November 2002

The Influence List

The vendors, technologies and people that shaped our past and frame our future.

BY Andrew Briney

IT security is still in its infancy, both as a commercial industry and as a professional pursuit. Other professions--think medicine or accounting or law--adopt standards of practice through decades of research, refinement and trial-and-error. What you're left with in these fields is essentially a "way to do things"... and a way not to.

But IT security isn't like that, at least not yet. Few IT security practitioners can draw from the hard-earned experiences of their professional mentors, because there aren't any at their organizations. There are few time-tested methodologies for solving problems, few absolutes, no "manual" to turn to.

In IT security, it's the technology--specifically, the vendor's commercialization of the technology--that often dictates how we do things. The policies and frameworks and infrastructures and standards we use to guide our decisions are inextricably intertwined with the products we deploy in our organizations. IT security vendors have an extraordinary influence on how "security gets done."

Criteria: 1997-2002

  1. Overall installation base: Product adoption market-wide; measurable influence on the way security is conducted in business and/or consumer markets.
  2. Long-lasting impact on market through technological innovation or unique business strategy.
  3. Successful business model leading to financial success and position relative to direct competition.
  4. Innovative solution to a specific security problem: A significant technological advance that was implemented into commercially viable software/hardware.
  5. Standard setter: Product or technology that set the model for others to follow.

For Information Security's 5th Anniversary Issue, we nominate five IT security vendors who have the greatest impact on how "security gets done" in enterprises and government agencies today. In the spirit of the "5" theme, we also nominate five companies that we think will have the greatest impact on security over the next five years. While these selections are subjective, the nominated companies meet one or more criteria we devised for both categories. The companies are listed in no particular order.

The List: 1997-2002

  1. Check Point Software Technologies
    Contrary to popular opinion, Check Point didn't manufacture the world's first commercial firewall. That honor actually goes to Digital Equipment Corp., whose DEC SEAL firewall first hit the market in 1991, a couple of years before FireWall-1.

    But Check Point can be credited with popularizing firewalls for the enterprise market. Today, some 10 years after founders Gil Shwed, Marius Nacht and Shlomo Kramer first coded FW-1 in a small Israeli apartment owned by Kramer's grandmother, Check Point maintains a corner on the enterprise software firewall market, with more than 40 percent of overall market share, according to IDC.

    That "Check Point" and "firewalls" are synonymous in our security vocabularies is largely due to its introduction of an easy-to-use interface for firewall administration. Just as Apple revolutionized desktop computing with the popularization of a point-and-click GUI, FW-1's interface made granular rule set administration accessible to hundreds of thousands of command line-phobic sysadmins. Today, FW-1's interface is still widely emulated in dozens of security software tools.

    Under the hood, FW-1 also helped popularize stateful-packet inspection technology, which increased the intelligence of the traditional packet-filtering firewall by enabling the software to make contextual traffic-filtering decisions.

    Check Point also forged the market for security appliances through its long-standing partnership with Nokia. Check Point's preinstalled FW-1 on Nokia hardware eased IT administration pains while dramatically reducing total cost of ownership. Other security appliances preceded it, but few have stood the test of time as well as FW-1 on Nokia.

    Beyond FW-1, Check Point also was an early innovator in VPN technologies, and was the first security vendor to market a bundled firewall and VPN on one box. The company also helped commercialize the use of network address translation (NAT), which has all but eliminated the problem of diminishing IPv4 addresses.

    On the business side, Check Point's Open Platform for Security (OPSEC) program remains the standard-bearer for multivendor security partnerships. More than 325 vendors are now OPSEC partners, offering consumers a smorgasbord of interoperable best-of-breed security products.

  2. Internet Security Systems
    The story of ISS is a familiar tale: smart guy has great idea. The guy: Christopher Klaus, a 19-year-old Georgia Tech student inspired by William Gibson's Neuromancer. The idea: a technology that would actively identify and recommend corrective actions to network security problems.

    Born out of the marriage between guy and idea was the security industry's first commercial vulnerability scanner, Internet Scanner. When Klaus offered the tool as freeware on the newfound Internet, the response was overwhelming. In 1992, he joined forces with Thomas Noonan--then and now the company's president and CEO--and released a commercial version of the tool.

