The growing focus on managing information security risk is challenging

Transcription

1 InSide Gartner This Week Vol. XIX, No July 2003 Management Update: Information Security Risk Best Practices The growing focus on managing information security risk is challenging most enterprises to figure out who should manage it, what should be managed, where it should reside within the enterprise, and how much should be spent on securing enterprise assets. Gartner presents information security risk best practices. Information Security Risk Management Cornerstones Enterprises must determine how their security controls and architecture align with relevant regulations, business risk and security requirements from partners or customers. However, most regulations do not offer detailed guidance on what security controls are necessary, but they do require best practices and also require partners or providers to have appropriate security practices. Clauses are typically too vague to be adequate. (continued on page 2) CIO Update: Enterprise Firewall Magic Quadrant for 1H03 Deep packet inspection technology is driving the firewall market to an inflection point that is characterized by rapid changes in product evolution and the vendor space. Gartner s Enterprise Firewall Magic Quadrant helps enterprises evaluate firewall vendors. Firewall Market Trends Network-level firewalls have become commodity products. Enterprises must make security decisions based on deep packet inspection of application content, in addition to simple stateful protocol filtering. Gartner believes that firewalls must provide a wider range of intrusion prevention capabilities, or face extinction. Gartner has updated its criteria for firewall market In This Issue... 1 Management Update: Information Security Risk Best Practices The growing focus on managing information security risk is challenging most enterprises to determine who should manage it, what should be managed, where it should reside within the enterprise, and how much should be spent on securing enterprise assets. Gartner presents information security risk best practices. 1 CIO Update: Enterprise Firewall Magic Quadrant for 1H03 Deep packet inspection technology is driving the firewall market to an inflection point that is characterized by rapid changes in product evolution and the vendor space. Gartner s Enterprise Firewall Magic Quadrant helps enterprises evaluate vendors. 10 Management Update: When You Should Consider Smart Enterprise Suites for E-Learning Smart enterprise suites will eventually encompass e-learning functions. E- learning suites remain viable in the short term, however, because smart enterprise suites need time to mature. 12 Management Update: The Effects of the SCO Lawsuit on IBM AIX Customers SCO has targeted its intellectual property infringement case against IBM and has declared IBM s AIX license invalid and terminated. Gartner s analysis helps IBM AIX customers understand the meaning and the impact of this SCO action. (continued on page 5) 15 At Random

2 Management Update: Information Security Risk Best Practices (continued from page 1) Key Issue: What are the best practices of a successful information security program? To be effective, five cornerstones are needed for any information security risk management program: The information security organization The IT asset risk inventory Information security policies, including those based on a common policy structure such as ISO The information security architecture A business continuity program Note: ISO is a comprehensive set of guidelines offering a code of practice for security management. The objectives of ISO are to Figure 1 Information Security Certifications provide a basis for organizational security standards and to enable the establishment of mutual trust among networked sites. Many information security service providers offer services associated with ISO As many of five cornerstone components as possible should be implemented to make the most effective use of limited funding in the information security and business continuity area. Information Security Certifications Certifications for information security professionals can be divided into three categories (see Figure 1): Vendor-independent: Certifications provided by industry associations (except for TruSecure, which is a private concern), the certification is recognized as an industrywide level of achievement Vendor-specific: The certification is specific to the vendor s product(s) and demonstrates a level of mastery for implementation purposes Related knowledge: The certification is for a body of knowledge that is related to information security such as fraud, computer crime and physical security The two most frequent certifications in the industry are CISSP from ISC2, and GIAC from The SANS Institute. Note: CISSP is Certified Information Systems Security Professional; ISC2 is the International Information Vendor-Independent CESG CLAS (U.K.) CompTIA Security+ ISC2 CISSP, SSCP ISACA CISA, CISM SANS GIAC Security University TruSecure TICSA Vendor-Specific Checkpoint Novell Cisco Systems RSA Security IBM Tivoli Symantec Why It s Worth It: CISSP Compensation Benefit No.1inROI 7.9-to-1 8.6% salary increase $83,000 average salary Source: Gartner and Certification Magazine (December 2002) Related Knowledge Assoc. of Certified Fraud Examiners ASIS International High Tech Crime Network CESG CISA CISM CISSP CLAS CompTIA GIAC ICSA ISACA ISC2 ROI SANS SSCP TICSA Communications-Electronics Security Group Certified Information Systems Auditor Certified Information Systems Manager Certified Information System Security Professional CESG Listed Adviser Scheme Computing Technology Industry Association Global Information Assurance Certification International Computer Security Association Information Systems Audit and Control Association International Information Systems Security Certifications Consortium return on investment SysAdmin, Audit, Networking, Security Systems Security Certified Practitioner TruSecure ICSA Certified Security Associate 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Comments should be ed to: inside@gartner.com. 2 Inside Gartner This Week

