UTM is dead! Long live UTM! (or, Who let the dogs out?)
One of the things I spend a lot of time doing these days is talking to
analysts – both market and financial – regarding the very definition of
UTM and what it means to vendors, customers, and the overall impact
that UTM has to the approach to security taken by the SMB contingent,
large enterprises and service providers.
The short of it: it means a LOT of things to a LOT of different people. That’s potentially
great if you’re a vendor selling re-branded UTM kit that used to be a
firewall/IDS/IPS because it allows for a certain amount of latitude and
agility in positioning your product, but it can also backfire when you
don’t have a sound strategy and you try to be everything to everyone.
It also sucks if you’re a customer because you have to put the hip
waders on in order to determine if UTM is something you should care
about, integrate into your strategy and potentially purchase.
I’ve written about how UTM Messaging is broken
before, that there are TIERS of product offerings that are truely
differentiated. Ultimately, UTM breaks down into two strata: Perimeter
UTM and Enterprise/Service Provider UTM.
For the sake of brevity, here’s the rundown introducing the differences:
…That’s what Enterprise-class UTM is for. The main idea here is that
while for a small company UTM (perimeter UTM) is simply a box with a set number of
applications or security functions, composed in various ways and
leveraged to provide the ability to "do things" to traffic as it passes
through the bumps in the security stack.
In large enterprises and service providers the concept of the "box"
has to extend to an *architecture* whose primary attributes are
flexibility, resilience and performance.
I think that most people don’t hear that, as the marketing of UTM
has eclipsed the engineering realities of management,
operationalization and deployment based upon what most people think of
Historically, UTM is defined as an approach to network security in
which multiple logically complimentary security applications, such as
firewall, intrusion detection and antivirus, are deployed together on a
single device. This reduces operational complexity while protecting the
network from blended threats.
For large networks where security requirements are much broader and
complex, the definition expands from the device to the architectural
level. In these networks, UTM is a “security services layer” within the
greater network architecture. This maintains the operational simplicity
of UTM, while enabling the scalable and intelligent delivery of
security services based on the requirements of the business and
network. It also enables enterprises and service providers to adapt to
new threats without having to add additional security infrastructure.
Today, Richard Stiennon (of "IDS is dead" fame) blogged
some very interesting comments ultimately asking if "..your UTM [is] a
Mutt?" It’s an interesting comment on the UTM market as a whole where
ultimately he gets around to shoring up his question/statement by
referencing Symantec’s exit from the hardware market.
I’d say that most UTM offerings are mutts because that’s
exactly what perimeter UTM delivers — a mashup of every neighborhood
stray that happened to end up humping the same piece of hardware. Ew.
That’s why unless you want to be king of the pound, sporting papers
which testifies to your pedigree and heritage is really important.
You’re not going to win best of show looking like the sappy little
poodle-chihuahua-dingo-thing featured above.
In his scribble, Richard makes the following statement which I exactly addressed in the comment above:
I have a problem with the idea of Universal Threat Management
appliances. Leaving aside the horrible terminology (Who wants to
manage threats? Don’t you want to block them and forget about them?)
the question that I always ask is: If best-of-breed is the standard for
large enterprises why would it be good practice for a smaller entity to
lump a lot of security functions such as firewall, email gateway, spam
filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability
management all in one under-powered device?
Firstly, the ‘U’ in UTM stands for "Unified" not "Universal,"
however I *totally* agree with Richard that managing (T)hreats and
vulnerabilities is the WRONG approach and UTM has become this catch-all
for the petty evolution of any device that continues to lump ad hoc
security functions onto an existing platform and call it something
else. That’s perimeter UTM.
So, intead of manging threats, we should be managing risk. Call me psychic, but that’s exactly what I wrote about here when I introduced the concept of Unified Risk Management (URM.)
URM provides a way of closing the gap between
pure technology-focused information security infrastructure and
business-driven, risk-focused information survivability
architectures and does so by using sound risk management practices in conjunction with best
of breed consolidated Unified Threat Management (UTM) solutions as the
technology foundation of a consolidated risk management model.
Moving on, I’m not sure that with where we are in today’s compute
cycles that it’s fair to generalize that the companies Richard mentions
such as Astaro, Fortinet, or Watchguard are actually "under-powered,"
but one could certainly argue that extensibility, flexibility and
scalability are certaintly constrained by the practical limits of the
underlying machinery and its ability to perform and clumping lots of
these individual boxes together isn’t really a manageable solution.
That being said, I also wrote about this issue here whereby
I make the case that for the Enterprise and service provider markets,
commoditized general purpose boxes will not and cannot scale to
effectively meet the business and risk management requirements — even
with offload cards that plug into big, fat buses.
The reality is that like anything you do when you investigate
technology, concepts or strategy, you should map your business
requirements against the company’s appetite for risk and determine what
architecture (I didn’t say platform specifically) best fits the
If "good enough" security is good enough, you have lots of UTM
choices. If, however, what you need is a balanced defense-in-depth
strategy invested in best-of-breed (based upon your business
requirements) which allows you to deploy security as a service layer in
an extremely high-performance, scaleable, extensible, flexible and
highly-available way, may I suggest the following: (blatant plug, I
What they (and others, mind you) realize that unifying hardware and software in a
compelling way is hard to do if you want to really offer
differentiation and value. Sure, you can continue to deploy on commoditized hardware if what you want to do is serve an overly-crowded market with margins lower than dust, but why?
Richard further goes on to talk about how Symantec is focusing on a more lucrative market: services. This, in my opinion, is a fantastic idea:
Evidently Symantec is more interested in software and services going
forward. I think they may be on to something. If the appeal of
mixed-bread, easy to manage security appliances is so great for small
businesses maybe managed security services are set to take off.
Alan Shimel responded with a follow-on perspective to Mike Rothman’s post in which he said:
If big companies want best-of-breed, why should smaller companies
settle for less than that? It just doesn’t make sense to me. Mike Rothman
, in his big is small theory, says that customers are willing to put up
with less than best of breed by getting it all from one big vendor.
But some of the "pile them high" UTM’s are not big companies. Astaro,
Fortinet, Baracuda are not exactly Cisco, Symantec or McAfee. However,
they are all grabbing market share with UTM’s that do not offer best of
This simply comes down to economics (see "good enough" comment above) where they may want an enterprise-class UTM product, but that doesn’t mean they’ll pay for one. Doing battle in the SMB UTM space is brutal — don’t let the big, bold numbers impress you that much. When you’re dealing with ASP’s in the $500 range, even with margins in the 40-50% bracket, you’ve got to sell a BOATLOAD of boxes to make money — then there’s the cost of all those adminstrative assistants-cum-network security administrators who call your support center further burdening the bottom line.
That dove-tails right into the argument regarding managed services and security in the cloud — these really are beginning to take off, so this move by Symantec is the right thing to do. Let the folks who can deliver BoB hardware running your best-in-breed software do that, and you can have your customers pay you to manage it. In the case of Crossbeam, we don’t market/sell to the SMB, as they are our customer’s customers…namely our enterprise and service-provider UTM offerings are deployed in a completely different space than the folks you mention above.
In this case, we win either way: either a large enterprise buys our solutions directly or they sub-out to an MSSP/ISP that uses our solution to deploy their services. Meanwhile, the perimeter/SMB UTM vendors fight for scraps in the pound waiting to be put down because nobody claims them
We’ll cover the hot topic of security outsourcing here shortly.