Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Security’

Random Thoughts from the RSA Conference

Wednesday, February 16th, 2011

I’ve been in back-to-back meetings at the RSA Conference, which limits my time for blogging. Here is my brain dump for the day:

• The focus of RSA seems to be on cloud and mobile security. I get that these are hot areas with lots of marketing buzz but I have two problems here:
  1. Mobile security technology is relatively easy, but the weird triangulation between a user, an organization, and a service provider creates some interesting dynamics. Do I buy mobile security from my mobile carrier? If I do, does the corporate security group get engaged? Do I really want my company putting security software on my personal device? I’m not sure how this will be solved, but suffice it to say that this is different than my corporate PC.
  2. I understand that we have to make the cloud secure before we will really embrace this model, but let’s face it: existing IT infrastructure isn’t secure. Why aren’t we talking about securing this first?
• RSA is mostly about security products, not security. I know, it’s a money thing, but I wish we would highlight more about use cases, reference architectures, and best practices and less about the latest security widget.
• HP and IBM are way more focused on security than most people think. HP now considers security one of its five top business initiatives and IBM has created a virtual security group headed by Steve Robinson with its own P&L. Both companies can address what I call “big security” use cases like securing networked business processes, creating IT risk management best practices, or dealing with cybersecurity issues at critical infrastructure organizations. How many other security vendors at RSA can do this? Fewer than five.
• Speaking of HP, the company is talking about a vision that merges ArcSight with HP operations software for further improvements to both IT service management and security automation. Cool stuff. If this takes off, it will be the exclusive domain of a handful of companies. BMC could play, but it needs a security portfolio. CA could play but it needs a better security portfolio. Attachmate may be a wild card here with NetIQ and Novell.
• There are a number of threat reports available and most are pretty good. That said, Blue Coat Systems did a great job of presenting its web threat report yesterday. Very insightful and a worthwhile read.
• Another buzz area is virtualization security, but this one is more real to me than others. Why? Virtualization security is pretty elementary today, based mostly on physical safeguards. While vendors are announcing virtual security products, they need to focus on education before they jump into technology. ESG research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security. Until they gain this knowledge, they won’t buy security tools. Time to teach the market how to fish.
• When I think of security vendors, I almost never think of Barracuda Networks, but I have to give it credit for its manufacturing and distribution skills. Someone is buying these gateways.

More tomorrow.

Public Cloud Concerns

Monday, January 31st, 2011

Whenever IT professionals are asked about cloud computing, they say that their organization is interested but cautious. Yes, they are doing a lot of research and planning and some are using public cloud services for software development and test or publicly-facing web applications. What about mission-critical applications or private data? No way, too risky!

ESG Research recently surveyed 611 North American and European IT professionals working at mid-market (i.e., 100-1000 employees) and enterprise (i.e., more than 1000 employees) organizations and asked them questions about their IT plans for 2011 and beyond. Of those surveyed, 42% said that public cloud computing would have little to no impact on their organizations’ IT strategies over the next 5 years. When asked why, security and privacy was their primary concern but there were others as well. Here are the top 5 reasons stated:

• Data security/privacy concerns: 43%
• Feel like we are giving up too much control: 32%
• Too much invested in current IT infrastructure and staff: 32%
• Cloud computing offerings need to mature: 29%
• Satisfied with existing infrastructure and processes: 28%

Times and attitudes will change and IT professionals may indeed feel threatened by cloud computing. Nevertheless, the ESG data indicates that cloud computing hesitation goes beyond security, privacy, and compliance issues alone. These attitudes will only change with time, experience, and real metrics demonstrating cloud ROI and business benefits.

Identity and Networking

Tuesday, January 25th, 2011

For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like “identity-driven networking.” I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that the network would query the network directories to enforce some kind of access control policy based upon user properties stored in network directories. Cisco nailed the vision and was way ahead of its time.

So what’s happened since? Things were slow and spotty for a while with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X device authentication. Worm storms in 2004 led to a flurry of activity around Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) to keep “unhealthy” PCs off the network. Each of these advanced the cause, but rather than fulfill the identity-driven network vision, these were really tactical solutions.

Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don’t hear much about identity-driven networking anymore–but in point of fact, the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes to enforce policies. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPNs are now automated: no more IPSec clients, user names, or passwords; you can get to the network resources you want to from wherever you are.

A few leading examples include Cisco AnyConnect VPN, Juniper’s Pulse Client and the Funk Software RADIUS server, and Extreme Networks Identity Manager.

We are quickly moving to the service paradigm of identity management where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in “knowing” who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.

Attention RSA Conference: Let’s Not Dwell on Cloud Security!

Monday, January 24th, 2011

The 2011 RSA Conference is only three weeks away, so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I’ve been getting lots of e-mail about what vendors will discuss at the event and I’ve also spent a bit of time perusing the conference website.

This activity leaves me a bit concerned. Why? There seems to be a tremendous focus on cloud security at this year’s event: all kinds of “voyage to the cloud” rhetoric, how security is the biggest hurdle, and a plethora of tools, technologies, and services aimed at addressing cloud security.

Now don’t get me wrong; cloud security is an important topic. There is a tremendous amount of brainpower and investment going into cloud computing. Yes, we will get to a cloud computing model over time and security is truly a stumbling block. This issue is being addressed by organizations like the Cloud Security Alliance (CSA) and NIST’s Federal Risk and Authorization Management Program (FedRAMP). My issue isn’t with the topic per se; it is with the prioritization of the topic. When ESG asked 611 European and North American IT professionals to define their top IT initiatives for 2011, 16% responded with “increase the use of cloud computing services.” This was the 12th most popular answer, well below such things as “increase use of server virtualization” (30%), “manage data growth” (24%), and “major application or deployment” (23%).

We certainly need to be proactive with cloud security, but let’s not get carried away with addressing future risks when we are swimming in so many currently. In the recently published ESG Research Report, Assessing Cyber Supply Chain Security Risks Within the US Critical Infrastructure, 68% of cyber security professionals working at critical infrastructure organizations believed that the threat landscape is worse today than it was two years ago. When the entire security community gets together at RSA, shouldn’t we be focused on why security professionals feel this way and what we can do to address this increasing threat landscape?

If I were running the show, here are some of the things I’d focus on:

1. Sophisticated and evolving threats. We all need a better understanding of our adversaries–who they are, what they do, and how they think. A new piece of malware is created every 1.5 seconds. Shouldn’t we dedicate security brainpower to this real problem?
2. Creating, monitoring, and enforcing security controls. The security industry is too hung up on products. We need more discussion on sound policies, processes, and controls–not just the latest threat management widget du jour.
3. Security management. Closely related to number two, we need better ways of collecting, analyzing, and reacting to an avalanche of IT data.
4. Identity. This issue gets more dicey each year. We need to talk more about the people and devices that interact in cyberspace and how to better control these relationships.

I understand that security vendors want to make money and that PR and hype are a big part of the technology market. That said, we as a security industry must recognize that we aren’t selling PCs, gaming software, or disk drives. If we can’t secure our existing networks and databases, will any responsible organization ever move to cloud computing?

Big Network Security Investments – And Market Opportunities – Ahead

Thursday, January 20th, 2011

Here is some interesting data that came out of the 2011 IT Spending Intentions report from ESG Research. In a global survey of 611 IT professionals from mid-market (i.e., 100-1000 employees) and enterprise (i.e., more than 1,000 employees) organizations, 46% of all firms reported they will increase investment in networking products and services in 2011 while 58% said they will increase investment in security products and services this year.

What I found especially intriguing is that both networking and security professionals claim that their organizations will make their most significant investments in network security over the next 12-18 months. In other words, networking AND security folks believe that network security is their highest priority. This emphasis on network security also came out with regard to infrastructure management. When IT professionals were asked which areas of infrastructure management their organizations would make the most significant investments in, the top two responses were security management (31%) and network management (29%).

What does this data mean? It’s easy to dismiss firewalls, IDS/IPS and SIEM software as mature legacy technologies. The ESG data indicates just the opposite–these venerable safeguards are going through a metamorphosis. Why? Perhaps data center consolidation and rich-media applications are driving new scaling needs. It may be that the threat landscape demands new types of safeguards. It is possible that existing network security and management tools have simply grown long in the tooth. I believe that all of these factors are driving network security upgrades and new requirements.

From an industry perspective, there is a lot of opportunity here. Some possible winners include:

• Cisco. Cisco always gets its share of the pie but the ESG data indicates a better than usual opportunity for Cisco initiatives like TrustSec and Borderless Networks. Cisco is also back in the high-end with its ASA 5585-X.
• Crossbeam/Check Point and Juniper. These companies lead in large enterprise perimeter security–a nice place to be with data center consolidation, wireless carriers, and cloud computing investments galore. Crossbeam and Check Point work well together but Crossbeam is building its multi-platform status with relationships with other leaders like McAfee as well.
• HP. HP paid a lot for ArcSight but the ESG data shows that the timing may be fortuitous. HP is also re-investing in TippingPoint after the company’s on-again-off-again relationship with 3Com. HP should look at acquiring as a complement to ArcSight in the federal and large enterprise space.
• Sourcefire. When is someone (perhaps HP) going to buy this successful firm? Should be another good year for Sourcefire both inside and outside the federal market.
• McAfee. Killing it with IPS/IDS and has something up its sleeve with Sidewinder integration. The ESG data indicates that the market is ready for new solutions so the timing may be perfect for a new visionary offering.
• The App firewall crowd. Palo Alto leads here but I keep hearing that its acquisition price is too rich for anyone. Better hurry as Check Point, Juniper, and others are catching up quickly.
• Other SIEM vendors. Many organizations will be upgrading old SIEM systems or migrating away from Cisco MARS. Good opportunity for upstarts like LogLogic, LogRhythm, NitroSecurity, and Q1 Labs.

Beyond these mainstream players, there is plenty of business for others like Blue Coat, Citrix, F5 Networks, and Riverbed.

Top IT Priorities for 2011

Thursday, January 13th, 2011

According to the ESG’s 2011 IT Spending Intentions survey, here are the five IT priorities for enterprise (i.e., more than 1,000 employees) and midmarket (100 to 999 employees) organizations over the next 12-18 months:

• 30% Increase use of server virtualization
• 24% Manage data growth
• 24% Information security initiatives
• 23% Major application deployments or upgrades
• 22% Improve data backup and recovery

Note that the hyperbolic topic of cloud computing is conspicuously absent from the list. It does make an eventual appearance: 16% of the 611 global IT professionals surveyed responded that “increase use of cloud computing services” was a 2011 priority, making this the 12th most popular response. There may be lots of interest in cloud computing, but the top five list is composed of more immediate priorities.

Homegrown Software is Not Secure

Tuesday, January 11th, 2011

Ask 100 security professionals to name a weak link in the cyber security chain, and a majority will point to software vulnerabilities. This is especially true in two areas: 1) Internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns.

How vulnerable are today’s web apps? Here’s how the IBM X-Force answered this question in its 2008 Trend and Risk Report:

“Web applications in general have become the Achilles Heel of Corporate IT Security. Nearly 55% of vulnerability disclosures in 2008 affect web applications, and this number does not include custom-developed applications (only off-the-shelf packages). Seventy-four percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of the year.”

ESG Research looked further into software security in its recently published report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure” (note: this report is available for free download at the ESG website, www.enterprisestrategygroup.com). Security professionals working at critical infrastructure organizations were asked, “To the best of your knowledge, has your organization ever experienced a security incident directly related to the compromise of internally-developed software?” Alarmingly, 30% answered “yes.”

What does all this mean? IBM X-Force data clearly demonstrates an abundance of insecure web applications out in the market. ESG’s data shows that many critical infrastructure organizations are not only writing insecure code but are also being compromised as a result of these vulnerabilities. Yikes!

Insecure software is a problem that is too often swept under the rug because it isn’t easily addressed with a tactical threat management tool du jour. Yes, software security requires new skills and processes but unless we make these changes we will continue to be vulnerable. If your lights go out sometime soon, insecure software may be to blame.

WikiLeaks and Cyber Security

Thursday, December 16th, 2010

There’s been a lot written about WikiLeaks over the past few weeks–some of it fair and some a bit off base. No question that there was a security breach related to classified documents ending up on WikiLeaks but it is important to dig a bit further to define what may have gone wrong.

Here are the elements of security involved and where a breakdown may have occurred:

1. Data classification. Every organization creates a lot of data but not all data has the same value. To distinguish between pedestrian and top secret data, many organizations employ some type of taxonomy for data classification. This should create a hierarchy of data, from public to top secret, where each type of data has different access policies and security controls. This is what should happen but it often doesn’t. In a 2009 ESG Research survey, 33% of the security professionals surveyed rated their enterprise organization as either “fair” or “poor” at classifying and tracking confidential data. The point here is that most organizations have sensitive data around that is not treated as such.
2. Access control. Access to sensitive data should adhere to the principle of least privilege which means that the data should only be accessible by users who need to see it to do their jobs. Easier said than done. If data is too restricted, workers complain, and there is a general feeling that data visibility leads to creativity and productivity. It is likely that people who shouldn’t have had access to the WikiLeaks documents did.
3. Acceptable use policy. These policies define what employees can and can’t do with sensitive data. Everyone has them but few organizations make sure that users read them, understand them, and know the ramifications of a policy violation.
4. User behavior monitoring. I know this one sounds Orwellian and to some extent it is but there has to be an audit trail indicating who accessed which sensitive documents. Some organizations go further and either restrict what users can do with these documents (i.e., digital rights management or enterprise rights management), or at least monitor what they actually do when they access sensitive documents (i.e., email them, print them, save them to a USB drive, etc.). Again, this isn’t easy to do and in my opinion many organizations either don’t monitor user behavior at all or don’t do it very well.
5. Insider attacks. Most large organizations have their fair share of alienated employees willing to expose or steal sensitive data. This is especially problematic if these malcontents work in IT or have especially high security privileges. Obviously, the problem gets worse if alienated employees work at organizations with poor security controls, weak policies, AND lots of sensitive data.
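How the classification hierarchy (item 1), least-privilege access (item 2), the audit trail (item 4) and a basic bulk-access check for the insider case (item 5) fit together, as an added illustration that is not part of the original post; the classification labels, compartments, users, documents and the flagging threshold are all hypothetical and constructed for the example.

```python
"""Added example: classification-aware, need-to-know access checks with an
audit trail and a simple bulk-read detector. All names and values are hypothetical."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Classification hierarchy, lowest to highest sensitivity (hypothetical labels)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}


@dataclass
class Document:
    doc_id: str
    level: str
    compartment: Optional[str]  # need-to-know tag; None means no restriction


@dataclass
class User:
    name: str
    clearance: str
    compartments: set


@dataclass
class AccessMonitor:
    audit: list = field(default_factory=list)  # (user, doc, level, allowed)

    def check(self, user: User, doc: Document) -> bool:
        """Least privilege: the user's clearance must dominate the label AND the
        user must hold the document's compartment. Every decision is logged,
        denied attempts included, so the audit trail answers 'who touched what'."""
        cleared = LEVELS[user.clearance] >= LEVELS[doc.level]
        need_to_know = doc.compartment is None or doc.compartment in user.compartments
        allowed = cleared and need_to_know
        self.audit.append((user.name, doc.doc_id, doc.level, allowed))
        return allowed

    def bulk_readers(self, min_level: str = "confidential", threshold: int = 3) -> dict:
        """Flag users whose successful reads of sensitive documents reach the
        threshold; a crude behaviour signal for the insider case (hypothetical)."""
        counts = Counter(user for user, _, level, ok in self.audit
                         if ok and LEVELS[level] >= LEVELS[min_level])
        return {user: n for user, n in counts.items() if n >= threshold}


def demo():
    """Constructed scenario: alice pulls every cable she is cleared for, plus one
    she is not; bob reads a single top-secret memo he legitimately needs."""
    mon = AccessMonitor()
    alice = User("alice", "confidential", {"embassy-eu"})
    bob = User("bob", "top_secret", {"embassy-eu", "embassy-asia"})
    cables = [Document(f"cable-{i}", "confidential", "embassy-eu") for i in range(4)]
    memo = Document("memo-1", "top_secret", "embassy-asia")
    release = Document("press-1", "public", None)
    alice_results = [mon.check(alice, d) for d in cables + [memo, release]]
    bob_results = [mon.check(bob, memo)]
    return alice_results, bob_results, mon.bulk_readers(), len(mon.audit)


if __name__ == "__main__":
    print(demo())
```

The denied read of memo-1 stays in the audit trail, and only alice crosses the bulk-read threshold even though bob holds the higher clearance.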

It’s easy to point fingers at the State Department or Federal Government but any security professional can tell you that these problems are fairly pervasive. In fact, see the recent ESG Research Report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure,” for more alarming data about how vulnerable we are (the report can be downloaded at www.enterprisestrategygroup.com).

The sooner we realize and address these cyber security vulnerabilities, the better. This won’t eliminate breaches like the embarrassing WikiLeaks events, but it will lower the risk.

© 2011 Enterprise Strategy Group, Milford, MA 01757