3 Systems Security Certifications Consortium; GIAC is Global Information Assurance Certification; SANS is SysAdmin, Audit, Networking, Security. CISSP certification is geared to the person who manages the information security function, or who consults in the market. CISSP is the leading certification in the industry. GIAC certification is geared to the information security specialist who needs a technical level of expertise for analysis, implementation and operational purposes. The Information Systems Audit and Control Association has recently started its Certified Information Security Manager (CISM) certification. The grandfather clause means that many CISSPs will also be CISMs. Gartner conducted a survey of information security professionals that compared CISSP and CISM. Respondents were asked questions such as: Do you have your CISSP? When did you pass the CISSP exam? What percentage of your IT security staff has CISSP certification? Is a CISSP a requirement for employment? Do you have another information security certification? Following are some of the more significant survey results: 50 percent of respondents have the CISSP 0 percent of respondent organizations require CISSP 25 percent of respondent organizations provide extra compensation for CISSP 100 percent of CISSPs maintain their certification 90 percent of respondents would consider another certification Creating an Effective Security Awareness Program Imperative: A set of information security policies is the key cornerstone of an effective IT risk management program. The information security policies are the basis for all other components of this program, and without them, the enterprise risks its financial viability. An effective set of information security policies is the basis of risk assessments each enterprise should conduct. Policies must be communicated to all users of enterprise IT assets so that they understand their responsibility to protect the enterprise against information security breaches that is, they are as accountable for enterprise protection as the chief information security officer. Users must be trained in the following areas (see Figure 2): Corporate policies: They must understand policies to both limit their personal violations and allow them to recognize when others violate policies. Security issues: What is a virus? Employees need training on a variety of security issues, from physical access, to information misuse, to safety. Ongoing training should include new security issues as they arise and signs of an impending incident before it causes damage. Impact on the enterprise or employee: People tend to pay less attention to issues that don t directly affect them. Awareness and proactive actions are likely if employees understand the negative consequences on the enterprise and themselves. How to report and respond: Obviously not everyone must be trained to put out a fire, but they must know how to hit the fire alarm, call 911 and safely evacuate the building. Measuring Information Security Expenditure Effectiveness Strategic Planning Assumption: By 2005, 20 percent of the Global 2000 will have effectiveness assessment systems in place that will monitor the information security health of business transactions in real time (0.7 probability). Many enterprises struggle with how much to spend on controls to mitigate the risk of an information security threat being exploited and how effective those controls are. Many are turning to metrics to help them evaluate the effectiveness of their information security program. 2 July

4 Management Update: Information Security Risk Best Practices (continued) Figure 2 Security Awareness Program: Teach Your Employees Well Corporate Policies The Law Security Issues Personal Safety Would the employee recognize a policy breach? Goal: Methodology: Source: Gartner Gartner describes a variety of metrics, categorized using the information security total cost of ownership chart of accounts, that enterprises can implement to help them in this effort: What data should be collected in support of each metric? How often is the data collected? How often is the data reported, and how is it reported (for example, beeper notification or report)? To whom is the metric reported? What actions are taken and decisions are made based on the metric? One can turn to numerous places for the raw data, including: System and application logs Help desk software Internal and external audits Employee Role Pertinence Would they choose to report it? Influence User Behavior New Employee Orientation Information Security Exam Branding/Logo Communications Newsletter, Video Employee Termination Report/ Respond What to Do Would they know how to report it? Tools: g NetIQ g Easyi g PwC g Blue292 g RedSiren Internal risk assessments/ compliance reviews Security system/management reports Action Item: Establish critical effectiveness metrics for each information security policy. Ensure audit logs are in place for all missioncritical applications and systems. Begin moving toward a centralized reporting facility for such log entries. Information Security Metrics, Scorecards and Dashboards Metrics, scorecards and dashboards are becoming a popular approach for informing all levels of management of the overall status of the information security program. The technical and operational groups as well as the strategic, planning, and management groups should have such dashboards to manage their own view of the information security risk management program (see Figure 3). Multiple technical dashboards might be used for specific activities. The technical dashboards will feed into a strategic and management dashboard that measures the effectiveness of the information security risk management program and is used for security breach investigation purposes. The use of a traffic light report, which documents the status of each metric, is a good visual tool. The categories to be tracked must be based on the enterprise s information security policies. The rating for each category must assess the business unit s compliance level against people, processes and tools. Metrics, scorecards and dashboards are a multiyear effort. The first year (or first six months) establishes a baseline for each business unit s level of compliance with the information security risk management program. Subsequent releases enable an enterprise to track improvements and setbacks. That enables senior management to focus on risk hot spots. Action Item: Report semiannually to senior management on the information security risk management program. 4 Inside Gartner This Week

5 Figure 3 Information Security Risk Management Program: Use Scorecards and Dashboards Assessment Category Rating Low Medium High Organization R P Roles/Responsibilities PR Awareness Training T R P Security Administration T R P Intrusion Detection T R P Source: Gartner P =People;R = Process; T =Tools information security risk management program. Written by Edward Younker, Research Products Analytical source: Roberta Witty, Gartner Research This article is an excerpt of a chapter from a new Gartner report, Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture. The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to Recommendations Establish a risk management committee with purview over all risk issues in the enterprise. Assign ownership for the information security risk management function. Establish information security policies, architecture and IT asset risk inventory. Ensure information security covers new technology integration. Establish an information classification program to ensure the correct application of mitigating controls. Review the enterprise s use of outside service providers with regard to their compliance level with the enterprise s policies. Establish critical effectiveness metrics for each information security policy. Report semiannually to senior management the state of the For related Inside Gartner articles, see: CIO Update: IT Security Management and Gartner s Magic Quadrant, (IGG ) CEO and CIO Update: Establish a Strong Defense in Cyberspace for Information Security, (IGG ) Management Update: What You Should Know About the Antivirus Market, (IGG ) CIO Update: Enterprise Security Moves Toward Intrusion Prevention, (IGG ) Management Update: Security Strategies for Enterprises Using Web Services, (IGG ) CIO Update: Enterprise Firewall Magic Quadrant for 1H03 (continued from page 1) leadership to heavily weight ability to execute and vision in migrating to the next generation of firewalls. Firewalls long have been able to enforce security policies based on who or what gets to connect to which service or machine. However, the content of the packets allowed through has been invisible to the firewall. Firewalls typically look at only header information, so they have limited ability to block attacks based on packet content. However, new worms, malicious code and cyberattacks have targeted application weaknesses, and more applications and protocols are tunneling through the firewall by connecting over port 80 and, in some cases, encapsulating in HTTP or S-HTTP (Secure HTTP) formats. The greatest recent shakeup to the security area occurred in 2001, when Nimda, a multiheaded worm, exploited a vulnerability in the Microsoft Internet Information Server to infect hundreds of thousands of servers. This exploit was not detected 2 July

