Trends in the Japanese Information Security Industry

Japanese Economy Division

Summary

- Japan's information security market is growing favorably due to rapidly expanding demand for services and stable demand for products.
- Security-related companies are increasingly shifting from merely selling equipment to developing business models that integrate equipment and services.
- The demand for security products is being developed with new products that integrate varied functions and new marketing methods.
- Tie-ups between domestic and overseas security vendors are accelerating.

1. Market Overview

With networks having thoroughly permeated corporate activities in Japan, the information security industry is capitalizing on security concerns that have sprung up virtually everywhere in corporate Japan. Although many public institutions, major enterprises and other users have implemented security measures, damage still continues to occur due to new types of viruses and methods of illegal access. As a result, network security needs to be maintained with stringent measures that can deal with frequent and diverse security threats, which has created a favorable market for information security products and services.

According to the "Comprehensive Survey of the Network Security Business" by the Fuji Kimera Research Institute, the information security market grew from 72.7 billion yen in 2000 to billion yen as of 2003, and is estimated to have quadrupled the 2000 figure in Security services quintupled from 9.8 billion yen in 2000 to 48.6 billion yen in 2003, while security products tripled from 62.9 billion yen to billion yen over the same period (Fig. 1).
According to the Information-Technology Promotion Agency (IPA), there were 24,261 reports of viruses in 2001, 20,352 in 2002 and 17,425 in In addition, there were 550 reports of illegal access in 2001, 619 in 2002 and 407 in Ongoing security breaches on this scale have dramatically increased user awareness of the need for countermeasures (Fig. 2).

So far, measures have mainly consisted of introducing anti-virus tools for protection against viruses and illegal access, and firewalls and other products to prevent external attacks and intrusions. In addition to public agencies and major enterprises, the implementation of measures has spread to smaller enterprises and also individuals. Most users have taken the necessary steps to block external attacks, so information security measures are now aimed at strengthening internal security, such as establishing authentication systems, introducing encryption products and ensuring compliance with the Personal Data Protection Law, which took effect in April

Fig. 1 Changes in Information Security Market Scale (billion yen). Series: security products and security services (estimate).
Source: Fuji Kimera Research Institute, "Comprehensive Survey of the Network Security Business"
One major reason for this is a number of incidents occurring between 2003 and 2004, where large amounts of personal data were leaked by major telecommunications operators, mail-order vendors, financial institutions, local governments and other organizations. In response to the shock over these leaks, companies began strengthening authentication systems and establishing internal information security measures, although such efforts were implemented by only a limited number of enterprises. The Communications Usage Trend Survey in 2003 showed that while some enterprises had taken measures such as enhancing employee awareness of the Personal Data Protection Law and related issues, about 40% of the surveyed companies responded that they had taken no particular measure, indicating that inadequate action on the part of many enterprises has been a factor in information leaks.

Damage caused by the recent leaks has been far reaching. The enterprises involved have suffered lost credibility, demands for compensation totaling large sums, self-imposed curtailment of business activities and other damage. The situation has the potential to shake the foundations of corporate Japan. But managers have generally come to recognize that security negligence can lead to serious damage, and this heightened awareness has been a major factor behind the expansion of the information security market in recent years.

In addition, the Personal Data Protection Law not only applies to the enterprises that directly manage personal data, it also makes them responsible for overseeing affiliates, contractors and other enterprises that may come into contact with the data. For this reason, many enterprises now notify suppliers and affiliates of the need for them to enhance their security measures, which has created further momentum in the information security market.

