Mobile operating system. Generation Y has certainly found there is more to life than Microsoft, and Bradford Networks is benefiting from this. If Microsoft does not change its game, its fortunes will surely head south like those of its new mobile devices partner Nokia.
For Microsoft this tide of consumerisation impacts two of its biggest product lines that account for over half its business: Windows desktop and Office. Quocirca would not be the first to speculate about the long term future of Microsoft. In its June 9th leader celebrating the 100th birthday of IBM, The Economist speculated which of today’s IT vendors might reach a similar age. Microsoft was not one of them.
Two recent Quocirca reports, sponsored by Kaseya, that cover end-point security are available for free download: The IT Profit Centre and The total MSP.
Bob Tarzey, Analyst and Director, Quocirca
Quocirca has written a few times about end point management and security recently. There has also been comment on the upgrade of Microsoft’s Forefront security range and its end point management tools. A new Microsoft on-demand service warrants further comment in both areas.
Microsoft has released a “simple web-based administration console” for PCs called Intune. It is based on the Windows Update Manager code base and includes elements of System Center Configuration Manager (SCCM, Microsoft’s on-premise tool for PC management) and Forefront End Point Protection (FEP). The product has the flexibility to support devices both within and beyond the firewall.
Intune takes best practices from SCCM and requires System Center agents on the target PCs. However, it does not provide all the functionality of SCCM; it cannot be used for operating system/application software distribution and power management and does not have full group policy support (these features may be added in time). Remote assistance, PC monitoring, alerts, updates, inventory management, security settings and malware protection are all supported.
When it comes to anti-malware you do not have to use FEP, but Microsoft recommends that you should not run two anti-virus engines at the same time. So you must either replace your existing product with FEP (which is included in the Intune subscription) or just keep your old one. A subscription also includes an upgrade to Windows 7 Enterprise for each PC covered, and that includes BitLocker full disk encryption, although Intune does not provide the capability to manage the enforcement of encryption.
If you have SCCM already, Microsoft advises you to keep going with that. It sees Intune as a fast entry point for organisations that have no PC management in place at present. The quoted US price is $11 per PC per month (around £7). So, when compared to existing costs for buying and maintaining end point protection and encryption, the annual cost is approaching £90 per PC per year.
The caveat is of course that Intune works only for Microsoft PCs (running XP, Vista or Windows 7); it does not even cover Windows mobile devices. As businesses increasingly have to manage a diverse range of smartphones, PCs and tablets running a range of operating systems other than Windows, many will see this as a limitation.
Microsoft muttered about support for iPhones and iPads in the SCCM roadmap, so perhaps this will end up in Intune at some point in future. However, those who want a comprehensive, on-demand management tool that covers all end points both inside and outside the data centre should look to other vendors such as Kaseya and NTR Global.
The freely available Quocirca reports review the use of end-point management:
The Total MSP – using managed service providers for end-point management
Remote IT management – the value of on-demand end-point management services
Bob Tarzey, Analyst and Director, Quocirca
Back in December Microsoft released Forefront Endpoint Protection 2010 (FEP), a suite that provides protection for Windows PCs from malware etc. Used in conjunction with Microsoft System Center Configuration Manager 2007 (MSCCM), it lets businesses make sure their Windows PC user end points are up to date and secure. In conjunction with BitLocker, Microsoft’s full disk encryption capability, and other security features that come with Windows, such as the Windows firewall, Microsoft now has a comprehensive capability to protect and manage Windows PC end points.
A further worry for its competitors is that business take-up of Windows 7 since its launch in October 2009 has been fairly slow, but this is expected to accelerate rapidly during 2011. A Microsoft large account reseller (LAR), which provides end point management services, told Quocirca that many of its customers are asking to upgrade in the next 12 months. One thing seems certain; when they do this they will review their Windows end point security in light of the offerings from Microsoft. For example, one CISO Quocirca spoke to stated:
“When we move to Windows 7 we will include an evaluation of Forefront and BitLocker alongside existing end point security”
So is Microsoft set to take the end point security market by storm and see off the security specialists that dominate at present such as Symantec, Trend Micro, McAfee and Sophos? In Quocirca’s view probably not; Microsoft has three problems.
First, although Windows 7 is expected to do well in 2011, it is no longer true that Windows based PCs are the only end point most businesses have to worry about. Microsoft has failed to make much of an in-road into the smartphone market; its market share languishes at below 5%. Nokia/Symbian, Apple/iOS, Google Android and RIM are much more widely used and look set to remain so.
Furthermore, tablet computers are increasingly being used to access business IT resources. Gartner predicts 55 million unit sales of Apple’s iPad in 2011 and other hardware vendors are entering the market, many using the Google Android operating system. A CISO from a diehard Microsoft shop, that was an adopter of the forerunner to FEP, Forefront Client Security, told Quocirca that even they now have a “few iPhones and iPads” to worry about.
Vendors that specialise in end point security and management struggle to keep up with this diversity; Microsoft is not even trying. Worse still, Microsoft does not even support old versions of its own products: FEP is only available for Windows XP and later (not too bad) but BitLocker is only in Windows 7 and Vista (few businesses adopted the latter). As for Windows Mobile, don’t even bother – no FEP or BitLocker there. So if you are looking for a common security suite across all end points, Microsoft does not have the answer and it probably never will.
Microsoft’s second problem is that IT security is about much more than user end points. It is about servers, datacentres, networks and the increasing use of on-demand computing services. The revamped Forefront range includes offerings in these areas; Forefront Server Security (for Windows Server SharePoint, Exchange, Lync), Forefront Threat Management Gateway 2010 (was ISA Server) and Forefront Unified Access Gateway 2010 (was Intelligent Application Gateway). But, where businesses can no longer rely on the user end point devices being purely Microsoft, few have ever had such homogeneity at the backend. Most of those wanting a single vendor to cater for the majority of their security needs must look beyond Microsoft.
The third problem Microsoft faces is the channel. It is rolling out Forefront via a new value added distributor (VAD) programme. Its existing distributors are keen to join and capitalise on the Forefront opportunity. However, the resellers they must win over for this to succeed are less convinced. One told Quocirca:
“We always include Microsoft [security products] in a review but it has never come out on top”
Other resellers complain that there is little margin for them in Microsoft security products and they have to fall back on services, which at least there is a requirement for, as some find Microsoft’s products more complicated to deploy than those from other vendors. Furthermore, resellers have their existing relationships with security vendors whose products they have rolled out to their customers; Microsoft must overcome this double incumbency.
One final groan from resellers actually works in Microsoft’s favour. They complain that because Enterprise Agreements and Enterprise CALs (client access licences) – two ways larger businesses can license Microsoft technology – now include many Forefront products, their customers have already paid for the right to use them. When this is the case, there is no incremental product revenue for the reseller. End users must work out for themselves if they have such rights and if the Microsoft security products provide the protection they need – many resellers seem unlikely to highlight it for them.
Microsoft Forefront security will become more widely used in 2011, but there will be few organisations that will be able to rely solely on Microsoft for their IT security needs. There is plenty of opportunity left for the specialist security vendors.
Bob Tarzey, Analyst and Director, Quocirca
About The big picture blog
Business and IT insights from research and analyst firm Quocirca