In The Boardroom With...
Mr. Michael Oldham
Chief Executive Officer
SecuritySolutionsWatch.com: Thank you for joining us today, Michael. Before discussing PortSys Products & Solutions in greater detail, please tell us about your background and may we have a brief corporate history?
Michael Oldham: I’ve been in IT and Security for over 30 years and have had quite a variety of different experiences. I began on the technical side as a systems and network programmer back in the days of mainframe computing. It’s always interesting to see how things come full circle in the IT industry! My next step was founding my first software company which focused on operations for franchise companies. After a successful exit, I went back to the corporate world and had several executive positions running IT and Operations. But, I’ve always had the entrepreneurial bug and I was never far from building another startup. Over the years I have been back and forth between the corporate and startup worlds. Both have taught me a great deal. Most recently before starting PortSys, I was Global Program Director for a technology company where we built a successful global security business.
In 2008, I founded PortSys. From my previous experience both running IT and from building a global security business, I knew that the security industry was a great place to be. However, I also recognized that the existing security world was starting to age in some ways. While there was still a lot of innovation, most organizations were relying on technologies that were very old in comparison to the revolutionary changes that were underway.
We started building high-end security appliances for organizations, which we sold to customers around the world. But, we also saw the revolution happening with things like Mobility and Cloud changing the way we all work today. We recognized that existing technologies weren’t doing enough to manage security in a comprehensive manner. So, we took the initiative to build a security solution, from the ground up, to address the security needs of today and tomorrow. Total Access Control is the culmination of years of hard work and dedication to this pursuit.
SecuritySolutionsWatch.com: One will read about PortSys that,
“PortSys is a private company, founded in 2008, headquartered in the US and with our international subsidiary based in the UK. Our focus is exclusively on information security and access control. PortSys currently has customers worldwide representing some of the world’s largest financial institutions, government ministries, defense departments, utilities, healthcare organizations and industry-leading enterprises.
With our global footprint, PortSys offers products and 365 x 24 x 7 support to customers around the world. We have been recognized for our advanced security technologies and our dedicated client-centric focus. Our fully integrated security technologies, high performing security appliances, and comprehensive support services are highly regarded in the public and private sectors.
The explosion of mobility, the Consumerization of IT (bring your own device), the growth in cloud computing and the need to access information from anywhere means that organizations are being exposed to higher levels of risk than ever before. To meet the constantly changing security needs of today’s organizations, PortSys has developed Total Access Control (or TAC).
Total Access Control provides customers with an all-inclusive solution that combines the many ways in which we access information today into one comprehensive product. TAC allows the use of any device from any location to access resources anywhere (local or cloud) securely. TAC includes technologies such as SSL/VPN, VPN, Single Sign-On, Multi-factor Authentication, Application Firewall, Cloud Access Control, Application Acceleration, Portal-based Access and Mobile Device Management in a scalable solution capable of meeting any organization’s information access needs.
TAC replaces other disparate, individual technologies that used to manage access functionality with a comprehensive, unified security product that manages all access to information regardless of where it resides. TAC helps organizations manage mobility and the need for nearly ubiquitous access in a manner that is highly secure and easy for both administrators and end-users.”
Please give us an overview of the solution PortSys delivers.
Michael Oldham: PortSys provides a comprehensive security solution for providing access to corporate resources. One of the challenges that organizations everywhere face is IT Security Sprawl. Over the years we have developed individual technologies to solve the security issues of the day. Now, we are faced with the necessity to manage a number of disparate solutions, each doing their own individual functions. What’s worse is that none of them talk to each other, so it’s nearly impossible to get a comprehensive view of who is accessing what in your infrastructure. Products like Mobile Device Management and Cloud-based solutions are just recent examples of these challenges.
PortSys provides a solution to this challenge with Total Access Control, or TAC for short. TAC provides comprehensive control over access to your valuable corporate resources regardless of whether they reside in the local datacenter or in the cloud. You can access these application and data resources from any device. We support laptops, desktops, mobile devices of all sorts, tablets, internet kiosks and more. TAC provides the highest levels of security over this access but even more importantly, TAC makes access easier for your end users.
If you think about it, security has been pretty awful for end users. The brunt of the work goes to them in keeping track of all sorts of passwords and methods for getting access to all sorts of systems. In many organizations there’s no way a user can keep track of the myriad of passwords that are constantly changing. End users typically equate security with making it more difficult to do their jobs.
When we designed TAC, we didn’t just keep the highest levels of security in mind, but we also focused on the administrative and end user experiences. It is possible to have stronger, more robust security while simultaneously simplifying life for the end users. TAC provides the bridge that allows your employees to actually help maintain the organization’s security, without making their lives more difficult. It’s really a win-win for companies when they deploy TAC.
Also critically important is the fact that TAC helps organizations embrace mobility and do so securely.
