Copyright © 2002 John Zipperer unless indicated otherwise.
(03/07/02) At Cannes, France, recently, Microsoft and Texas Instruments took enough time off from the beaches to unveil their reference package that combines the Microsoft Windows-powered Smartphone 2002 software with OMAP (open multimedia application platform) processors and GPRS technology from Texas Instruments. The reference design is intended to give manufacturers a roadmap for bringing products to market that take advantage of the smartphones' data capabilities.
"Our work with TI on a reference design for Smartphone 2002 enables new and existing manufacturers to enter the smartphone market without large investments in software, radio, or electrical engineering," says Ed Suwanjindar, product manager for Microsoft's Mobility Division. "Instead, they can leverage the expertise and economies of scale we and our partners provide while focusing on their own strengths, whether that's brand, industrial design, retail and distribution presence, or low-cost manufacturing." Taipei-based Compal is the first ODM (original design manufacturer) to announce its efforts to use the reference design to make a Smartphone 2002-based product.
For Texas Instruments, it is part of the company's aggressive approach toward the smart-phone market. In the view of Richard Kerslake, TI's marketing manager for wireless computing, the timing is a matter of a grand convergence of technology developments in the PDA and mobile phone markets that are making the technology not only viable but desirable for business users.
"In the last few years, in terms of innovation, what we have seen is about making them smaller and making them cheaper and making the talk-time longer. But the basic functionality has been unchanged," says Kerslake. Now, with 3G and 2.5G technologies, data can be used in more interesting ways. "For Texas Instruments, products like the Microsoft Stinger are starting to offer really interesting services. You can search the Web, use MP3s, even look at video clips. That's starting to offer a really interesting dynamic in the marketplace for the end user."
Those benefits for the end user of the Windows Powered Smartphone 2002 include a combination of voice and data communications, tied into familiar Windows applications to handle e-mail, calendaring, contacts, media, and messaging, says Suwanjindar.
TI intends to be a very active player in the ongoing transition to smartphones, according to Kerslake. At the same time it made its Microsoft announcement, it also announced its involvement in HP's Jornada 928 Wireless Digital Assistant. TI aims to be the hardware behind the software. Noting that the Microsoft Stinger platform is, "from a hardware perspective, very much TI's baby," Kerslake says the majority of the silicon is from his company. The Microsoft and HP initiatives -- as well as one from Nokia -- use TI's OMAP processor for a low-power solution.
Noting that the Microsoft Smartphone platform uses a single chip rather than a dual-chip approach, Kerslake says the GSM (Global System for Mobile communications) market is technologically mature enough to do this. "3G is a very immature market," says Kerslake. "It will take a little time to shake out. In those markets, we have a stand-alone modem, and we bolt onto that a separate chip that has been architected for very high levels of multimedia performance. In the GSM market, with Smartphone 2002, it's a much more mature market. GPRS (General Packet Radio Service) is maturing rapidly this year, so the route we've chosen is to combine them on one piece of silicon. At the system level, we save as well, because we only need one external memory. It makes solutions smaller and cheaper."
Easy to Digest
The Key Words in ERP Today are Web Enablement, Modularity, and Open Standards. Together, They Spread the Technology
By John Zipperer
(03/01/02) When Carreker Corp. wanted to find out if its corporate vision could be matched with its IT resources, it set up a team to do a gap analysis about 18 months ago. Lori Faris, the company's senior vice president and a member of that team, says it found that the resources came up short, so the hunt was on for a vendor who could offer an integrated solution.
Carreker, which provides consulting and software solutions to the financial industry, wanted a solution that matched its needs and no more; no need here for manufacturing features. It went with PeopleSoft, cherry-picking modules within the finance and human-resources packages, as well as selecting analytics, CRM, employee and supplier portals. All in all, Carreker seems happy with its selection, as it rolls out the modules at its own pace. "Even though we purchased so many modules, we are actually implementing them in a modular approach," says Faris.