    In the 10 years since its release, Internet Scanner and its offspring--System Scanner, Database Scanner and the recently released Wireless Scanner--have helped transform vulnerability assessment from a back-office black art into an integral component of enterprise risk management.

    Some would argue that freeware scanners such as COPS, Nmap, Nessus or Whisker outperform Internet Scanner in sheer technical analysis. But few would dispute the utility of the tool's output. More to the point: Internet Scanner's use of colorful pie charts and bar graphs to display the network's soft spots has persuaded thousands of executives and boards to open the checkbook.

    In the decade since Klaus and Noonan launched the firm, ISS has grown into a quarter-billion dollar company with more than 10,000 corporate customers. The Atlanta firm has also rolled out a market-leading IDS (RealSecure, now in version 7, see Test Center), developed a top security research/pen-testing team (the X-Force), and acquired a managed monitoring service, Netrex.

  3. RSA Security
    How does one measure a company's influence? Try this: Today, RSA Security is the innovator of the world's most widely used public-key algorithm, the owner of the world's market-leading authentication hardware, and the sponsor of the industry's largest conference and trade show. 'Nuff said?

    Yet with all these irons in the fire, RSA Security's place on this list boils down to this: Much of the Internet is built on top of the RSA algorithm and RSA Security licenses. The impact of Ron Rivest, Adi Shamir and Leonard Adleman on cryptography cannot be overstated. The RSA public-key algorithm was one of the 20th century's great technical innovations, an elegant solution to one of the field's previously "unsolvable" problems: How do you maintain authentication and confidentiality in distributed systems and securely exchange cryptographic keys over an insecure channel?

    Today, RSA remains the industry's most studied, poked, prodded and tested public algorithm. While later public-key cryptosystems have their advantages in some contexts--e.g., the use of ECC in thin-client devices--none has come close to duplicating the ingenuity of RSA's use of one-way functions.

    Credit RSA (the company) with brilliantly capitalizing on RSA (the algorithm). Before the company's patent expired two years ago, it made a mint on licensing RSA for thousands of commercial and custom applications, not the least of which are Navigator and IE.

    RSA Data Security's acquisition by Security Dynamics in 1996 brought another industry-leading product into the coffers: SecurID, the undisputed heavyweight champion of token-based authentication. The merged company reformed under the name "RSA Security" in 2000. Last December, under the leadership of CEO Art Coviello, RSA shipped its 10 millionth SecurID token.

    Then there's the company's annual RSA Conference, consistently the best-attended security convention in the world, with more than 12,000 annual attendees. RSA is the Palm Restaurant of security shows: a hot spot for wheeling and dealing, a place to be seen and heard, a den of business deals, budding partnerships and job hunting.

    5 Most Influential Non-Vendors

    The knowledge management field has a term for people who bridge disparate groups within an organization: "border crossers." In many ways, the information security field is held together by a handful of non-vendor border crossers, organizations that unify disparate constituencies through knowledge dissemination. Without these border crossers, IT security would be stuck in the Stone Age--or at least the Middle Ages.

    1. The International Information Systems Security Certification Consortium--(ISC)2--just announced its 10,000th Certified Information Systems Security Professional (CISSP). With its rocketing growth over the last few years--in just over 12 months, the number of CISSPs has nearly doubled--the credential is the field's de facto professional certification, thereby exerting tremendous influence on how security gets done.

    2. Information security and IS audit are like Siamese twins: they can't exist without each other, yet their symbiosis often results in tension. With more than 26,000 members in 100-plus countries, the Information Systems Audit and Control Association (ISACA) has taught a generation of CISA-certified professionals about the synergies between systems security and audit. While IT security would be loath to admit it, ISACA's influence can only improve corporate security.

    3. The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). The only thing worse than the government reading your e-mail is your competitors doing it. Whatever their politics--and in spite of recognized weaknesses--if NIST and the NSA hadn't provided DES to us on a silver platter, we'd undoubtedly be using a bunch of exploitable proprietary algorithms. The Orange Book was flawed, but given what we knew at the time, it was a brilliant piece of work that still has a huge influence on the security functionality of all current operating systems. We wouldn't have the technology we have today without NIST and the NSA.

