An Interview with
James LaLonde of Network Associates

- Interviewed by Terrie Lloyd -

Network Associates (formerly McAfee Associates) is a leading supplier of enterprise network security and management solutions. With 1997 revenues of $727 million for 1997, the company offers a wide array of products for network security and management in the form of suites such as McAfee Total Virus Defense, PGP Total Network Security, Sniffer Total Network Visibility, and McAfee Total Service Desk. James LaLonde is director of asia-pacific sales and operations for Network Associates. Based in Tokyo, LaLonde has published several articles on PC-related topics both in English and Japanese, and recently published a book (in Japanese) on effective use of e-mail. LaLonde is well known in the Asian IT community and was a key figure in the growth of Microsoft Japan.



Can you briefly describe your network security business?

James LaLonde: The network security market is fragmented into a number of different segments. The first segment where we made it big in worldwide revenues was anti-virus software for PCs. Then came firewalls for corporate networks. In addition, there are such business areas as encryption, risk assessment, and intrusion detection. Another fairly large but niche market is authentication and user authorization.

Tell us first about your firewall software business.

LaLonde: It's a pretty exciting business. Our new Adaptive Proxy technology won "best of show" at Networld+Interop recently. First time ever for a firewall product. Basically, there are two types of firewalls. Traditionally, you've had the packet-filtering type, which operates at the network layer, a low layer. That's very fast, but its checking function is not quite thorough, so it's not completely secure. Then there is the proxy type, which works with the application layer. This tends to be more thorough, but is slower. We have something new, what we call an "adaptive proxy firewall," which is the new version of our Gauntlet Firewall. This technology gives the firewall administrator a choice as to what kinds of traffic should be inspected by proxies and what traffic should be allowed to pass through by packet filter. An adaptive proxy can also be configured to "switch" between proxy and filtering as the security requirements of a connection change. By adapting in that way, it provides ten-times the performance of the conventional Gauntlet Firewall, but with full Gauntlet-level security. Users who are concerned about security - such as the US government, financial institutions, and drug companies - have been the big users of our Gauntlet Firewall.

How do you handle Japanese marketing of the Gauntlet Firewall?

LaLonde: We have good relationships with all the key distributors. When I look at the firewall market in Japan, I don't see any single player dominating right now. Some Japanese companies are partnering with fairly small firewall companies in the US, pushing the US products to sell here. But, I think it's still in the early stage. The key for us will be to show some of the very large distributors and systems integrators the opportunity for building a significant business selling security solutions to Japanese corporations.

Another of your firewall product offerings is Global Virtual Private Networks. Just what is it?

LaLonde: This enables you to have an encrypted (private) communications channel over the public Internet. You don't have to pay for expensive leased lines, but you can still enjoy secure transactions and communications since the software encrypts the data stream.

Is the VPN business going to be bigger?

LaLonde: All studies point to VPN solutions being a very significant growth area over the next several years. Many of the companies in the firewall business are getting into the VPN business now. This is a new global market, one that takes advantage of the fact that people are now becoming more comfortable sending confidential data over the Internet and other public networks. As VPN solutions come along that remove the security and reliability concerns, the substantial cost savings over leased line solutions justify significant investments in this technology.

Are there any standards, or are all VPN products completely independent?

LaLonde: There is an evolving standard called IPSEC that covers encrypted TCP-IP communications. Network Associates Labs works closely with the IETF IPSEC Working Group to make sure that our GVPN product meets current standards. An IPSEC VPN will permit customers with heterogeneous environments to establish secure communications throughout their enterprise, or with their business partners without being locked into a proprietary, single-vendor solution.

Regarding encryption, Network Associates' PGP is the de facto standard for e-mail and file security, isn't it?

LaLonde: Yes. The reason PGP is so popular is that it is very easy to use for e-mail, which is the main application people like to encrypt. If there is someone with whom you want to exchange documents via e-mail, you just trade your public key once with this person, or tell the person to get it from a particular server. Once you've established that connection, from then on out that person can authenticate your identity. There are, of course, some enterprise encryption solutions on the market, but most of them are bulky, expensive, and very hard to manage and use.

Do you sublicense the PGP technology to other companies?

