NEW YORK -- EMC Corp. is embarking on a more thorough plan to incorporate security in all its products, the company announced at its analyst day in New York Thursday. This will include developing new products internally, partnerships and potential acquisitions, a necessary move, analysts said, as user concerns over data security are on the rise.
EMC's entrance into this area comes almost nine months after Symantec Corp. acquired Veritas Software Inc. and within a month of rival Network Appliance Inc.'s (NetApp) acquisition of encryption appliance startup, Decru Inc. These acquisitions and a rash of high-profile tape loss disasters by companies including Bank of America, Time Warner, Ameritrade and City National have forced EMC to step up its efforts in the security field.
"They were absolutely right," said Mark Lewis, executive vice president and chief development officer at EMC, on the reason for the Symantec and NetApp deals. "Information and security go together; the message is right."
"People have been putting individual functional elements in place like antivirus software, firewalls, threat detection, encryption here and there, spyware, patching … but there is no single management." He said EMC's security strategy will not be "just fingers in the dike," but "pervasive in all the products we sell."
He noted several areas where EMC is already providing security functionality, including secure sign-on capabilities within its arrays to avoid any back doors into the products, SAN zoning to prevent rogue servers and storage devices gaining access via the network, trusted content services and digital watermarking within Documentum and backup encryption for small businesses within the Dantz Retrospect product line.
In addition, EMC recently announced partnerships with Decru, NeoScale Networks Inc., Kasten Chase Applied Research Ltd. and CipherOptics Inc. for hardware-based encryption. Reselling Decru, now in the hands of NetApp, is not the most palatable situation for EMC, but as long as Decru adheres to open standards, EMC said it will continue to partner with the company. Joe Tucci, CEO at EMC, noted, "We had assurances from the top of the house down" that it would support open standards. Ultimately, EMC expects encryption to reside everywhere -- in software, on ASICs, in disk arrays. "There is a reason to run it in multiple places," Lewis said.
While EMC's current offerings are a start, most analysts said they barely scratch the surface of where the company needs to be.
"So you have lots of piecemeal things for providing security -- are you building a framework for this?" asked one analyst during a question-and-answer session at the New York event. Lewis said the company is not building a framework and reiterated that security needs to be embedded in all the company's products.
"Clearly, they need to make some acquisitions, but they are right from a customer perspective, buying a box, like a Decru, isn't enough … security needs to be built into storage and servers and across the wire in network devices to be effective," said Steve Berg, analyst with Punk Ziegel & Co.
The first tangible security product EMC plans to announce will be a security module that will enable single login and authentication across all the company's products. Expected in the first quarter of 2006, it will build access controls into the management products, providing storage administrators with lists of who has access to backup, who does provisioning and so on. This is being developed internally and will support LDAP and Microsoft Active Directory.
On a more conceptual level, Lewis described EMC's intention to develop something akin to digital rights management, but for corporate information. "Today, digital rights management is all about protecting music copyright, but information rights management will be about protecting financial statements and medical records, and all other kinds of documents," he said.
Other analysts pondered whether EMC's approach might introduce more complexity into environments. "They are adding another layer of management, how complex is that?" said Randy Kerns, an independent storage analyst.
Dynamic resource management
Leaving aside security, EMC said users should expect a continuous data protection (CDP) product coming soon and announced the first fruits of its $260 million acquisition of Smarts, picked up in December 2004. Smarts provides a patented modeling language that locates and identifies devices and systems in a distributed network, gathers information about them, and correlates the data to determine status and make predictions. EMC has applied Smarts' event correlation to its ControlCenter storage management software.
The new module, dubbed Storage Insight, will be available within the next nine months and will eventually be rolled into ControlCenter. "We've taken the resource management [SRM] out of Smarts and our workflow engine out of Documentum, and repurposed them to go after the resource management market," Tucci said.
EMC also plans to continue developing Smarts' network resource management capabilities. "Yes, we will continue to do things beyond storage, in the software realm, grids, server, network, [because] customers need central management points," Tucci said.