CEO Eric Pulaski argues the need to reduce the complexities and cost of managing security

With the advent of Web services, vendors that specialize in security are being asked to rise to new heights in terms of capabilities and performance. One of the companies that plans to answer that challenge is BindView, which is going to focus specifically on products for Microsoft .Net environments. In an interview with InfoWorld Editor in Chief Michael Vizard and Test Center Director Steve Gillmor, BindView CEO Eric Pulaski talks about Web services security and the crying need to deliver technology that mere mortals can use to make their organizations secure.

InfoWorld: What exactly does BindView do?

InfoWorld: Web services is certainly in the news these days and security, specifically, is seen as a limiting factor to its adoption. What is BindView doing in this space?

Pulaski: [Web services] is obviously new emerging technology that has been deployed by a few but not really by the majority of the folks out there. In general, a lot of people recognize the value of the approach. In terms of Web services, our first venture into that area as far as security management has been with Microsoft .Net Web services. We’ve got a product in beta and we’re hoping to ship [it] before the end of the year. We’re looking to do administration and security management specifically for the .Net platform and specifically for .Net Web services.

InfoWorld: How does your software integrate into a Microsoft environment?

Pulaski: Our stuff plugs into Active Directory. We also will be building a service that runs on the server that runs the .Net Web services. We’ll actually take a vulnerability management approach, looking at how the .Net infrastructure and how the Web services are configured to make sure everything is configured according to policy.
The other part of the approach is roles-based administration, where we actually can implement some new services in conjunction with .Net Web services that will allow customers to add the capability for roles-based administration and auditing of who accessed what Web services when — [all] from a central point of control within the organization.

InfoWorld: In the realm of Web services, the common wisdom is that you don’t need to worry about security inside the enterprise, only when you expose a Web service outside the enterprise. What’s your reaction to that?

Pulaski: I don’t believe that. I think that idea is turning out to be sort of a myth. If you look at where security breaches come from and where financial losses come from that are security-related, some of them come from outside the firewall, but a lot of them come from insiders. Security inside the firewall is just as important, if not more important, than security outside the firewall. I wouldn’t say that security issues are less important just because the system is not being deployed outside the company.

InfoWorld: There seems to be a lot of concern related to security in Microsoft environments. What’s your take on Microsoft security?

Pulaski: The information that’s out there runs the gamut of really valuable, really good security reporting to just sort of speculation on behalf of people [who] don’t really understand the issues. In general, with Microsoft products — as with other platforms right out of the box — some work needs to be done before you can make the systems secure. There [are] certainly a lot of vulnerabilities inherent in the operating system that need to be secured and locked down. I think Microsoft has been very good about quickly dealing with the vulnerabilities, delivering service patches and hot fixes. But [dealing with the vulnerabilities] is quite a bit of work without an automated tool like products from BindView to make sure systems are secured and deployed properly.
I know there are some folks out there [who are] concerned about whether or not Microsoft really has the dedication and focus to really deal with everything across all their products, as far as security goes, in a timely manner. I think the proof will be in the pudding. We’ll just have to see in the coming months and years how good a job Microsoft does there.

InfoWorld: How did this current state of security affairs come about?

Pulaski: One of the ways we got there is that the pressure to deploy new technologies over the Internet and the competitive pressures to drive those technologies has outstripped the ability, in a lot of ways, of folks to be able to understand all the security issues and make sure that these systems are being implemented and deployed properly. Systems are very complicated and there are lots of people out there [who] want to try and break [into] them. There’s also always a struggle within organizations to kind of get the operational things done vs. the security review, and sometimes getting the operational stuff done takes precedence. And then some people just don’t give enough of a priority and enough of a budget to reviewing and ensuring their security compliance, and many of those companies get burned. And it’s a lot easier to ignore the problem than it is to deal with it. We are seeing a trend more recently, especially in the last couple of years, where companies are taking security seriously. People just have to change their mindset and decide that making sure their systems are safe and secure is just a cost of doing business. People need to come up with the mindset that it’s not acceptable to deploy systems and these services over the Internet unless we can ensure [their] security and safety. Hopefully, the tide is turning in that direction.

InfoWorld: What are the important security standards today?
Pulaski: From an access and control point of view and a global perspective, the meta-directory services and the standards involved there are going to be very important. It probably remains to be seen exactly how that’s going to pan out, and what things are going to look like five-plus years from now. We focus a lot on the UDDI and XML and SOAP, and we certainly believe that those kinds of standards are extremely important.

InfoWorld: Why are security products so complex and what can be done about this?

Pulaski: The onus is on the security vendors to make their products easy to use by not just the security gurus. Stuff needs to be running in the background, and hopefully the gurus don’t have to be messing with it every day. When it comes to day-to-day administration, security management vendors like BindView can deliver technology that can drastically simplify a lot of the complexities and translate some of the technical mumbo into business terms that people can understand. We need to be able to explain in plain English instead of “techno-speak” and show people exactly what they need to do to fix the problem. With that kind of technology, we can enable lower-level administrators and even some business process people in the organization to be able to do a lot of the day-to-day administration and reporting and management of security without having to be one of the top three gurus in the company. For example, for password resets, we’ve got a product that allows an organization to let end-users themselves reset their passwords over the Web without even having to call the Help Desk.
Companies are spending hundreds of thousands of dollars in Help Desk costs just on password resets, so this is technology that saves a huge amount of money by pushing that administrative burden down to the end-user where they can go to a Web site and it will ask them — what’s your mother’s maiden name, what’s your social security number — or whatever questions they want to ask, and they can reset their own passwords.

InfoWorld: So at the end of the day, how do you cost justify security?

Pulaski: Applying the right discipline of figuring out how much you want to budget [for] security, how much security is right for your organization, what you need to do, and how to manage risk in your organization is certainly an issue that folks need to deal with. Another one is being able to automate the process of security management. There are a lot of security solutions that dramatically increase the cost of managing IT because they really just create more work for you. For example, let’s say an intrusion detection system just spits out events, and you have to hire a team of people working 24×7 or outsource the stuff to be able to analyze the data. So being able to not only secure the environment but also to automate processes and lower costs is a challenge for organizations. That’s something that we at BindView think we’re particularly very good at. We deliver software to customers that not only can help them manage security but also do automation technology to be able to lower the cost of managing their IT and security infrastructure.