SecuritySolutionsWatch.com: What is your perspective, Michael, regarding the unique value proposition that PortSys delivers…in other words….why PortSys?
Michael Oldham: Total Access Control is the only product of its kind. It brings together multiple technologies like VPN, Single Sign On, Portal Access, Multifactor Authentication, Mobile Device Management, Application Firewall, Application Acceleration, Cloud Access Control and more into a single product that manages your access across the entire enterprise. This is a very unique product in the marketplace.
It sounds strange that there wouldn’t be many products like this as it makes so much sense to have all your access managed from one place. But, when you break it down you start to see the issues.
Security as an industry grew up solving individual security problems. From the earliest days of connected systems we’ve had security issues. It started with the Morris Worm many years ago. This led to the invention of Firewall technologies. From there, we’ve built individual solutions to all of the problems that have come along. This solved the problems, but added a new layer of complexity each time.
Consider a recent wave of technological innovation, Mobile Device Management. MDM was created to help organizations manage the surge of demand for utilization of mobile devices by employees and to help manage the push for greater mobility. And MDM technologies helped to do that.
But, they are myopically focused on mobile devices. They don’t really care about your laptop or your home PC, and they don’t care about the specific resources you’re trying to access. They only care about managing your mobile device. They are effectively a niche technology to solve one problem, mobile devices.
Cloud access is shaping up to be somewhat similar.
But, companies are starting to understand that they can no longer continue to deploy more and more individual solutions, most of them from different vendors, and most products don’t talk to each other. It’s too expensive to manage and it actually leads to the organizations being LESS secure. The more products you have in your security architecture, the more chances for gaps, misconfigurations and other flaws in your defenses. And vendors are starting to understand that just having individual solutions isn’t going to keep working. So the movement has begun… trying to integrate technologies together.
We’ve already done that with Total Access Control. That’s why we’re unique in the marketplace.
SecuritySolutionsWatch.com: What about competition in the marketplace? Does PortSys compete with other players in the security space? And, why is PortSys offering a solution that is unique?
Michael Oldham: That’s a perfect lead in to continuing what I was just speaking about. Absolutely, we have lots of competition. We compete with all of those individual solutions from all sorts of security companies out there. Each of those competitors and products occupies a specific niche in the umbrella of security. However, our advantage is that we combine many technologies into a single solution. By doing this, we gain a significant advantage for customers.
So, why you might ask, don’t those other companies just build an all-inclusive security product? This is a competitive area, so why haven’t other companies done this already?
I asked myself the same questions.
There are really two types of security companies out there. The first is the large, well-established organization that has been doing security for a long time. They tend to have multiple product offerings that are quite mature and they have lots of resources. The second type of company is the small, innovative kind. They are creative and motivated but they are comparatively small and have fewer resources.
Let’s take the smaller, innovative companies first. They are nimble and have a lot of capability. But, they are typically quite resource constrained. So, to succeed, they must focus. You’ll see that most successful companies have a laser focus on solving a particular security problem. If they’re successful, they will branch out a bit, but almost always within their silo of expertise. MDM is a good example of this. Many companies came out with MDM solutions. The successful companies then branched out by creating more features like Mobile Application Management, Containers or other novel and creative expansions of the existing base technology. But, it’s still within their security silo. Eventually, if they are successful enough, they get purchased by the larger companies. Because of their need to focus to become successful, they aren’t in a position to create a very broad security product.
When we look at the large, established players, they are honestly a victim of their own success to a large degree. The problems they face are entirely different. Innovation is difficult in large companies. It’s not that they don’t have great, smart and innovative people. They do. But, what they have are some very significant limiting factors.
First, they have a bunch of cash cow products that they’ve developed. These products are the basis for their success and they can’t just chuck them out and start over again with something new. They need to keep these products going to continue their revenues and make their revenue forecasts. Without these major successful products, they have serious issues.
The second limiting factor is their own spectrum of products. When you’re developing internally, you have to work with all the other products you have out there. You have to make sure that your newer technology works with all the other technologies. It has to be managed from the tools that the company has built and it has to conform to certain internally set standards. None of this is bad, but it creates a swamp where good ideas get bogged down for long periods of time. The bigger the company and the more successful products you have… the slower innovation happens.
So these big companies tend to buy the innovation by purchasing the smaller, innovative companies. This speeds up part of the process. But, integration of new technologies can be just as difficult as development for these companies. It just takes a long time to get a product integrated with their other technologies.
So the bottom line here is that it’s very difficult for big and small companies alike to develop a broad security solution like Total Access Control. This is another way that we are quite unique.
SecuritySolutionsWatch.com: Is it fair to say, Michael, that PortSys is customized based on the specific needs of your customers?