LaLonde: We have OEM arrangements with several companies for the consumer version of PGP. In addition, PGP is on its way to becoming a real, full-blown Internet standard. Recently, OpenPGP, the open-standards version of its PGP encryption technology, has been promoted to "Proposed Standard" status by the official standards body of the Internet, the Internet Engineering Task Force (IETF). By turning OpenPGP over to the IETF, now anyone in the world can create PGP-enabled products independent of Network Associates. We have even released change control of the protocol to the IETF, which completes PGP's transformation from a product to a protocol.

What is your strategy for educating the Japanese market about security, and getting Japanese corporations to take the network security issue seriously?

LaLonde: The Japanese market tends to follow the same cycles as the US market, often just delayed by a few years. Security is no different. In the US, anti-virus solutions as a product category has surpassed the one billion-dollar market size, firewalls are just about at one billion, with VPNs and encryption coming on fast. The emerging markets now are intrusion detection, risk assessment, etc. I think all Japanese large corporations - though not the small or midsize companies - realize they need anti-virus software and firewalls, or perhaps some sort of network protection, when they are connected to the Internet. For example, we recently held a seminar with Softbank and Microsoft on network security; it attracted more than 500 people. But when it comes to whether companies have actual solutions in place, I would say there's still a long way to go. Vendors have found that anti-virus software and firewalls are fairly easy to sell as reactive, point solutions, but they have not been able to define a successful model for selling total network security solutions. This leads me to believe that the software makers need to take the lead in defining the solutions. Network Associates intends to be the first such vendor for total network security solutions.

I've heard that some 40% of all networks in Japan connected to the Internet are insecure, with maybe just a simple proxy server. Do the Japanese really understand the necessity of network security?

LaLonde: We've visited several customers, who say, "We haven't had any network break-ins because we have good people, and also our systems are in good shape." But when we demonstrate our network security products to them, they are surprised to know that there are many more things happening in their network than they are aware. I think the main thing with network security is that most people don't know just how susceptible they are to attack until they have already been attacked, if even then. This is why the number of prosecutions for network break-ins is so low. To know a break-in has happened, you have to have some kind of evidence, a log or whatever. And when companies finally find evidence of a break-in in their network, it is usually way after the incident, and they can't trace the culprit. Right now the hackers have all the knowledge and the tools, and therefore the upper hand.

Do you offer products to monitor network conditions?

LaLonde: Yes. We offer a complete burglar alarm system for network intrusion detection and risk assessment, a family of products called CyberCop. One of the components, CyberCop Server, monitors application on the network - like a Web server, FTP server, or database server - to provide real-time monitoring of site attacks. Then there's CyberCop Scanner, which allows regular audits of a network to discover security weaknesses and provide advice on how to fix them. What we are doing with our products is having them interact proactively. This is what we call "Active Security" - not just having one product take a log, but keeping a database of the security state of your entire network. The anti-virus software talks to the firewalls that talk to the intrusion detection software so that defensive actions can be taken on the fly for much more comprehensive network security.

Who are you actually selling security systems to here in Japan: IT managers, or some other business managers?

LaLonde: That's a good question. In the US, major companies have a chief security officer (CSO) or somebody in charge of creating and implementing security policies. But here in Japan, most companies donŐt have that kind of position yet; they only have network managers. This will change over the next year or two, though.

Where does the greatest security threat come from?

LaLonde: In most cases, network attacks occur from inside people with inside knowledge and inside access. I think those are the types of security breaches that happen most often, especially in Japan. For example, recently when Sakura Bank got attacked and had the data files of many thousands of depositors compromised, that was done by one of the bank's on-site systems subcontractors - a kind of insider. In terms of viruses, there are some local Japanese viruses, but they are very few in relation to the number of PCs and the size of the user community here. It's a cultural thing; I don't think that you will find very large groups of people hacking or creating viruses here. I'm not saying that there aren't people like that here, but you'll find a lot more of that happening in countries like China or Korea.

Speaking of the internal threat, fraud is pretty prevalent here in Japan. We may not read about it in the newspapers, but there are rumors around in the market every week. Is there a high incidence of security-related computer fraud in Japan?

LaLonde: Unlike the US, customer data tends to be handled with a lot less care here; it tends to get shared, and passed around more informally. I think personal relationships come into play; if someone is asked for some information by someone they know well, many times they will cooperate based on the strength of the personal relationship as long as they feel it's not likely to jeopardize their job or the company's future.