Fig. 2 Reports of Viruses and Illegal Access (panels: Reports of Viruses; Reports of Illegal Access)
Note: 2004 figures show the total for January through June.
Source: Information-technology Promotion Agency, Japan (IPA)

Fig. 3 Personal Information Protection Measures by Corporations (share of companies, 0% to 60%; series: 2002 year end and 2003 year end)
Measures surveyed: enhance internal education; restructure systems and organizations; reduce required personal information; establish a personal information protection manager; formulate privacy policies; obtain privacy verification certificate (Privacy Mark); strengthen selection of outside suppliers; other measures; no measures; don't know.
Source: Ministry of Internal Affairs and Communications, Communications Usage Trend Survey in 2003

2. Industry Structure: Increasingly Service Oriented

Fig. 4 Information Security Industry Structure
- Tool and equipment vendors (overseas and domestic vendors): authentication products, filtering software, encryption products, anti-virus tools, log analysis tools, firewalls/VPN, security inspection tools, integrated appliance products.
- Overseas developers: advanced security technology and know-how; OEM, product supply, technical support, etc.
- Service vendors (security services vendors and general electronics vendors): policy formulation services, inspection and auditing services, design and construction services, operation and management services, monitoring services, authentication services, education and training services.
- Telecommunications carriers, consulting firms, dealers and system integrators, linked by product supply, technical support, operational tie-ups, and service cooperation and tie-ups.
- Differentiation of products and services, solutions service support, specialized security know-how and assimilation of user needs.
- Expansion of business opportunities by approaching users proactively and carrying out educational activities that leverage the strengths of each enterprise.
- End users: public bodies and municipalities, and companies in manufacturing, finance, retail and services.

Fig. 4 shows the information security industry structure in terms of product and service flows. The information security industry is broadly divided into the following four sectors (Fig. 4):

- Tool and equipment vendors, who provide the software and hardware
- Service vendors, who use security equipment to provide products and services to end-users
- Dealers, who focus mainly on product sales
- System integrators, who provide comprehensive security services with products and services

Tool and equipment vendors provide products for service vendors and system integrators, supply OEM products, develop solutions that make full use of product features and provide technical support.

The information security industry is shifting toward services, which is reflected in companies' efforts to develop service businesses in cooperation with service vendors and others. This trend is blurring the distinction between tool/equipment vendors and service vendors. Tool and equipment vendors so far have secured sales routes and concluded agreements with strong sales partners, but recently many of these companies have begun to emphasize after-sales business and approach users in much the same way as service vendors. Increased user awareness and knowledge concerning information security has also caused these vendors to discontinue former sell-and-forget methods. Customers now understand that the introduction of security products does not automatically eliminate all threats, so vendors must help their clients improve their overall security, including through
after-sales activities. In addition, the increased burden on users has created greater demand, another factor that has encouraged vendors to shift to services.

In the service vendor sector of the market, companies no longer focus simply on the provision of services, but also on the construction of security facilities. Some companies are also transforming themselves into managed security service providers (MSSP) to offer services ranging from equipment upgrades to operations monitoring and damage assessment. Meanwhile, security services are being diversified. For example, services are being tailored to specific customers, such as those who had hesitated to use security services due to high costs.

Management consulting firms are also making significant inroads into the information security market, targeting major enterprises and public agencies. While their overall business volume is low, these firms can serve as prime contractors to offer integrated services for all levels, from upstream to downstream processes.

System integrators that design and construct secure environments have benefited from the recent tendency to view systems as networks. They are enhancing their provision of secure system-integration services to distinguish themselves from other vendors.

The above trends illustrate the brisk efforts companies are making to develop value-added security tools and equipment, and to diversify services. In the future, however, security vendors are expected to increasingly tie up with other companies to leverage mutual strengths in order to respond to increasing security needs in the market.

3. Market Trends

A. Rapid expansion

Japan's information security market was estimated at billion yen in Security services produced sales of 48.6 billion yen and security products billion yen, so products accounted for more than 70% of the overall market.
As dependence on networks rises, so does the burden of ensuring information security on the network user side, because it has become increasingly difficult for users to implement and manage security measures on their own. This is why managed security and related services are in greater demand than ever before. The market expanded fivefold between 2000 and 2004 and should account for an increasingly larger portion of the overall information security market in the future.

Looking at specific segments of security services in 2003, security assessment, planning and education produced sales of 17.0 billion yen, illegal-access monitoring 6.8 billion yen, virus monitoring 9.2 billion yen, firewall operation and management 7.2 billion yen, and electronic authentication 8.4 billion yen.

