The Security Relationship

Security is a vast, amorphous term that seems to span dozens of product categories. At bottom, though, one could define computer security as the pursuit of protecting data and system resources from unwanted use or catastrophe. That could mean deletion, corruption, public exposure, theft, or any number of things.

A spyware agent that tracks your Web surfing habits is obviously not a risk to your files (unless the code is poorly made and interferes with other elements in your configuration), but it can expose your data—including, say, which sites you frequent for purchasing and what you buy there—to unwanted third parties. Viruses have been in the data and drive trashing business for decades. An unsecured access point frequented by non-malicious college kids only looking for free bandwidth to IM with friends still poses a drain on corporate bandwidth and presents a secondary risk: What if one of those friendly interloping notebooks harbors a virus that replicates onto the company server?

"Resellers need to explain to clients the pros and cons of being or not being protected," says D&H vice president of marketing Dan Schwab. "To some degree, it's like insurance. To what level of insurance do you want to protect your information? For most companies, it's mission critical. They need to go to the n-th degree, so I think it's imperative that the solution provider show a good/better/best scenario, because more often than not the intelligent user will migrate to the ‘best' solution. And those are the ones with the highest revenue and highest integration opportunity."

According to Bill Kerrigan, senior vice president, McAfee consumer, enterprises tend to have very good security with a very high percentage of properly configured, secure systems. At the consumer level, security is far worse. The AOL/NCSA Online Safety Study report stated that 84% of consumers surveyed maintain "sensitive information" on their PCs, but only 28% felt very safe from online threats. In particular, only 13% felt safe from hackers. A remarkable 67% of survey respondents were running with either no antivirus software or outdated antivirus definitions. Eighty percent of scanned systems contained spyware agents with an average of 93 agents on each infected machine.

The level of effective protection across common security threats decreases as you move down the chain from enterprise to consumer. This means that if you're a reseller who specializes in catering to small businesses, the opportunity to rack up security sales is substantial. Small businesses need protection every bit as much as enterprises. The difference is that small businesses tend not to have a security-aware IT staff and so are both unprepared to meet today's threats as well as uneducated about the issues and liabilities surrounding security.

"All SMBs have one thing in common," says Steve Groom, director of security for Technology Integration Group (TIG), a large security-focused VAR based in San Diego. "They're challenged with the same problems as a large organization. They get hit by the same viruses. They might be affected by California 1386 [see our sidebar on compliance]. Maybe they accept credit cards and are affected by Visa. So they have the same problems, but they don't have any security expertise in-house. My advice is to build out a little managed security service. Provide best of breed antivirus solutions, some patch management, and help those SMBs get their arms around security and implement good standards."

Last month, we discussed some of the top industry certifications for security resellers, such as CompTIA's Security+, and it's worth reiterating here that these are practically essential if you want to move beyond simply selling off-the-shelf products. Becoming a security resource for your clients is about becoming an advisor as well as a point of purchase. You need to know which are the right product's for a client's needs and how to set up those products properly for optimal security.

"If I'm a reseller," says George Kafkarkou, senior vice president, worldwide channel operations for Computer Associates, "you're going to have a much higher comfort factor with me if I solve some of your major security problems, such as antivirus and anti-spyware. If I can eliminate those problems for you, you will trust me as your advisor for business. So the value proposition for the CA SMB reseller is that our security solutions are a lever to bond the relationship further so that there is greater longevity in that relationship."

Fortunately, you are not on your own. The security relationship happens both above and below you. You may be struggling to get a grip on security products and services, but there are some very reputable and eager vendors out there anxious to help guide you through the process.

Easy Targets in
Security Threat Software

If you're a relative newbie in security, you can't build Rome overnight, not even with a vendor's Extreme Makeover crew behind you. But that doesn't mean you can't start selling. You just need to start small and aim for some of the easy security targets. As you gain proficiency in these categories, you'll be able to branch out into more complex products and start offering services around them.

Antivirus

An increasing number of pundits are saying that antivirus is nearly a non-issue in terms of sales. The technology is now so mature, competitive, and pervasive that it is virtually free. In fact, it seems like all but the lowest-end motherboards now come with last year's Norton or Trend Micro antivirus in the box as a giveaway. Ambitious end-users can simply run free online virus scanners, then Google for instructions on how to manually remove the pathogens. This is partly why you rarely see antivirus offered as a stand-alone application anymore. The suite approach seeks to preserve some value in the product.

However, what is true in the consumer space definitely does not apply in the business world. The last thing an employer wants his people doing is diddling around with scanner sites and trying to perform virus fixes in their registries. Moreover, centralized management is the name of the game, even in companies with less than 10 users. Does an owner want his resident guru knocking workers away from their desks in order to run security scans? Not at all. Good corporate security software can be run by an admin from any point on the network or even via an encrypted connection from across the Internet.

Perhaps the best-known name in antivirus is Symantec. The small business title of choice from Symantec is Client Security 2.0, which comes available in 5-, 10-, and 25-user SKUs. Client Security covers antivirus, anti-spyware, desktop firewall, intrusion detection, and includes a server-based console for LAN-based installation and client management. A Groupware version of the product adds support for Microsoft Exchange and Lotus Domino servers, adding mail virus scanning and spam filtering.

For a less conventional spin on corporate antivirus, consider McAfee's VirusScan ASaP. The ASaP line is McAfee's family of remotely managed applications. In the case of VirusScan ASaP, the company's VirusScan product still resides on and monitors the client, but the management and updating of the software is all remotely handled from across the Internet by McAfee.

