Small buyers of technology, acting early in the technology adoption life-cycle, are motivated by hope (hope == ROI, opportunity, etc). Large buyers of technology, acting late in the life-cycle, are motivated by fear (fear == risk of loss or punishment).

A good example of this can be found in the typical upgrade cycle. Early, individuals and small groups upgrade to new hardware, operating systems and applications because they hope that access to new features and capabilities will be more than worth the effort and disruption of the upgrade. Large groups don’t upgrade until much later, even if the benefits of doing so are dramatic; they often wait until the fear of loss of support from vendors forces a transition.

I remember experiencing this dichotomy in the major changes to the practice of information security as the commercial Internet grew in the mid 1990’s. Security shifted from an operational part of IT, where purchases were motivated by fear of loss rather than ROI, to a source of enabling technology for new ways of doing business. Within startups and large existing enterprise, small teams tried to figure out how to build online businesses. Along the way, they pushed the nascent Internet security product companies into building the right pieces to enable and protect the new ecommerce ventures.

Today, it seems like information security has largely returned to the operational state: anti-malware technology is a cost of doing business online, regulatory requirements drive new security spending, and fear of public outcry and regulatory enforcement prompts increased scrutiny on the handling of customer data.

It is likely that large organizations will miss much of the benefit of web 2.0 technologies as well, as they wait for incumbent software vendors to deliver later in the adoption cycle, when they will buy out of fear of being left behind by competitors. Most of the startup companies I see trying to sell innovative technologies into the enterprise today through the IT organization haven’t really figured this out.

A few companies, however, are dealing with this really well. Most are SaaS plays, and Salesforce is among the first of the good examples. Salesforce established small, dedicated groups of customers who bought the service with company credit cards rather than purchase orders, and used it without the authorization of central IT. Companies like 37 Signals, Zoho, ConceptShare, and countless others are using roughly the same model.

Going back to the idea of hope vs. fear in the acquisition of technology, I think there are a few things these startups could be doing differently to scale sales to big organizations.

Enterprise Freemium

The freemium pricing plans offered by the three startups I mentioned above are structured in a way that makes sense for small teams, but breaks for very large ones. They all offer some kind of free trial, and then price their services based on the amount of use (number of users, amount of storage, etc). Within a large company, this means that a small number of initial users can evaluate the product, and probably pay for ongoing use on a credit card, but growth becomes more difficult at that point. After the trial period, new users typically can’t be added without moving up to a pricing plan that supports them. The team footing the bill, however, is only willing and able to pay for its own use, not the much higher prices that come with larger plans.

I think there could be an enterprise twist on the freemium model, with the following characteristics:

• Free trial for each additional user within a company
• Easy options for billing/payment by user or group, rather than for the whole company
• Premium options for IT

The last of these, ‘Premium options for IT,’ is the most important. Knowing that IT won’t make early technology buys to support their users’ hopes for opportunity and improvement, the startup should support broad grassroots adoption of their products at lower levels. When the motivators that drive IT purchasing, such as fear of losing central control over data, backups, users, access control, and management complexity, kick in due to the grassroots use, the startup needs to be there to directly support IT with purchase options.

For a SaaS product, these IT premiums might be things like onsite, appliance-based offerings of:

• Directory services integration for user accounts
• Enterprise backup integration
• Data integration with reporting, dashboard, data warehouse and other systems

There are plenty of examples of enterprise IT banning the emerging technologies that come onto their radar when they don’t have a way to mitigate their fears. The best way I can think of for the startup to deal with this is not the traditional attempt to convince IT that their fears are unfounded, but rather giving IT a way to purchase that mitigation in the way they are used to and comfortable with.

This isn’t a big shift for most startups. The model still provides early revenue and a short sales process, but also offers a level of scale previously available only to those selling to a central organization. From a product perspective, this approach requires some thinking about the needs of IT and perhaps some new development; chances are that the thinking and planning will have benefits for internal SaaS operations if done early, and the development can be done at the right time to fit in with the adoption and growth of the product. If startups continue to deliver these innovative SaaS products with direct application in the enterprise, there may even be a Feedburner or Mashery model here: a company could focus on providing the IT premium layer for SaaS offerings.

As promised, here are the slides from today’s presentation. We talked so much about each point that I’m not sure how much value these have to folks who weren’t in the room… maybe we can get the organizers to do audio or video next time.

1. The emerging technology is initially ignored as a lab project or toy.
2. As the technology is first applied to solve business problems, organizations often attempt to restrict or ban any meaningful use.
3. When the production status of systems or apps built on the new tech can no longer be ignored, security is typically enforced through controls on the legacy infrastructure, which are the systems of record for existing enterprise data used by the new apps.
4. Eventually the emerging technology matures, and adoption increases, to the point that its security role and context is understood and verified to the same level as legacy systems.

