Most technology evaluations you read in trade magazines, or those provided by manufacturers, suffer a common and basic flaw. They compare technologies with other similar, competitive products and rarely, if ever, tell the reader how good the product really is. The evaluations list features in light of those of competitors. In my opinion, they perpetuate mediocrity.
I think there is a better way to look at technology products. The method I’ve been developing for the last four years is as close to a scientific way of performing the evaluations as I can find. My method also has another important difference: it tells the security executive (or the manufacturer) how successful the product will be at solving the end user customer’s problems, rather than telling the customer what he or she will have to settle for.
I’ll say it more plainly. By taking a hundred or so criteria from end user requirements and preferences, I can score how closely any product comes to the hopes and expectations of the customer.
Here is an example of the scoring. This product (which I will not name here) was recently awarded very high marks in a (more or less) independent product comparison with other big name access control products. It is considered one of the best products you can buy in its category. However, as you can see from the scores, it still has some areas for improvement if it is to stand a chance of meeting the customer’s actual needs.
Category & Rating
Architecture and Integration, 2.7
Reliability and Scalability, 3.5
Configuration and Flexibility, 1.9
Administration and Reporting, 1.8
Overall Rating, 2.5
The scoring range is 1 through 5: a 1 represents poor or absent support or quality, and a 5 indicates satisfying, broad, flexible qualities.
Each category has several sub-categories consisting of several criteria. Each sub-category and criterion is weighted according to its relative importance to the customer. Therefore, the amount of database administrator time required to set up the system may be weighted more or less heavily than, say, the range of third-party databases supported by the product, depending on what customers prefer. Similarly, the usefulness and intuitiveness of the graphical user interface or the online help tools will be weighted more heavily than the product’s support of a command line interface.
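As an added example (not the author’s own scoring tool, whose criteria and weights are not published), here is a weighted roll-up of the kind described above, in Python: criteria are scored 1 to 5 and weighted by their importance to the customer, sub-categories and categories are weighted means of their children, and one constructed category is scored under two different customer weightings to show how the same product earns a different score for different customers. The criterion names, sample scores and weights are assumptions; the four category ratings are the ones tabulated above, and at equal weight they reproduce the 2.5 overall rating.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

SCALE_MIN, SCALE_MAX = 1.0, 5.0  # 1 = poor or absent, 5 = satisfying, broad, flexible

@dataclass(frozen=True)
class Criterion:
    name: str
    score: float   # rating on the 1..5 scale
    weight: float  # relative importance to the customer

@dataclass(frozen=True)
class Group:  # a sub-category or category: a weighted bundle of criteria or groups
    name: str
    weight: float
    items: tuple

def rollup(node) -> float:
    """Weighted mean of the children (weights normalised per level); a leaf returns its score."""
    if isinstance(node, Criterion):
        if not SCALE_MIN <= node.score <= SCALE_MAX:
            raise ValueError(f"{node.name}: score {node.score} outside 1..5")
        return node.score
    total = sum(c.weight for c in node.items)
    if total <= 0 or any(c.weight < 0 for c in node.items):
        raise ValueError(f"{node.name}: weights must be non-negative, not all zero")
    return sum(c.weight * rollup(c) for c in node.items) / total

def shown(score: float) -> float:
    """One-decimal rating as the report prints it: decimal half-up rounding,
    not binary half-even, so 2.475 is shown as 2.5."""
    return float(Decimal(repr(score)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

# The four published category ratings, equally weighted, reproduce the post's 2.5 overall.
PUBLISHED = Group("Overall Rating", 1, (
    Criterion("Architecture and Integration", 2.7, 1),
    Criterion("Reliability and Scalability", 3.5, 1),
    Criterion("Configuration and Flexibility", 1.9, 1),
    Criterion("Administration and Reporting", 1.8, 1),
))

# Constructed criteria for one category (sample values, not the reviewed product's).
CONFIG_CRITERIA = [("DBA time to set up", 2), ("Third-party databases supported", 4),
                   ("Command line interface", 5), ("GUI intuitiveness", 2)]

def category_score(weights: dict) -> float:
    """Score the constructed category under a customer-supplied weighting."""
    items = tuple(Criterion(n, s, weights[n]) for n, s in CONFIG_CRITERIA)
    return rollup(Group("Configuration and Flexibility", 1, items))

# Same product, two customers: a DBA-constrained shop and a heterogeneous-database shop.
DBA_SHOP = {"DBA time to set up": 5, "Third-party databases supported": 1,
            "Command line interface": 1, "GUI intuitiveness": 3}
MULTI_DB_SHOP = {"DBA time to set up": 1, "Third-party databases supported": 5,
                 "Command line interface": 1, "GUI intuitiveness": 3}
```

Both weightings keep the GUI weighted above the command line interface, as the text says the customers prefer; only the database-related weights move, and the category score moves from 2.5 to 3.3.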
When my evaluation is completed, the CSO or product manager will see in the detailed report every major way the technology meets, exceeds, or fails to address dozens of important requirements or preferences of the end user customers.
So rather than crying and carrying on about which gizmo has more features than the next guy's, let's focus on solving the problem and meeting the end user security executive's needs. Let me know if you’d like more information on measuring the true value of technologies. I’m happy to chat. email@example.com
When I was in Israel last week I enjoyed spending time with Avishai Wool, CTO of Algorithmic Security Inc.
AlgoSec is one of those special companies that focuses on creating a straightforward, useful technology and easing a pain felt by just about anyone with a firewall. The product analyzes the configuration files of firewalls and helps to optimize the configuration and close pesky holes that inevitably occur in any dynamic workplace.
What it is:
USB stick with fingerprint authentication, AES or Blowfish file encryption, secure partition and platform for hosting and launching applications. Plug this little baby in and launch apps, store files, send emails, and sign documents all without leaving a trace on the host computer. Capacity ranges from 256K to 4 Gigs.
n-Trance Security Ltd
How it does it:
n-Tegrity Pro combines a proprietary biometric authentication application (all properly documented and publicly discussed in academic papers, of course), file encryption (using your choice of AES, Blowfish or other popular encryption options), and a logical partition for secure file storage.
The product is shipping and is currently sold through a few channels in Europe and on Amazon. Prices start at $45 and go up to $200.
I tested the Pro version with 1 Gig of memory selling for about $90.
I opened the box and installed it in seconds. Within five or six minutes I was a power user (after I figured out that I have to swipe my finger three times to enroll instead of just one). The software running on my device is n-Pass Pro 220.127.116.116. I inserted it in a USB port of my old IBM ThinkPad T42 running Windows XP (updated) and was pleased at how quickly the n-Tegrity Pro was detected. After registering two fingers using the biometric reader, a navigation window offered me options to launch the embedded applications like Skype or Miranda instant messaging. I selected Internet Explorer and surfed away, hardly detecting any latency given the fact that the app and its caches were being completely housed on the stick. At one point, mid operation, I ripped the stick out to see what would crash. Nothing did. The n-Tegrity Pro icon in the system tray simply disappeared. When I reinserted the device in the USB port I counted to ten and was presented with the fingerprint authentication request, slid my left thumb across the reader and was instantly back in action. Encrypting was just as easy. I dragged a file into the reader and right clicked. I found the functions of this powerful device and its elegant software to be intuitive and supremely useful. The device has an integrated cover and comes with a lanyard – an important protection for me because I lose
Other capabilities listed on the website are:
- n-Pass Pro – biometrically enabled VPN and RDC connection
- n-Crypt – shell-integrated, biometrically-enabled cryptographic application for files and folders
- Encrypted Virtual Disks
- FIPS 140-2 Level 1
- Selectable cryptographic algorithms from the list of 7 most powerful (such as RSA-2048 key pair, AES-256, etc)
I mentioned IE, Miranda and Skype, but there are many apps you could launch from the flash disk. A list of compliant applications is available HERE.
USB sticks combining secure file storage are a dime a dozen these days. Well, maybe $500 a dozen, but you get the idea. The n-Trance solution combines applications, secure files, password storage, and so many other uses neatly contained in a form factor with its own secure biometric authentication and encryption engine.
Not much to gripe about at this point. It does what it claims. The Quick Start Guide is not written as clearly as it could be. And I look forward to support of Linux and Mac.
How to Buy:
Europeans can go to their local UniEuro Market in Italy, Netherlands, Hungary and Russia, where you’ll likely find the products displayed next to new computers.
Everyone else can go to
I loved the idea of the Yoggie as soon as I heard it: a portable, hardened Linux-based appliance for laptop and PC security. The Yoggie is a killer firewall built on the “air-gap” concept, plus antivirus, plus other protections against spam, Trojan horses, phishing, spyware, and intrusions in general, not to mention a web and FTP proxy. Phew! It’s a dream come true for a security geek like me. For this evaluation, I paid $220 for the device plus $7 shipping.
Product Name: Yoggie Gatekeeper Pro 1.0.3
Category: Endpoint Security – Security Appliance
Uses: Protecting laptops and small networks
What We Loved: Offloading security to a separate hardened
What We Didn’t: A bit buggy and too easy to misplace or lose
Price: Starts at $220.
Beats ZoneAlarm and Windows Firewall
I tested the Yoggie thoroughly under real world power-user conditions and found that the security was stellar, but some bugs during deployment keep me from throwing out my resident antivirus just yet. By stellar I mean that the Yoggie deflected every attack I could manufacture as deftly as Zone Alarm, plus it stopped viruses and spam before they hit my computer at all – an advantage over Zone Alarm. The installation was simple: plug the network cable from the wall into the Yoggie, then plug the Yoggie’s USB cable into any USB port. The Yoggie serves as firewall, FTP proxy, antivirus gateway, and overall intrusion blocker, and best of all, it permits the user to free up loads of memory and CPU cycles responsible for making most PCs drag. The Yoggie worked equally well when I was sitting at Starbucks connected to the T-Mobile Hotspot with the Yoggie only hanging off my USB port. Network throughput was exceptional, with no detectable slowdown in network response times. In fact, with the Yoggie handling antivirus scanning and my heavy desktop antivirus disabled, Internet response times
But Not Without A Little Disappointment
Unfortunately, my deployment was buggy enough to throw cold water on my enthusiasm for the time being. There were problems with the Yoggie holding onto the network connection, and some kind of conflict loading the Yoggie while connected to a docking station. In fact, during boot up, the Yoggie would cause my laptop to freeze just as the BIOS was loading. Yoggie support worked with me to isolate at least part of the problem to my computer’s USB power management, but I suspect more of the problem had to do with encryption services I have loading at boot time. Installing the optional client software did not entirely eliminate errors when restoring from hibernate mode. It’s luggable, but I’ll probably misplace it, lose it, or forget to bring it one of these days. It really ought to be a PC card or some other form factor that stays with the PC. I’d also like to see the price for consumers closer to $100.
I finally saw a demo of Brijot. It was on my list of things to do at the ISC show last week…but I lost my list. Good thing Brijot popped for a sponsorship of the bags. Everywhere I turned I saw folks carrying around the colorful conference bags with the Brijot ad emblazoned on the side.
The special scanner is really a camera designed to find items hidden in or under the clothing of a person. It can catch folks walking out of the building with some company hardware, or walking into the stadium packing explosives. The system works by measuring differences in the radiation naturally emitted by a human body. C-4 or a Glock interrupts or blocks that radiation, and the sensor displays a blurry image of the person with a dark area indicating the foreign object.
I liked how it worked but was surprised by the low price. Less than $90 grand. That’s downright affordable for about any large facility. Of course the resolution isn’t great. I was disappointed it didn’t show what color panties the lady had on, but quite relieved that it didn’t show what color panties the guy had on. The blurry resolution serves a practical purpose – folks don’t have to worry about their privacy (or their panties) being revealed. And it’s fast, too. Items may be spotted in a fraction of a
The system does not precisely identify the object. You can’t tell from the display if the guy is carrying an iPod or a calculator, but it’s accurate enough to route that person into another line for closer screening, allowing the rest of the crowd to walk by unencumbered. So the product will complement other security measures nicely.
That’s an important point. The Brijot solution is one piece of a people-scanning solution. It does not replace the need for X-ray scanners or metal detectors, but it does catch things those devices miss. It can also be deployed in remote areas or unattended exits, relaying the images to a command center. Best of all, it can be deployed covertly, so folks don’t know they are being scanned.
My DreamerGear team of analysts and I are pleased to announce our first product reviews. Click on DreamerGear on the menu bar, above.
We completed a detailed analysis of six software products in the category of physical security information management (PSIM). The products are:
Intergraph security framework
The key to the success of the DreamerGear approach is our "no money changes hands" philosophy. We use objective criteria to select participating vendors, then use rigorous evaluation criteria with the end user in mind.
And they don’t just record video, they analyze the recording. I dunno. I like it. When you get right down to it, 3VR sells an extra smart DVR. But those extra smarts make a big difference. Consider the most common application where 3VR appliances are deployed: banks. The cameras capture customers approaching the tellers. If the customer passes a bad check, Verint’s or March’s DVR will record that transaction tagged along with the transaction data. So once you figure out that it was a bad check, you can find the camera images of the bad guy – and alert your other branches to keep an eye out for the perp. Verint and March systems can also produce a nice report for you showing all the fraudulent transactions you are interested in, and the video clips associated with them.
3VR goes one step further and identifies all the fraudulent transactions performed by the same low-life scuzbag. The product has some facial recognition and analytics built in, which, combined with an advanced search feature, produces some handy forensic evidence.
Running facial recognition on a database of recorded images produces a higher accuracy rate than real-time mug matching. But conceivably you could tune your 3VR system to identify a scuzbag’s face as soon as he walks up to a teller, and alert the teller that the check may be fraudulent.
It ain’t rocket science (most technologies in this industry aren’t). But it might be the extra little bit of science you need to run a more effective security operation.
I don’t really mean to pick on HID. (OK, I do. but just a little. It is such an easy target)
At the RSA show I saw the newly announced HID solution called Crescendo. The HID website describes Crescendo as
a series of highly secure, off-the-shelf smart cards designed to provide out-of-the-box, standards-compliant support for thousands of logical access applications.
I describe it as invisible duct tape.
It was hard for me to see what Crescendo does for its users that any standard access card hanging on the lanyard with a smart card couldn’t do. Sure, having a single card is more elegant than carrying two cards around. But the net result is the same – and at potentially much higher cost (card, infrastructure, maintenance).
You use the Crescendo card in the normal way to access the building, then you may insert the card in a smart card reader attached to a Windows PC for network login.
I liked the seamless integration with Microsoft Windows Vista. (Crescendo uses the Microsoft CardSpace GINA for smart card log in natively.) I also liked how this smart card may be deployed easily at any site with a mix of iCLASS, Indala and mag stripe access technologies.
Craig Mundie and Bill Gates were promoting that capability in their joint keynote at RSA. Robert Lemos had this to say on SecurityFocus.com: "The two Microsoft executives hardly mentioned last week’s launch of Vista, the software giant’s latest operating system for the desktop. While the company’s focus on identity is not new, the Vista operating system brings better tools, including a visual application–CardSpace–that allows users to manage their identities."
I didn’t like the fact that this is just another smart card that can be used for simple network login "duct taped" to an iCLASS card. It’s just not new or exciting.
Yes, with Crescendo I can log into the network, launch a 3rd party single sign on product, or use it to support 3rd party digital signatures. But that can be said for any card by Entrust or Gemalto. I would much rather have seen complementary applications, like Passlogix SSO or SafeBoot disk encryption offered as a value add. I also wish HID and Microsoft didn’t tout Crescendo as the next best thing to sliced bread when it is really just your average "dumb" smart card.
OK, comments on my last megapixel post show that there are strong proponents of the value of megapixel cameras, even for distributed deployments, the fact that I don’t understand it yet notwithstanding.
CoVi, Avigilon and presumably others –though CoVi seems to be the dominant presence — have efficient ways of storing hi definition video and preserving quality for viewing recorded images across a shared network. So please help a slow learner like me get the whole picture (pardon the pun).
I understand that a single megapixel camera can take the place of multiple smaller-resolution cameras, especially if you are only interested in very limited captured areas, like license plates. I also understand that real time viewing may only need low resolution presented to the monitors, but investigations or forensic analysis need access to a few high-resolution images, which in one way or another we can pull from the recording device as needed.
So I have one megapixel at the front of the store, or the entrance to the parking lot, or in the counting room at the Fed, and everything else is a "regular" camera.
That sounds pretty good. But I sense from the marketing dollars spent by the megapixel producers that there must be more… Unfortunately, those marketing dollars haven’t sent the message of the measurable value of megapixel solutions to me. And assuming I am not quite the stupidest guy in the security business, let alone where I place among all possible camera "consumers," then I imagine that other people are not entirely persuaded yet, either.
Time for the techies and marketing folks to step it up a notch, I’d say.