6 CIO Update: Enterprise Firewall Magic Quadrant for 1H03 (continued from page 1) by intrusion detection systems (IDSs), nor blocked by firewalls or antivirus software. Many enterprises experienced significant downtime and financial losses because of Nimda. In 2003, the SQL Slammer worm proved that although many enterprises had done a better job of patching Windows vulnerabilities, firewalls were still not providing useful protection at the application level. Application and Web Defense Products addition of a network stateful inspection capability. Magic Quadrant Criteria In this fresh look at perimeter defenses, Gartner modified the criteria used to determine positions on the Magic Quadrant for Enterprise Firewalls, 1H03 (see Figure 4). Ability to Execute History of success in the traditional firewall market Financial strength, such as increasing revenue, the size of investment, number of employees and other factors Partnerships and channels, including partnerships with highspeed processing platforms and content inspection leaders Completeness of Vision Recognizes and blocks attacks based on protocol anomalies, signatures of attacks, content inspection, behavior (usually Most investments in security are still in response to pain that is, reactive vs. proactive planning and risk assessment. Nimda caused visceral pain that has spawned investments in dozens of new products that emerged to address application vulnerability. Gartner recommends positioning these network devices in front of critical servers, typically in the transaction zone. These devices are in-line and apply security policies to protect the assets behind them. Gartner believes that application and Web defense products are firewalls, although they are not marketed as such. Several products meet the criteria for an enterprise firewall, including central management, a good graphical user interface, logging and reporting. Others exhibit the security capabilities of a firewall, but are several generations away from becoming a network s sole defense. They lack only the Figure 4 Gartner s Magic Quadrant for Enterprise Firewalls, 1H03 Ability to Execute Source: Gartner Cisco Systems Challengers Check Point Software Technologies NetScreen Technologies Microsoft Network Associates (IntruVert) F5 Networks Blue Coat Systems Fortinet SonicWALL WatchGuard Technologies Mazu Networks Array Networks Kavado Radware Symantec Secure Computing ipolicy Networks Teros Sanctum Top Layer Networks Whale Communications Niche Players Completeness of Vision Leaders NetContinuum TippingPoint Technologies Visionaries As of June Inside Gartner This Week

7 based on history of use) and traffic volume Builds solutions that address enterprises needs Invests in specialized network processing hardware application-specific integrated circuits (ASICs) to perform deep packet inspection at wire speeds Enables central management of many remote devices Able to load balance or configure in a highly available mode Provides logging and reporting functionality Quickly rolls out new application defenses based on the ability to perform deep packet inspection Vendors that introduce new protection capabilities on an extremely short production cycle best leverage the strength of their investment in processing power for example, performing antivirus functions inline, proxying instant messaging (IM), and providing Domain Name System and sendmail defenses. The greatest challenge will be to perform full Extensible Markup Language (XML) parsing and filtering. The ability to decrypt a Secure Sockets Layer (SSL) session, perform inspection and filtering, and re-establish the SSL session is also heavily weighted. To be considered Challengers, Visionaries or Leaders, vendors must combine network-level and application-level firewall capabilities in an integrated product. Vendors that have only one or the other will be Niche Players. Leaders Gartner believes that because of the trends described above, the enterprise firewall market is immature again. The market share leaders will not necessarily dominate as they previously have done. Therefore, no Leaders are identified in the 1H03 Magic Quadrant, although Gartner expects that several products will qualify for the Leaders Quadrant by the end of Challengers Check Point Software Technologies has recognized that the market is moving from access control to application defense, and it has rolled out a SmartDefense subscription service in which customers can get pre-configured defenses against newly discovered attacks. It recently launched Application Intelligence to ease management of application defenses. Application Intelligence relies on a combination of Check Point s stateful inspection engine and services, or software proxies. Gartner believes that this approach is not adequate for 100-percent deep packet inspection at wire speeds. Check Point will need to invest in silicon to compete. It likely will leverage its market-leading Firewall- 1 product line s best-of-breed management and graphical user interface to develop the added security functions of a deep packet inspection product. Cisco Systems has changed its market-leading focus on network security and is now committed to end-point security, as evidenced by its purchase of Okena, a host protection company (see Cisco to Buy Okena, Try to Compete in Security Software ). It may have recognized the need for integration because it has pulled together these elements into a single group. Cisco will need to combine separate products in intrusion detection and firewall with content inspection capabilities that it could derive from internal or external sources. NetScreen Technologies was the first major firewall vendor to recognize the importance of deep packet inspection by purchasing one of the first intrusion prevention vendors, OneSecure. Today, the NetScreen Intrusion Detection and Protection appliance must be deployed behind the firewall to obtain full application defense. NetScreen s challenge is to deliver on its promise to produce an appliance that incorporates stateful inspection firewall and intrusion prevention functionalities by thirdquarter The vendor also must show that it has the management capabilities to make this transition while continuing to grow. Radware is a content-switching appliance vendor that has added security features to its product line. Its application switches can block hundreds of attack signatures at wire speeds. Incorporating SSL termination and application defense, as well as stateful firewall capabilities, in the same appliance would 2 July