    4. The SANS Institute has taken a tactical educational approach that complements the strategic approach of the CISSP. In a very short period of time, SANS has significantly raised the state of the art for hands-on security administration and investigation.

    5. The British Standards Institute and The International Organization for Standardization (ISO). While few immediately recognize the ISO's relationship to security, ISO 9000 has had a significant effect on infosec. ISO's formalization of the British Security standard, BS 7799, has made it acceptable to the world.

    -Jay Heiser

    Criteria: 2003-2008

    1. Unique value proposition: Innovative technology or business strategy marks a significant departure from conventional approaches/methodologies.
    2. Strong market position: Large current or prospective installation base. Measurable market demand for product offering.
    3. Defined execution path: Sets attainable goals and has clear strategy for reaching them.
    4. Likelihood of success: Has financial means, intellectual property and executive talent to translate mind share into market share.

  4. Network Associates
    Some people will question NAI's place on this list. Heck, the Santa Clara, Calif., software firm is barely in the security game at all these days, what with its recent divestitures of the CyberCop IDS, Gauntlet firewall and PGP lines.

    And here's the ironic part: the slimmed-down 2002 version of Network Associates is a much healthier company than the bulked-up "security suite" behemoth of 1999. Regardless of Network Associates' current business focus (Topic: Is NAI a security vendor or not? Discuss!), it's hard to deny its influence on the security industry over the past half-decade.

    Mind you, this is not to say the influence was always positive. For two years in the late 1990s, former CEO Bill Larson was the poster child for how not to run a software firm.

    Larson built NAI into the world's largest security vendor through a flurry of acquisitions in the 1990s, driving annual revenues--most of it generated by the acquisitions' carry-over licenses--to nearly $1 billion. The core of the company was formed in late 1997 when Network General and McAfee joined forces, followed soon thereafter by the acquisitions of Trusted Information Systems, Secure Networks and PGP.

    What followed, in 1998, was a misguided attempt to bundle all these disparate technologies into a one-for-all security suite. The market didn't buy it, and NAI revenues began drying up.

    In June 1999, the company got caught with millions of dollars of product backed up in the channel, as enterprise IT shops froze security spending to focus their resources on Y2K remediation. Spending loosened up in early 2000, but the company still floundered. At a time when the shares of many IT companies shot into the triple digits, NAI lost millions and struggled to break $10 a share.

    Still, Larson made the kinds of bets other vendors were too scared to. The failure of "security suites" to catch on was a bellwether for many security firms to follow. Larson was a visionary--a failed visionary, yes--but a visionary nonetheless.

    Today, the slimmed-down NAI still offers a handful of security products--that is, products with security features. Its McAfee antivirus line continues to perform well, firmly entrenched as the industry's number two seller behind Symantec's NAV.

    Meanwhile, NAI's on-again, off-again love affair with McAfee--first a part of NAI, then an independent spin-off, now reunited--has reached a resolution, at least for the time being. And new CEO George Samenuk is enjoying a return to corporate health on the shoulders of the company's always-popular SnifferPro line of network management tools. The company is also forging new territory with a content management product, ePolicy Orchestrator, that lets you administer different brands of AV software from a central console.

    5 Cool Technologies

    It's one thing to own the market, and quite another to be looking to gain a foothold. Here are five to watch--new companies with new technology.

    1. Cenzic Hailstorm: If Microsoft had the Hailstorm product for security quality assurance, we just might be in a completely different world. Hailstorm is an automated "hack-in-a-box" used to identify software bugs before they proliferate.

    2. AirDefense WLAN Intrusion Protection and Management Systems: It doesn't quite roll off the tongue, but don't hold that against it. The AirDefense WLANIPMS can be deployed as a "wireless force field" to identify WLANs, inspect for vulnerabilities and monitor for WLAN threats.

