Patch Management
You might be amazed at the number of sneakernets still in active commission in SMB organizations. Companies spend untold thousands to deploy LANs and WANs yet still go about deploying upgrades and patches manually. This is incredibly risky, and the risk escalates with every seat in the organization that needs updating. Particularly in companies with insufficient IT staff, admins will find that new patches have been released even before they finish applying the previous ones. Part of the purpose behind application and OS patches is to fix known security holes, and if a hacker hits a company with an exploit before it has a chance to install the patch to fix that exploit hole, the game is up.
The generally shoddy state of SMB patch management isn't for lack of adequate solutions. Altiris is a huge name in patch management, but it's widely considered too sprawling and convoluted for small businesses. Similarly, Microsoft's Systems Management Server (SMS) is pervasive in the market. For a while, Microsoft even gave SMS away as part of a business solutions bundle incentive. But according to George Goodrich, product manager for Executive Software, despite the software's wide deployment, very few companies use it successfully, especially among SMBs.
"For the first time," says Goodrich, "it's actually dangerous not to have your systems patched. Altiris, SMS, and those guys all say they're for the SMB, but they're not. They're big, clunky, complex, cumbersome, expensive solutions. Even Microsoft, in a lot of their communications, recommended that if you're under 500 seats, use this free stuff, and if you're more than 500, use SMS. Then they removed that from the site once somebody figured out they could sell SMS there, too. Our Patchkeeper is for this audience. It has almost zero learning curve and it's very easy to use in this sort of semi-wizardy UI. It doesn't require a server. You just install it on the system you're administering from."
Patchkeeper allows for any number of systems on the LAN to be collected into customizable "groups." An admin might want one group to receive patches some time before the other systems to provide time for compatibility testing. After all, it wasn't that long ago that a certain OS service pack release wrought havoc with a substantial number of applications. The important thing is for patch deployment to be automated so as to alleviate the risk of human oversight and for reporting to be easy and immediate in case there are deployment problems.
These four categories—antivirus, firewall, anti-spyware, and patch management—are the core essentials of any SMB security configuration. Beyond these, though, different people have different interpretations of what is or isn't essential.
Security two years ago was about antivirus, because that was the most prominent threat to systems. Today, the situation is more multifarious. With increasingly diverse threats you need a broader application approach. But security now also means storage, and a lot of security solutions should and do intertwine with backup.
Storage falls outside the scope of this article, but proof of the relationship between security and storage might be found in the recent $13.5 billion Symantec/Veritas merger. After all, if, despite every best effort at antivirus, a virus does strike a mail server, destroys a company's customer communications archive, and there is no recent backup of that material, how good was the integrator's overall security plan?
Starting out, such security strategy elements may not be obvious. That's why you need an experienced vendor partner willing to show you the ropes as well as provide you with a profitable and dependable selection of products.
"We look for a security vendor that can offer a whole suite of solutions," says D&H's Dan Schwab. "From an integration standpoint, that's very amenable to our resellers and their end-users."
"We want vendors that have the right channel practices that focus on resellers versus a direct end-user model that would in some cases undermine the solution provider. And probably one of the most important pieces of the puzzle, the software publisher needs to provide training for their products so that solution providers tend to become experts on it. You need to understand the complexities of these products and how they compare and contrast to each other. Partners such as Computer Associates and Symantec do a very good job of providing tools to allow resellers to be successful with their products."
The Perfect Starter App
The downside to selling CA, Symantec, McAfee, and other top vendors is that you won't be alone. These companies provide very aggressive channel programs and work to help their reseller partners market as much as possible. Given that your install base is a semi-captive audience, the odds of you selling eTrust, for example, into your favorite financial services client and beating out three other resellers trying to push the exact same product are decent.
However, when you're starting out, it's handy to be able to offer some relatively unique value provided the application is simple enough to install and maintain easily. I came across Interlink Networks's LucidLink utility and thought it was the perfect example of a sure-fire money maker in the small business crowd.
