The Emerging Products section keeps tabs on important emerging market segments within the information security space and seeks out promising new companies and products that we think will shape the market segment. This year we will be looking at such areas as cloud and virtual system security, on-line fraud detection, mobile device security and security as a service. As one might expect there are new companies with innovative new products, old pros with creative approaches to new problems and a few good ideas that have not made it into the mainstream. Think of this new section as Innovators meets First Looks.
When we do something new we create fresh opportunities. When we change an entire computing paradigm, we create opportunities and chaos, at least to a limited degree. Out of the chaos will, eventually, fall an entirely new and well-defined market space. That chaos stage is exactly where we are with so-called "cloud computing." So-called because, as we all know, this is just old wine in new bottles. But the bottles, it turns out, are really important this time.
Taking applications, data and entire enterprises and sticking them out on the internet made absolutely no sense. It was expensive, hard to control and meant relinquishing security management over what often would amount to the crown jewels of an organization. It was a non-starter. Nobody would be that stupid, right?
But, then, virtualization took a strong foothold and some smart people started to think about how to overcome the apparent stupidity of taking everything digital and putting it who-knows-where out on an internet where it is still like the lawless Wild West. The result has been a virtual (pun intended) race to the cloud. But, sadly, in many respects, the cloud is not quite ready for its new-found fame. Virtualization is still not mature - although it is heading toward maturity at a ferocious pace - and the security issues alone ought to be show-stoppers. They are not. And some of the reasons they are not are embodied in this month's Emerging Products Group Test.
Someone told me a year or so ago that the security problems on a virtual system are no different from those on a physical system. There are just environmental issues that prevent one from solving them in the same way. There's the rub, and quite a rub it is. Environmental issues are largely technical if we are talking about our own virtual data center. When we hand that virtual environment over to someone else, there are a lot more pieces to the environment: legal, contractual, management, security and more.
Cloud providers have responded by defining clouds - really virtual environments on the internet - in lots of ways. We have public clouds, private clouds, hybrid clouds, co-locations and so on. It makes one's head swim. So how do we deal with the suite of security issues that these virtual environments generate? One of this month's developers answered that question the only way I can think of to answer it: You go for the lowest common denominator.
That means treating everything as if it was going to live in a public cloud where you have essentially no control over the security used by the cloud provider, can't audit, can't investigate an intrusion, can't do anything but use the assets(s). This helps to define one of our criteria for these new players - some of the players have been around a while. It's just their products for this environment that are emerging.
Another interesting thing happens when a new computing paradigm is born. Lots of companies carve out lots of little niches and create point solutions to point problems. Then bigger fish decide that it is safe enough to play in the same pond with the creative small fish who were willing to take risks in a new and badly defined market space. Bigger fish usually aren't risk takers. They wait around for the little fish to take the risks and then eat the survivors. We are at the early stages of that process now in the cloud security space. This month, we have six companies who are picking their niches and developing to solve a particular problem. My bet is that these little fish all will be eaten at some point by McAfee, Symantec or their ilk.
At least that's the way it usually goes, and that is the way I, for one, hope it goes this time. These six products all are interesting - one very interesting - and they will make strong contributions to how we secure the cloud, specifically, and virtual systems, generally, in the future. Each of these companies has picked out a problem to solve and have done first-rate jobs of addressing those problems. Are they perfected yet? Of course not. But this is a strong start in a young market and we believe that each one is worth your attention.