Fig. 5 Changes in Information Security Market Scale, by Category (billion yen, by fiscal year)
Security services: security inspection, policy formulation and education services; illegal access monitoring services; virus monitoring services; firewall operation and management services; electronic authentication services; subtotal.
Security products: authentication products; encryption products; firewall, VPN and integrated equipment products; security inspection, monitoring and analysis tools; anti-virus tools; filtering software; subtotal.
Total.
Notes: 1. Security inspection, formulation and education services did not include education prior to Firewall, VPN and integrated equipment products did not include integrated equipment prior to
Source: Fuji Kimera Research Institute, "Comprehensive Survey of the Network Security Business"

Security assessment, planning and education have generated a large amount of business because an increasing number of users are outsourcing this work to service vendors, consulting firms and other such companies. In addition, more users are taking advantage of education services to raise employee awareness of security needs. What's more, increases in general workload are prompting managers to outsource security services to free up company resources to concentrate on core operations, which has helped to stimulate business throughout the security services market, including firewall and virus-monitoring services.

Yet another factor behind the rise of security services is that manufacturers and vendors are addressing customers' needs more carefully than before. For example, they have begun shifting from conventional sell-and-forget models to practices that facilitate the provision of not only products, but also operation and management services.

Fig. 6 Security Service and Product Weightings
Security services, worth 48.6 billion yen in 2003:
- Security inspection, formulation and education services 35%
- Virus monitoring services 19%
- Electronic authentication services 17%
- Firewall operation and management services 15%
- Illegal access monitoring services 14%
Security products, worth billion yen in 2003:
- Firewall, VPN and integrated appliance related products 39%
- Anti-virus tools 27%
- Authentication related products 12%
- Security inspection, monitoring and analysis tools 12%
- Filtering software 6%
- Encryption products 4%
Source: Fuji Kimera Research Institute

Going forward, the provision of security assessment, planning and education services is expected to shift from an irregular to regular basis.
Other factors that should help to expand the market include the diversification of operation and management services, the establishment of service menus and the reduction of prices as more businesses enter the market.

B. Stable growth expected for security products

Sales in the security product market in 2003 included authentication products worth 20.3 billion yen, encryption products 7.3 billion yen, firewall, VPN and integrated-equipment products 68.1 billion yen, security inspection, monitoring and analysis tools 21.1 billion yen, anti-virus tools 47.3 billion yen and filtering software 10.0 billion yen.

Firewall, VPN and integrated-equipment products and anti-virus tools were introduced over an increasingly wide range of companies, from major enterprises to small firms and SOHOs, enabling them to become a driving force in the market. Both segments were expected to realize stable growth from 2004 onward, due to customer demand for new products and version upgrades.

Among firewall and VPN equipment, sales of integrated products that combine anti-virus, IDS/IPS, filtering and other functions have started to become noticeable in the mid to low-end model range. These products offer a variety of security functions in a single package, helping to simplify operations and management. They are especially popular with small and midsize enterprises and other users that do not have security engineers. The division of firewall and VPN products into two distinct segments, one for higher-end models offering high-performance firewall and VPN functions and the other offering mid to low-end models with integrated functions, should continue in the foreseeable future.

C. Further growth expected for internal security products

Public agencies and major enterprises have for the most part augmented measures against external threats such as firewalls, anti-virus measures and prevention of illegal access, and efforts since 2003 have
focused on strengthening internal security measures. The market for internal security products, especially authentication and encryption products, has shown remarkable growth since 2004, in large part due to the Personal Data Protection Law that took full effect in April 2005, and also heightened awareness in the wake of the much-publicized information leaks.

Among authentication products, demand is expanding for biometrics and IC cards used for applications such as entry and exit control. In addition, demand for single sign-on products used in access control to prevent information leaks is also bolstering the market.

The market for encryption products is growing in fields of information leak prevention and system administration applications to manage information output, prevent information smuggling and monitor for unauthorized terminals.