And the return on that investment is already becoming clear. With the rollout of the browser-based employee portal, Carreker is gaining from the do-it-yourself impulse of the employee. "We used to spend 72 hours every two weeks re-keying time sheets; that doesn't include the re-keying of expense reports," says Faris. "Now, by making them self-service, the employees key them right into the system."
Modules and browsers. Those seem to be the selling points for ERP vendors and users alike. Add open standards, and you get the full view of how ERP is being marketed today and the wiser ways that companies are using it.
Large ERP solutions providers such as Oracle or PeopleSoft say that they understand that ERP scares some people (see "Getting the Most out of ERP," February 2002, p. 18). It is by definition heavy-duty, headache-inducing stuff, tying together an organization's many data centers and making it available to employees throughout the organization.
These vendors, therefore, are touting modular versions of their suites. This approach not only makes it easier for large enterprises to take ERP projects in bite-size chunks, but it lets mid-size companies that can't afford the time or expense of a full-fledged solution take advantage of portions of the automation technology.
"The biggest misconception about mid-market is that 'smaller is simpler,'" says Jeffrey Read, general manager and vice president for PeopleSoft's mid-market efforts. "But mid-market doesn't have the budget, they have too-small IT departments, and they don't have a lot of time. They need to see results from a project within one quarter, instead of one or two years." Read says those companies typically have older technology infrastructure, because they repaired rather than replaced systems for Y2K; now, they may be a juicy market for new systems.
Companies of all sizes are therefore getting systems that are easier to digest and -- to break that analogy -- are easier to manage, whether it's through administrative portals, programmer-friendly languages, or easier integration with third-party software. "We realize there are legacy systems," says Rollings, suggesting that Oracle has been the victim of slow-changing perceptions of its systems. "It's just realistic."
One reality is that management sometimes requires special ERP management software, such as the products from BMC Software. It offers solutions for industry leaders Oracle, PeopleSoft, and SAP.
Yakov Dekel, vice president and general manager of ERP for BMC, uses SAP as an example of how the ERP kingpins are adapting. "Originally, SAP was not in the Internet world at all, and it was just a plain legacy system for legacy ERP systems," he says. "Today, they are moving more and more toward an open structure based on the core technology of SAP." As a result, SAP is moving deeper into Java territory, to enable its users to do much of their SAP work in that language. And like other ERP providers, SAP is embracing the Web, making modules Web-enabled.
Finding the Right System
This is happening because all of the acronyms are related. Why would you have an ERP system that doesn't connect to your SCM and CRM? Why wouldn't you have business intelligence running on every available data application? Why wouldn't your HR system be accessible through every employee's intranet portal?
PeopleSoft clearly has adopted the idea of ERP extending beyond the enterprise walls. John Webb, PeopleSoft's vice president of product management for supply-chain management, says this "differentiates what we do now from what we did in a client-server mode three or four years ago." The Web is probably the biggest change at PeopleSoft, which had been slow to recognize its transformative power, but the company has, as they say, gotten religion.
Rollings calls the Web option "a gift of the technology gods that we get this free vehicle." The work to get there isn't free, but companies can experience major savings from not having to standardize their departments and suppliers all on one technology. Instead, you can extend to them a portal view or use an exchange; use XML messaging with the exchanges to get data from them, even if they're not on the same platform. That allows companies not only to take this rolling automation effort in digestible chunks but lets them bring in additional departments or partners one at a time, bring them up to speed, and then extend it further. "That's another lesson learned: Don't try to pull in everyone at once," says Rollings.
The enterprise-automation projects will last years, not months, and being able to get parts of them up and running early in the process can be important for proving the value of the investment.
(03/01/02) Some call it the last holdout to automation. More than a few want to deepen their involvement with it to leverage their existing ERP investments. And almost everyone eyes it for potential savings. It's the corporate payment process, and to examine the way many companies do invoicing and bill presentment is to make one wonder if the technology revolution ever occurred at all.
That's finally changing, and its effects are producing some big smiles on the faces of accounting executives.