You already know that wireless is really hot right now. According to Interlink, 80% of PCs being sold have wireless. Most SMBs are interested in leveraging wireless, but a mix of fears about insecurity left over from WEP and cumbersome key management still keeps many would-be users at bay. The problem with pre-shared WPA keys in an office environment is admins running around with 64-character hexadecimal strings that need to be implemented on each of the LAN's nodes. Say this needs to be done for 20 devices. When one person leaves the organization, the admin needs to rekey 19 devices and suddenly you're back to a revamp of the sneakernet patch management problem.
LucidLink almost needs to be seen to be believed, and Interlink's product site (www.lucidlink.com) has an excellent Flash overview. In a nutshell, though, LucidLink is a wireless user authentication system. The product is based upon the advanced encryption and session management technologies found in 802.1x, 802.11i, WPA, WPA2, and RADIUS, which is the bedrock of enterprise wireless security. However, LucidLink keeps all of this under the hood.
When the Windows Zero Config tool pops up to show available wireless networks, the user merely clicks to access the WLAN. A controller's screen pops up in front of the admin saying that so-and-so is requesting access to the network. The admin clicks to allow or deny the session and optionally selects an authorization expiration period. This sounds simple—and it looks simple—but the underlying encryption is every bit as solid as an enterprise VPN.
"Security credentials are created automatically, kind of like when you set up a garage door opener," explains Interlink CEO Mike Klein. "We set up those unique credentials wirelessly for the user. It's very much like having a password, only that password is not something you have to enter. We hide all that. Each user has unique credentials that allows us to do unique encryption for each user accessing the network."
If somebody steals the PC and tries to connect to the WLAN, two things would keep them barred from admission. First, the thief must be logged into the legitimate user's Windows account to gain access. Second, as soon as the user knows his PC is stolen, the admin can deauthorize that user from the network.
LucidLink performs another essential task which should be a huge relief to resellers: automatic access point configuration.
"One thing we found," says Klein, "is that a lot of users setting up access points have a lot of challenges. If you just pull an AP out of the box, security is set wide open. About 70% of users out there have completely unsecured networks. It's not hard, but to do it you have to get in and talk with the customer about SSID and WEP and WPA, pre-shared keys, RADIUS, 802.1x, and such, and you're likely to lose a general audience doing that. So our AP configuration manager asks you to select your AP model. It goes out, finds the access point, asks you to enter in an address, a password to manage the AP, a network name, and then you select whether you want maximum security or maximum compatibility. That's it. We automatically configure everything from there. You just go through this for each access point on the network."
According to Klein, his resellers are having great success with not only installing LucidLink in small businesses but then selling the home office edition to business owners, such as doctors, dentists, and lawyers, who want the same level of protection and convenience on their home networks. The three-user version costs only $99. (From there, the 10-user version is $449 up to the 250-user version at $3,995.) From there, you might snag installation fees and perhaps hardware sales for compatible access points. The beauty of LucidLink is that it installs in under 15 minutes and is simple enough for even the reseller salesman to install.
The Real Money: Services
We all know that service revenue is the key to making security sales profitable. Once you've buddied up with a couple of friendly vendors and become comfortable selling your initial arsenal of security products, the next steps are installation and training. These are great billable hours with relatively little knowledge overhead. Most everything you need to know should be provided by the software vendor either through Web-based training or hands-on tech seminars. The cost to get one or two employees up to speed for these services will be minimal.
Next up is becoming a security outsource resource for your clients. Now, services such as penetration tests, compliance reviews, and activity monitoring will likely come later as your security proficiency and sales increase. Early on, try targeting things like establishing a uniform security platform across the organization.
"Most SMB customers don't even have the same antivirus running on all their desktops," says TIG's Steve Groom. "If an SMB's one network engineer is supporting 10 different products, his time is not going to be spent effectively. With one solution, you can manage centrally and automatically. So the reseller can say, 'If you're going to do this, you need an enterprise approach, and here's how we can help you do that.'"
Detailed security policies are critical for even small businesses. Policies cover everything from restrictions on what Web sites users can visit to what users can and can't do with the network. For example, an employee might get it into his head that he wants to plug an access point into the wall so he can use his Wi-Fi Net radio. If you read last month's security story, you know that this is a horrendous security breach, but if there is no policy in place for such things, how would the employee know any better?
