A refrain often voiced by experts over the course of 2002 about the state of infosecurity went something like this: "We're certainly better off than we were two or three years ago." But, this was frequently followed up with a qualification: "We still have a long way to go."
While the expected boon in the IT security industry after 9/11 has been slow in coming, it is on its way. Although research from Giga Information Group, Inc. shows that 2003 infosec budgets will largely mirror those of 2002, many companies are projecting mid-year rises in IT security-related spending as the business need for it grows more obvious.
Mike Rasmussen, director of research for Giga's Information Security Group, says that much momentum in infosec spending will be made in spaces such as security event management, compliance management, security configuration, password and patch management, as well as identity management. Also, while buy-up in network intrusion management stagnated somewhat in 2002, he expects a renewed interest in this area, but for hardware appliances - not software solutions. A similar desire for hardware-based solutions in the application firewall space will crop up as well, he says.
Overall, spending on IT security and business continuity solutions is expected to skyrocket to $155 billion in 2006, up from $66 billion in 2001, according to International Data Corporation (IDC). Companies will share out their money on information security, business continuity and infrastructure solutions, the research shows.
Other IDC findings indicate that among traditional security solutions, such as anti-virus, firewall software and firewall appliances, PKI and identity management tools are becoming the hot tickets in Europe. The drivers for increasing interest in infosec in North America, meanwhile, seem an amalgam of more frequent internet use, securing applications exposed in web services environments, privacy/security mandates set forth by government, and reactions to security breaches.
"Despite the economic environment, the prospects for security technologies are optimistic," Lucie Draper, program manager for enterprise technology trends research at IDC, noted in a recent news release. "Financial losses are virtually certain if there are failing security standards, so it makes sense for companies to maximize their opportunity and not wait until the market rebounds to procure these technologies."
In addition to the technologies to protect against viruses or to secure customer-facing applications and the perimeter, there are other security solutions that executives might want to be mindful of in 2003. In this year's look at Technologies to Watch, analysts, independent consultants and a venture capitalist provide their insight on what the hottest infosecurity tools will be and provide some words of advice on where planning, people and processes come into play within a corporation's overall infosecurity infrastructure.
Can't live without intrusion detection, says Bob Lanadier
It's fun to predict the future of intrusion detection given that unfortunately, today's intrusion detection system (IDS) is a technology that everyone loves to hate. Market and technology drivers are key to IDS evolution, but existing IDS imperatives will shape development over the next two years. Don't look for standalone solutions then; they will have to be integrated in order to work effectively. The question is integrated with what?
The primary market drivers for IDS products and services are threefold: increased network complexity fueled by the demand for increased connectivity among computer systems, performance requirements as bandwidth costs continue to fall, and the proliferation of 'hack in a box' technology that makes developing next generation exploits that much easier.
The technology drivers are new detection and correlation algorithms, performance improvements, and the proliferation of alternate intrusion data sources, including desktop anti-virus and personal firewalls.
IDS is already suffering from too much data and not enough information - more features are not going to help. So, simplify, simplify and simplify. Personal firewalls are effective because their controls are very simple to use. IDS needs to be designed such that any idiot can install, configure and operate it because sooner or later any idiot will install, configure and operate it.
Intrusion detection will still be needed even after effective intrusion prevention. You'll still need someone to watch the bank vault, no matter how difficult it is to break into. And don't even think about asking an IDS system to prevent an attack; it is like arming your security cameras with tear gas. Both serve a valuable role, but combining them in one product makes little sense.
Here are three future scenarios:
1. IDS becomes part of the network operating system. The network
needs to get a lot smarter before it can act as both traffic cop
and early warning system.
2. IDS gets embedded in the host operating system. The concept of
a secure perimeter vanishes as the operating system and the
application take responsibility for identifying and isolating any
threats to the system.
3. IDS joins with the device management and control. In this
scenario each network element (including security devices) has
its own detection and reporting capabilities that provide
information to a central repository that monitors not only network
health but also security.
Bob Lonadier is president of RCL & Associates
People and design matter too, says Jonathan Gossels
Sometimes I think we suffer from tool-induced myopia. Too often when we focus on tools, we lose sight of the fundamentals. Tools, although critical, are only a part of an effective security solution. Equally impo rtant are:
Developing an overall security design based on the principle of defense-in-depth that includes both prevention and detection capabilities.