That's a good argument for software companies to promote the idea that data should trusted only if it comes with a certificate or seal, or some type of tracking method. Do you have a technology that can authenticate where the data came from?

LaLonde: Well, PGP is very easy to set up in such a way that you can identify the person actually sending the message and verify that the message has not been changed by a third party. Also, we sell a policy server with the corporate version that enables you to control who is allowed to send and receive encrypted messages inside and outside of your company.

Who do you register the certifications with?

LaLonde: The customer can manage their own certificates without having to register them with an outside authority. A lot of companies want to do that internally, because they don't want to register their certifications with a third party. Also, in January 1999, we will be introducing a product that will be compatible with both Entrust and Verisign certificate authorities. This gives customers maximum flexibility and choice.

Is there some kind of security authority in Japan, an agent who represents the government, with whom you as a certification issuer have to register?

LaLonde: Not yet. There are talks about it in a number of computer-related groups and government study groups. One reason third-party certificate authorities haven't been so successful outside the US is that foreign governments - Japan included - are very fearful of a US company's subsidiary becoming the broker for transactions. Because of this national security aspect, there's a very strong tendency for the government to try to take control. And they usually end up retarding the process. Also, using an electronic signature that has been verified by a third party would require quite a bit of infrastructure and widespread market acceptance. Flexible and open solutions which can be adopted widely before governments can gain control and potentially stifle progress will likely dominate in this area. PGP is a perfect example of this.

Who is the anti-virus market leader in Japan right now?

LaLonde: Right now we are shipping the most units by a long shot. This year about 7 million PCs will ship in Japan with our product pre-installed. We recently released VirusScan 4.0 in Japanese and the initial reports are that it is selling as well or better than Trend Micro's VirusBuster. If that wasn't enough, VirusScan is a core component of Microsoft Plus. That alone outsells Trend Micro's VirusBuster by about two or three to one. When you install Microsoft Plus, our VirusScan actually goes through a virus check first; so, it's not like an option. Our goal is to be on every desktop PC. All along, the corporate market has been our bread and butter. And it is in that segment where we are seeing a lot of new competitive activity. Our success in OEM and retail has pushed Trend Micro and Symantec into the corporate market. With the economy the way it is, we are all in there fighting for every deal. It is quite competitive, which is good for the customer.

How hard is it to get bundled on Japanese manufacturers' computers?

LaLonde: The Japanese PC manufacturers look at how well a product is doing in the US; that's one criterion. A second criterion is whether you have the capability to support the product in Japan. Japanese OEMs tend to be very demanding on the quality side, and look at a vendor's ability for comprehensive local support, such as the ability to fix bugs or do patches in Japan. To be honest, in the end, we tended to be more expensive than other software makers are, as many of them were giving away their products to OEMs for free. We always asked for money, and were the expensive choice. The reason we often got the deal in the end is because, when they asked us to do something with the product, we were always able to do it, and quickly. I think that made the difference. And as long as we continue to do that, we'll keep those customers.

So you use a local country-type strategy?

LaLonde: We decided early on that we would have our own development team here - that we would keep our source code here, and make on-the-fly changes and updates. That has been a successful strategy for us. In Japan, I think the corporate and OEM businesses have been incredibly successful for us. It's going to be hard for companies like Trend Micro and Symantec, who rely on the retail market for their business. We rely very little or not at all on the retail business for our success here. Our revenue basis is the corporate and OEM side. We have these two competitors who are very strong in retail, and are now trying to attack the corporate market. But if you look at the sales numbers for any of their products, the number of units they're able to sell on retail is going down, because all the new PCs have VirusScan on them. Microsoft Plus has an attachment rate of about 40%, for example, so if VirusScan is not already on the PC, people will buy Microsoft Plus and then VirusScan is going to be there.

I don't see much advertising of your products on the Web. Is that conscious decision?

LaLonde: Well, if you go to the popular download sites, VirusScan is always in the top five. I would say that it's a worldwide thing; we leverage our own site, and don't spend money on other sites at this point. We're going to this portal strategy, which we have recently announced, where, for example, for a small subscription fee you can check in as often as you want and get virus checks, product upgrades, product information - not just for Network Associates products but for many makers' products. Once that starts up we will be doing heavy cross-promotion with high traffic sites like Yahoo and GeoCities. So, while in the past we haven't advertised much on the Web outside of our site, I would say that would change soon.





Back to the table of contents