And it's not enough to help clients create policies. Part of being a solution provider involves giving them the tools to make sure those policies get enforced. That could be anything from administering a content filtering application across clients or at the Web server to setting the sysadmin up with a copy of NetStumbler and teaching him how to do area scans for rogue access points.
If you need some help with policy administration, another one of those value-rich, semi-unique applications is Senforce's Enterprise Mobile Security Manager (www.senforce.com). This is more of a medium business play since it enforces policies on a user-by-user basis as they move across various computers and access points throughout the organization. One of the main advantages of this is that it leaves a detailed "paper trail" of how network resources are being accessed and used. As a rather extreme example of large-scale implementation, the Department of Justice uses EMSM in their systems, although the same compliance needs extend down even into small businesses.
"It is of paramount importance for Justice components to have central control over policy and to be able to obtain compliance reports for audits," says Dennis Heretick, director of Information Technology and Security for the DOJ's Justice Management Division. "If asked how we know we're in compliance, we want to have definitive proof. Not only does Senforce provide central control over the networked devices including laptops, it provides a comprehensive view of the environment. This increases our situational awareness and proactive security posture, as well as our ability to react to threats. For example, we can shut down ports to control spread of a virus, take remediation measures, and then open ports for regular use when it is safe to do so."
Security solutions are not unlike building a whitebox PC. You're putting the best-of-breed components together into a solution, then putting services with it. ESI's Darrell Hix notes that installation, training, assessments, and audits are his company's four key security service areas, and of those the last two are the fastest growing revenue generators.
"Small businesses are a good place to start with these services because they're not as savvy," says Hix. "They're going to depend on an integrator more than a larger business that has a sizable IT staff. Smaller resellers can partner up with vendors like Symantec, Cisco, or Checkpoint, go out and talk to clients, and do joint engagements to educate people about the costs of these security risks. That's where services come in. You go out and help these people analyze their environments and put in a benchmark to help assess how much junk mail they're getting, what level their patch management is at, and how exposed they are overall."
While assessment is an excellent pre-sales tool, many businesses will accept this analysis as a billable service. You might even construct a contract specifying an assessment review every six months. As your expertise grows during this time, you may discover products your customer should be using you weren't aware of previously.
"The low-hanging fruit is installation and training," says D&H's Schwab. "The more complex one that becomes the great annuity opportunity is the monitoring—logging in, checking systems to make sure their firewall is up to date, all patches are in place, that there's no spyware. Basically, you want to make sure that nothing has happened since you set up this technology. All of the puzzle pieces need to still be intact."
"We see resellers going to a small business customer," adds McAfee's Bill Kerrigan, "and saying, 'I will manage your security across all of your desktops. I'm going to use and deploy a managed service called McAfee ASaP. And I'm going to provide the management reporting, check your network on this basis (daily, weekly, whatever), pull the reports, and pass them back to you to demonstrate that all of your PCs are updated with the latest virus protection.' Then they combine this with their other offerings."
SMB customers often fall into the Jiffy Lube mentality. They don't care how it works. They don't want to do the hands-on work themselves or examine the diagnostic reports. They just want it taken care of and working. After all, security is probably not one of the company's core competencies. So you, the reseller, now have a reason to go back and talk to that customer on a monthly basis. Your bank sends you a statement every month. You can do the same with executive-level security reports.
Opportunities Galore
We have only scratched the tip of the security iceberg so far. With a bit more security experience, you'll be able to move into selling and deploying access management.
"Many of our SMB clients have needs beyond threat management," says CA's George Kafkarkou. "I'll use the example of a health care company. There is ample evidence that says when an employee joins a company, they typically have access to 16 or 17 systems. When that employee leaves, his access is removed from 12 or 13 systems, meaning that if the employee wanted to, he could go back into the company and still have access to three or four systems. In health care, that's very serious. With a robust access management solution, such as our Access Control, that employee would no longer have any access at all."
