For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like “identity-driven networking.” I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that the network would query the network directories to enforce some kind of access control policy based upon user properties stored in network directories. Cisco nailed the vision and was way ahead of its time.
So what’s happened since? Things were slow and spotty for a while with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X device authentication. Worm storms in 2004 led to a flurry of activity around Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) to keep “unhealthy” PCs off the network. Each of these advanced the cause, but rather than fulfill the identity-driven network vision, these were really tactical solutions.
Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don’t hear much about identity-driven networking anymore, but in point of fact, the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes to enforce policies. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPNs are now automated: no more IPsec clients, user names, or passwords; you can get to the network resources you want to from wherever you are.
A few leading examples include Cisco AnyConnect VPN, Juniper’s Pulse Client and the Funk Software RADIUS server, and Extreme Networks Identity Manager.
We are quickly moving to the service paradigm of identity management where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in “knowing” who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.
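The two paragraphs above describe the same enforcement loop: a network device learns who or what is connecting (user, device, location), consults a directory for that identity's attributes, and then prioritizes, rate limits, or blocks traffic per user and group. The following is an added illustration of that loop, not code from the original post or from any of the vendors named; the directory records, policy rules, and the `Session`, `Rule`, and `evaluate` names are constructed assumptions standing in for an LDAP/AD lookup and a switch or firewall enforcement point. It also shows two details the prose leaves implicit: the policy is deny-by-default, and a valid username presented from a device not registered to that user is blocked rather than partially trusted.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed stand-in for a directory (LDAP/AD) query: user -> groups and
# the devices registered to that user. Production code would query the directory.
DIRECTORY = {
    "alice": {"groups": {"finance", "staff"}, "devices": {"corp-laptop-01"}},
    "bob":   {"groups": {"contractors"},      "devices": {"byod-phone-07"}},
}


@dataclass(frozen=True)
class Session:
    """What the enforcement point knows about one flow (constructed fields)."""
    user: Optional[str]   # None if 802.1X/VPN authentication did not succeed
    device: str           # device identity presented at authentication time
    location: str         # where the flow entered: corp-lan, guest-wlan, vpn
    application: str      # application class the network identified


@dataclass
class Rule:
    """One policy line; an empty set for an attribute means 'any'."""
    name: str
    action: str                                    # prioritize | allow | rate-limit | block
    groups: Set[str] = field(default_factory=set)
    locations: Set[str] = field(default_factory=set)
    applications: Set[str] = field(default_factory=set)
    kbps: Optional[int] = None                     # only meaningful for rate-limit

    def matches(self, session: Session, user_groups: Set[str]) -> bool:
        return (
            (not self.groups or bool(user_groups & self.groups))
            and (not self.locations or session.location in self.locations)
            and (not self.applications or session.application in self.applications)
        )


# Ordered policy: first match wins, so restrictions are listed before grants.
POLICY = [
    Rule("erp-block-from-guest", "block", applications={"erp"}, locations={"guest-wlan"}),
    Rule("erp-priority-finance", "prioritize", groups={"finance"},
         applications={"erp"}, locations={"corp-lan", "vpn"}),
    Rule("streaming-contractors", "rate-limit", groups={"contractors"},
         applications={"streaming"}, kbps=512),
    Rule("web-all-users", "allow", groups={"staff", "contractors"}, applications={"web"}),
]


def evaluate(session: Session, directory=DIRECTORY, policy=POLICY) -> Tuple[str, str, Optional[int]]:
    """Return (action, rule_name, kbps). Anything not explicitly matched is blocked."""
    if session.user is None or session.user not in directory:
        return ("block", "default-unauthenticated", None)
    entry = directory[session.user]
    # A known user on a device not registered to them is a failed identity
    # binding, so it is blocked instead of being matched with fewer attributes.
    if session.device not in entry["devices"]:
        return ("block", "default-unregistered-device", None)
    for rule in policy:
        if rule.matches(session, entry["groups"]):
            return (rule.action, rule.name, rule.kbps)
    return ("block", "default-deny", None)


if __name__ == "__main__":
    samples = [
        Session("alice", "corp-laptop-01", "corp-lan", "erp"),
        Session("alice", "corp-laptop-01", "guest-wlan", "erp"),
        Session("bob", "byod-phone-07", "guest-wlan", "streaming"),
        Session("alice", "byod-phone-07", "corp-lan", "web"),
        Session(None, "unknown", "corp-lan", "web"),
    ]
    for s in samples:
        print(s, "->", evaluate(s))
```

Because rules are evaluated in order, the guest-WLAN block for ERP has to precede the finance prioritization rule; reversing them would not change the result here only because the prioritization rule is restricted to `corp-lan` and `vpn`, which is the kind of location attribute the post says networks can now act on.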
Tags: 802.1X, AnyConnect, Cisco, DEN, Extreme Networks, identity-driven networking, Juniper, Juniper Pulse, NAC, NAP, RADIUS, Security
The 2011 RSA Conference is only three weeks away, so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I’ve been getting lots of e-mail about what vendors will discuss at the event and I’ve also spent a bit of time perusing the conference website.
This activity leaves me a bit concerned. Why? There seems to be a tremendous focus on cloud security at this year’s event: all kinds of “voyage to the cloud” rhetoric, how security is the biggest hurdle, and a plethora of tools, technologies, and services aimed at addressing cloud security.
Now don’t get me wrong; cloud security is an important topic. There is a tremendous amount of brainpower and investment going into cloud computing. Yes, we will get to a cloud computing model over time and security is truly a stumbling block. This issue is being addressed by organizations like the Cloud Security Alliance (CSA) and NIST’s Federal Risk and Authorization Management Program (FedRAMP). My issue isn’t with the topic per se; it is with the prioritization of the topic. When ESG asked 611 European and North American IT professionals to define their top IT initiatives for 2011, 16% responded with “increase the use of cloud computing services.” This was the 12th most popular answer, well below such things as “increase use of server virtualization” (30%), “manage data growth” (24%), and “major application or deployment” (23%).
We certainly need to be proactive with cloud security, but let’s not get carried away with addressing future risks when we are swimming in so many currently. In the recently published ESG Research Report, Assessing Cyber Supply Chain Security Risks Within the US Critical Infrastructure, 68% of cyber security professionals working at critical infrastructure organizations believed that the threat landscape is worse today than it was two years ago. When the entire security community gets together at RSA, shouldn’t we be focused on why security professionals feel this way and what we can do to address this increasing threat landscape?
If I were running the show, here are some of the things I’d focus on:
I understand that security vendors want to make money and that PR and hype are a big part of the technology market. That said, we as a security industry must recognize that we aren’t selling PCs, gaming software, or disk drives. If we can’t secure our existing networks and databases, will any responsible organization ever move to cloud computing?
Tags: Cloud Computing, cloud security, cybercrime, identity management, information security, malware, RSA, Security, security controls, security management, security threats
Here is some interesting data that came out of the 2011 IT Spending Intentions report from ESG Research. In a global survey of 611 IT professionals from mid-market (i.e., 100-1000 employees) and enterprise (i.e., more than 1,000 employees) organizations, 46% of all firms reported they will increase investment in networking products and services in 2011 while 58% said they will increase investment in security products and services this year.
What I found especially intriguing is that both networking and security professionals claim that their organizations will make their most significant investments in network security over the next 12-18 months. In other words, networking AND security folks believe that network security is their highest priority. This emphasis on network security also came out with regard to infrastructure management. When IT professionals were asked which areas of infrastructure management their organizations would make the most significant investments in, the top two responses were security management (31%) and network management (29%).
What does this data mean? It’s easy to dismiss firewalls, IDS/IPS and SIEM software as mature legacy technologies. The ESG data indicates just the opposite: these venerable safeguards are going through a metamorphosis. Why? Perhaps data center consolidation and rich-media applications are driving new scaling needs. It may be that the threat landscape demands new types of safeguards. It is possible that existing network security and management tools have simply grown long in the tooth. I believe that all of these factors are driving network security upgrades and new requirements.
From an industry perspective, there is a lot of opportunity here. Some possible winners include:
Beyond these mainstream players, there is plenty of business for others like Blue Coat, Citrix, F5 Networks, and Riverbed.
Tags: application firewall, ArcSight, AXA, Blue Coat, Borderless Networks, Check Point Software, Cisco, Citrix, Crossbeam Systems, F5, Firewall, Gateway, HP, IDS, IPS, Juniper Networks, Log Logic, LogRhythm, MARS, McAfee, NetWitness, network security, Nitro Security, Palo Alto Networks, perimeter security, Q1 Labs, Riverbed, Security, Sidewinder, Sourcefire, TippingPoint, TrustSec
According to the ESG’s 2011 IT Spending Intentions survey, here are the five IT priorities for enterprise (i.e., more than 1,000 employees) and midmarket (100 to 999 employees) organizations over the next 12-18 months:
Note that the hyperbolic topic of cloud computing is conspicuously absent from the list. It does make an eventual appearance: 16% of the 611 global IT professionals surveyed responded that “increase use of cloud computing services” was a 2011 priority, making this the 12th most popular response. There may be lots of interest in cloud computing, but the top five list is composed of more immediate priorities.
Tags: business applications, Cloud Computing, data backup and recovery, data management, information security, Security, server virtualization
Ask 100 security professionals to name a weak link in the cyber security chain, and a majority will point to software vulnerabilities. This is especially true in two areas: 1) Internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns.
How vulnerable are today’s web apps? Here’s how the IBM X-Force answered this question in its 2008 Trend and Risk Report:
“Web applications in general have become the Achilles Heel of Corporate IT Security. Nearly 55% of vulnerability disclosures in 2008 affect web applications, and this number does not include custom-developed applications (only off-the-shelf packages). Seventy-four percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of the year.”
ESG Research looked further into software security in its recently published report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure” (note: this report is available for free download at the ESG website, www.enterprisestrategygroup.com). Security professionals working at critical infrastructure organizations were asked, “To the best of your knowledge, has your organization ever experienced a security incident directly related to the compromise of internally-developed software?” Alarmingly, 30% answered “yes.”
What does all this mean? IBM X-Force data clearly demonstrates an abundance of insecure web applications out in the market. ESG’s data shows that many critical infrastructure organizations are not only writing insecure code but are also being compromised as a result of these vulnerabilities. Yikes!
Insecure software is a problem that is too often swept under the rug because it isn’t easily addressed with a tactical threat management tool du jour. Yes, software security requires new skills and processes, but unless we make these changes we will continue to be vulnerable. If your lights go out sometime soon, insecure software may be to blame.
Tags: cyber supply chain, ESG, ESG Research, IBM, Security, Software Assurance, software security, Web Applications, X-Force
According to the 2011 IT Spending Survey from ESG Research, 47% of large mid-market (i.e., 500-1000 employees) and enterprise (i.e., 1000 employees or more) organizations will increase spending on networking products and services in 2011. This is about the same percentage as 2010 and up from the recession doldrums of 2009 when 37% of companies planned on increasing networking spending.
Analyzed a bit further, 50% of enterprise organizations plan on increasing networking spending as do 43% of large mid-market organizations. From an industry perspective, wholesale/retail organizations top the chart as 61% say they will increase networking spending. At the other end of the list, 41% of federal agencies plan on a network spending increase. Yes, there is a 20% gap between these extremes but 41% is still pretty good.
What type of networking technology will they spend on? Here are the top 5 priorities:
The ESG Research data indicates that 2011 should be a good year for the networking industry. With all of the data center consolidation, server virtualization, and cloud computing planning, it may get even better than we think.
Tags: ESG, ESG Research, Federal Government, IT spending, LAN, network management, network security, Networking, retail, VoIP, WAN, WAN Optimization, wholesale, WLAN
Happy New Year everyone!
In my last blog of 2010, I wrote about the multitude of opportunities for skilled security professionals. According to ESG Research, cyber security jobs should continue to grow at a healthy pace in 2011. For example:
Certainly good news for cyber security professionals seeking jobs but this could also be bad news for the overall state of cyber security. Why? Ironically (given the fact that unemployment still hovers around 10%), we will likely face a shortage of skilled cyber security professionals in 2011. This may already be happening. Leading cyber security institutions like Carnegie Mellon University, Purdue University, and Norwich University already report full placement for cyber security graduates and there is a plethora of unfilled federal cyber security jobs. Organizations located in small markets and rural areas also report difficulty in recruiting.
We will need a focus on training, federal funding, and security services in 2011 or face a growing cyber security skills deficit. If this happens, everyone will suffer.
Tags: 2011, cyber security, information security, IT, IT initiatives, IT jobs, IT spending, predictions
If you are an out-of-work IT person looking for your next challenge, I have a suggestion: Go study information security and pursue some sort of certification like a CISSP.
According to ESG Research, 22% of mid-market (i.e., 500-1000 employees) and enterprise (i.e., 1000 employees or more) organizations believe that they have a problematic shortage of information security skills within their IT organizations. Furthermore, of those organizations planning on hiring for new IT staff positions in 2011, 35% plan to hire for information security positions.
This data doesn’t surprise me one bit. Security professionals are always in demand, even during the depths of the recent global recession. Combine today’s malicious threat landscape, multiple security vulnerabilities, and IT complexity, and we need all the security help we can get.
Tags: 2011, CISSP, cyber security, information security, ISC2, IT
There’s been a lot written about WikiLeaks over the past few weeks; some of it fair and some a bit off base. No question that there was a security breach related to classified documents ending up on WikiLeaks, but it is important to dig a bit further to define what may have gone wrong.
Here are the elements of security involved and where a breakdown may have occurred:
It’s easy to point fingers at the State Department or Federal Government but any security professional can tell you that these problems are fairly pervasive. In fact, see the recent ESG Research Report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure,” for more alarming data about how vulnerable we are (the report can be downloaded at www.enterprisestrategygroup.com).
The sooner we realize and address these cyber security vulnerabilities, the better. This won’t eliminate breaches like the embarrassing WikiLeaks events, but it will lower the risk.
Tags: acceptable use policy, access control, cyber security, data classification, insider attack, principle of least privilege, Security, State Department, US Federal Government, user behavior monitoring, WikiLeaks
Despite the unseasonably cold weather, I participated in a mobile security event yesterday at the historic Willard hotel in Washington DC. I set the stage and presented a bunch of ESG Research data on mobile device use, security, and management. Other organizations presenting included the Defense Information Systems Agency (DISA), the (NRC), the US Patent and Trademark Office, and Juniper Networks.
It turns out that DISA is doing some very interesting things around mobile computing. For example, members of the US military can access an information portal called Defense Knowledge Online from their mobile phones. DISA also talked about a program called Go Mobile meant to provide numerous communications, training, and collaboration applications to mobile soldiers.
Since we are talking about the US Department of Defense, mobile device security is a critical requirement for this program so Go Mobile includes user authentication, secure data storage and transfer, secure device management, etc.
Initially Go Mobile was built for Blackberry devices but DISA is now adding support for Apple iPhones and Android phones because of high demand from users. Unfortunately, adding iPhone and Android support is more difficult than DISA anticipated. Why? Because both Apple and Google refuse to give DISA access to their security APIs so DISA had to do a series of workarounds to meet its security requirements. For example, DISA had to add an external Bluetooth device to provide secure personal networking capabilities because Apple wouldn’t provide API access to its iPhone security stack.
Hold the phone here! Apple and Google aren’t willing to provide additional technical support to the United States Department of Defense? Nope. One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to “talk to our integrators and carriers.”
I understand that Apple and Google want to control their technology. If Citi or GE asked for API access, perhaps it would make technical sense to refuse but we are talking about the Department of Defense here.
Apple and Google have a market advantage and they know it: Androids and iPhones are so popular that Apple and Google can thumb their noses at DOD. In most cases, DOD would exercise cyber supply chain security best practice and refuse to purchase insecure Androids or iPhones at all. The fact that DOD is going the extra mile and developing workarounds demonstrates that it is willing to do the right thing for American troops in spite of this lack of industry cooperation.
It seems to me that Apple and Google are making self-centered bad decisions here that won’t play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies. Providing API access to DOD is the patriotic and moral thing to do, especially since DOD is opening the door to lots of sales opportunities for both companies.
Tags: Apple, Bluetooth, cyber security, cyber supply chain security, Department of Defense, DISA, DOD, Go Mobile, Google, iPhone, Juniper Networks, mobile computing, mobile devices, Security, Android