Take the obvious relief evident in Pam Miller, for example. She is the accounts-payable manager for BMC West, a building-materials provider and retailer. As the company grew rapidly through acquisitions, its avalanche of paper invoices and related paperwork was building, too. Its method of handling the flood was to make copies of invoices, key them into the system, send them to the company's various branch locations for verification, and then match them up. "We were essentially in the documents-shipping business," jokes Miller. But her department did more than just ship the documents -- it had to store them, too. As a result, it had 33 file cabinets and two clerks who did nothing but staple, sort, and file.
Compare that to her situation today, in which her company has added 14 more locations than it had in 1997, but she has "four fewer people doing the work," says Miller. "We only have one filing cabinet where we keep some files and M&Ms."
That dramatic turnaround came as a result of BMC's search for a way to store the paper and keep track of invoices and checks. The company went with a solution from Optika Inc. that substitutes digital imaging and transmission of invoices for paper and human transport. Now data are scanned into the Optika system, and someone opens up an image of the invoice and a form, in which the information is keyed. Those data then go into the Oracle financials system, as well as being saved in the imaging system for later retrieval.
BMC West selected Optika over its main rival because it was cheaper and it had a Web solution, which allows all of those BMC West offices to look at invoices online, rather than wait for paper versions. As a result, the company saved considerable time in data entry. "It was truly a surprise to us how efficient it is," says Miller.
Making Life Easier
"Our accounts-payable customers have always asked for things along the lines of reducing manual processes," says Caroline Crothers, accounts payable products-strategy manager at PeopleSoft. That fits in with the response the company has built into its line of PeopleSoft 8 products, weaving analytics and portals throughout to give people ready access to useful information. In the case of payments, PeopleSoft's MarketPay gives buyers and sellers their own portal views of invoices where they can check the status of invoices, calculate savings from decreasing the time of outstanding sales, and engage in dispute resolution.
The Web thus becomes the substitute for the post office, saving time and consolidating actions. "The buyer is not going to look to multiple Web sites to get invoices," says Raphael Bres, product strategy manager for PeopleSoft financials. "They would prefer to have multiple invoices consolidated in one place."
Richard Foudy, CEO of National Decision Systems, an e-business consultancy, agrees that integration is making things easier. "There are many stovepipes in business, and clients and customers want a single invoice or bill."
It's not uncommon to hear people in this industry say there really is only one serious option for payment processes: Buy, not build. Some of the people saying that have an interest in the answer, of course, because they provide products they want to have bought. But there are other reasons for the lopsided verdicts, such as the increased reach and maturity of ERP technologies from Oracle, PeopleSoft, SAP, and other players, so they may be better extensions on your system than a homegrown one. And smaller users usually can't afford to build anyway.
Another obvious reason is that organizations just wish to use their precious IT resources in other ways than this. Jonathan Gossels, president of consultancy firm SystemExperts, says, "I never hear anyone wringing their hands saying 'What am I going to do with payment?'" Instead, he says, they typically analyze their buy-versus-build options and then go pay attention to more-pressing parts of their businesses.
The core team of Fidesic, an electronic invoicing and payment company, came from a bill-paying venture at Microsoft. The target for their two-year-old company is the paper-intensive and error-prone payment system. "It's entirely manual," says Fidesic CEO Naseem Tuffaha of much of the payment world. "You essentially have the movement of data from electronic systems to paper and back into electronic systems, several different times during the payment process."
His company's solution streamlines the process by introducing Web-based and e-mail-based invoice transmission and approval, and tying it to electronic fund transfer. Fidesic's target audience is small and mid-size organizations, but payment is an area that brings companies of those sizes into direct contact with the hearts of the big enterprises. Mid-market companies, after all, are often suppliers to large organizations. Smaller companies are also, unfortunately, often the last ones to be paid. Getting them onto automated payment systems is therefore a help to every type of company.
But all companies will benefit from not having to re-key invoices multiple times. They can get the bills to the customers earlier, start the clock on payment due dates earlier, and -- depending on the completeness of their payment solution -- receive and bank the payment earlier.