Filtering software was originally introduced as a tool for restricting access to harmful websites with computers at locations such as elementary and junior high schools. Enterprises also use filtering software to prevent employees from using their office computers for personal matters, as well as to improve operational efficiency and to regulate traffic. More recently, the market has been further expanded with the introduction of leak-prevention tools to reinforce client PC management functions and block illegal applications and improper usage of networks.

Needs are increasing for defenses against new security threats and strengthened internal security systems. In addition, manufacturers and vendors are actively developing both hardware that integrates various security functions and software for security tools. As a result, the introduction of security products across a wide range of user sectors, from major enterprises to small companies and SOHOs, will continue to expand the security product market.

4. Domestic vs. Foreign Firms in Individual Markets

Japan's security services market is served mostly by domestic firms, except for certain foreign-affiliated services such as ISS's intrusion detection/defense service and VeriSign Japan's authentication service. Domestic vendors have an advantage over foreign rivals due to their greater familiarity with the business practices and network characteristics of specific industries. But the security products, tools and other items used for these services are not limited to those of domestic manufacturers, and in many cases foreign products that have set the de facto global standards are used. For example, firewall services are provided with products of globally respected brands, such as NetScreen (Juniper Networks) and FIREWALL-1 (NOKIA), which has helped these services acquire users. Service vendors are attempting to distinguish themselves by using security products with high name recognition, which has led to collaborative relationships with well-known security vendors overseas.

Overseas manufacturers' and vendors' products have been widely introduced throughout Japan and are thought to have accounted for roughly half of the domestic market in 2003, according to Fuji Kimera Research Institute. Overseas products accounted for high shares of the markets for one-time password and single sign-on products, firewall and VPN devices, inspection and monitoring tools, log analysis tools and so on. Many users specify products based on perceptions of trust and reliability associated with products that are globally well known and have proven records. As a result, foreign manufacturers account for 80% or more of the Japanese market in the five categories noted in the table (Fig. 7).

Fig. 7 Japanese Market Share of Selected Overseas Manufacturers (FY 2003 estimates)

Product | Share | Sales | Manufacturer / vendor
One-time passwords | Approx. 90% | 2.5 bil. yen | RSA Security, Secure Computing, etc.
Single sign-on products | Approx. 90% | 4.0 bil. yen | Entrust, IBM, HP, RSA Security, etc.
Firewall and VPN equipment | Approx. 88% | 32.6 bil. yen | Juniper Networks, NOKIA, Cisco Systems, etc.
Inspection and monitoring tools | Approx. 90% | 10.9 bil. yen | ISS, Symantec, Cisco Systems, etc.
Log analysis tools | Approx. 95% | 2.4 bil. yen | NetIQ, etc.

Source: Fuji Kimera Research Institute, "Comprehensive Survey of the Network Security Business"
5. Corporate Tie-ups among Major Enterprises

Examples of corporate tie-ups between major domestic and overseas vendors are shown below.

Chart: Internet Security Systems, Inc. Entities shown: Internet Security Systems, Inc. (Delaware, U.S.); ISS Inc. (Georgia, U.S.); ISS Investment Holdings, Inc. (Georgia, U.S.); TriSecurity Holdings Pte Ltd. (Singapore); Internet Security Systems Pte Ltd. (Singapore); Internet Security Systems BTY Limited (Queensland, Australia). Relationships shown: capitalization (100% and 87.7%), product supply and professional services. Groups shown: alliance partners, MSS partners, master distributors, resellers and partners, end users and Asia-Pacific region users.
Chart: Trend Micro. Panels shown: technical alliances; Trend Micro products (client/server products, InterScan VirusWall, ServerProtect for NetApp, edoctor service); distributors; InterScan master resellers (16 companies); ServerProtect for NetApp master resellers; premium security partners (9 companies); volume retailers; business partners and SI; NetStar (URL filtering technology and database); OEM supply (more than 20 companies, including local ISP and cable TV operators and local municipalities); individual users and corporate users.