8 CIO Update: Enterprise Firewall Magic Quadrant for 1H03 (continued from page 1) make Radware a serious contender in this space. Visionaries Fortinet has demonstrated its investment in powerful network processing technology by filtering viruses in-line, which requires an unprecedented level of packet assembly and filtering. Fortinet has reached an impressive level of revenue in its first year of production because of its initial market penetration at the very low end of appliances. It will have to address the fact that many competitors in the Visionaries Quadrant have concentrated on SSL termination vs. traditional IPsec, or Internet Protocol Security, virtual private networks (VPNs). NetContinuum is the only deep packet inspection vendor that has architected its appliance to protect the privacy of communication going through it. Its split brain solution provides for management and policy setting on a separate CPU from the packet assembly, as well as filtering functions that reside on an ASIC with extremely high-speed processing capabilities for SSL termination, packet assembly and filtering. This may prove to be a deciding factor in purchase decisions where that separation is important. Network Associates has purchased IntruVert Networks. As an early player in the intrusion prevention space, IntruVert has gained market traction for its products, which take IDSs a critical step forward to blocking attacks in-line. Network Associates must recognize that it has re-entered the firewall space, and provide R&D and customer support, to be a Leader in next-generation firewalls. TippingPoint Technologies has most closely created a comprehensive network protection device, although it has been slow to gain customers because of its industryleading marketing message of prevention vs. detection. Designed to be placed directly behind the firewall and provide protection across the spectrum of protocols, TippingPoint s product is poised to move to the gateway position with the addition of a complete set of network firewall filtering and reporting functions. Niche Players Blue Coat Systems is the reincarnation of CacheFlow, the network proxy vendor. Similar to F5 Networks, Blue Coat has recognized that the position of its product in front of critical Web servers as well as its content switching ability are the elements needed to provide protection for Web servers. An example of the power of deep packet inspection is Blue Coat s recent quick development and introduction of an IM proxy solution that allows enterprises to apply security policies to IM traffic. Blue Coat is the product of choice for secure proxying of outbound connections. F5 Networks has recognized that load balancing, SSL termination and content switching rely on the same processing capabilities that are needed for a security appliance. The recent introduction of network attack blocking is F5 s first foray into the protection space. F5 s challenge is to pick a technology partner (or make an acquisition) with security domain expertise that can help it leverage its hardware and installed base to be a significant player in the firewall market. Microsoft, with its Internet Security Acceleration Server, offers a powerful software proxy and it is evolving into Microsoft s lead security product, with built-in application defense and access controls. Although the Internet Security Acceleration Server is good technology, it is trailing market expectations because most enterprises look for hardware gateway devices, not software running on general-purpose operating systems. Secure Computing has delivered on its promise to take the best of Gauntlet (acquired from Network Associates) and combine it with the best of Sidewinder, its own software firewall. The combined product, SidewinderG2, represents the freshest and most-advanced software proxy firewall, with central management and ease of deployment. Enterprises will continue to find positions in their networks for the specialized capabilities that are available from SidewinderG2. SonicWALL has been slow to move into the application defense space 8 Inside Gartner This Week

9 with an offering to address recent activity by Check Point and NetScreen. An investment in hardware-based network processing capabilities would give SonicWALL an opportunity to continue to translate large enterprise solutions into products that its small and midsize business customers demand. Symantec remains a Niche Player in the firewall space. The old Raptor technology in the Symantec Enterprise Firewall is being replaced more often than it is purchased a negative adoption rate. The Symantec Secure Gateway Appliance is new software running on an appliance that provides firewall, IDS, content filtering VPN and antivirus functionalities. This is a good solution for the small and midsize business market, and perhaps for remote offices. WatchGuard Technologies is profiting from its series of lowcost, easy-to-manage appliances. Its RapidStream purchase gave it the technology for more-advanced application defenses, while supporting Check Point Firewall- 1 and virtual local-area networks. Whale Communications is focusing on the SSL VPN space. Whale s technology can process any payload traffic and apply security policies to it. Array Networks, ipolicy Networks, Kavado, Magnifire, Mazu Networks, Sanctum, Teros and Top Layer Networks each combine hardware appliances with application defense capabilities to address various attacks. Not on the Magic Quadrant Some firewall vendors, such as BorderWare Technologies and CyberGuard, greatly rely on software proxies for application defense. However, they have matured considerably and added improvements, as well as management capabilities, to these proxies. Several vendors, such as DataPower Technology and Reactivity, are targeting XML firewall functionality. Parsing XML and checking for protocol anomalies at wire speeds are daunting tasks because in theory, the schema could be different for every message. Decrypting, checking digital signatures and blocking malicious code are other tasks that drive innovation in this arena. These tasks will require the most investment in hardware acceleration. Bottom Line The first major innovation in gateway security since stateful inspection is embodied in deep packet inspection firewalls. Leading vendors will offer the ability to assemble and inspect packet payloads at wire speeds. Enterprises should redirect intrusion detection system investments toward application defenses such as those offered by the thought-leading firewall vendors in the Magic Quadrant for Enterprise Firewalls, 1H03. Written by Edward Younker, Research Products Analytical source: Richard Stiennon, Gartner Research This article is an excerpt of a chapter from a new Gartner report, Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture. The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to For related Inside Gartner articles, see: CIO Update: IT Security Management and Gartner s Magic Quadrant, (IGG ) CEO and CIO Update: Establish a Strong Defense in Cyberspace for Information Security, (IGG ) Management Update: What You Should Know About the Antivirus Market, (IGG ) CIO Update: Enterprise Security Moves Toward Intrusion Prevention, (IGG ) Management Update: Security Strategies for Enterprises Using Web Services, (IGG ) 2 July