Foudy gives the example of a B2B company that, before automation, had seven people touch an invoice from the point that it was generated to the point it was put in an envelope and mailed out. He estimates that each person touching it cost $100, adding $700 to the cost of each invoice. It took until the middle of the month before the bill was sent out, and payment was due 30 days later than that.
But now, there are only two people touching it, and the electronically distributed bill gets sent out on the afternoon of the first of the month; the client also therefore receives it on the first of the month, and the payment clock starts ticking earlier. "The CFO looked at this as having a tremendous financial impact, because the cost of money was much better," says Foudy.
The Future of Money
Foudy says the future might include much more outsourcing. Don't like the whole invoicing, bill-presentment, and collection business? Let your bank do it for you. Citibank and Deutsche Bank have gone after this market as a way to leverage their cross-border payment expertise, and Foudy thinks it's a growth market. Let the bank take your data, generate an electronic bill on your "letterhead," send it out, receive and deposit the payment, and report back to you. It may develop into just one more non-core function that organizations choose to outsource.
Payments may have been late in getting the automation treatment, but there are a lot of opportunities for users and vendors in this market.
A Global Target
Setting its Sights on IBM's Services Market Share, HP Services Raises its Voice and Demands to be Heard
By John Zipperer
(03/01/02) Not every technology company wants to get into the global services arena. Sun Microsystems' President and COO Ed Zander calls it "a lousy business." Simon Walls, vice president of strategy, PeopleSoft Consulting, says that, like Sun, his company's consulting services are product-specific and avoid "doing things outside of the realm of what we have credibility in."
But there are those who want to play. IBM, of course, is the clear leader in the global professional services field, but HP is letting people know that it has already been in the global services business for a decade.
Zander's full comments to a group of technology journalists in January left no room for doubt about his view of the challenge HP is taking on: "I know HP wants to do global services, but we don't. It's a lousy business. It's low-margin; it's a lot of work."
That challenge doesn't stop HP from banking on its HP Services business and pushing it to the forefront of its public image. Jürgen Rottler, vice president and general manager of HP Services' North America business, recently told Internet World, "We thought it was interesting that Sun acknowledged that they just couldn't figure out how to do the business." He doesn't mean that as a jab at Sun; rather, he agrees that it's difficult to be successful in the services business. "If you look at the pure-bred consulting services right now, a lot of them are hurting. When you are a people-based business, it is not easy to scale up and down according to demand."
He acknowledges that "We have IBM in our bull's-eye," but that's to be expected. You'd have to be going after IBM's business if you're playing in the market Big Blue made famous. But HP Services thinks it has a solid lead over other challengers to IBM. "A lot of technology companies are looking at services as a foundation for growth, and HP is no exception to that," he says. "However, it's not like we're starting cold."
Begun 10 years ago, HP Services now has a global staff of 30,000, about a third of HP's worldwide total. Though he admits its 2001 revenue of $7.6 billion was only about 17 percent of HP's $45 billion total, Rottler says that it is one of the fastest-growing businesses within HP.
The value of services comes about because of a shift in companies away from just buying products to a pattern of looking for solutions to handle increasingly complex business challenges. According to Rottler, they're being driven by four forces: the effort to build and maintain partner networks; the importance of customer loyalty; the need for increased speed and responsiveness; and profit pressure.
"CIOs have a difficult job today, and they've had it for several years," says Rottler. "The difference is that you've got to get your IT organization engaged in the business. You need to be plugged into the business strategy. Some of those drivers -- like speed -- you can't accomplish without including the IT factor."
He's bullish because he thinks HP Services has a good grasp of its customers' needs. He says enterprises today are trying to make their systems cost-efficient and predictable, while reacting to ongoing change. CIOs face issues like, "'If I can just tame my technology investments and get them focused around the business and get them stabilized, then that's a success.' A lot of customers are focused on that, as are a lot of services companies," Rottler says. "We see the need for a balance between a stable, always-on infrastructure and a business's agility. We see a big part of the battleground around making your IT infrastructure a lot more agile."
(02/28/02) Offering a hardened OS, a popular console, and a range of products for data protection and intrusion prevention, Sun Microsystems announced its iForce Integrated Security Solution bundle in cooperation with four security vendors. Aimed at enterprises and service providers, the offering is an attempt to prevent those customers from building their security systems using point solutions.