Then we come to stored data encryption, which is practically another feature story unto itself. Windows versions based on NT, including Windows XP, all feature resident encryption, although relatively few people know it. (In My Computer, right-click on a file or folder and select Properties, Advanced.) However, since this encryption is linked to the user's Windows login, security is weak overall. A better approach for the SMB space would be via a vendor such as PGP (www.pgp.com), seller of the eponymous product that kicked off the encryption debates of the mid-'90s.
I remain a big fan of Digital Persona's U.are.U fingerprint technology (www.digitalpersona.com). While this is a hardware-based solution, it leverages strong encryption and links it to the user's fingerprints via a very user-friendly software applet. One fingertip acts as the key to lock and unlock files and folders, and substitutes as a password across a variety of applications. Biometrics take us into authentication, a whole different branch of security than threat management, but it's an area resellers would do well to consider integrating into their solutions.
Not least of all, once you become fluent in your partners' product lines and get some security certification(s) under your belt, you may want to consider getting into vulnerability testing, which is looking for weaknesses in a network's infrastructure. Sometimes, this can be good old-fashioned hacking. For a more automated approach, you might consider a product such as Symantec's Vulnerability Assessment, although the cost of this may be high due to it being primarily an enterprise application.
But the knowledge required to delve into these levels of service can be considerable. If you're at the opposite end of the spectrum, you might be asking the obvious question: When will I have enough knowledge to start selling security?
In the consumer world, the answer is fairly little. Applications do most of the heavy lifting in configuration, there is no management to speak of, and there's honestly little incentive to learn more because none of the major vendors offer any kind of residual revenue stream based on consumer product subscription renewals. You offer consumer security with PCs because it's the right thing to do, not because you'll get rich from it. Besides, your competitors are selling it.
Moving into small business, the answer is still fairly little provided you have the right partners.
"A whitebox reseller could sign up with a McAfee or any organization in their channel program, train one person into a business plan, and get some level of discount," says Rick Lewellyn, senior vice president of sales & services for security VAR Software Medium. "The next day, you can start reselling products. Any software publisher is looking for your install base so that they can reduce their cost of sales and get their products into places they haven't sold yet. So the barrier to get into security is not very high, and vendors are always trying to add more partners."
"If you get a good, established partner with a focus on SMB accounts and security, they're going to help you gain that knowledge," says ESI's Darrell Hix. "Within a year of establishing that partnership, you should have a sufficient amount of resident knowledge to ramp up and make sales with that partner's assistance. In another six months to a year, you'll probably have taken the lead at bringing in clients and designing services. The partner becomes a second line of defense for rare issues. To put it bluntly, there are a lot of cookie cutter solutions. You run into four or five different scenarios that tend to repeat over and over."
Software Medium's Lewellyn advocates specializing in one or two security application types—say, anti-spam in firewalls—and using that as a foot in the door with clients. Similarly, you might scan your customer base for vertical market possibilities and mine them for security applications, such as single sign-on capabilities for hospitals, where there may be multiple security issues but a nurse or doctor wants a simple way to sign on. Attending security conferences is another good way to see what businesses are looking for from security providers.
You're also likely to face the choice of taking the time and costs to make part of your staff proficient in security or in effect buying your talent either through employment, acquisition, or partnership. Most new security resellers elect to subcontract while still getting their security sea legs, and this might not be as expensive as you'd think. There are plenty of talented security engineers out there long on knowledge and experience but short on an infrastructure that allows them to build sales while tied down on jobs. These contractors and the major security vendors tend to seek out one another, so tap your partners for contractor suggestions.
I said it last month, but it's worth repeating: There is no better solution category to pursue today than security. Reseller experts are needed like never before, and the opportunities in security only continue to mushroom. In some ways, security is becoming an even more essential knowledge set than networking because an insecure network can pose a far greater liability to a company than a down network. In a sea of technology topics, nothing is more critical than this.
"Security is clearly a macroeconomic trend we're in the middle of," says D&H's Dan Schwab. "Many people have already begun to take advantage of it, but we're nowhere near the end. This technology is going to continue to improve and create new solution models. Any solution provider that doesn't look for this to be part of their offered portfolio would not only be missing a business opportunity but also leaving themselves open to competitive threats, because end-users are ultimately going to need some expert advice on this technology."