A CONVERSATION WITH ROBERTO MEDRANO

On the verge of the 21st century, the Internet has given us an electronic horn of plenty. Plenty of information, that is.

"The Net" and the World Wide Web have also put IT departments on the horns ofa dilemma. Worldwide access to corporate information means more access to corporate ITsystems, which has led to concerns about security. In addition, e-commerce sites areestablishing Internet infrastructures while pioneering new business models. Of course, allthat information is expected to be continuously available. Or 24x365 in the parlance of ITculture.

That's why HP created the Internet Security Operation (ISCO) as part of the InternetSoftware Business Unit (ISBU). According to Roberto Medrano, the ISCO's General Manager,"we're a hot 'start-up' [organization] within HP." The ISCO is part of LewPlatt's plan to jump start new business [opportunities] every 18 months. To that end, HPhas brought in executive talent from outside of HP's hallowed cubicles. It's a rareexception for HP, well known for grooming its executives in the HP Way.

Medrano, formerly CEO of Finjan Inc. (San Jose, Calif.) is one example. Bill Sudlow,formerly with Claris Software (Apple's one-time software spin-off, now FileMaker, Inc.,Santa Clara, Calif.) is also on-board as Vice President of R&D as well as Lior Arussyas Channels Marketing Manager, also from Finjan. Other notable outsiders have come fromComputer Associates, Trend Micro and Secure Computing, among others.

The first two products that Medrano and his team are responsible for developing andmarketing are HP's VirtualVault (announced in 1996) and Authorization Server (announced inJuly 1998). The success of both products, under the Praesidium brandname, will play animportant role in HP's plans to grow its software business, while shedding its historicmarket dependence and traditional mind share as a hardware-only company.

In an exclusive HP Professional interview, Editor-in-Chief, George Thompson spoke withMedrano and Sudlow about their plans, products and new possibilities.

HP Pro: Why the emphasis on being a start-up andtransplanting outsiders?

Medrano: [HP] had mechanisms and processes in place thatwere designed for a hardware-related business. We are developing the new software-relatedbusinesses and processes. We need to be successful as a start-up.

Sudlow: In a company like HP, with a large portfolio ofbusinesses, in the past, they maybe didn't have the same time-to-market urgency as in mostof the software start-up world. If you don't get your product out in the next week or nextmonth, it can be a 'quick death' scenario.

For example, I met with the [HP] development teams that were in place and they werethinking in terms of nine, 12, or 15 months between major product releases. You just can'tafford to wait in between major releases. The competition is changing so fast, you have torespond quickly. You have to focus on developing software in an incremental fashion.

HP Pro: Can you explain the overall capabilities ofVirtualVault and Authorization Server?

Sudlow: If you have a Web browser across the Internetconnecting to some application on the back-end, VirtualVault sits on the boundary. Thatis, it actually works in parallel, so if you have a firewall to protect different IPaddresses to allow for email, etc., the VirtualVault containment capability allows you toensure data and application integrity. Via a trusted gateway agent, you can pass onlycertain parameters from between the outside [your Web server applications] and insidecompartment [your internal database] -- say a CGI script. The only people that can get onthe inside are the people who have the security administration of that platform.

Medrano: When you need to open your internal databasesthrough a Web connection, you need a secure Web server like VirtualVault. That's whyVirtualVault has been successful with the banks doing business on the Web.

Sudlow: Authorization Server provides what we call"discriminating access" to individual business transactions or portions ofbusiness process. It's particularly important for extranets like supply chain management-- where you want to share your application with your business partner but don't want togive blank access. You can provide only one or two screens and maybe do only a restrictiveset of transactions within for say, your SAP application on the backend. So, AuthorizationSever allows customers to assign discriminating access for Web-enabled applications.

HP Pro: Can the two products work together?

Sudlow: That's the beauty of it. The two products worktogether to enable secure transactions and access to information at the Web boundaryprotection area. It can be used on intranet applications as well, but the press andanalysts seem to think the most exciting area is its use on extranets -- like supplychains. But the products work separately or work together seamlessly.

HP Pro: What's the word Praesidium got to do withanything?

Medrano: Praesidium is our umbrella. Praesidium equalssecurity at HP. Praesidium is something that I own, manage and develop as a securitybrand.

Sudlow: Much like OpenView is a brand name for a largenumber of products under that umbrella. We are establishing Praesidium as the brand namefor HP security products. That's actually an important point.

HP Pro: Speaking of which, how do the security productsintegrate with OpenView?

Sudlow: One of the key capabilities with AuthorizationServer is the auditability built into the product. And those auditability records can besent to [OpenView's] IT/Operations. You can set up business rules, for example, if someonecontinues to try over and over again to get access to a particular transaction you cansend an alarm about it to OpenView.

From a strategic point of view, we believe there is going to be a tremendous amount ofsynergy between all [the present and future] security products and OpenView. Many peopleview security management as the next logical extension of network management. And how doesit fit within their IT infrastructure.

HP Pro: The products are specific to HP-UX platforms.Correct?

Sudlow: VirtualVault is just on HP-UX. AuthorizationServer has a plug- in to the Windows NT/Netscape Enterprise Server. From an overallstandpoint, NT and HP-UX are strategic platform for us.

HP Pro: Any outstanding competitors in this space?

Medrano: There are none [now] known for VirtualVault.That's why we have taken a leadership position with 70 percent of the Internet bankingmarket.

Sudlow: For Authorization Server, there are some newcomerslike n-Commerce and Netegrity.

HP Pro: What's beyond the Internet banking segment?

Medrano: ISPs and telecommunication companies are the nexttargets. A leading ISP, PilotNetwork, which by the way is a Sun shop, became aVirtualVault customer and also a reseller. A third one is ERP-related -- anybody that hasa SAP application out there and wants to open it up to the Web.

Praesidium is our umbrella. Praesidium equals security at HP. Praesidium is something that I own, manage and develop as a security brand. -- Robert Medrano

Many people view security management as the next logical extension of network management.-- Bill Sudlow