Michael Oldham: Well, I would state it a bit differently. TAC can be tailored by the customer to meet their specific needs. We designed TAC to be very flexible and to meet the very varied needs of our customers. No two customers will have the same set up. They will have different applications, different hosting locations for their applications (local or cloud) and will have very different policies on requirements for access to specific resources. TAC is designed to allow customers to create their own, unique implementation that works the way they want to conduct their business.
One company may feel it’s fine to let people access their email from their personal mobile devices, providing they meet antivirus policies. Another company might want to block access to mobile devices that have been rooted or jailbroken. Still another company might allow their employees partial access to applications from phones not meeting their requirements, like access to the employee portal and email, but not allow them to upload or download files or email attachments.
The point is, TAC is very flexible and is designed to allow the organization to meet their specific needs.
SecuritySolutionsWatch.com: What about the PortSys Support that your end-users can expect to receive?
Michael Oldham: We take support very seriously, but ultimately it’s very simple. If you don’t properly support your customers, they leave. And, with a product like Total Access Control that is a key element of their security infrastructure, support has to be there when the customer needs it. So, we provide 24 x 7 support to all of our customers as a standard part of the way we do business. Most organizations charge extra for this, but my feeling is that if you’re trusting our technology to manage access for your entire organization, we better be there to make sure it’s working at all times.
For customers who purchase our TAC security appliances, we also provide onsite hardware support for our customers in as little as 4 hours. This extends to thousands of cities and most countries around the world.
We always strive to provide exceptional support for all of our customers. We know that this is an opportunity to strengthen our relationships with them. When things go wrong, we are there to make them right again.
We also provide regular guidance about our security appliances, both physical and virtual, to let the customer know that their device is as secure as possible. This includes regular patch notifications and software updates as needed. This is a crucial part of our support for our customers and is included as a standard part of our support.
Too many vendors in the world send out their products and then the customers just continue to run them without ever updating them. With the kinds of threats we’re seeing today, that’s just crazy. Technology and threats move much faster today, so we must be there and stay ahead of these issues. That’s why we spend a lot of time going over our appliances continuously to ensure that our customers’ environments are very secure and will continue to be for as long as they own them.
SecuritySolutionsWatch.com: Can we discuss the current customer environment for a moment? BYOD results in many threats…and not only from bad guys always looking for the weakest link into the network…Unintentional Insider Threats (UITs) is an equally serious challenge where employees/users might innocently click on phishing messages, visit nefarious websites, run risky/outdated software, or fall into any number of other traps. What are your thoughts Michael regarding “best practices” that should be followed in this environment?
Michael Oldham: Phishing attacks and targeted Spearphishing attacks are becoming greater threats these days. They seem to be one of the more popular avenues of attack and they can have some very high success rates. But, the potential threats are going to continue to evolve at a very rapid pace. The truth is, there’s always a risk no matter what you end up doing. There are a lot of very smart criminals in the world, and they are better financed than most IT departments.
The first defense against these types of attacks is education. People need to be educated about security issues so that they can be aware of these issues. They have to know how to question whether something is real or not. The first step is to let them know that they can question it, and what to do if they think something is suspicious.
I’ll give you an example, a company I spoke with had a situation recently. The CEO of the company sent an email to the CFO directing him to wire a substantial amount of money to a particular account. The CFO, having been similarly directed before, wired the money.
The problem was the CEO never sent that note. Hackers were inside the company and had been reading correspondences from the CEO, and analyzing the way he wrote his emails, particularly ones directing the CFO to wire funds. They made this email look very convincing. But, upon closer inspection (after the fact), they noticed the email origin was not from the company’s URL, but from the same URL with the last letter of .COM cut off to be .CO. Upon normal examination, it looks legitimate. But, the company didn’t have in place a process by which the CFO would double-check with the CEO outside of email to verify the wire of this substantial amount of money. The result, they lost the money completely. No chance to recover it.
Education and verification is very important. It’s crucial that people know not to click links inside emails they receive as well. There are many examples of good practices that people should adopt. They are easy to find.
A good security solution can help as well. There is no perfect security product that exists, so combining good practices with good security technology can make a huge difference.
As an example, Total Access Control provides the capability to have multiple ways of validating end users, all without making it any more difficult for them to do their jobs.
One problem that exists is people phishing for credentials. The person gets a note from the HR department or the IT manager saying, “As part of our audit, each employee must confirm their username and password. Please click here to do so by the end of the day today.” It looks official and I can almost guarantee that you will get a number of people who will follow the directions.
The problem is this goes to an external website that is harvesting the credentials for that company.
Normally, those credentials would give the hacker free rein to go in and get whatever that user’s credentials would allow. And, it would give access to their email so they can send other messages to other people within the company.
With TAC, you can have multiple layers of authentication, in fact, three or more factors. The first would be the credentials, which in this example, the hacker has just stolen. Now we can add a multi-factor authentication to this. This is a good additional hurdle, and TAC offers a multifactor authentication technology as part of the product. But, that still might not be enough. We can also add in the physical hardware device as another factor of authentication, essentially binding the user’s credentials and the hardware device together.
