This year, we took a look in the rearview mirror and observed a lot of convergence, but despite this trend interesting companies still flourish, says Peter Stephenson, technology editor.

This year our biggest product category was access control. This seems right because as the enterprise morphs into a ubiquitous environment - with few if any borders - there needs to be a way to control who can access it and who cannot. With such challenges as cloud computing and SaaS, that is a bigger job than it may appear on the surface. In fact, it is a bigger job than last year.

This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.

What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?

Start with the recognition that identity management is just too hard to do, cre­ate a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.

Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.

Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a num­ber of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.

This category is my personal favorite because it touches on the types of tools we use in the lab. These tools cover a lot of territory - from vulnerability analysis to forensic tools. Even within a category, such as forensic tools, we see some splits that we have needed to extract as product types in themselves. For example, many, including me, view SIEM as a network forensic tool and, as such, we might put it in the forensics subcategory. Not so here, though. Here we give it its own subcategory.

Sometimes you run across a company that just deserves to be selected as an innova­tor. You look them over and won­der why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.

ArcSight gets a lot of play among security experts in the security event management (SEM)/security information manager (SIM) game.

How do you differentiate a product that keeps getting mixed up with a commod­itized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?

I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environ­ment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.

When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.

One might view this traditional category as slowly fading from view as the perimeter becomes fuzzier and fuzzier. In fact, there are an ample number of pundits who opine exactly that. But if we ask our innovators about the loss of the perimeter, they will tell you that there are always new perimeters. It's not that the perimeter is disappearing, they say. It's that its nature is changing.

I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.

No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.

The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.

So far, we have been concerned with tools that manage security and move information around. This category addresses the data itself. Data is, after all, the reason we implement security in the first place. Protecting the infrastructure and protecting the data both are necessary to ensure that our valuable information is not compromised.

Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.

If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."

Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. There are a lot of problems, of course. They cost more to buy and manage, they use more power and they need a sophisticated staff to manage them.

Our last category this year is the one that ties everything together: security infrastructure. Here we are talking about those things that support all of the other bits and pieces of security architecture. Just like network infrastructure, security is, essentially, the platform on which everything else rests.

And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.

All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.

The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"