"The small business has a choice on whether they and their VAR want to manage the security environment or outsource and use a managed service," says McAfee's Bill Kerrigan. "Both solution sets exist within McAfee and go through multiple channels. In the case of the managed service, it's an automatically updated antivirus protection, and there is virtually no involvement from the end-user in managing that. The VAR also has multiple levels of reporting. The VAR can go into the network and look at all their customers and their PCs and make sure that all of those machines have implemented the latest antivirus signature files."

McAfee asserts that going with an ASaP managed service can save an end-user 80% of the lifetime cost of antivirus protection. Whether 80% is accurate or optimistic, taking management out of the customer's hands saves him the cost of handling the task on a payroll basis and provides a reliable monthly or annual revenue stream for the reseller.

Given our hardware discussion last month, it's probably worth pausing here to mention the option of implementing an antivirus appliance at the gateway. Blue Coat Systems, IronPort, Panda, Greencomputer, Symantec, and others make these devices. But do they offer superior security to a purely software-based implementation?

"You can have just as good of a security solution with software alone," says CA's George Kafkarkou. "The reason why appliances are growing in popularity is because appliances make for easier adminstration. It's a physical device, I only have to install it once, and I just plug into it. That's why you're seeing growth in appliances, particularly at the SMB level. But just because it's easier to administer does not mean it's more secure. Frankly, it's the software within the appliance that makes it secure—and, by the same token, insecure. Now, if you want to talk about perimeter networking, yes, a firewall appliance outside the perimeter is more secure. But it's not the same with antivirus."

The chief argument for antivirus appliances is that they absorb the processing load of scanning traffic for pathogens so that server and client resources remain unaffected. As Panda puts it in the company's FAQ, "this in turn ensures that even during virus epidemics, corporate network resources can continue to function normally." What Panda doesn't outline is just how much virus traffic would be required to significantly impact, say, a 2.0 GHz-based mail server running software-based antivirus, especially if that server was running fully patched on a load balanced LAN.

Firewall

Some companies pin all of their firewall security on a gateway appliance, but smart resellers may want to push for a more comprehensive approach.. Electronic Systems Incorporated is a solution provider with seven offices spread around Virginia, Washington, D.C., and North Carolina. Seventy percent of ESI's business is in infosystems, and 20% to 30% of this is in security. The company started out in security 10 years ago selling firewalls. With clients ranging up to the U.S. military, you might expect ESA to favor appliances over software every time, but this isn't the case. "It's a juggling act of risk versus cost," says ESI professional services manager Darrell Hix. "How much would it cost your client to have a hacker bring down his network? There's only so much you can do at the gateway, and it makes sense to have protection at both ends."

There are plenty of software firewalls on the market, including respected names such as Black Ice from Zone Labs/Check Point. However, you don't want a product that is an island. The pieces in your SMB client's security puzzle should all fit cohesively—one product family controlled through a single admin interface.

This is why the resellers I spoke with favored this likes of McAfee's Desktop Firewall ASaP and Symantec's Client Security suite. Effective and affordable, these highly integrated apps are especially appealing to new security resellers because they're so relatively easy to install and configure.

"Interestingly enough, only a fairly minimal amount of expertise is required to set up the basic security environment, because everything is covered within the documentation," says Symantec's Liam Yu, senior product manager for the product delivery and response group. "Configuration is pretty straightforward, and there are a couple of preconfigured setups that come with the standard install, but a lot of times we find that customers just don't want to go through those steps.

Anti-Spyware

Viruses have been with us for long enough that they have permeated our culture. Even the untechnical elderly understand that a computer virus can damage your information. Spyware, on the other hand, is still a relatively new phenomenon. Most of the people I interviewed here agreed that the majority of SMB decision makers do not have an adequate grasp of the range of spyware agents, how they are transmitted, and what they can do to a computer system or network. The preconception is that spyware, whatever it is, is a consumer problem. Naturally, this is erroneous. Unprotected corporate PCs pick up spyware off the Internet almost as easily as consumer systems. The difference is that many companies monitor the applications on their systems, so something like a peer-to-peer program would bring about a swift reprimand.

The good news is that this ignorance on the part of SMB clients is a perfect open door for resellers to step through and offer education and site analysis. The education part will likely be free, but few managers, when faced with the full scale and risk of spyware, could be averse to paying a moderate fee for a responsible site scan.

As mentioned earlier, different anti-spyware programs will yield differing results. The resellers I spoke with gravitated toward CA's PestPatrol as being the best title in the industry. Some resellers and many end-users may want to opt for a cheaper spyware solution, but the lack of comprehensiveness in many titles could spell disaster for the client and liability for the reseller.

"Computer Associates is a very big company," says CA's George Kafkarkou. "We have invested very heavily and built upon the research teams worldwide to look out for spyware and come up with antidotes, if you like. In one update alone, we provide solutions to more than 1,000 instances of spyware, and we provide updates weekly. A company that offers free product cannot afford to have the resources to do this. That is dramatically consequential. There's a type of spyware called a keylogger. Imagine if one of these free products missed a keylogger. The damage could be significant. You need resources and 24 x 7 research to catch problems and distribute solutions."

In addition to its accuracy and breadth, PestPatrol Anti-Spyware Corporate is also one of the few robust anti-spyware apps with centralized management features targeted for SMB accounts. This includes centralized notification and reporting capabilities, something that most major anti-spyware apps thus far overlook but which lends itself to another outsourcing revenue opportunity for solution providers.

...more