Chart: Fujitsu. Panels shown: affiliated organizations through membership activities (NPO Japan Network Security Association (JNSA), NPO Japan Information Security Audit Association (JASA)); Fujitsu Social Science Laboratories (Fujitsu SSL); Fujitsu divisions (Outsourcing Division, Security Service and Support Division, Sales Division, Network Systems Division); security vendors linked by technical tie-ups, products and services, grouped by category (firewall/VPN, inspection and monitoring, DoS/DDoS measures, virus and spam measures, authentication products, encryption, filtering); Fujitsu Group corporations; solutions partners; partners; end users.
Chart: Hitachi Limited. Panels shown: Syscon Systems, SECOM and SECOM Trust.net (cooperation, comprehensive tie-up, information sharing); security vendors (Verisign, Check Point, RSA Security, Symantec, Trend Micro, etc.; product procurement); Hitachi Limited system integration and system development; Security Solution Promotion Division; consulting services; Hitachi Group system integration; system integration and sales for specific industries; distributors and resellers; secondary shops; end users.

Chart: NTT Communications. Panels shown: security vendors and partners (product supply and technology sharing; provision of technology and product information; R&D and personnel exchange; tie-up in IC card solutions field; tie-up in electronic authentication business); NTT Group; NTT Communications organizations (Security Operation Centers, Customer Service Centers, Customer Network Service Center, Solution Business Division, IP Integration Division, IT Management Services Division, Broadband IP Services Division, Advanced IP Architecture Center, other divisions); SIer; end users.
6. Current Topics

Increased demand due to Personal Data Protection Law

New compliance requirements under the Personal Data Protection Law have stimulated demand for information security business since the second half of fiscal 2003, when users began preparing for the law's complete implementation in April The demand for acquisition of the Privacy Mark and ISMS/BS7799 certification has increased rapidly in response to the law. Privacy Mark acquisition or ISMS/BS7799 certification is becoming a prerequisite for enterprises that handle personal data. While major enterprises have taken the lead, an increasing number of smaller firms are also aiming to acquire certification. The demand for acquisition/certification services should increase. In addition, enterprises that acquire certification should create demand for new services, such as reinforced security education.

Consortium for leak-prevention solutions

The increasing complexity and diversity of information security needs has made it difficult for individual companies to offer business models that can satisfy all user needs. In response, the nine companies of Hitachi Software Engineering, RSA Security, Motex, Otsuka Shokai, Quality Corporation, Sompo Japan Insurance, Citrix Systems Japan, Trend Micro and Microsoft formed a consortium to meet the demands for concrete measures offering optimum products and integrated solutions. Through the consortium, the participants will combine products and services for comprehensive solutions that meet diverse needs. International alliances such as these are expected to accelerate as security needs further diversify, offering users more flexibility and thereby creating additional new demand.

Security terminology

Firewall/VPN devices: Dedicated hardware equipped with firewall and VPN functions.

VPN: Virtual private networks enable highly secure communication by establishing connections similar to dedicated lines, but via the Internet.
Authentication: The process of confirming the access rights and identity of a computer user.

Single sign-on product: A system that allows a user to access all permitted functions and servers after a single act of authentication, i.e., a password.

Access control: Measures and policies for determining a user's information access rights and controlling the information and applications they access.

Biometrics: Authentication system for confirming identity using fingerprints, veins, retinal and other unique biological characteristics instead of passwords, etc.

IDS/IPS: Intrusion detection systems detect and announce illegal intrusions into computers or networks, while intrusion protection systems not only detect intrusions but attempt to block them.

Filtering: Forwarding only that data which meets specific conditions or does not clash with restrictions, such as web filtering to prohibit access to specific websites and filtering to automatically sort, forward or block specific types of .

Personal Data Protection Law: A Japanese law fully implemented in April 2005 to establish the fundamental ideas and principles of personal data protection in the public and private sectors and also to stipulate the responsibilities for preventing personal data leaks and handling data by constructing reliable information-protection systems. The law applies to private enterprises and other entities that handle retrievable personal data on 5,000 or more customers, etc.

Note: This report was prepared by the Japan External Trade Organization (JETRO) based on a survey commissioned to the Fuji Kimera Research Institute.