The announcement was made at the RSA Conference 2002 in San Jose, where a lot of companies had gathered to try to gain security mindshare. Though the point solutions have been out there for companies for some time, there is a strong perception that now is the time to bundle where possible and to go after the security investment dollar while the attention paid to information security remains focused. Another company offering a bundle of security products (albeit all from the same company) is Computer Associates. Bruce Keyes, vice president of marketing for Computer Associates, says the big spend from companies in security is still yet to come. What we've seen so far, Keyes says, is that companies have been analyzing their security vulnerabilities and needs and the available solutions; hence, the push to get mindshare now. Those sentiments are shared by Sun, which says it's been hearing from service providers that the point solutions they have been using don't take care of management issues.
The iForce security solution brings together contributions from five companies. Sun, which is the overall project leader, contributes entry-level servers combined with the Solaris 8 OE and the Solaris Security Toolkit, which lets users harden and secure their Solaris systems. Check Point Software Technologies provides VPN-1 and Firewall-1 for securing networks against access by unwanted users. Recourse Technologies makes ManHunt for detecting, analyzing, and responding to attacks and ManTrap for giving users advance identification of threats. Trend Micro includes its InterScan VirusWall for scanning data traffic (Web, files, and e-mail) at the Internet gateway. And Tripwire's Tripwire for Servers and its Tripwire for Routers and Switches focus on data integrity, which it achieves by taking a "snapshot" of configuration data and monitoring it for changes. Sanjay Sharma, Sun's market development manager for security, says these companies worked well together. "Their solutions are very complementary, especially when you add that to Sun Professional Services," says Sharma.
One company that is rolling out the security bundle is the Green Bay Packers. The NFL team, though based in the league's smallest city (which, for the exaggerated sake of full disclosure, should be noted as this writer's hometown), has a global fan base from its long history and recent renewal of success. As a result, the Packers' Web site serves up a lot of e-commerce and it has the heaviest traffic of the NFL, according to Bruce Baikie, Sun's iDC group business manager. The team site is hosted down in Chicago, and its owners were looking at point solutions to protect the site, but they also had to find a way to manage and control the security system remotely. Wayne Wichlacz, a representative of the Packers, says the iForce Integrated Security Solution meets its needs for "the strictest levels of prevention, detection, and response to security threats."
(02/28/02) To many people around the world living as subsistence farmers or nomads, the United States' tech-driven economy may as well be on another planet; it's not comprehensible to them. Luckily, to us, it (more or less) makes sense; however, that doesn't mean that there aren't some players in this economy who are operating in something of a fantasy world. The difference is between pragmatic futurists and aficionados. The former can be essential to keeping you on the cutting edge of using security solutions and foreseeing threats. The latter can cost your company a lot of money.
Step back a moment and listen to some thoughts from the recent RSA conference in San Jose. Michio Kaku, the Henry Semat professor of theoretical physics at the City University of New York, gave one of his typically enjoyable speeches in which he previewed where he sees information security heading in the next 20 years. Specifically, he was looking at 2020, when Moore's Law -- promising the doubling of computer power every 18 months -- finally hits the brick wall of physical limits and silicon ends its reign as the basis for computing power. What takes over? According to Kaku, it will be things such as quantum computers and biology-mimicking systems. Though that is a far-enough time away that you don't need to consider it for your next departmental round of budgeting, it does offer some useful guidance for the here-and-now.
If you take an objective look at the information-security challenge companies face, you see that it is all self-induced. If you didn't set up client-server systems in your company, your employees couldn't introduce viruses into the system. If you didn't connect your database and other systems to your Web site, you wouldn't have to worry much about your Web security. If you didn't connect to your partners and suppliers, you wouldn't have to be tearing your hair out over all of the outsiders who have access to portions of your network at all hours of the day.
