Windmill Networks

WIM and PCI DSS

WIM= Windmill Networks Integration Manager
PCI DSS=Payment Card Industry Data Security Standard

The PCI Security Standards Council has produced some interesting documents. The intent of the organization is to produce security guidelines for companies that handle information from credit cards and things that function like credit cards.

The guidelines they have produced are very reasonable for both the intended target and businesses in general.

• Requirement 1: Configure routers and firewalls to protect cardholder data and verify these regularly.
• Requirement 2: Do not use vendor supplied passwords and manage passwords intelligently.
• Requirement 3: Protect stored cardholder data.
• Requirement 4: Encrypt cardholder data when transmitting across public networks.
• Requirement 5: Use and regularly update anti-virus software.
• Requirement 6: Develop and maintain secure systems and applications.
• Requirement 7: Restrict access to data to those with a need to know.
• Requirement 8: Assign a unique ID to each user.
• Requirement 9: Restrict physical access to cardholder data.
• Requirement 10: Track access to network resources and cardholder data.
• Requirement 11: Regularly test security systems and processes.
• Requirement 12: Maintain a policy that addresses security for employees and contractors.

I have been unknowingly giving these same requirements to business I have been helping over the last 20 years.

Many businesses are currently working through the certification process to meet these requirements and we can help. WIM provides automation support for requirements 1, 2, 11, and 12. Our regular collection and cross verification of network device information as it is stored in the various management tools are significant steps for requirements 1 and 11. The rules our customers create provide validation for parts of 2 and 12. We are adding support for automated password checking to detect default and insecure passwords stored in the IT support applications.

The hidden meaning of the PCI DSS requirements is to look at your infrastructure as an interconnected system. Each element effects the security and stability of the systems as a whole. The only sustainable way to ensure each element is configured and functioning correctly is to process and review the elements together as a system. These guidelines are good guidelines for any business and we hope we can help people meet them.

I am please to announce that Windmill has been placed on the 10 Startups to Watch list.

Our focus is providing tools that solve Network/IT managers real day to day problems without creating a new drag on their time.

As a Network World reader for about 20 years, their appreciation of what we are doing is very rewarding. After our first discussion last spring, I have been following Denise Dubie’s tweets and articles. She seems to relate to the lives of Network/IT managers.

A clarification.

Our product, the Windmill Integration Manager is not a configuration management product. What we do is make existing config, performance, compliance, inventory, and asset management tools work together. We eliminate the need to update multiple management systems every time the network changes. Our ideal customer is a medium to large enterprise with several tools supporting a fairly complex network.

In short we allow operations staff to move from spending their time supporting tools to spending their time solving problems and adding services.

Last week my wife, another couple, and I went on a 4 day vacation to celebrate some birthdays. We stayed at a very nice hotel, the ladies did spa treatments, we ate some nice meals, and played some golf. We do this every October, it is a good time.

The hotel taught me two lessons.

Service was great. Every employee we came in contact with cared about our experience. They took ownership of what they were doing. Someone having pride in their job always makes me happy. My friend used to work for this hotel chain. He explained that every employee has the opportunity to make a career in the company. Every bell hop, maid, valet, everyone can work hard and rise through the company. He said that the people in the higher paying jobs all came from the lower ranks and this drives everyone to believe being better will pay off. The way people worked and cared, obviously they had bought into the idea. I hope Windmill employees will always show this level of caring. This re-enforces the idea of everyone knowing our success will be their success. Raises, stock options, taking ownership, these are the things that make service happen, not speeches or quality meetings.

The second lesson was one of value. The hotel was expensive, we knew this ahead of time and were prepared. Paying for something nice is understandable, but getting gouged for the little items puts a bad taste in your mouth. $24 for one omelet and coffee in the restaurant? $4.50 for a $1.50 bottle of water? Go ahead and charge me for the room, I can accept that. Getting stuck for an extra $100 of little over charges just turns the whole experience a bit sour. If the hotel wanted that extra $100, they should have put it into the room rate for the 4 nights instead of gouging it out of me chunk at a time. Windmill’s lesson from this is we put all of our charges into the purchase or subscription. No hidden fees, no “Oh you want to run on Xen instead of VMware, that will be extra” charges, none of that.

So what I learned on my vacation.....
Don’t have employees that do not have a good reason to care about the customers. If they have a reason to care, they will and the customers will be happier.
Hidden fees are not really hidden but are really annoying. Show customers more respect.

In the past few months I have been witnessing contradictory behavior from one of the largest players in the industry. Several people I know and highly respect have left this company very recently. These are people that no matter how complex the environment, how angry the customer, or how broken the product would find a way to have everything working and the customer happy by the time they finished. That is a hard skill to put a dollar value on but a very important one if you care about happy or repeat customers. I think over and over how Windmill can uses these people, they are too valuable to let drift away.