    3. Akonix L7: Instant messaging is the name of the communication game--Gartner predicts that 70 percent of corporate employees will use IM by 2003. But IM also gives the security folks fits. Akonix's L7 IM security gateway makes public IM safe for corporate consumption with its authentication, access control, content filtering and auditing capabilities.

    4. ForeScout ActiveScout: Saddled with false positives? The ActiveScout system acts as a threat identification and prevention system to repel attacks. With just a taste of honey(pot) but no management stickiness, this solution lends a hand in the threat management space.

    5. Okena StormSystem: Say goodbye to signature-based antivirus software. The StormSystem turns the tables on "blacklists" by providing a policy-based "whitelist" approach that doesn't need immediate updates to protect against tomorrow's viruses.

    -Pete Lindstrom

  5. Computer Associates
    Love 'em or hate 'em, you have to admire CA's staying power. Despite countless SEC inquiries and at least one attempted takeover bid by a rogue shareholder, the Islandia, N.Y., software giant is like the Energizer Bunny: it keeps going...and going.

    There's an old joke about how all CA products have an infinite end-of-life cycle cost. They get so firmly embedded into your infrastructure that it's impossible to get them out. When CA acquired Cheyenne Software and its InocuLAN AV solution in 1996--marking the beginning of its push into the security space--it was already entrenched in many large enterprises via its ACF2 and Unicenter management systems. Under CEO Sanjay Kumar, CA has steadily built up its security portfolio in hopes of gaining similar infrastructure penetration.

    CA's security suite, called eTrust, got its official launch in 1999 when CA snapped up Platinum Technologies, which at the time was itself a conglomeration of acquired security firms, including AbirNet and Memco. Cisco-like, CA quickly rounded out its portfolio with the acquisitions of Cybec (AV), Snare Networks (VPN) and Security-7 (content scanning).

    eTrust's packaging has changed several times over the years, its most recent incarnation appearing this past April. In response to the growing demand for holistic enterprise security management systems, CA launched three eTrust management modules focused on different enterprise security challenges: identity management, access management and threat management.

    This fall, it introduced the eTrust Security Command Center, which one company spokesman likened to "a Unicenter for the security environment." Command Center collects, correlates and controls logs, events and alerts from disparate networking and security devices, including CA's own gear and that of partners Check Point and Cisco. Command Center is also an effort to capitalize on the perceived demand for combined physical/digital security management systems. The suite includes eTrust 20/20, a combination physical and logical access control/tracking system.

    It's rare that any one of the point products in the eTrust suite leads its category in either market share or stripped-down technical robustness. But all eTrust products have a solid technical foundation, and CA's constant repackaging of the suite into useful management pods makes it hard to ignore--particularly by the companies in CA's enormous legacy customer base.


The List: 2003-2008

And now for the list of companies that have the potential to frame the next five years the way that Check Point, ISS, RSA, NAI and CA have shaped the past five...

  1. Symantec
    Ask your neighbor Bob to name the first thing that comes to mind when you say "Internet security." Chances are he'll say "virus"...or, hopefully, "antivirus."

    Of all security technologies, AV is the world's most widely deployed, and Symantec is the world's number one seller of AV. Put one and one together, and it adds up to a spot on this list.

    But Symantec is much more than that. It's a 20-year-old company that has been built on the business principle that if you're not moving forward, you're moving backward. When you look at the list of companies Symantec has acquired over the years--a list long enough to fill this page--you come to one of two conclusions: Either Symantec is rudderless, changing directions with the wind; or, Symantec is constantly battling for market dominance by building mind-share and acquiring complementary technologies.

    Symantec hasn't always been a "security vendor," but that's where its focus has been the last few years under chairman John Thompson. And while not all of Symantec's acquisitions have worked according to plan--has anyone heard of Living VideoText?--its growth plan has executed right on target. In a few short years, Symantec has exploded from a $100 million company to the industry's largest vendor, with more than $1 billion in annual revenue. The list of security products and services it offers is exhaustive. In addition to AV for the gateway, server and desktop, there are firewalls, both software and hardware, gateway and PC; IDSes, both HIDS and NIDS; Web security; access control; enterprise security management; security alert services; managed monitoring... you name it.

