IT Pro Connections Perspectives Part Three -- GFI Gets To Grips with Exchange, Security and Compliance

Seamus Quinn (SQ): What issues do you think are driving your customers at the moment or, rather, what would you like those issues to be?

Armand Sieben (AS): Those issues that IT professionals are facing and for which GFI has a solution. GFI has a very strong and diverse product portfolio to assist network administrators within the IT unit to solve the day-to-day issues that they might have. Plus, the availability of our email products, specifically the products that integrate with Microsoft Exchange, as well as our wider portfolio that assists more in network solutions; for example, GFI LANguard Network Security Scanner and GFI EventsManager.

I think the key areas that we focus on can be broken down into two main areas: messaging and handling email and making sure the email in an organisation is useful and of interest to that organisation. We have a message in making sure that people, and faxes, are available and adding more value to existing Microsoft systems and applications and adding more value to the Exchange server, and making sure that any email coming into an organisation is genuine, is malware-free, free from spam, and so on.

But we also have a focus on security, on network security, understanding the state of the network, the security status of the network, understanding what vulnerabilities are there and how they can be accounted for. And also making sure that should there be a breach in the network security, that somebody’s notified, making sure that there are alerts and people are made aware of vulnerabilities and exploits that have been leveraged and understanding notifications generated because of these problems. So we’re definitely adding value to existing Microsoft frameworks, such as the Microsoft Exchange Server, by adding functionality and anti-virus functionality.

SQ: IT pros have myriad anti-spam products to choose from. But it seems complex with different products using different approaches, some of which can seem overly draconian and so on. How do you make it easier for them to choose?

AS: Our approach to the spam situation and the email virus problem has been to have standalone solutions – our spam solution isn’t a plug-in for our anti-virus solution. It is truly a standalone anti-spam product. It has been engineered in this way and that’s why it’s proven to be very, very successful and very, very accurate. And we’ve taken the same approach with the anti-virus software for the Microsoft Exchange Server and mail servers where we had a standalone entity within itself that has no other underpinning requirements. And because we don’t actually write our own anti-virus engine, what we focus on is getting the right anti-virus vendors to partner with us such as McAfee, AVG and BitDefender.

We let them do what they specialise in and then we add a whole level of accessibility and functionality, be it very advanced content filtering and making sure that the content coming into an organization is not only clean -- from pornography, free from racial content -- but also making sure that it is genuine email, making sure people aren’t sending or receiving MP3 files and executables and stuff like that. And we’re trying to give control back to the administrator by adding a lot of additional functionality into an already competitive anti-virus market.

This has really been an advance with our reporting programmes and our reporting mechanisms that we’ve recently released with our ReportCenter product. The idea behind the ReportCenter is that it allows us to tie multiple GFI products together in the form of fantastic reports that make sense to managers and executives, as well as to technical people. It’s a way of bringing all our products together without making them need each other. We are adding value like that, and that’s really our approach, what we’re great at and really focus on: to give those extra tools to the administrator.

SQ: Where do you think the kind of IT pros at an event like this are up to with security? Are they ignoring it, or are they getting their heads round it, or are they only just beginning?

AS: There’s obviously a massive amount of statistics about the percentage of IT money that is put into security. I think probably about 99% of organisations have some security measures in place. However, I don’t think people in the industry, people who are network administrators, are really aware of all of the security risks around. One of the big things we picked up on a couple of years ago was the threat posed by removable media devices such as iPods and CD-ROMs.

I’ve talked to a lot of people about this and people are either not aware of the vulnerabilities that come with allowing these devices to be attached to your network, or they feel that they’ve hired their staff, their staff can be trusted: “I know these people”. I think there’s a kind of blinkered approach to this sort of thing and I don’t think people are as aware of it as they should be. People aren’t putting it in the right perspective when you talk about some of the modern threats like pod slurping, USB hacksaw attacks, the fact that Apple shipped a massive number of iPods with viruses already on them at the end of last year; TomTom did the same. Some of these things are a real eye-opener for administrators and they’re not really aware of these threats and they don’t really understand the overall impact that they can cause.

SQ: Okay, so that’s one side of it, but where do you think IT pros are up to on the legal requirements side to security?

AS: Again, I’ve been talking to administrators about this and administrators are tasked based upon what their management says, what their accounts department says. And they say, “Okay, we need to bring this in.” I don’t feel that many administrators have taken responsibility by saying “It is my responsibility to make sure they comply” or “It is my responsibility to talk about security”. A lot of administrators are fire-fighting, trying to plan the growth of their network over the next few years and the infrastructure and things like that. I don’t think the average administrator is thinking about legal compliance requirements from different departments within the company.

SQ: So they’re not ‘owning’ compliance, if you like?

AS: It seems to me that the feeling is that it is kind of their responsibility, but it’s not their responsibility to know if they need to be compliant and why they need to be compliant. Compliance is quite a complex thing in itself. All these compliancy laws are quite complex and understanding whether your business falls into a certain compliance category isn’t down to the network administrators and technicians; I don’t think that it’s down to them to understand that aspect of it.

SQ: What are you finding is the main thing that people come and chat to you on your stand about?

AS: I think archiving has really been a very popular thing, but, again, I still think that it is not archiving from a compliance point of view, it is archiving to extend the volume of email they can store over a longer period of time. And what we’ll focus on is archiving for compliance as well as the ability to allow a user access to their email over a longer period of time. It just seems that they’re more worried about performance and not getting complaints like “I can’t find this email”. Administrators are really looking to make their jobs easier, as opposed to taking on, going back to my point earlier, compliance – they’re not willing to take on work for that reason. They’re focusing on making their jobs easier and getting less complaints from their colleagues and their users.

SQ: What other themes are you addressing?

AS: At the moment, we’ve got a marketing strategy with regards to Payment Card Industry Data Security Standard (PCI DSS) compliance. We’ve found that a number of our products can help administrators and companies become compliant.

SQ: You mean for credit card payments and so on?

AS: Yes, PCI DSS compliance is Payment Card Industry compliance. A couple of our products, GFI EventsManager solution and GFI LANguard Network Security Scanner solution, both really help in this area so we’re marketing them together and we’ve actually taken the entire compliance documentation and filled it in for the administrator and said, “Okay, this is what GFI can do for you, this is how you can do it.” And what we’re actually doing is pre-configuring a number of aspects of the product just to help them become compliant, so they can actually roll out our GFI EventsManager solution, for instance, and actually have a whole section of security event processing rules that are preconfigured. So we’re actually making it a lot easier for a network administrator to take on that task.

SQ: How quickly can they get up and running and become completely PCI-compliant?

AS: A couple of hours, tops. We’ve really worked on requirement guidance, particularly for GFI EventsManager, which is the first product we really spent a lot of time looking and helping the administrator understand how to deploy the product. I think you should spend at least an hour reading the deployment guide and making a plan about how you’re going to deploy it: the type of services, your network, what needs to be audited, what doesn’t need to be audited so much, what type of information, and also, obviously, the volume of the information we’re going to need to store. And we provide fantastic deployment documentation that really takes an administrator through that process.