This pattern results in a series of enterprise security risks, and perhaps more unfortunately, a series of missed opportunities to improve protection and decrease cost with each generation of technical change in IT. I would love to see IT security getting involved with emerging technologies at stage 1 in the pattern above, thinking about how the new tech can be used in ways that improve security rather than threaten it. Attempts at banning emerging technology in stage 2 usually push the use under the radar, so that departmental systems exist outside of normal production boundaries, increasing the risks over sanctioned use. The first attempts at security controls in stage 3 discount the value of data that lives in the new systems, and leads developers of the new applications to create their own security models from scratch, or largely ignore security under the assumption that it is a legacy system problem. Finally, at stage 4, a massive task has built up. As formal security models are applied to the new systems and applications, large, costly changes have to be made that would have been almost free if thought about earlier.

There is a generational change happening today in the enterprise, and I think it is not too late to change the pattern. The technologies that are driving down the cost of starting Internet companies are having an impact in the enterprise as well: open source software such as Linux and MySQL, newer languages such as Python, Ruby, Erlang and PHP, frameworks such as Ruby on Rails, and other technologies like virtualization and outsourced web service infrastructure (EC2, S3, etc) are all enabling rapid, inexpensive development of production-capable apps by very small teams.

This generation of emerging technologies brings with it some wise principles: a core focus on testing, continuous integration, convention over configuration, and loose coupling via well-defined interfaces (among others). I think the opportunity presented here is a great one. If people who care about enterprise security get involved with these technologies and the communities behind them now, then security can be built into these frameworks in a way that makes it tough to build new applications that don’t do security well.

Using Ruby on Rails as as a simple example, if good security becomes the convention, it is built into every application and tested for at every stage. Simple investments in gem-based integration of enterprise security infrastructure such as single sign-on and role-based access control systems can create an environment where developers build and verify security by default. The enterprise can do this internally, and can also encourage or require outside vendors of security components to support emerging technologies much earlier than they do today.

This kind of investment is a big shift for most enterprise security organizations. It will require spending, managing and perhaps hiring a bit differently, but I believe the result is better security at a lower cost to both the security organization directly and to the enterprise in general.

Whether building a new company from scratch, or keeping a big company competitive, emerging technologies have changed the rules. Open source software, web services, mashups, AJAX, Ruby, Rails, and RSS… only a few of a seemingly endless list of technologies that have redefined what is possible for small teams. This talk will focus on startup experiences, lessons learned about technology choices and tradeoffs, and on building, funding and running a technology startup in the new environment.

The Emerging Technologies for the Enterprise folks are also putting on a pre-conference breakfast for CxO’s and executives on the 15th. I’ll be the keynote speaker for that event, talking about Tiger Team Innovation:

Startup companies use small teams beginning with a blank slate and the latest emerging technologies to build incredible value overnight. This talk will focus on using the same techniques, with a few twists, to deliver measurable value to the enterprise in new ways.

The main conference is open to everyone and seems to be quite reasonably priced compared to most such events; registration is here. I believe the breakfast is by invitation, so if you’d like to attend leave a comment or send me email and I’ll ask the organizers to include you.

I think this is the kind of thing that CIOs and CISOs will need to be thinking about as emerging technologies reshape the organizational and physical footprint of IT and add an order of magnitude more interconnections between applications and systems.

My good friend and long time co-conspirator Stephen Cobb recently asked what I thought were the emerging threats to enterprise security. There are a few threats that I’ve been giving some thought to lately that I haven’t seen addressed effectively; I’ll tackle one of these in this post and leave the others for later.

Security of Software as a Service

There is a lot of momentum behind the software as a service model; Salesforce.com is the poster child, but a big set of products that used to be delivered from inside the corporate datacenter are now bought as services and delivered from shared vendor resources outside. Some dismiss security concerns about SaaS as cynical, but I think there is a lot more to this story. The enterprise security issues can be broken down into a few sections:

Product security

The concerns about product security are much the same for SaaS as they are for traditional enterprise software purchases. Architecture, security features, and underlying implementation are all key factors in the overall security of the product.

There a couple of distinctions between the two that come into play: the evaluation of SaaS offerings is feature driven and does not typically include implementation detail, and the lack of an in-house integration phase (a key benefit of the SaaS approach) means that vendor claims are never put to the test in the way that happens during the real-world integration of software products in the enterprise.

Among the risk elements that come from these distinctions is the lack of visibility onto and control of scope of compromise and consequences of component failure. Essentially, without visibility onto implementation detail, and real-world verification of vendor claims, it is very difficult for the enterprise to understand the security impact of the failure of any part of the system.

