Symantec and the Security of Inclusion

It's all about compliance, that amorphous sales driver that has been keeping public companies and regulated industries on their toes ever since the fallout from the dot-com bust hit the statute books a few years back.

The security landscape has changed and continues to change, and Symantec, the largest security company out there, saw that it needed to change to. Gone are the days when Internet worms would spring up, infect a million computers overnight, and have consumers tearing Norton Antivirus off the shelves faster than the company could print the CDs.

"What we're starting to see is not folks seeking notoriety but folks who want to sit on the corporate desktop or laptop unnoticed, log keystrokes, and when not you're not looking send that data off-site," Jeremy Burton, Symantec group president of enterprise security and data management, said at the company's recent analysts' day. "The bad guys are not just outside the organization. The business of security through exclusion, keeping bad guys out, is not sufficient because what if the threat is from insider, from an employee. You can't stop employees at the gate, stop them coming to work. We need to get more into the business of the security of inclusion."

In Symantec's most recently reported quarter, consumer security sales was up a mere 5%, a cry from the 22% growth seen just a year earlier and the 35% increases seen a few years ago. It was very likely partially a reflection of the lack of mainstream publicity that malware has been getting lately.

Buying Veritas made sense as it reduced the company's exposure to the consumer security space, but Symantec prefers to play up the tantalizing possibilities afforded by the integration of Veritas' market-leading storage management software and its own market-leading security products.

The company is planning to build on the base of its email security gateways and the Veritas Enterprise Vault archive software, the bolt-on functionality for handling other types of messaging, such as voice over IP and instant messaging, to create an 'enterprise messaging management' platform, according to recent statements by executives.

"Email at this point is a mission-critical application. There is a vast amount of data in email systems, so there are vast amounts of risk contained in the email system. If you're in a regulated industry, that risk translates to exposure," Burton told analysts. "At any point in time, 75% of a company's intellectual property may be contained in the email system. For that reason, 75% of all corporate litigation cases now involve a form of email discovery. And 75% of companies now accept email as proof of a transaction. Now, as ERP has long been considered a mission-critical application, I believe email is a mission-critical application."

It's no longer just about stopping potential threats, such as spam and worms, at the email gateway. It's now also about make sure the right emails get to the right people, and are tagged, archived and retrievable in a way that allows organizations to comply with their legal requirements. This can mean either industry-specific regulations, such as HIPAA, general regulations, like Sarbanes-Oxley, or just the general need to have records of what you have done, in case the lawyers come calling.

"Emails which, by the current definition of a malicious threat, may pass the test, may actually be deleted before they're stored to any kind of medium where they can be discovered," Burton said. "The lawsuit comes in and all hell breaks loose."

Symantec proposes a scenario where the email gateway can not only detect whether an email contains the characteristics of spam, or has a malware attachment, but can also detect whether it contains a rather less virtual threat, such as portents of a lawsuit. The same algorithms that check email text content for 'spamminess' could also be used to parse for the indications of sexual harassment or accusations of patent infringement, for example.

Such emails could then be tagged for perusal by somebody in the legal department, if that's the policy the enterprise wants to implement, or sent to a special archive where they could be more easily found in future, if a subpoena should arrive, for example.

"Email could go into some kind of quarantine," Burton said. "Why not, we put spam in a spam quarantine for users to review. Why can't we put emails like this into a legal quarantine for review. It goes to someone whose job it is to review emails that could be a threat to that organization."

This could not only help head off legal threats before they occur, but also reduce the cost of assembling subpoenaed data, should litigation kick off. Email archives can get very fat very quickly for large enterprises, and it is said that sometimes the cost of finding and aggregating data to comply with a legal requirement can outweigh the cost of swallowing a fine.

Symantec, for example, points to a recent account in which the email archive stands to grow to "biblical proportions". We're talking about terabytes, or potentially petabytes, being collected over the space of several years.

"We did some work for a big pharmaceutical company that has about 100,000 users. We calculate that in three years, if each employee receives just 40 emails a day, we'll have an archive store that indexes more objects than Google does," Burton said. "How big is one of these archive stores? Well, about as big as the Internet. The Internet is not really a big place -- about as big as the archive store for a corporate email store for one of the world's biggest companies."