This same large company is working on entering into the Smart Grid market. This may be the hottest market today. The combination of being green, massive investment, and the potential of very high sales counts are drawing many moths. I am a network guy, not a power guy. I took the classes in school but that is not how I have spent the last 20 years working. I am close to several people that are very knowledgeable about modern power research and hear their stories often. Many of the current players are having problems because they may understand power very well but they do not understand the nuts and bolts of moving information about power in a stable and scalable way. This requires solid, old school, network operations knowledge.

The large unnamed company is claiming that they have both the research smarts and the network ops smarts to solve all of the problems at the same time. They are implying network ops is a critical component to a successful smart grid solution. So why have they been shedding the best people at doing this? I expect the reason is that they believe that they can always find the talent they need or create the talent they need.

Anyone that feels this way has never had to find someone to solve a problem quickly. Resumes, experience, certifications are useful but never tell you if someone will match well to both a problem and an organization.  I expect that replacing each quality person lost, will require at least 3 hires that should have had the same quality but either don’t really or just take too long to meld into the organization. To me, this makes the people you already have on staff, that already fit with the group, and have proven skills so much more valuable than nameless bodies with pretty resumes.

This increased value of current staff is part of what Windmill is trying to leverage. Instead of the hit or miss and expensive nature of seeking additional staff, get more out of the people you have. Automate everywhere you can, tools are cheap in the long run compared to head count. Make them happier by removing the drudge work. I think engineers are not just widgets to be shuffled in and out as needed. Good ones are too hard to find and bad ones are very expensive.

So what is my role in Windmill Networks?

Tuesday, I was riding back from a VMware users group meeting with Dave, our head of sales. We had gone to the meeting to listen to data center and server managers talk about their main concerns. All time spent trying to understand our users is time well spent. During the ride back we were talking about what the role was for different people in the company.

Some people write code, some people do web work, some people sell, but what is my real role. My card says CEO/CTO but what does that really mean. For us, my job is to represent you, the network/IT operations manager. I have to ensure that our product, marketing efforts, and sales materials treat you with the respect you deserve.

This is a critical point to us. Too many products have been created and sold by people that did not understand or respect the work the end users were trying to do. Software people think software is the most important thing. Sales is focused on sales. Windmill Networks was co-founded by an Ops guy. I have spent 20 years either being that person, consulting with that person, or being the “expert” to help that person.

Our goal is to make tools that improve the day to day working life of the IT and Network Ops people that use our tools. We want to bring benefits on the first day and every day following. You have many demands on your time, we want to reduce the time you spend with the care and feeding of your tools. This will free you to work on the more valuable and interesting challenges that operations people never seem to run out of.

Fred

We have been fortunate that our Windmill Integration Manager (WIM) has won an award as one of the innovative new network management products of 2009 from Network Products Guide

The award winners are an interesting list of products and I encourage everyone to give te list a look.

Each time I talk to the press, an analyst, or potential investor the same question is asked, “So who is your main competition?”

It is a valid question with an odd answer. We really do not have clear competition. We are trying something new, supplying leverage to existing resources. The main players in Network Management produce the software we assist. We make the CiscoWorks, OpenView, SolarWinds, and etc all easier to own and maintain. None of our customers are going to replace any of their existing systems or reduce licenses because they are buying our software. What is happening is they are getting more benefits from the software they already own and are looking to extend the devices they are covering with the tools. We are allowing the customer to see the value of what they have by reducing the effort to maintain. When all of the systems are current and in sync, users start to see the systems effect of 1+1+1=5. In truth, the sales team of the products in place should be trying to encourage their customers to buy the Windmill Integration Manager(WIM) because their customers will complain less and buy more licenses.

In actuality, we do have a type of competition. For Fortune 500 size companies, the large IT services consulting firms are doing some custom integrations. These are slow, expensive, and difficult to maintain. It is my belief that this firms would have happier customers if they placed WIM in the customer environment to speed their work while they focus on more business level issues.

So in my biased view, everyone wins by deploying WIM.

I am becoming very cetain the author of XKCD reads my mind.

Link

Today Windmill Networks supports Ciscoworks, HP OpenView, SolarWinds, and SecureFusion. We have firm plans to add Spectrum, enhanced Citrix support, and JUNOscope in the next release. The applications we have selected have come from a combination of our own knowledge of the market and discussions with customers.

The next wave of applications is less obvious. We have suggestions for NetMRI, OpenNMS, eHealth, various compliance applications, and some security event managers. Our architecture allows us to add application support fairly easily but not instantaneously. QA and test consume as much or more time than development but solid test is a firm requirement.

The question to the readership is what applications do you suggest? Please put your suggestions in the comments.

Thanks

Fred