Intel and McAfee

Intel announced on 19 Aug 2010 that it will buy McAfee for around $8bn. This has caused some surprise. Intel does not sell directly to the end-user, and it does not develop application software. It is not obvious what it achieves by acquiring a software vendor. Here’s my guess as to why Intel is doing it.

There is a complex pattern of change going on in the architecture of the server computer. As parts get cheaper and more powerful, they can be reconfigured in many ways. The basic model of one box and one chip per business function (e.g. the mail server, the domain controller) no longer exists.

Virtualisation and Cloud computing are just marketing words, but underneath is a continuous evolution and adaptation of components. The BIOS (very small bit of control code) becomes the EFI (much larger) and then the Hypervisor (even larger bit of control code). Virtualisation is not a new concept. It just signifies that the hardware has temporarily outstripped the operating system in the ability to run diverse tasks. The hardware is sitting there saying "give me more", but the OS can’t isolate them enough, so we put a thin layer in between to share the hardware. Next step is the "OS" shrinks to be task based, like Windows Server Core. Likewise cloud computing is not a new technology. It signifies that fibre optic networks are cheap enough to move servers off site, where they can share resources like cooling and power supply more easily.

One aspect of this continuous evolution and adaptation is that the security risks are changing. It used to be accepted that "inside" was inherently safer than "outside". Outside you need two factor authentication and strong encryption. Inside you can get away with the odd admin password passed over the network in the clear. Now you can’t assume this. For example on shared hardware you need to process security keys (used for disk encryption) outside of shared memory where they might be discovered by different virtual machines on the same physical host.

As a result there is a lot of work going on to improve the manageability and security of computers below the operating system layer.

  • faster and stronger encryption
  • better protection of encryption keys and passwords
  • more isolation of different virtual machines
  • detection of unexpected state changes.

For Intel this includes initiatives such as: Active Management Technology (AMT); Virtualization Technology (VT); and Trusted Execution Technology (TXT). These have also been evolving over the past five years and more. Here is a really good insight into what AMT does: AMT

So I think Intel must have acquired McAfee in order to adapt their antivirus technology for implementation in hardware. This would enable the physical host to scan virtual guests and preserve the integrity of the system. The host would be able to detect if the guest had been altered. It would also be able to detect if shared drivers for graphics and audio had been tampered with. It might even be easier to stop the AV process running away with the CPU, which happens frequently in software.

Why McAfee? I don’t know. I am not aware of any technical superiority between different AV vendors. Perhaps because they have a reasonably good name, client base and income stream. Why not invent from scratch? Only because it would take too long. These are just guesses mind you.

Outsourcing IT is not the answer

Most large businesses I have come across at some point come to wonder how better to manage their IT operations. IT consumes a lot of money, but often does not seem to be doing what you want, almost wilfully. You ask for something to be done, and three weeks later nothing at all seems to have happened. Surely they are all just incompetent. Outsourcing has been around a long time as a solution to this problem of feeling a lack of control.

Outsourcing sounds like it should make sense. ICHA (or whoever) do lots of IT and must know how to do it better than we do. They are specialists where we are amateurs. They must have lots of highly skilled experts who can be called on to deal with the tricky technical stuff only when required. It all sounds so efficient. And now they even have technical experts and support centres in India and China, where costs are so much lower. How could it fail to be both more effective and less costly than our current operations?

And yet. When you start talking costs, they always seem remarkably close to your current costs. And service levels always sound more as though they are trying to avoid things rather than commit to them. TUPE means of course that you simply can’t release your staff (who were so incompetent, remember?) and use ICHA’s. And the shared data centres you were going to use instead of paying for your own, well, it would cost millions to make the move and actually the services are going to be run from your own data centre after all. In the end it seems as though your own people and facilities are going to be sold back to you at a premium, but managed by someone else. So the pitch comes down to this: "Don’t worry your pretty little head about this IT stuff. Just tell us what you want and we will manage it for you". Core business is the key word. By the time you have got this far down the track, it would be really embarrassing to go back to the Board and say, "It doesn’t add up, I must have misunderstood what IT is about", so it goes ahead anyway.

Here’s why Outsourcing in this way doesn’t work.

Most of IT Operations is simply deploying vendors’ kit. It may be in large quantities, it may be very expensive, but it is still just kit. Most kit from most vendors is at the upper bounds of complexity and capability. As a random example, RSA SecurID can provide strong authentication for five plumbers, or for 100,000 staff spread around international offices. It works the same way. To implement this stuff effectively you need to be fairly expert. But then day to day it requires little more than following the book for how you add users, change settings or whatever. Mostly it just works. And when it doesn’t you really need the expert to fix it.

Now the problem is that it does not make sense for IT Operations to hire experts. You only set it up once, and change it rarely. But you administer it every day. So you tend to hire the administrators, and then try to get by on that. Systems are put together by people who are not experts, and so they don’t get done or they fail. I don’t mean to say that the people in IT Operations are not very capable. You may have a small group of people who are indeed expert in some things. Its just that they can’t possibly have the variety and depth of experience of people who do this all the time. Is it enough? Well, perhaps, but probably not.

And then when you go to the market for outside help, the transaction costs are high. It takes time to brief people and for them to understand what you are trying to do, and that time one way or another must be covered in their costs. It also looks like real money. £50,000 to do a project is a lot of cash to justify, with business cases and cost benefits analysis. Fred not achieving anything very much in a year is much harder to see.

Outsourcing does not solve this.

The outsourcer is going to sell you back your own staff and kit. Yes, there may be some changes in the way some things are done, and you may have a few redundancies. But fundamentally you have the same faulty systems being run by the same people. When you would think you would have access to experts to solve problems or make things work better, they don’t seem to be available. Why is that? Well, an expert in something like Active Directory can be charged out at high rates to client implementation projects. He is not going to be assigned to your problem just because you’d like it. If he is assigned to a chargeable project to help you, he won’t know any more about you than any other new supplier.