Now, knowing that doesn't really get you very far. After all, you are going to put all of your employees before a PC or Apple desktop, and you have to do e-commerce over the Internet, and the competitive advantages of linking up your supply chain (and the costs of not doing so) are massive. But an ongoing sense of caution is not out of place. Don't let the pressure force you to test an unproven security technology on a mission-critical system. As crazy as that sounds in a time of contemplation, it is nonetheless done with regularity. As another RSA conference keynoter, Nortel Network's Oscar Rodriguez, pointed out, it's becoming more and more important for companies to make sure the security is solid and in-place before going online with future implementations.
But what do Dr. Kaku and bio-systems have to do with this? He provides some hope. Kaku suggests looking at the Internet as a living organism. "How do you secure your body against viruses?" he asks. "The answer is antibodies circulating in the blood. In the future, the Internet will be like blood, with antibodies identifying bugs and attacking."
More and more, we'll see the Internet itself becoming a "living" protector against some threats. That's going to be important, because a pragmatic futurist -- someone who anticipates and works to build the future -- is someone who takes into account that people themselves are unlikely to change. And that means that even in five, 10, 20 years, companies will still be rushing to take advantage of the latest business concept -- telepathic meetings, for all we know -- before the process is perfected and ending up with results like in the "Scanners" movies. Just as smart companies today are putting into place all kinds of dumb and invisible-to-the-user security technology, tomorrow we'll be using systems that can protect us more and more from our own eagerness.
(02/27/02) When Sun Microsystems kicked off its 2002 Worldwide Analyst Conference in San Francisco earlier this month, the company's leaders were dogmatically on-message: We're the complete IT solution for the enterprise, so why go anywhere else for storage -- plus, our storage solutions will also work in mid-size firms. With its built-in customer base and the potential for expanded mid-market usage, it is no wonder that Sun's eager to get some of the multi-billion-dollar storage market. As a result, it announced a package of new storage software, systems, services, and partner programs that are best-suited for leveraging the Sun platform but that are able to play in environments that use multiple vendors.
When Sun Microsystems employees speak before a room full of journalists or analysts these days, they invariably bring up a graphic representation of its end-to-end architecture idea--a diagram that takes you from SANs and NAS through the storage network to all of the databases and applications and connections through the OS and the Internet to all of the end users. It makes more sense than that quick description, but one has to assume that it has taken a central place in Sun proselytizing both internally and externally, with staff members forced to wear the diagram on T-shirts and drink from end-to-end architecture mugs.
That's because Sun understands the need to harp on the integration benefits of using its technology through-and-through, and it leads them into new areas, such as storage, to keep customers "in the family." So it focuses on the total cost of ownership and interoperability of using its storage solutions with the rest of its family of products, which is the customer need that its executives say they're hearing. "It's why we said a couple years ago that we thought stand-alone storage companies would have a very hard time," says Ed Zander, president and COO of Sun.
Sun's announcement of four new storage software suites is the culmination of a lot of internal effort mixed with some acquisitions. In 2001, Sun announced such products as the Sun StorEdge 9900 series and Sun ONE software. Now, it is filling in some of the gaps to move into the mid-market area. Its new offerings include its StorEdge Availability Suite (which includes point-in-time copying, and remote mirroring), StorEdge Resource Management Suite (to help manage storage and policy), StorEdge Performance Suite, and StorEdge Utilization Suite.
Throughout all of its offerings (the above suites, plus the Storage ONE architecture and a number of new systems and services), Sun is stressing the role of management. Bill Groth, Sun's director of product marketing for network storage, says virtualization is a key element of the company's storage solutions, giving users efficient use of resources and single-view administration.
Sun is not the only technology company seeking to leverage its extensive systems for newer markets. As Zander sums it up, Sun clearly (and not surprisingly) sees that as a strength, not a problem, when going after the increasingly critical storage market. "You need operating system expertise," he says. "This is not about point products."
(02/14/02) The threat your company faces from online aggressors is rising and is correlated to your size, visibility, and industry. That's the message of the new Internet Security Threat Report from Riptech, an Alexandria-Va.-based security-services company. It provides some interesting data that could come in handy for when you need to make the case for either more security spending or for new security procedures in your organization.