10 Management Update: When You Should Consider Smart Enterprise Suites for E-Learning Smart enterprise suites will eventually encompass e-learning functions. E-learning suites remain viable in the short term, however, because smart enterprise suites need time to mature. A Collision Course E-learning suites and smart enterprise suites are on a collision course. Both suite types offer capabilities in the content management and collaboration areas, which will create a dilemma for enterprises that are making product selections. Some enterprises can extend their smart enterprise suites into adequate e-learning platforms, but most will need to use e-learning suites until 2007, when smart enterprise suites will match their capabilities. The two sets of offerings overlap in content management, Web conferencing and virtual classrooms: Smart enterprise suites combine portals, content management and collaboration functions such as Web conferencing (see Management Update: Gartner s Smart Enterprise Suite Magic Quadrant for 2003, IGG ). E-learning suites consist of learning management systems, learning content management systems and authoring tools, and virtual classrooms. Content Management Numerous e-learning vendors partner to integrate their learning management systems with the content management systems of leading vendors, such as Documentum and FileNet. Those entrenched content management vendors know the broader content management market and have a wide customer base. To expand their presence within their installed bases, these vendors try to satisfy customers that want to extend their content management systems to address their e-learning needs. E-learning applications can be built on top of a robust content management infrastructure. However, the content management vendors often lack multiuser authoring tools and compliance with the Shareable Content Object Reference Model (SCORM); therefore, they have welcomed partnerships with e- learning providers. SCORM, an XML-based reference model for Web learning content, consists of: Content aggregation (how to assemble and move content) Content delivery and tracking (how to deliver a course and track what the user does) Tagging (how to create metadata for courses and objects) XML makes searching dispersed libraries of e-learning content much easier. (To learn more, please refer to the metadata information model in the SCORM specification Much of the SCORM 1.2 specification came from the IMS Global Learning Consortium. Any SCORM-compliant content is incorporated into an imsmanifest.xml file. Like a play list, this file contains the objects (HTML, flash objects and so on) and the order in which they need to play for the course to run. Content Management Outlook Over time, content management vendors will fill the gaps in authoring tools and SCORM compliance. By year-end 2008, 40 percent of content management vendors will add e-learning authoring tools to their product suites (0.7 probability). In the meantime, some enterprises will meet their e-learning needs by using their content management applications and adding third-party authoring tools. Others will buy a complete e-learning suite, with a comprehensive set of tightly integrated capabilities. Virtual Classrooms Some Web conferencing vendors offer virtual classroom capabilities, but the considerable overlap between these areas overshadow the important ways in which they differ. Web conferencing and virtual classrooms provide the same event management functions: Slide show presentations Application and document sharing Chat functions Whiteboard sharing 10 Inside Gartner This Week

11 Advanced functions, such as video, voice and polling mechanisms most products include these with varying functional depth Being designed specifically for e- learning, however, virtual classrooms feature a more-appropriate interface design: The tools for building a learning presentation or event allow more interaction by the students or audience. They provide richer experiences for students and instructors or course and conference designers. Techniques enhance instruction, improve retention and support ways of presenting that stimulate learning. They include self-contained functions or can integrate with other applications so that enterprises can manage each learning event within the context of a course or curriculum. Two Challenges Smart enterprise suites will eventually have to include a virtual classroom mode, so vendors will make acquisitions or simply develop these capabilities. By year-end 2005, Gartner expects that virtual classroom and Web conference features will have converged, and products will be equally applicable for both uses. In many cases, vendors don t provide enterprisewide Web conferencing and virtual classrooms. Those capabilities will mature because enterprises increasingly conduct meetings and teach classes virtually. The recent outbreak of SARS severe acute respiratory syndrome made enterprises more reliant on virtual meetings, and many firms are taking steps now to enhance their IT infrastructures to support Web conferencing. The main reasons for deploying Web conferencing include reduced travel costs, less exposure of employees to conflicts or health crises, and the benefits of virtual teaming. By year-end 2008, 60 percent of Fortune 2000 enterprises will have deployed Web conferencing capabilities on an enterprisewide basis (0.7 probability). Smart enterprise suites are immature, and have not yet been deployed on an enterprisewide basis. Until they are, continue to evaluate and acquire e- learning suites. By 2008, this situation will change, and smart enterprises suites will provide some elements of an e-learning environment. Bottom Line The technology elements of smart enterprise suites and e-learning suites overlap to some degree. For the short term, consider e- learning suites if you have not decided to deploy a smart enterprise suite. If you have, ensure that the content management and Web conferencing capabilities of the smart enterprise suite are compatible with your learning management system. In most cases, the time that will be required for this compatibility to develop enhances the short-term viability of e-learning suites. Written by Edward Younker, Research Products Analytical sources: James Lundy and Mark Gilbert, Gartner Research For related Inside Gartner articles, see: Management Update: Gartner s Smart Enterprise Suite Magic Quadrant for 2003, (IGG ) Management Update: Gartner s 2003 Learning Management System Magic Quadrant, (IGG ) Management Update: Gartner s 2003 E-Learning Content Magic Quadrant, (IGG ) 2 July

12 Management Update: The Effects of the SCO Lawsuit on IBM AIX Customers SCO has targeted its intellectual property infringement case against IBM and has declared IBM s AIX license invalid and terminated. Gartner s analysis helps IBM AIX customers understand the meaning and impact of this SCO action. Background When The SCO Group sued IBM in March 2003, most of the action was aimed at extracting monetary damages from IBM for what SCO alleged was the destruction of its Unix market by Linux. Embedded in that initial claim was a 100-day termination notice of AIX, IBM s Unix license, if IBM did not come to terms with SCO. IBM resisted and proclaimed total compliance with the terms and conditions of its Unix license. With the expiration of the 100-day notice, SCO has declared that it has revoked IBM s AIX license. Gartner has received a number of client inquiries about the latest filing and how it may affect current support and future procurements of Unix systems. Gartner answers some of the more pressing questions, encapsulating clients issues with our responses. By terminating the licensing arrangement, SCO now can claim that AIX is an unauthorized derivative of Unix System V. An injunction requests that IBM cease all use and distribution of AIX. How will this injunction affect us? Gartner s interpretation is that no immediate court injunction was sought, but that the original lawsuit claiming breach of contract was amended to include the AIX license termination and additional damages. Therefore, this judgment will be rendered at the time the case goes to trial, which could be months, if not years away (unless a settlement occurs before then). Therefore, SCO is threatening IBM and its customers with a claim that has no immediate validity in a court injunction. We have a substantial investment in midrange servers running AIX. How does this battle between SCO and IBM affect customers that are using AIX? SCO s latest claim appears to have no direct and immediate impact, as long as IBM continues to maintain, warrant and service the license agreement with its customers. A conclusion regarding the validity of the license is between IBM, SCO and the courts. On 14 May 2003, SCO sent letters to approximately 1,500 large enterprises, cautioning them that their Linux code contains SCO proprietary code. Should we expect a similar notice from SCO regarding unlicensed use of proprietary code in AIX? This possibility certainly exists, since SCO appears to be intent on continuing to increase the pressure on IBM as well as large customers of the Linux OS. SCO may target a letter campaign to the AIX community, hoping to put additional pressure on IBM even though it may have more difficulty profiling the AIX installed base than the Linux one. However, Gartner believes the license by IBM to AIX customers means that a customer s involvement is directly with IBM. Therefore, an AIX customer should refer potential claims by SCO about its AIX license to IBM, since the lawsuit is aimed at the alleged breach of contract between IBM and SCO. Gartner believes SCO could pursue its claims with customers by demanding to audit AIX accounts, but without a separate injunction (which could take months for a decision), enterprises need not respond or comply. Should we elevate this issue to our corporate legal department? What guidance are you providing to AIX customers? Gartner recommends that CIOs and other senior executives get their asset management and procurement groups to work with their legal departments to examine the AIX license agreement, and evaluate the indemnity and warranty that is provided to AIX license customers. It is advisable to get IBM to provide, in writing, a guarantee of indemnity from legal infringements if a judgment is made against IBM in the SCO lawsuit. If IBM refuses, the customer s leverage rests primarily with future procurement contracts and the amount of business at stake. Thus, IBM may choose to address this issue on a case-by-case basis. What is Microsoft s role in the skirmish between SCO and 12 Inside Gartner This Week

