Fortinet eyes MSS, cloud for regional growth

Increased demand for telcos to provide managed security services and the trend of carriers rolling out cloud services will be strategic to Fortinet's growth in the region, said a company executive.

The network security vendor's technology and business model position it well to reach out to its telco customers undergoing such transformation, said George Chang, Fortinet's regional director for Southeast Asia and Hong Kong, in an interview Wednesday.

Appointed as the regional lead in May, Chang also serves as the regional director of carrier and service provider markets in the Asia-Pacific region, a portfolio he has held since December 2009. Prior to joining Fortinet, he was head of corporate development at OpenNet, the appointed network company or NetCo for Singapore's next-generation National Broadband Network.

According to Chang, cloud computing fits nicely into Fortinet's aim to focus on the large or high-end project segment in 2010. The likes of NTT Docomo, SingTel and BT have put in place "some sort of cloud computing services", which makes it even more crucial to deploy consolidated, high-performance products to trap, manage and control different types of security threats, he pointed out.

Fortinet, he added, expects growth across the region this year, but is looking particularly at "explosive growth" in Southeast Asian markets such as Indonesia, the Philippines and Vietnam.

Q: About your point on service providers' customers looking to them for managed security services--what opportunities does Fortinet see for this growing trend in the region? How does the company intend to capitalize on them?
Chang: There are three key areas where I believe we provide an advantage as a solutions provider to the MSSPs (managed security services providers). Any provider--it can be an incumbent telco provider or a very strong datacenter service provider--can come to us and say it wants to provide security solutions to our customers and be able to manage the offering, classify the performance and abilities to enable network forensics, or login and archival of data for regulatory compliance.

Their customers don't want to manage security themselves because of the lack of manpower or [because] their focus is simply not in network security. They want to pay a monthly subscription. In order to enable that, you obviously cannot keep piling on network security appliances or boxes. Where Fortinet has an advantage is [that] we're able to virtualize a big or small box for multiple customers.

For example, we carve out a partition for customer A and we don't just virtualize the firewall for the customer, we can virtualize an entire suite of security offerings, including IPS (intrusion prevent system), antivirus and Web filtering. I can make use of virtualization to serve 10 customers in one box--each of these customers could have different types of services offered to them. The ability to map the services on a virtualized platform to provide to the end customer as server hosting--that is something we not only do really well, but with high performance.

The second point is our licensing model. The way we license is very different from our friendly competitors. A lot of them license on the basis of per user. When the provider starts off deploying the solution in [its] network, say, for 100 users, but when the business gets really big [it has] to start paying more. As a provider, it's very difficult for you to realize your ROI (return on investment) as well as grow rapidly. Fortinet licenses by the box and the customer can choose to turn on some or all of the features. The providers can do their own mix-and-match in terms of bundling services and grow accordingly. They have better visibility on their ROI--they know how much they have invested in the box and what the returns are.

We also have a direct premium gold services program where we support our MSSPs and tier-3 partners. We respond to them at a telco-grade quality of service. We have three support centers in the Asia-Pacific, in China, Japan and Malaysia. In these centers we have our own malware threat management specialists so we can respond much faster.

What challenges are businesses in the region facing today in protecting their networks and how do you expect these concerns to evolve over time?
The network perimeters of a company have extended. Previously, everyone worked in the office so you contain your security within that environment. Commuting has come into play, so the extensions of the network perimeters have changed. One of the challenges businesses face is the security that they have put in place do not have the ability to cope with these extended network perimeters.

Another key challenge is the growing amount of threats. People sometimes say security is not as crucial to SMEs (small and midsize enterprises), but security is important to any organization big or small. Botnet operators target a lot of SMEs to create a big massive network to attack other networks.

One of the things we noticed in the market is that when a company grows, its security doesn't grow with it. If a company implements a security box and then grows to twice its size, it will probably find the product doesn't match its needs anymore. Fortinet's technology is the same whether in a smaller box or a telco-grade box--the capabilities, migration and performance will grow together with the company. So if you invest today, you can top it up or group it with bigger boxes as you move along.

Another concern is around cloud computing. With data and applications being put in a third-party infrastructure, how secure are they? In all these key areas, Fortinet has a very strong proposition in helping them.

Is it easier to sell UTM (unified threat management) devices to emerging markets in the region compared with more mature markets where piling on boxes may be the norm?
As a whole, security in the Asia-Pacific market is a bit lax compared [with] the U.S. or European markets, so there is opportunity for security vendors including Fortinet to better secure this region.

The more mature markets like Singapore obviously have some sort of security platform put in place previously. They need to upgrade--we see a lot of customers upgrading to our products from our competitors'.

In growing markets like Vietnam, they may not have the products in place, so they go straight to advanced solutions right away. That's more advantageous in a way because they will adopt the newest technology. Upgrading is always more tedious compared [with] deploying a new network.

How do you convince them that UTM is the way to go, rather than just deploying best-of-breed point solutions?
Even though we offer all-in-one security appliances, individually, our solutions are very competitive. For example, the FortiGate-3950B has 120Gbps firewall throughput and more than 10Gbps IPS throughput. With only one box, we're very much comparable to standalone devices. The threats today, you can't tell where they are coming from—antivirus, IPS or firewall. They come from various areas. It comes to our box, we know where it comes from, and we know how to control it.

The advantage we have here is that there's no finger pointing. As the traffic passes through our box, we have one single point of control as to how the threat will be managed as opposed to deployment of various boxes.

So it's not about cost?
Cost plays a part. We do the job well--we do it affordably. We're not the cheapest in the market, but we're priced well enough in the market--our customers know our edge.