From NT to 2000 by way of BindView
As a provider of system administration and security tools for Windows 2000 systems, BindView Development Corp. is in demand these days because most corporate entities are just now getting around to rolling out Microsoft Corp.'s latest platform for the enterprise.
In an interview with InfoWorld Editor in Chief Michael Vizard, BindView CEO Richard Gardner and company founder and CTO Eric Pulaski talk about the issues that companies will need to deal with as they begin to roll out Windows 2000 and why security is now an integral part of systems management.
InfoWorld: What's the history behind BindView?
Gardner: We've been in existence for about 10 years and started out originally with products in the Novell (Inc.) area. We'll probably be somewhere in the $100 million range this year, and we're profitable. We have about 650 to 700 employees, about 5,000 customers, and our predominant focus today is Microsoft-centric. Probably three-quarters or more of our revenue is expected in the Microsoft environment. Our products help people manage and administer networks, manage security, and migrate to Windows 2000 from Windows NT or other operating systems.
Pulaski: We've got a comprehensive line of products for role-based administration as well as vulnerability assessment, audits, and security management for a wide variety of platforms, services, and applications.
InfoWorld: What's different about the migration to Windows 2000 from previous incarnations of Windows?
Gardner: I think this is a process, not an event. If you think about it, this is not a desktop migration -- this is an infrastructure migration. People can't just switch everything over at once, so they've got to look at priorities. Because you've got applications that rely much more on Active Directory -- for example, Exchange 2000 -- I think anyone going to Windows 2000 needs to prepare for a full-blown implementation of Active Directory. We've got the first product to manage the security administration of Active Directory. Obviously it's going to take a little time for it to sell in volume. But I think it's inevitable.
InfoWorld: What exactly do you do in the security space?
Gardner: We sort of bridge a systems administrator and a security administrator. We allow the customer to come up with a security policy and actually enforce it. There are no other tools that really allow you to enforce and find out if your security policy is being complied with or adhered to.
InfoWorld: How secure are Windows environments?
Gardner: Windows as it was designed was not secure. Windows itself, and then Windows NT, had a bunch of holes. And now Windows 2000 will introduce new holes, but they are taking steps to improve the level of security. There are just as many security issues actually on Unix and different platforms; I think the focus that Microsoft has in the market really magnifies any security problems. It's always, 'let's talk about Outlook problems.' There are just as many problems with Send Mail on Unix, but nobody talks about those.
InfoWorld: How much of your existence as a company might be owed to Microsoft's inherent weaknesses in these areas?
Gardner: Generally speaking, the vendors of the operating systems and the databases themselves never have the maniacal focus that an ISV will have on really coming up with the tools that make those products much more productive. You might over time have five or 10 percent of the features or your products eclipsed by improvements in an operating system. But generally, the engineers at those companies are working on the fundamental engine, and the ISVs are hiring the best talent they can find and applying them to these kinds of things. It's very rare that you're going to actually compete with the native vendor.
InfoWorld: Is your company going to do anything for Linux?
Gardner: We have our core security product, our BV control product, coming out later this year for both Unix and Linux. That's our very first internal security product for Unix. We have an external security, a hacker's shield product, that basically scans all your servers for hundreds of known vulnerabilities and alerts you to seal those off.
InfoWorld: Do you think most customers have a proactive approach to security?
Gardner: I think we're still in its infancy there. A snake rears its head, and someone finds out, and then they add some security to that particular environment or that application or that function. But some companies are starting to get it. They're thinking about chief risk officers that are sort of independent, to take out the conflicts of interest that you can have in an IT situation where a manager is paid to get an application up or converted by a certain day. If a security guy works under the director in IT, they're probably going to take a security risk, bury it, and hope to get it fixed later.
InfoWorld: Why is security such a difficult task, and will it ever get simpler?
Pulaski: There're some things you really, truly need experts for. Then there're some things that software tools can help you automate to the point where, for example, the work of one expert can be leveraged by a whole team of nonexperts. It can basically help the people who are not experts figure out how secure things are and if their policies are being followed. The goal of companies like BindView is to develop software and methodologies and processes that customers can use to take the work of a very few number of experts and leverage them.
InfoWorld: Will security tools ever just become another embedded part of the network infrastructure?
Pulaski: Ideally, more and more of the security infrastructure components need to be built into the security infrastructures themselves, rather than coming from third-party applications. BindView focuses not on providing the pieces of the security infrastructure but in analyzing how the security infrastructure is configured and deployed enterprisewide, looking for vulnerabilities and problems with implementation of policy and in the configuration. The problems that people face is that the processes and people that implement and deploy these systems typically have a very difficult time managing the configuration of the infrastructure enterprisewide, especially as new users get added and users get assigned temporary rights for some reason.
InfoWorld: There's a lot of criticism of the resources that security tools consume on systems because most of them rely on processor-intensive agents to accomplish their tasks. Is this a fair criticism?
Gardner: That is a shortcoming of a lot of technologies. Not only are the agents out there at every desktop but they also gobble up a lot of the resources of those servers. One of the reasons that we should not be painted with that same brush is our technology does not require agents on all of the servers. And if you have performance issues, you can choose to balance your system and how many agents you do deploy. But the technology has to be able to scan all the environments and all the users and all the IDs in order to do security checks.
InfoWorld: Where do most attacks come from?
Pulaski: If you look at any of the statistics, you'll find that anywhere from 60 to 80 plus percent of security breaches and financial losses that are security-related come from attacks and problems caused by insiders, so that's really the biggest problem and the biggest threat. The stuff we do basically spoon-feeds security data to the IT organization. But there are certain other technologies, for example intrusion detection, where you really, truly have to have a bunch of rocket science-type guys monitoring this stuff continuously on a day-to-day basis. In many cases, a company might need to outsource that function because there's no way for a company to have the in-house staff that can deal with that data.
InfoWorld: As e-business on the Web is increasingly done in real time and becomes more dynamic in nature, will security products be able to keep up?
Pulaski: The technology to support that is there, but it's in its infancy. The key technology there is the ability for directories and metadirectories to work with each other and work in the extranet environment. The directory vendors, whether it's Novell, Microsoft, Netscape, or whoever, would like to see the directories and the metadirectories be able to fulfill that need so external partners and the internal people can work in one common directory for common access control and security. The security implications, of course, are major. You've got to make sure the systems are safe and secure when you're working in that kind of environment.
InfoWorld: If there was one thing you could change about how people approach security, what would it be?
Pulaski: [It would be] the commitment of customers at the board of director and senior management levels on down to ensuring that systems are safe and reliable, especially before they launch new e-business initiatives. I think we're seeing a paradigm shift in how customers view IT. Ten or 20 years ago, IT was a way to lower cost. Today, the information technology really is about drivers for business revenue.