Monthly Research Update

Best Practices for Server Virtualization

Many company managers are looking for ways to increase the efficiency of data center systems. Server sprawl over the last decade has brought companies to a point where individual servers are built for specific applications. This has led to servers with utilization rates in the low teens or less, with a concomitant rise in the space needed to house these inefficient servers, as well as the increased cost of electricity to power and cool these systems. In an effort to rein in this spending, IT executives are looking towards server virtualization as a way to consolidate multiple applications onto single servers to reduce space requirements and increase systems efficiency. While products such as VMware Inc.'s ESX Servers, Citrix Systems Inc.'s XenServer and Microsoft Corp.'s Hyper-V have been offered as solutions, each has its own benefits, risks, and costs that need to be evaluated to determine which implementation would make the most sense for a given enterprise.

Experton Group believes server virtualization can help improve the utilization of data center space and energy resources, but the cost savings expected from having multiple applications on a single server will be offset by virtualization and security costs, as well as the costs associated with implementing high availability architectures. Server virtualization should be implemented incrementally, with lower criticality applications that run on common operating environments. IT executives should ensure detailed planning is conducted to make sure virtualized servers have adequate security and management, in order to minimize the risks associated with consolidating multiple applications onto one platform.


Vulnerability Analysis

Experton Group defines vulnerability analysis (VA), also known as vulnerability assessment, as a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. In 2008, the vulnerability assessment market is in a state of flux. While the VA tools of old only tested for host and network vulnerabilities, vendors are trying to evolve their products to address more functionality.

VA Tools – more than just the software: It is important to note that while VA tools are mature and, for the most part, quite easy to use, to create ROI they must be used by trained information security staff as part of an information security operations paradigm.

VA Products: VA is an essential component of an effective security program. VA initially provides discovery and security baseline data, and periodic rescanning provides updated data for vulnerability management, trending and compliance reporting. VA tools provide a bottom-up security baseline for the IT environment from a database of known vulnerabilities.

The VA market is a mature segment that includes:

  • Two large vendors (IBM ISS and McAfee) that sell VA technology and also integrate it with related security products
  • One vendor (Qualys) that is focused primarily on delivering VA as a service
  • Over a dozen smaller point solution vendors that provide a mix of software-, appliance- and/or service-based offerings

Revenue in the VA market is spread thinly across these vendors, and all must compete with each other, as well as with Nessus and professional service offerings from consultancies. This situation introduces a viability risk for the smaller vendors in the market.

Vendor details:

IBM ISS
  • Good choice for companies that are already using related security products from these vendors, and for companies that favor larger, stable vendors.

McAfee
  • Good choice for companies that are already using related security products from these vendors, and for companies that favor larger, stable vendors.

Qualys
  • Good for companies that want VA as a service and those that need VA from a third party for compliance or audit requirements.
  • Most successful provider of VA scanning and appliances as a service

Beyond Security
  • Good for companies that want VA as a service and those that need VA from a third party for compliance or audit requirements.
  • Provide VA appliances as a product offering as well as a service

Critical Watch
  • Good for companies that want VA as a service and those that need VA from a third party for compliance or audit requirements.
  • Provide VA appliances as a product offering as well as a service

eEye
  • Strong security research resources,

nCircle
  • Good choice for large organizations that want an appliance-based solution and the ability to baseline against configuration standards.

Tenable
  • Good option for organizations that have Nessus expertise but also require centralized administration and reporting

Symantec
  • Offered as part of the Control Compliance Suite for Internet Security, but not offered as a stand-alone product.


Preparing for Cloud Computing

Many clients are looking at the hype surrounding cloud computing and trying to figure out what is real and potentially worth investing in and what should be avoided. In addition, clients are confused about the different types of services that might constitute cloud computing and how they should go about integrating them into their enterprise.

The need for reducing costs and increasing agility and flexibility in today's business environment has led many companies to consider using server virtualization as a way to save costs and increase efficiency. Cloud computing is a new concept for (largely) virtualized services that may provide the ability for IT executives to rapidly add or reduce capacity to better align with dynamic business requirements. This flexibility does not come without costs; IT executives should understand all the costs associated with integrating cloud computing services into the enterprise. These are not just capital and operational costs, but also involve the fundamental change in the relationship with computing services to all of IT's "seven Ps." Cloud computing environments are likely to increase the complexity of the enterprise, which increases the need for well-designed network infrastructure and security policies.

Cloud computing will be good for some types of applications and processes, but not all. IT executives should look at each application and process in the context of their business requirements, to determine which ones are the best candidates for cloud computing, and how these applications will integrate external services with the rest of the enterprise infrastructure.


Coping with IT Funding Dilemmas in a Down Economy

Experton Group believes cuts in project funding and desired holdbacks in discretionary funding should not be allowed to bring IT infrastructure improvements to a standstill. While the economic downturn is expected to last at least through the end of 2009, IT and LOB executives will require upgrades to cope with changing business requirements and seize new sources of revenue.

IT executives should work with Finance and LOB executives to understand how IT enablement can best deliver to evolving business requirements and work within the organization and with lenders to utilize the most appropriate funding mechanisms for essential projects. Additionally, the success of many projects will rely on the enterprise's continued upgrades and investments in data de-duplication, infrastructure consolidation, and virtualization.

Leasing, outsourcing, and sale/leaseback can enable enterprises to acquire needed goods and services in an off-balance sheet manner, and should be seriously considered. IT and Finance should also ensure that proper due diligence is performed on all current and future lending partners as expertise, portfolio strength, and service level stability are not guaranteed.


Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business co-operations, investments and mergers.