    All of this fits into Symantec's grand vision for the next five years: dominance of both the enterprise and consumer security markets. In large enterprises, the company is pushing an integrated security management system that covers policy and configuration management on multiple platforms; heterogeneous security device management; log, alert and data mining and consolidation; and granular management of client software on devices of all shapes and sizes. For the SMB and SOHO markets, Symantec is aggressively pushing its all-in-one security appliances. And for the consumer market, the company is attempting to make its PC firewall and desktop management software as common as its AV software is today.

  2. Microsoft
    Hardened infosec veterans may scream at the inclusion of Microsoft on this list. After all, Windows is the root of all evil, right?

    But like it or not, the software giant has had an undeniable impact on IT security, and its influence--for better or for worse--will continue over the next half-decade and beyond.

    That Microsoft has a history of sacrificing security at the altar of functionality only reinforces its impact on the security industry. The very livelihood of hundreds of niche infosecurity vendors depends on two things: Microsoft's ubiquity in business computing, and the never-ending discovery of security vulnerabilities in its software. Without both, the annual demand for $15 billion worth of security gateways, scanners, monitoring devices, threat management tools and security add-ons would be greatly diminished.

    Microsoft supporters argue that Windows gets an inordinate amount of hacker attention because of its market dominance, that any software with its install base would suffer the same trashing by the security cognoscenti. Philosophical debates aside, much of the recent innovation in IT security--including that by Microsoft itself--is in direct response to weaknesses (perceived or real) in Microsoft-developed products and protocols.

    Over the next five years, Microsoft is poised to have an even greater influence on security--good, bad or both. In a few months, we'll begin to see if Bill Gates's "Trustworthy Computing" pledge bears fruit or is merely marketing hype. Now that Microsoft programmers have finished security boot camp, you can expect future Windows NOSes and apps to be more secure, much as Windows 2000 improved on the security of NT 4.0. Even the cynics must admit that Win2K's security is a giant leap over NT 4.0's.

    Today, we're only beginning to realize the impact of Microsoft's .NET platform. Like no other current technology or initiative, .NET is meeting the industry's enormous need for distributed authentication head-on. Over the next five years, the security scrutiny on .NET will far overshadow that on Windows 2000. Similarly, Microsoft's Palladium initiative will help lock down Windows PCs, making it much harder to run unlicensed software.

    Will Windows ever be likened to a "trusted OS?" Unlikely. But Microsoft is paying more attention to security, and over the next five years that will have an unmistakable effect on how we secure our enterprise systems.

  3. Cisco Systems
    Some people will argue that Cisco is a better fit on the 1997-2002 Influence List, and they might be right: Cisco was "doing" security long before many of today's security vendors even existed.

    Although most users didn't consider it a security function at the time, Cisco started implementing packet filtering in their routers in the late 1980s. In the mid-1990s, the firm began rolling out VPN routers; and in early 2000, it acquired Altiga, whose technology is now the centerpiece of the popular Cisco VPN 2000-series remote access VPN server. And, of course, there's the core IOS itself, which has steadily improved in security functionality over the last decade.

    In the 1990s, Cisco made two major security acquisitions: Network Translation in 1995 and the WheelGroup in 1998. At the time, Cisco was snapping up more than a dozen companies a year--often five or six a month--so no one could have predicted the impact these two purchases would have on the security industry.

    Today, Network Translation's NAT firewall--originally called Private Internet Exchange, later shortened to simply PIX--has been re-engineered into industry-leading firewall hardware, earning a permanent spot (along with FireWall-1) on every prospective buyer's short list.

    Similarly, the former NetRanger IDS, now simply called the Cisco IDS, battles head to head with ISS's RealSecure for market dominance. Both PIX and Cisco IDS are emblematic of Cisco's knack for building acquired technologies into long-term market successes.

    Going forward, Cisco insiders claim that IT security is one of CEO John Chambers's four major focuses. This is perhaps most evident in Cisco's SAFE Blueprint, an overarching strategy for security based on the company's Architecture for Voice, Video and Integrated Data (AVVID). Introduced two years ago, the SAFE Blueprint specifies security deployment and management processes for different-sized enterprises, from very large multinational firms to SOHOs. The SAFE strategy takes a modular approach to security, identifying security threats, responses, and performance and management issues in various "blocks" of the network architecture.