So, in this case, the fact that the user made a mistake in sending out their username and password to a hacker, does not cost the company any pain because without the multifactor authentication AND without the actual approved hardware device, the hacker can never get access.
SecuritySolutionsWatch.com: We read your recent news with great interest, “PortSys approved as supplier for G-Cloud 7 Digital Marketplace framework for Public Sector organisations”. Quite impressive, indeed! Care to elaborate, Michael?
Michael Oldham: We are very happy to have received notification from the British Government that we were an approved supplier for the Government Cloud in the UK. This means that government customers in the UK can purchase TAC from us directly at a pre-negotiated price without the requirement to go out to the normal tendering and bidding process.
This is a reflection of the fact that we have put a great deal of effort into providing a solid, highly secure and reasonably priced solution in place for our customers.
SecuritySolutionsWatch.com: That’s quite impressive. How about other places? Can we drill down a bit into any success stories or “wins” you would like to discuss? And, we understand totally if you choose NOT to mention the specific government agency or financial institution you are working for!
Michael Oldham: Our technologies protect many institutions around the world.
I’ll give you some examples. We protect access for one of the major defense departments in Europe. Every item that’s purchased in that country, or around the world, is procured through systems we protect. Whether you are buying a pencil or a battleship, PortSys protects the access to those systems.
We also have several critical infrastructure customers who supply power to their regions of the world. These customers are in the United States and in Europe, but that’s about as specific as I can get as these organizations understandably maintain a high level of secrecy about their infrastructure and security.
We all know how critical the electrical infrastructure is and how it has continued to be in the news as a potential source of vulnerability. PortSys provides security and access control technologies for these organizations so they can continue to provide electricity to their constituents. There are tens of millions of people who depend on these organizations for everyday life. These are absolutely crucial services and are among some of the most targeted institutions in the world. We are proud to be part of their defense.
Another industry that we help protect is healthcare. We have numerous healthcare institutions who look to PortSys to help them provide secure access to their critical systems. As an example, we help protect numerous NHS (National Health Services) trusts throughout the United Kingdom. These organizations rely on PortSys technology to safeguard their systems and provide flexible access to the people who are supposed to have access, and block those who do not. We have thousands of healthcare workers who use our products every day in the normal course of their jobs.
We have an engineering company with about 80,000 people working for them around the world. They need to get secure access to information wherever they happen to be. This organization has both employees and thousands of contractors accessing information every day. PortSys has provided a global architecture using our GeoAvail technology that provides fault tolerant access along with global high availability to multiple datacenters around the world. These datacenters are located in 7 geographic regions and the entire access system works as one single entity. We automatically detect the geographic origin of the end user and route them to the appropriate location based on security policy and/or shortest distance or fewest hops. If a local datacenter isn’t available for some reason, connection automatically fails over to the nearest location at another datacenter. But, for the end user, it is all seamless. Their access works as it always does, no interruption or change in process because they couldn’t get access to their local datacenter. For organizations like this with thousands of people working around the clock, they have to have a highly reliable system for providing access to critical infrastructure. PortSys provides that for them.
But we also have smaller organizations too. They have the same needs for security and protection that the big organizations have, but they usually have smaller budgets and much smaller staff. The argument can be made that these smaller organizations need our products even more than the big companies who have full IT Security staffs doing nothing else but managing security.
Big or small, we have many organizations that use our technologies today to protect themselves, enable mobility and enhance their productivity.
SecuritySolutionsWatch.com: We understand that Microsoft and HP are strategic partners. Can you tell us more? Any other key relationships you care to mention?
Michael Oldham: We have a number of strategic partners. We are a global OEM for Microsoft and for HP. And, as with many large organizations we have multiple ways of working with them. As an example, our hardware appliances are delivered on Tier 1 HP servers. One of the great advantages of working with HP is the fact that they have parts available for their hardware around the world! This helps us to deliver prompt fixes to hardware issues should they occur. But, HP also sells our technology to some of their strategic customers. It’s a great relationship and works well for everyone.
We have many relationships with organizations like Vodafone, BT, CapGemini, Fujitsu, Arrow and many others. These relationships are crucial because these organizations are trusted advisors to their customers. They help their customers to find the right solutions to manage their security. We are very pleased that PortSys and our technologies continue to be implemented and managed by these strategic partners.
In addition, we have a number of smaller, but no less important, security partners. These tend to be specialist security companies who are highly focused on security and providing the best possible solutions to their customers.
We are very fortunate to have both of these types of partners working with us around the world.
SecuritySolutionsWatch.com: Thanks again for joining us today, Michael.
Michael Oldham: It’s been my pleasure Martin. Thank you very much for having me on today.