13 IBM? Was Microsoft s recent licensing agreement with SCO a thinly disguised ploy to provide SCO with funding to pursue this matter in the courts? Some in the industry are inclined to believe this, although Gartner believes that the law firm representing SCO may be working on a contingency fee basis, such that SCO bears little financial burden as long as the case is in preparation. Should it win damages, the law firm would be subject to a percentage of the judgment. In that case, Microsoft s contribution, although still substantial, would be less of a factor. However, Gartner also believes that Microsoft gains positive press from the case because of the uncertainty hanging over Linux customers of the potential for legal liability. In addition, while this lawsuit remains unresolved, Microsoft is armed with market fear, uncertainty and doubt (FUD), challenging the principles of open-source ownership, governance and code evolution. What is your educated guess as to the ultimate resolution and potential outcomes? This case is extremely hard to judge as are any cases dealing with software infringement. To understand the merits of the case, one must thoroughly understand the contractual terms and conditions, the code in question, the origin and history of this code, the issues of code duplication, theft and use of creative content, and what constitutes derivative works. If a case for infringement and theft is found, the court, in a jury trial, must determine whether the infringement caused damage to SCO s markets and future business viability. SCO s claims of several billions of dollars in damages relates to its difficulty to conduct its Unix business because of the competitive alternative offered by Linux which SCO alleges uses and benefits from Unix System V s intellectual property and code. SCO alleges that IBM changed the industry s competitive dynamics by giving source code to the Linux community without SCO s consent and in breach of IBM s contract with SCO. The violation is alleged to include the trade secrets involved in symmetric multiprocessing (SMP) and nonuniform memory access (NUMA) design as a result of IBM s Sequent Computer acquisition (a System V licensee) and the knowledge transferred during Project Monterey. (Project Monterey was an alliance of IBM, SCO and Sequent to build a scalable Unixbased system from SCO s UnixWare, IBM s AIX and Sequent s Dynix/ptx that would support Intel 32- and 64-bit architectures.) IBM could, if it determines that the case strongly favors SCO (which Gartner doubts will happen), move to settle the case for some specified damages or it could seek to buy out SCO and the Unix license ownership and copyright. An IBM settlement with SCO might not address all of SCO grievances, because SCO holds many original equipment manufacturer (OEM) license agreements and could pursue additional claims. What immediate actions should we take? On 16 June 2003, SCO increased the damage claim of the original filing while citing termination of IBM s AIX license. It now appears that any effort to reach a compromise settlement may be more remote, since IBM is continuing to remain steadfast in its conclusion that its license compliance and use of AIX is via a perpetual and irrevocable license agreement with SCO. Thus, the current impasse could result in a final judgment that takes years as it took in the government s case against Microsoft. If that is the outcome, AIX customers would likely not be directly affected until the conclusion of the trial. If SCO seeks damages directly from customers, enterprises need to have legal counsel involved to ensure that IBM defends its customers against legal liability. Gartner believes that contract managers could appropriately exercise their legal rights by requesting in writing IBM s assurance of indemnity from legal liability in all future AIX-based procurements and coverage for current installations. In a press release, IBM stated: IBM will continue to ship, support and develop AIX, which represents years of IBM innovation, hundreds of millions of dollars of investment 2 July