    While SAFE modules are designed specifically for Cisco (and Cisco partner) products, the SAFE strategy as a whole symbolizes a larger market shift away from a point-product philosophy and toward an evolutionary process model. Though Cisco is a market-leading vendor of many security point products, the SAFE Blueprint institutionalizes the idea that the "security whole" is much greater than the sum of its parts. And while Cisco may not be the only vendor to recognize this paradigm shift, it's perhaps best positioned to see it through.

  4. IBM/Tivoli
    There's an old adage about Big Blue: it's got the capital, market presence and customer ties to compete in any IT-related market it darn well pleases. IBM's Tivoli unit set its sights on the enterprise access management space about three years ago, and in many people's minds it is best positioned to own the burgeoning identity management market going forward.

    Never heard of identity management? You soon will. The core of Web services--which everybody's heard about--is essentially distributed identity management, the ability to automate user access rights to applications and resources according to a predefined policy. Most people think of IT security in terms of threat management, but the fastest-growing security market may be security management, including AAA and identity management.

    IBM forged an early lead in this space when it acquired Dascom's IntraVerse access control suite in 1999. IntraVerse was rolled into the Tivoli Policy Director access management suite, a reverse proxy-based tool that provides single sign-on for Web-based applications.

    Big Blue's acquisition of Access360 and its enRole software this past spring rounds out the firm's portfolio of identity management solutions. With new CEO Sam Palmisano at the helm, the company now has competitive offerings in life cycle management, AAA, privacy management and more. As enterprises of all sizes grapple with the increased complexity and resource drain of user access provisioning, IBM/Tivoli is ideally positioned to grab a significant chunk of a market expected to grow in excess of 30 percent per year over the next five years.

  5. Tripwire/Sourcefire
    To this point, the vendors in the Influence List have all had one thing in common: they're successful, self-sustained public companies. Though they lack the resources and muscle of their larger competitors, Tripwire and Sourcefire are examples of how a small, privately funded startup can impact enterprise security in coming years.

    Sourcefire and Tripwire have a lot in common, and we just couldn't bring ourselves to choose one over the other. So we're modifying the Influence List rules to include both.

    Tripwire and Sourcefire have many common roots. In both cases, the company's founder had a great idea for a new approach to intrusion detection and released an open-source freeware version of the tool. In both cases, the freeware was hugely successful, deployed in far more organizations than any commercial IDS. And in both cases, the founder built a commercial product and company around the freeware.

    Tripwire cocreator Gene Kim developed the industry's first file-integrity assessment scanner under the tutelage of Purdue University security maven Gene Spafford (see "5 Infosec Heroes." Also, Spafford's crystal ball column). Since Tripwire's release in 1992, more than 1 million copies have been downloaded, 250,000 of which are still in use.

    Sourcefire founder Martin Roesch wrote Snort, a lightweight hybrid NIDS, over one weekend in 1998. Today, an estimated 500,000 copies are used in corporations and government agencies around the world. In early 2001, Roesch launched Sourcefire (the company) and a Snort-based commercial appliance by the same name.

    At a time when commercial IDSes are widely criticized for their high price and lack of robustness, Tripwire and Snort enjoy cult-like followings, particularly among the techie-admin crowd. Over the next five years, the convergence of three trends should help both companies become successful.

    First, both companies will expand their application base and product portfolios. Tripwire has already done this to an extent, by introducing multiplatform versions of the FIA tool and developing Tripwire for a variety of networking devices, including routers.

    Second, Tripwire and Snort are both unique technologies. Sure, there are plenty of commercial IDSes that perform similar functions, but none do it as well or as completely.

    And third, the freeware Tripwire/Snort users of today are tomorrow's security managers and department directors. When these folks have larger security budgets and purchasing authority, it's not hard to figure out which IDSes they'll buy.


    ANDREW BRINEY is editor-in-chief of Information Security.





Copyright 2002 TechTarget