One of the key customer value propositions of unified threat management (UTM) is the ability to obtain management leverage by combining multiple functions into a common interface. But what does that really mean? And do the current vendor offerings live up to the promise? The last thing you want to do is sell customers a bill of goods about how much easier the new equipment is to manage -- if it isn't.
First, let's discuss why integrated management is compelling and should remain a key selling point when discussing UTM with customers. The issue of DMZ sprawl is real for companies both large and small. As different attack vectors have been identified over the past few years, a new set of security appliance vendors has introduced products narrowly focused on stopping specific attacks. A few years later, the typical DMZ is home to 10 to 15 different devices (counting redundant pairs) that require management via four or five different consoles. So first and foremost, the promise of UTM is to simplify the security administrator's daily workflow.
Next, correlation is a key part of doing security. It's resource intensive for customers to wade through separate alerts from firewall, IPS and gateway antivirus devices that all describe the same event. The ability of a UTM device to consolidate those alerts and notify the administrator once, with the context from each engine attached, is a big time saver and a huge value-add.
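To make the correlation point concrete, here is an added example (written for this article, not code from any UTM vendor) that takes alerts from three engines, groups those that share a source/destination pair within a short time window, and emits one notification per incident. The alert line format, the engine names and the five-minute window are assumptions for illustration; the sample alerts are constructed, not captured from a real device.

```python
"""Correlate firewall, IPS and gateway-antivirus alerts into one notification per incident.

Added example for this article, not code from any UTM vendor. The alert line
format, field names and time window are assumed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample alerts (not from a real device), one per line:
# "<ISO timestamp> <engine> src=<ip> dst=<ip> <free-text message>"
SAMPLE_ALERTS = """\
2024-05-01T10:00:01 firewall src=203.0.113.7 dst=192.0.2.10 allowed tcp/80
2024-05-01T10:00:02 ips src=203.0.113.7 dst=192.0.2.10 HTTP exploit attempt
2024-05-01T10:00:03 antivirus src=203.0.113.7 dst=192.0.2.10 malware in download
2024-05-01T10:07:30 firewall src=198.51.100.4 dst=192.0.2.25 denied tcp/445
2024-05-01T10:20:00 ips src=203.0.113.7 dst=192.0.2.10 HTTP exploit attempt
"""

# Alerts for the same (src, dst) pair within this window of the first alert
# are treated as one incident (assumed value).
WINDOW = timedelta(minutes=5)


def parse_alert(line):
    ts, engine, src, dst, *message = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "engine": engine,
        "src": src.split("=", 1)[1],
        "dst": dst.split("=", 1)[1],
        "message": " ".join(message),
    }


def correlate(lines, window=WINDOW):
    """Group alerts by (src, dst) and time window; return one incident dict per group."""
    alerts = sorted((parse_alert(l) for l in lines if l.strip()), key=lambda a: a["ts"])
    incidents = []
    current = {}  # (src, dst) -> the incident still inside its window
    for a in alerts:
        key = (a["src"], a["dst"])
        inc = current.get(key)
        if inc is None or a["ts"] - inc["first"] > window:
            # First alert for this pair, or the previous incident's window has expired.
            inc = {"src": a["src"], "dst": a["dst"], "first": a["ts"], "last": a["ts"],
                   "engines": [], "messages": []}
            incidents.append(inc)
            current[key] = inc
        inc["last"] = a["ts"]
        if a["engine"] not in inc["engines"]:
            inc["engines"].append(a["engine"])
        inc["messages"].append(f"{a['engine']}: {a['message']}")
    return incidents


def priority(incident):
    """More independent engines flagging the same pair means higher priority."""
    n = len(incident["engines"])
    return "high" if n >= 3 else "medium" if n == 2 else "low"


def notifications(lines, window=WINDOW):
    """One line per incident: what the administrator is actually paged with."""
    out = []
    for inc in correlate(lines, window):
        out.append(f"[{priority(inc)}] {inc['src']} -> {inc['dst']} "
                   f"{inc['first'].time()}..{inc['last'].time()} "
                   f"({len(inc['messages'])} alerts from {', '.join(inc['engines'])})")
    return out


if __name__ == "__main__":
    for line in notifications(SAMPLE_ALERTS.splitlines()):
        print(line)
```

On the sample input the five raw alerts collapse to three notifications: the three-engine hit on 192.0.2.10 becomes one high-priority incident, the lone SMB deny stays low, and the IPS repeat twenty minutes later opens a new incident because the window has expired. Keying on the address pair is the simplest choice; a real product also folds in session IDs, user identity and rule IDs.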
Finally, another advantage to managing UTM gear is just plain old simplicity. Having to navigate different interfaces for different functions is problematic. The ability to manage all the security functions within a combined interface eases the security administrator's job.
That's all well and good, but do UTM devices really achieve the promise of integrated management? That depends on your definition of "integrated." That's an answer only a politician could love, but it's a fact. The amount of value that a customer will receive from UTM management is directly related to their expectations. Sounds simple, but many VARs oversell the benefits and then are forced to clean up the mess when the product doesn't work as advertised.
On the positive side, UTM definitely provides a consistent interface for a variety of security functions. Even though the level and depth of configuration options vary between different devices (firewall, VPN, IPS, antispam, etc.), presenting them all in a combined interface with common navigation helps tremendously to reduce complexity. Given that many SMB and mid-sized company administrators tend to be less sophisticated, the UTM interface and built-in configuration wizards provide a much improved user experience.
But we all deal with the subset of "more sophisticated" users. These folks tend to be command-line junkies and aren't big fans of graphical configuration tools. UTM will go over like a lead balloon with them unless the device also offers a Cisco-style command line interface. But as with selling any security device, you need to map the solution to the sophistication and workflow of the customer.
That brings us to a laundry list of what to look for in a UTM device management interface. First is the dashboard, which shows the true power of an integrated solution. Health checks and key status indicators for all of the security functions should be readily available and very prominent. You want to be able to set up flexible alerts to notify the administrator if and when they have to deal with an issue.
You should also ensure there's enough flexibility to allow for sufficient customization. UTM devices were designed to simplify the environment, which can come at the expense of granularity. That's not necessarily a bad thing given the capabilities of the administrator, but the customer needs to be aware of what they can and can't tune on the device. That issue creates more mismatched expectations than anything else.
Finally, another consideration is support for separation of duties for compliance purposes. If the customer works in a regulated environment, you need to ensure they can lock down access to specific configuration activities by role and protect the audit logs. If the administrator turns out to be a bad apple, it's critical that they can't alter or delete the audit logs to cover their tracks; in practice that means an append-only log on the device and, ideally, real-time forwarding to a syslog server or log collector the administrator doesn't control.
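As an added example (written for this article, not any vendor's implementation), the block below shows the two pieces that paragraph asks for: a role table in which no role, including the firewall admin, holds a permission to modify or delete audit records, and a hash-chained audit log in which every record carries the hash of the one before it, so an edited record is detected. It also shows the limit of on-box verification: an insider who can write the log file can re-chain it, which is why the latest hash is forwarded off-box as an anchor. Role names, permission strings and the record layout are assumptions for illustration.

```python
"""Role-based admin permissions plus a tamper-evident (hash-chained) audit log.

Added example for this article, not any vendor's implementation. Role names,
permission strings and the record layout are assumed for illustration.
"""
import hashlib
import json

# Who may do what (assumed roles). There is deliberately no "audit:delete" or
# "audit:modify" permission for any role: the log is append-only for everyone.
ROLE_PERMISSIONS = {
    "firewall-admin": {"config:firewall", "config:ips", "audit:read"},
    "auditor": {"audit:read"},
}

GENESIS = "0" * 64  # "previous hash" of the very first record


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Each record carries the hash of the previous one, so editing or removing
    a record breaks every hash that follows it."""

    def __init__(self):
        self.records = []

    def append(self, actor, action, detail):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        body["hash"] = _digest(body)
        self.records.append(body)
        return body["hash"]

    def head(self):
        """Hash of the latest record; this is what gets forwarded off-box as an anchor."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, anchor=None):
        """Return (ok, first_bad_index). With `anchor` (a head hash kept off-box),
        a wholesale re-chaining of the log by an insider is caught as well."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            unsigned = {k: v for k, v in r.items() if k != "hash"}
            if r["seq"] != i or r["prev"] != prev or r["hash"] != _digest(unsigned):
                return False, i
            prev = r["hash"]
        if anchor is not None and prev != anchor:
            return False, len(self.records)
        return True, None


def authorize(log, actor, role, permission):
    """Decide and record every access decision, denied ones included."""
    allowed = permission in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, "authz", {"role": role, "permission": permission, "allowed": allowed})
    return allowed


def rechain(log):
    """What a rogue admin with write access to the log file would do after editing
    a record: recompute every hash so the chain looks consistent again."""
    prev = GENESIS
    for r in log.records:
        r["prev"] = prev
        unsigned = {k: v for k, v in r.items() if k != "hash"}
        r["hash"] = _digest(unsigned)
        prev = r["hash"]


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "alice", "firewall-admin", "config:firewall")
    authorize(log, "alice", "firewall-admin", "audit:delete")   # denied, and recorded
    anchor = log.head()                                         # forwarded to the log collector
    log.records[1]["detail"]["allowed"] = True                  # alice edits her own denial
    print(log.verify())                                          # (False, 1)
    rechain(log)
    print(log.verify())                                          # (True, None) locally...
    print(log.verify(anchor))                                    # ...but (False, 2) against the anchor
```

The usage at the bottom is the whole argument in miniature: a local chain check catches a casual edit, but only the externally held anchor catches an administrator who rewrites the file end to end. When evaluating a UTM device, ask whether its logs are append-only by role, whether they are integrity-protected, and whether they can be streamed in real time to a collector outside the administrator's control.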
In general, unified threat management fits the bill for customers looking to simplify perimeter defenses and improve daily administrative workflow. As long as you take care to set appropriate expectations and help the customer balance the goal of simplicity with the need for customization, they will be tickled pink with their new toy.
About the author
Mike Rothman is President and Principal Analyst of Security Incite, an independent information security research firm. Having spent over 15 years as an end-user advocate for global enterprises and mid-sized businesses, Mike's role is to educate and stimulate thought-provoking discussion on how information security contributes to core business imperatives. Prior to founding Security Incite, Mike was the first network security analyst at META Group and held executive level positions with CipherTrust, TruSecure, and was a founder of SHYM Technology. Mike is a frequent contributor for TechTarget and a highly regarded speaker on information security topics.