Symantec's messaging compliance strategy is to aim to reduce the cost of extracting useful data from these monster data stores, by tagging and partitioning email by context. As Burton put it, "It's easier to find a needle in a bail of hay than it is to find a needle in a haystack." These needles could include assembling lists of employees with the biggest tendencies to inappropriate language or to leak intellectual property, he indicated, putting forth a vision of messaging systems being just as 'mineable' as ERP systems are today -- email as the unstructured knowledge equivalent of sales figures.

The weak spot for Symantec here is search. The company has no in-house search or business intelligence function. Its Enterprise Vault archive software has an AltaVista engine search engine built-in, which is not the most up-to-date technology around. AltaVista was discontinued as an ongoing concern by Fast Search & Transfer exactly three years ago, after Fast acquired AltaVista's enterprise search business from keyword advertising firm Overture (itself now part of Yahoo). Even prior to that consolidation wave, AltaVista was an under-supported technology supported by a troubled company.

Symantec says it has no plans to enter the search space itself, preferring to rely instead on partners such as Fast and Autonomy, the search market leaders. Contextual search software for unstructured data from these providers, mainly Autonomy, adds the ability to find all examples of emails that resemble a sample dataset. You could input an email concerning a patent, and discover other contextually similar email, for example. Symantec also partners with business intelligence software partners such as Business Objects and Hyperion for interrogating structured archived data.

"I don't believe for a minute that Symantec will be a hotbed of search development," Burton said at Symantec's analyst day. "There are going to be plenty of companies that will do a better job of search. We will provide basic capabilities, but we have architected the product [Enterprise Vault] in a way that we can plug in the search engine du jour."

Sorting and searching data will become more important as time goes by. While a 100,000-user company may have an email archive bigger than Google's index, Symantec does not intend to stop just at email. The company is planning to integrate other types of messaging, including blogs, SharePoint data, voice and IM, in future product upgrades.

According to Symantec chief executive John Thompson, speaking during a recent conference call, the first stage of this roadmap is to integrate the policy management frameworks that oversee both email and instant messaging products, so administrators can apply the same policy to an IM conversation containing key words as it does to email containing those words.

John Thomspon, Symantec's chairman and CEO
Pictrue Copyright: Computer Business Review (CBR)

"We intend to expand beyond email to messaging, and beyond security to overall message management. The result will be a comprehensive enterprise message management platform, that ensures the health of organizations' mission-critical messaging infrastructure," Thompson said.

This January, Symantec acquired another company, IMLogic, to handle instant messaging security. After that management console integration is done, the company will turn its attention to integrating the policy management software with the archiving software.

"If you've got someone managing instant messaging systems and you've got someone managing email systems, from a security perspective you shouldn't have to go to two consoles," Burton said. "You'll see us unify the management, from a policy perspective, of email and IM security."

He said that some large companies now have a 'vice president of messaging', a senior employee whose key responsibility is to oversee employees' email and IM usage, and who is a peer of the VP of applications or the VP of security.

But Symantec does not anticipate stopping at text. Burton indicated that regulatory pressures, coupled with the almost inevitable ubiquity of voice over IP, will see Symantec's customers start asking for the ability to archive voice. This will add to the size of the archive -- and put pressure on Symantec's ability to scale -- as well as creating a more pressing need to secure this highly sensitive data.

"Voice is a digital stream of information. What makes you think regulators won't want you to journal voice conversations in the same way they're asking people to journal email and IM today. It's just as easy to take a stream of ones and zeros that represents a voice conversation as it is to take a stream of ones and zeros that represents an email conversation," Burton said.

While this may send a chill up the spines of any employees who know their Orwell, it's not currently unusual to have such monitoring in customer service scenarios, such as call centres, and perhaps it's not beyond the bounds of possibility that it could be extended to employees more generally in future. That will depend in a large part on governments' actions. It's hard to see an urgent desire by companies to deepen the already burdensome cost of regulatory compliance by voluntarily retaining petabytes of voice data, on the off chance it becomes useful. But if it does happen, expect Symantec to have the software to deal with it.

CBR Opinion
While the acquisition of Veritas by Symantec was a little bewildering at first, the company does seem to have a firm and believable synergy story, and it's sticking to it. In much the same way that Symantec powered through the dot-com bust years on the back of an explosion of security threats, the company could find itself riding the post-bust regulatory regime to growth. America's enthusiasm for corporate litigation does not appear to be letting up, so there will always be the opportunity to sell a value proposition based on reducing the cost of fighting court battles. Whether legislation will have a similar effect on dramatically increasing companies' need to store and retain messaging information is less certain, but the existing regulatory environment is likely enough to give growth legs in at least the medium term.