14 Management Update: The Effects of the SCO Lawsuit on IBM AIX Customers (continued) and many patents. As always, IBM will stand behind our products and our customers. It also issued an internal memo to employees of its intent to continue shipping systems with AIX. How likely is SCO to extend its lawsuit to vendors of other Unix systems, such as Sun Solaris, HP-UX and SGI Irix? SCO has informally declared that it believes most other major platform vendors have generally respected the terms and conditions of the license, although it has been unwilling to declare that all vendors are in compliance. Moreover, Sun Microsystems has declared that its buyout of the license makes it the safest Unix choice, although Gartner believes certain contract conditions may still apply. Sun has begun a marketing program to encourage AIX customers to migrate to Solaris, but Gartner recommends that AIX customers avoid making hasty decisions that could be costly and needless, and, instead, monitor the situation. Gartner is somewhat surprised that virtually all Unix vendors have come out in support of Linux, yet they have remained relatively silent about the lawsuit. Nor has Linus Torvalds and the open-source community treated the case with the seriousness it deserves. Gartner recommends that all vendors begin an open-source qualification and due diligence process to reassure their customers that future incidents of intellectual property threats are minimized, and offer them additional protection or indemnity. Gartner believes that SCO hopes that IBM and other OEMs will buy out their Unix licenses at costs ranging from tens of millions to hundreds of millions of dollars, depending on usage and the size of their installed bases, due to the highly restrictive terms and conditions of the contracts that were originally signed with AT&T. Bottom Line Gartner believes no short-term threat exists to the continued operation and deployment of AIX-based systems. A short-term settlement would relieve customers, while a long-term legal battle could take years to resolve. Nevertheless, customers should not relax. Contract managers should request in writing IBM s assurance and indemnity from legal liability in all future AIX-based procurements as well as coverage for current installations. All IS organizations using open-source software need to set up an internal architectural standards and review process that requires all new software be examined for due diligence, license terms and conditions, support organization health and documentation, accusations of copyright violations and other potentially detrimental conditions. Written by Edward Younker, Research Products Analytical source: George Weiss, Gartner Research For related Inside Gartner articles, see: At Random, SCO s Threat to Sue Linux Users Serious but Remote, (IGG ) CIO Update: Gartner s Midrange Server Magic Quadrant Shows Linux Upswing, (IGG ) 14 Inside Gartner This Week

15 At Random Microsoft Must Transform, Not Threaten, the Antivirus Market. On 10 June 2003, Microsoft said that it will acquire GeCAD Software, a Romania-based antivirus provider. Microsoft intends to use GeCAD s technology to help secure its own operating systems, applications and services, and to extend antivirus support to third-party antivirus providers. Microsoft s acquisition of GeCAD and Pelican Security, which provides Windows-based behavioral protection software, confirms a recent Gartner prediction: Microsoft will build an antivirus engine into Windows and provide open application programming interfaces or Web services interfaces for signature updates. This approach, supported by GeCAD s and Pelican s technologies, could radically improve how viruses are prevented, controlled or stopped. Such innovation from Microsoft could also transform the antivirus market by offering vendors a powerful incentive to detect viruses and develop signature updates. However, if Microsoft decides to become simply another antivirus vendor, no vendor of antivirus software will be able to compete in the desktop market. As a result, enterprises would face inferior technology, high prices and greater long-term risk from malicious code. Microsoft is a long way from turning GeCAD s technology into a viable antivirus product. Providing a high-quality set of enterprise-level products and services will prove particularly difficult. Enterprise antivirus products must support a heterogeneous set of platforms, including non-windows platforms and a large number of users, which requires robust management and reporting capabilities. Gartner believes that Microsoft should focus its newly acquired antivirus expertise on building malicious-code protection into all its products and services, and on developing standard, open interfaces that encourage thirdparty innovation. Enterprises should plan to use third-party antivirus products through the end of 2006 but should use Microsoft s announcement to pressure antivirus vendors to deliver more proactive products, with lower cost of ownership, by 2H04. Analytical sources: John Pescatore, Arabella Hallawell and Richard Stiennon, Gartner Research AT&T Must Still Prove Customers Come First. On 3 June 2003, AT&T announced a set of initiatives to improve customer service. They include a simplified Master Services Agreement, Wi-Fi access to AT&T business services, self-provisioning of virtual private networks to reduce installation time, and Web-based tools for ordering and managing network services. Customers should view this effort skeptically. AT&T has identified changes that could benefit customers, and it will invest $500 million in 2003 on this initiative. Nevertheless, Gartner believes benefiting customers isn t AT&T s primary motive. Gartner clients complain about AT&T s ordering, provisioning and billing services more than those of any other U.S. network service provider. Clients report a high number of errors that require a long time to resolve. Some of AT&T s systems are very old, and integrating all the different systems and applications poses a huge challenge. In addition, AT&T must improve its procedures around the billing system itself. As for the other announced changes, self-service can reduce installation time, but it also reduces carrier costs. In the future, AT&T may view self-service as a source of revenue and charge for it as value-added service. Wi-Fi has become a hot area, hence AT&T s interest. Until AT&T starts to deliver concrete improvements, view its announcement as marketing. Other carriers have begun similar efforts without as much fanfare. When you evaluate network service providers, check references as the surest way to determine the quality of the customer experience. Continue complaining when customer service does not meet your requirements. That pressure has some effect. Analytical source: David Neil, Gartner Research 2 July