Creating a coherent framework for the people side of the equation - specifically, business-appropriate policies, procedures, programs, and controls Understanding the big picture. Security problems often occur along organizational boundaries. It is vital to look across organizational fault lines and assess the security of an application or environment end-to-end Nothing is more fundamental than good design. In security, good design rests on the premise that things can and do go wrong. Consequently, a defense-in-depth approach is required. Each layer, from the network through the application, plays a part and cannot be ignored. It is important to maintain a healthy skepticism; a false sense of strong security is often worse than acknowledging weak security and dealing with it.
People and processes play just as critical a role. Your tools are only as effective as the people who support them and the processes those people follow. Without strict processes in place to control, record and test changes in your environment configurations, your tools may not be protecting your assets as you expect.
Similarly, the best security tools and technologies provide no value if they are not properly deployed and operated correctly.
People, processes and tools come together when you develop new applications. Application developers should not only be encouraged to use secure authentication, authorization and encryption technology to protect your applications, they should be given guidance in how to use these technologies consistently. Too many times we've seen one application undermine the security of another because the devel oper did not know what security mechanism should be used.
As you plan your security initiatives for 2003, which will certainly involve tools and technologies, tackle these projects skeptically, with a defense-in-depth mindset and with a full appre ciation for the policies, procedures, programs and controls you will need to ensure that the tools deliver the sec urity you need.
Jonathan Gossels is president of SystemExperts Corporation
Security event correlation is critical, says Jason Wright
In 2001 I forecast healthy growth in the IP VPN market. This market has continued to expand, with quantifiable ROIs over other remote access alternatives. Midway through 2002, vendors and end-users alike began to realize the vulnerabilities associated with insecure remote access points (roaming laptops for example) accessing the corporate network via IP VPNs.
Vendors have emerged with partnerships and centralized management servers that enforce policy before and during a session establishment. With major product developments early in 2002, we can expect to see healthy growth in this market to secure remote access VPN throughout 2003.
The PC firewall is one of the few technologies that addresses both business and consumer markets. In 2003, expect increased reseller agreements with ISPs to offer PC firewall technology to consumers and small businesses.
Another technology to be on the lookout for this year solves the biggest problem of large-enterprise, scaled, multi-vendor, multi-device environments: correlation. While the management consoles that are usually sold with devices significantly reduce the amount of information that administrators must read through, they provide no insight as to how the events of one piece of equipment relate to the events from another.
Security event correlation managers are able to receive traffic feeds from multiple types and brands of equipment, normalize the traffic, then analyze the events to understand how they relate to one another. The result is a significantly simplified and insightful view of security events.
The vendors of this equipment have also integrated management capabilities into the event correlation consoles, allowing administrators to make central rule changes and policy configurations. The trick is to develop the ability to read from and send commands to many types of equipment. Toward the end of 2003 this technology will begin to command significant attention.
Jason Wright is an industry analyst for Frost & Sullivan
What comes next for IT security: an investor's view
Unable to show an exciting ROI, security struggles to make it to the top of the priority list, writes Magdalena Yesil. But, the security industry is about to enter a new phase, driven by factors such as the need to secure the enterprise from within and increased line speeds in corporate networks.
Over the last five years, the security industry has been highly successful in protecting the perimeter of the corporation. Yet it is a well-known fact that over 60 percent of security breaches originate within the corporation. Accordingly, the internal security breach, posing the largest threat, should be the top-of-mind issue for CIOs. The question remains, "What security solutions have the most promise in terms of return on investment potential?"
The biggest challenge facing CIOs and chief security officers in supervising application security is that, by definition, application security is application specific and difficult to implement on a corporate-wide basis. In today's world of web services, XML and SOAP, it is difficult to determine where the application resides and where the security checkpoints should be posted. As a result, web services is an area with plenty of opportunities.
It's not all software
Today, with increased line speeds, hardware security is being resurrected. Specialized microprocessors, known as security appliances, will replace software-only solutions in the next decade. Security is no longer a standalone topic for the CIO, but rather integral in a complete enterprise networking solution.
Processing has become a major bottleneck for software-only security solutions. Table lookups, which are typically database driven, are no longer efficient solutions to security issues. Why are general-purpose microprocessors, such as the Power PC and MIPS processors, incapable of efficiently processing security issues? It all relates to line speed. General-purpose processors tend to be burdened by too much overhead and cannot maintain swift performance when dealt the additional task of security processing. Therefore, we expect to see a proliferation of processor companies dedicated to bringing security-oriented chips to market.
Magdalena Yesil is general partner with U.S. Venture Partners (www.usvp.com)