Riptech looked at data on 128,678 cyber attacks from the last six months of 2001, culled from its clients' experiences, which included 5.5 billion firewall logs and IDS alerts. Among its findings: the average number of attacks per company increased 79 percent between July and December; less than 1 percent of those attacks were what Riptech calls "a severe and immediate threat" to the companies involved, but the increasing total means that that becomes 1 percent of a larger number; Nimda and Code Red accounted for a whopping 63 percent of all attacks; and more than 43 percent of the companies suffered at least one attack that "would have resulted in a successful breach had intervention not occurred."
Certain findings in the survey were in contrast to popular perception, at least among those companies participating in the survey. When asked about security, many people might assume that e-commerce businesses are most at risk, thanks to all of the negative publicity they receive when they have an attack. But of the 11 categories in the report, e-commerce is third from last. In first place for suffering the most attacks is the high-technology industry, followed closely by financial services, power and energy, and media/entertainment.
In addition, the larger the company, the more likely it is a target. That shouldn't come as a surprise. Riptech says the companies with more than 500 employees were hit with at least 50 percent more attacks per company than those with fewer than 500 employees. It found a slight increase as well for companies with more than 1,000 employees compared to those with fewer than 1,000. And public companies were twice as likely to suffer attacks as private and nonprofit companies.
So what, you say? What good does it do you to know that you're a target because of the industry you're in? After all, you can't very well say that a highly vulnerable company can protect itself by simply switching industries, firing most of its employees to downsize, and buying back all of its stock. Life isn't that easy.
"It's important for the IT professional or the security officer that his industry is, say, two times more likely to suffer attacks than others," says Tim Belcher, CTO of Riptech. "That speaks to their investment in security policy," giving that executive some statistical evidence to back up any plans he makes for greater spending.
Belcher also suggests to Security Matters that reports like this can be used to assess a company's actual experience against some fairly specific industry benchmarks. (The report can be requested from Riptech's Web site at http://www.riptech.com/.) It is still a sample only of Riptech's customers, but many enterprises will see themselves represented in the report's samplings. The report is therefore a welcome contribution to the field.
(02/14/02) It's not as catchy as "something borrowed, something blue," but the phrase about depending on "something you have, and something you know" is catchy enough when discussing two-factor security. And it is the line that Oakland, Calif.-based security technology company Authenex is using to describe an authentication and encryption solution it likens to the move to using ATM cards for basic personal banking.
The key is a USB token two inches long, about half an inch wide, and maybe a quarter inch thick. Inside the chip is the encryption; a server-side application does the decryption. "We're the only token people who can defend against a man-in-the-middle attack without using PKI," says Henry Hon, vice president of business development at Authenex. "We don't try to badmouth PKI; we work with Verisign, which uses our token for one of its products," Hon says. "But if you don't want PKI, we offer an alternative."
Hon suggests that at low volume, the keys can be produced at a price of $2.50 each, and that Authenex's target at high volumes is about a dollar each. That type of pricing leads him to suggest that online sites such as B2B or membership sites could affordably send the keys to every one of their customers. One problem membership sites face is that passwords and login codes are shared; you might have one account for Hoover's Online, but 10 people in your office might use it to access the service. If such a site were to use Authenex's token key, that abuse would be diminished. (Human realities are still a limiting factor, so it wouldn't be eliminated; you can still get Luke's key from him and use the password he tells you; however, that is not something that can be done when Luke's on vacation or working from home. So the membership site doesn't need to stamp out all of the abuse and it can still reap major benefits. That office might buy an additional two or three memberships in addition to Luke's; a total of 10 people might still take advantage of it, and though the site didn't sell 10 memberships, it might still triple or quadruple the number it had before.)
Authenex is making its solution available on February 18. Hon says the mid-market is where the traction is, because those companies know they need to get past user-name and password, but secure ID is too expensive and two-factor has been too expensive, until now, in his company's view. Pricing for the server software begins at $1,791 for 25 users (up to $157,619 for 25,000 users), plus the price of the token keys and maintenance.