16 At Random (continued) Private Equity Groups to Buy Baan, Merge It With SSA. On 3 June 2003, Invensys announced an agreement to sell Baan to an investment group consisting of Cerberus Capital Management and General Atlantic Partners, an equity investment firm, for $135 million in cash. General Atlantic has been an investor in Baan and employs former Baan CEO Tom Tinsley. Immediately on closing the deal, the investors plan to merge Baan with SSA Global Technologies, which they also control. Under SSA, Baan will be driven to provide consistent financial results. Unlike Invensys, General Atlantic has no advanced vision for manufacturing but is simply an investor seeking a return. Consequently, although this acquisition will stabilize Baan s short-term viability, it casts doubt on Baan s ability to continue to invest and evolve its products because Baan needs more restructuring to regain growth and profitability. To date, SSA has acted as a business application consolidator and has some plans to rationalize its numerous applications (including BPCS, Infinium, interbiz and MAX). Although SSA plans to make Baan s Gemini the migration destination for more than Baan users, this vision will likely not be realized, except for ManManX. Over time, Baan plans to offer extended applications customer relationship management, supply chain management and product life-cycle management to SSA customers, but integration challenges will limit large-scale adoption through Baan faces two challenges: Its viability has long looked uncertain apart from the early months within Invensys and most Baan IV customers have not moved to Baan V. These two issues work together to inhibit Baan s success in the market since, without larger migrations by installed Baan customers, Baan will have difficulty projecting a viable platform for new sales. Without new sales, customers will be reluctant to invest further in Baan products. Baan IV or Triton customers not on version IVc4 should migrate to that version by year-end 2003 if they wish to execute a hold strategy for Baan applications. Baan IVc4 customers should maintain the status quo while waiting for evidence of execution and delivery on the Gemini vision. Baan IV customers in process industries should look for alternatives as Baan has focused on discrete manufacturing industries. Baan V customers should develop contingency plans in case the new group settles for maintaining the Baan IV installed base and cuts development investments. Analytical source: Brian Zrimsek, Gartner Research Acquisition of Kintana Will Boost Mercury s Application Development Market Position. On 10 June 2003, Mercury Interactive announced it had purchased Kintana, a privately held IT process and project management company, for $125 million in cash and $100 million in stock. Although Mercury has paid a premium for Kintana of five times its estimated annual revenue, the acquisition has given it a complementary technology that improves its change management and IT governance processes. The deal also enhances the value of Mercury s test solutions. Mercury can now capitalize on the trend toward better synchronization between application development (AD) and IT operations, which Gartner has previously forecast. By 2007, 60 percent of mature IS organizations will shatter the typical boundaries found between AD and IT operations by establishing a new AD-operations liaison position that is responsible for joint planning, strategy and information sharing (0.7 probability). Kintana s capabilities mainly appeal to the AD buyer. Mercury believes this appeal can also be leveraged into a change management workflow engine for the IT operations market. However, Gartner believes that addressing these 16 Inside Gartner This Week

17 two different buyers will present a difficult engineering and marketing challenge. This acquisition will provide muchneeded financial and organizational heft to Kintana while enabling Mercury to compete more effectively against IBM s Rational and Tivoli brands. This move will also challenge the major enterprise management vendors BMC Software, Computer Associates International and Hewlett-Packard, with its OpenView division. If you are considering Kintana s products for the first time or are looking to extend current maintenance contracts with Kintana, you should proceed because the company has obtained more-stable financial backing. However, negotiate to lock in terms before any potential price increases. Mercury continues to make aggressive acquisitions. If you use its products, monitor Mercury partnerships since they could potentially become obsolete rapidly. Analytical sources: Theresa Lanowitz, Cameron Haight and Debra Curtis, Gartner Research Merger Will Rescue Handspring, Let Palm Enter New Markets. On 4 June 2003, Palm announced it will acquire handheld computer vendor Handspring for about $190 million in stock. Palm Solutions Group and Handspring would merge. Todd Bradley, CEO of Palm Solutions Group, will lead the yet-to-be-named company. Palm s cofounders, Jeff Hawkins, Donna Dubinsky and Ed Colligan, who later started Handspring, will return to Palm as chief technology officer, board member and head of the smartphone division, respectively. The combined company expects to save at least $25 million per year by cutting redundant staff (125 positions), equipment and facilities. Palm expects to close the deal later in This deal will likely benefit both companies although Handspring will benefit more because of its desperate financial condition. Handspring liquidated its remaining stocks of PDAs in March 2003 to focus on the smartphone business, and it has built large inventories of Treo 270 (GSM/GPRS) models at T-Mobile and Cingular and of Treo 300 (CDMA/1X) at Sprint. However, Gartner believes these wireless carriers were nervous about Handspring s viability. Credit Dubinsky and Hawkins for getting the deal done before Handspring s next quarterly financial results, which promised to be disappointing. Palm s Tungsten W and Tungsten C target wireless data users rather than the smartphone market, so the two companies product lines overlap little if at all. The acquisition gives Palm a quick entry into the CDMA market and enables it to become a credible player in the smartphone market. Palm probably would have taken at least two years to hire and build a team comparable to that of Handspring, and by then Symbian and Microsoft licensees would likely dominate the smartphone market, which Gartner believes will surpass PDA shipments by late Handspring has been withdrawing from international operations, but Palm has the brand name and resources necessary to build a more robust line of Treo models that will attract carriers outside the United States. Handspring offers some intellectual capital in the wireless area and knowledge of how to work with wireless carriers that Palm never seemed to grasp. Palm s efforts in wireless PDAs (Palm VIIx, i705, Tungsten W) have been weak and never threatened wireless device market leader Research in Motion (RIM). The merged company will become more competitive than either would have been individually, but Palm likely won t return to a dominant position in the PDA market or become a leader in the smartphone market anytime soon. Enterprises should continue to consider Palm PDAs as well as evaluate Palm/Handspring smartphones that result from the merger. Analytical sources: Ken Dulaney, Todd Kort and Phil Redman, Gartner Research 2 July

18 The Industry s #1 Destination for Expert CRM Guidance Gartner s CRM Summit Fall 2003 Register TODAY! Space is limited. Why Attend CRM Summit Fall 2003? More than 30 top analysts will share their CRM expertise and experience. Special speakers Don Peppers and Professor N. Venkatraman will provide keynote presentations. Don Peppers will share his latest insights on how CRM can be a part of a fully integrated value chain and create a great customer experience. Professor N. Venkatraman, one of the world s most sought after experts on strategy and technology, will discuss the emerging networked era, which promises to transform customer, citizen and partner relationships. CRM Excellence Awards will be showcased to recognize organizations with outstanding CRM initiatives that generate exceptional results. CRM case studies will be presented that illuminate the power of transformative customer relationships. Sponsor Case Study Panels, in which leading product representatives will present a detailed client case history and describe the solutions that were used and what results were obtained. Premier and Platinum Sponsors include: Amdocs Aprimo Callidus Software E.piphany Genesys Telecommunications Labs Nortel Networks Oracle PeopleSoft Salesforce.com SAP SAS Siebel Systems Synygy Teradata Don t Miss It! September 8-10, 2003 Westin Century Plaza Hotel & Spa Los Angeles To register and for full conference details visit: or Inside Gartner This Week