Multi-tenancy

A set of security issues unfamiliar to the enterprise is introduced by a key component of the SaaS model: the hosting of multiple customers on shared infrastructure. Multi-tenancy takes a variety of forms:

• application level divisions between customers

The most basic form of multi-tenancy is implemented by SaaS vendors as an application construct. This means that the divisions between customers are unique to the application, and are not subject to outside scrutiny. A bug at the application level can result in a failure of separation, meaning that other customers or even the general public may have access to enterprise data.

This option requires custom development by SaaS vendors, typically provides for the most attractive customer density and scalability profiles, and presents the most difficult security challenges for the enterprise.

• logical separation between customers

Separation implemented below the application level relies on integration mechanics to keep the divisions between customers intact. For example, individual web server instances (running on shared hardware) mapped to different hostnames might provide a front-end separation. This can be continued through routing of requests to similarly configured middleware instances and database servers. Often some components will still be fully shared, such front-end load balancing / caching and back-end storage networks.

Since this option depends on features of 3rd party components, and implements multi-tenancy through integration and component configuration rather than software development, it is both easier to validate from a security perspective and involves less up-front cost to the SaaS vendor. Customer density and scalability, as well as complexity of new customer deployment, can be impacted.

Security issues can sometimes be severe in this case as well, when the failure of an infrastructure component threatens a key assumption about logical separation. Failure of VLAN separation due to a bug in Cisco’s switching software, for example, could compromise logical separation between customers if those protections are not implemented in a layered way.

• physical or pseudo-physical separation between customers

An extreme case of the integration-level separation described above is the use of virtual OS instances or physically separate systems to provide independent instances of applications and supporting infrastructure such as database servers. This case provides the most easily validated architectural security; as OS virtualization matures and server hardware is designed for these workloads, the scalability, density, and deployment cost/complexity challenges of physical separation will likely improve.

The security impact of multi-tenancy, along with core product security, comprise the directly technical part of the challenge for the enterprise.

Operations

The operational issues stemming from the use of SaaS are not particularly technical, but can be difficult to manage and control. At the heart of the issue is the fact that critical enterprise data must exist, for an extended time, on systems controlled by a third party.

• Direct Operational Issues

The employees of the SaaS vendor manage its systems; they have access, ultimately, to the data of their enterprise customers. While not unmanageable, the potential for access by employees not subject to direct monitoring and control by the enterprise presents a significant risk.

• Organizational Issues

Custody of enterprise data by a 3rd party presents some broader challenges as well. Since the 3rd party has access, they could faced with subpoenas or other challenges that might be handled differently by the enterprise directly. Business relationships, changes of control, or even acquisition of directly competitive customers can create real or perceived misalignments of interest.

Essentially, the law recognizes certain providers of business services, such as legal counsel or accounting services, as having a special or protected relationship with their clients. It remains to be seen how the law evolves to handle these new types of service provider whose access is no less sensitive.

SaaS isn’t going anywhere, but the fact that there haven’t been any front-page losses yet isn’t a reason to put off thinking about these security issues. I think that there are probably some opportunities for technical solutions to control some of this risk, and make the process of ensuring and validating security of SaaS deployments much more manageable for the enterprise.

In the mean time, I think an exploration of these issues by the enterprise in looking at SaaS deployments will lead to more sophisticated requirements and vendor selection, and better understanding and control of risk today.

At TurnTide, we created a product that approached the spam problem in a new way, designed to cooperate with traditional message-by-message spam filters. The Anti-Spam Router used TCP traffic shaping to effectively reach back across the network to the spammers, and limit the rate at which traffic could leave their systems destined for a protected network. The result for customers was great; they had dramatically less spam entering their networks, meaning they saved on infrastructure costs from bandwidth to servers in addition to keeping spam out of the inbox.

The problem we faced was an interesting one… how do we count and report on the traffic that the product keeps out of the network altogether? Traditional spam filters don’t have this problem; they can count and report on all of the messages they receive, process, and mark as spam. We used a few different techniques to report on traffic that was no longer hitting our customers’ networks. We built baseline statistics when the product was initially installed, but before traffic shaping was enabled. We modeled the growth in baseline spam number experienced by the Internet at large. We added a custom reporting engine so that any statistic available to the system could be tracked, measured, compared, graphed and exported.

At the end of the day, these and other features were an effort to make a new kind product report as if it worked like the existing products in the market, since that was how customers had already learned to think about the problem. Since TurnTide really did work very differently from those existing products, reporting using the old metrics was never a perfect fit.

Building innovative products that go after existing markets from a new direction is a good strategy, and its the only way I’d ever want to enter a market as crowded as anti-spam was when we founded TurnTide. Existing markets, however, have established a way of thinking about problems and solutions. The existing vendors have educated the market, defining metrics for success in their own terms based on the structure of their solutions. Products that don’t operate within the expectations set by earlier offerings have some extra work to do; either directly re-educating the market, or trying to fit into the existing metrics until market traction allows for organic change in how people think about the problem. Even with its shortcomings, I’d definitely pick the later approach again.