Nemertes Issue Papers
Nemertes Issue Papers deliver our groundbreaking research and actionable recommendations on emerging IT topics.
Clients may click on any of the links below to access Issue Papers.
Non-clients: Please contact us for information on obtaining access to Nemertes Issue Papers.
Click on the titles below to read the complete Issue Paper
- e-Discovery + ESI = e-Challenges - Fall 2008
- Ensuring Customer Loyalty - Fall 2008
- The 10 Commandments of Data Center Design - September 2008
- The Business of Reselling IP Telephony - September 2008
- The Three-Tiered WAN Architecture - August 2008
- Green IT: Saving Money, Saving the World-or Both? - July 2008
- Defining the "U" in UTM: Unified, Ubiquitous or Useless? - June 2008
- Hijacking the Enterprise Services Bus - June 2008
- Security as a Process - May 2008
- New Suit of Armor: Securing the New Data Center - April 2008
- The Center is Everywhere - April 2008
- The Path to Continuous Compliance Management - April 2008
- Not an End in Itself: Information Protection and Return on Risk - April 2008
- Information Risk Management in the Enterprise - April 2008
- Virtualization Risk Analysis - February 2008
- Virtualization Best Practices - February 2008
- Next-Generation Unified Messaging - January 2008
- Reaching Out to Protect Within: Comparing and Contrasting ISO and NIST Information Security Standards - 2008
- VOIP Security - December 2007
- Chief Risk Officer - Balancing Risk & Reward - December 2007
- Next Generation Computing Strategies - December 2007
- The ROI of IP Telephony Management - December 2007
- Managing the Virtual Workplace - November 2007
- Virtual Insecurity - November 2007
- Implementing Mobility for your Business - October 2007
- Empowering Branch & Virtual Workers - October 2007
- Branch Office Best Practices - September 2007
- The Business Case for Collaboration - September 2007
- VOIP Trends and Directions - August 2007
- Network Services and The New DataCenter - August 2007
- Leveraging Convergence for Collaboration - July 2007
- The Cost of Communications - July 2007
- Unified Communications - July 2007
- Data Center I/O Consolidation - June 2007
- VOIP Business Case - May 2007
- Unified Communications - Real-Time Communications Concepts and Business Applications - April 2007
- Web Optimization: Improving Application Performance from Within the Data Center - April 2007
- Hard and Fast Rules - Firewall Appliances and the Data Center - April 2007
- Securing Virtualized Infrastructure - March 2007
- Unified Communications In The Contact Center - December 2006
- Peer-to-Peer and Grid Next-Generation Architecture - December 2006
- The Business Case For Management - December 2006
- Open Source VOIP - December 2006
- Extreme Availability - December 2006
- Securing Critical Applications and Databases: A Layered Approach - September 2006
- IP Address Management And Securing The IP Infrastructure - August 2006
- Successfully Managing Mergers and Acquisitions - August 2006
- MPLS: What, Where, Who, Why? - August 2006
- Turning Technology Into Value - May 2006
- Collaborative Tools: Enabling Real-World Productivity Gains - May 2006
- Hosted VOIP: Rx For Branch Offices - April 2006
- Making the Most of Your VoIP Deployment: Organizational Best Practices - April 2006
- Remote Offices And The Rise Of The Virtual Worker - April 2006
- Hijacking The Enterprise Service Bus - March 2006
Nemertes Issue Paper: e-Discovery + ESI = e-Challenges
Overview:
Nemertes Issue Brief: Building the Nimble SMB
Overview:
Nemertes Issue Paper: Ensuring Customer Loyalty
Overview:
Nemertes Issue Brief: Operating VOIP Effectively
Overview:
Nemertes Issue Brief: Top VOIP Picks for Small Businesses
Overview:
Nemertes Issue Brief: SMB Mobility Trends
Overview:
Nemertes Issue Brief: UCC Professional Service Trends for SMBs
Overview:
Nemertes Issue Brief: Leveraging Unified Communications for Fun and Profit
Overview:
Nemertes Issue Brief: SOA, SaaS and SMBs
Overview:
Nemertes Issue Paper: Building the SMB WAN
Overview:
Nemertes Issue Paper: SOA Business Case for SMBs
Overview:
The shift to service-oriented architectures (SOA)—loosely coupled constellations of collaborating software components—is under way, with most enterprises in Nemertes’ Service Oriented Architectures and Applications benchmark already deploying at least a pilot SOA, and a few running full-blown SOA implementations.
Nemertes Issue Paper: The 10 Commandments of Data Center Design
Overview:
Nemertes Issue Paper: The Business of Reselling IP Telephony
Overview:
Nemertes Issue Paper: The Three-Tiered WAN Architecture
The Issue:
Nemertes Issue Paper: Green IT: Saving Money, Saving the World-or Both?
The Issue:
Nemertes Issue Paper: Defining the “U” in UTM: Unified, Ubiquitous or Useless?
The Issue:
The challenge today is that IT is accelerating, putting the CSO
between a rock and a hard place. On the one hand he or she must uphold
corporate policies and manage security and compliance. On the other
hand, the CSO cannot be seen as business prevention; security cannot be
the big red stop button on the IT assembly line. Simultaneous with IT
acceleration, an evolution is occurring in the security realm, defined
by unified threat management (UTM). Sitting at the confluence of
security and networking, UTM is evolving from a simple consolidation
value proposition to a ubiquitous solution that holds the potential to
provide the CSO with the tools to meet the corporate risk tolerance
while fully supporting the agility goals of the business.
Threat Management Must Evolve
From Nemertes’ conversations with IT executives, we know that
security can be both business enablement and business prevention. For
example, two-thirds of organizations that participated in Nemertes’
Security and Information Protection (Sec-IP) benchmark have avoided a
new technology because of security concerns. Our research also
indicates that CSOs are mostly successful in implementing security:
nearly 95% of participants in Security and Information Protection
(Sec-IP) consider their security efforts successful. (Please see Figure
1: Rating of Security Success, Page 2). Yet at the same time, nearly
35% of participants have had a security breach in the past year. This
tells us that security, and threat management in particular, still
leaves much room for improvement.
Read this Issue Paper:
Nemertes Issue Paper: Hijacking the Enterprise Services Bus
The Issue:
Network vendors have, for some years, been surveying the landscape,
looking for new worlds to conquer as supplying connectivity per se has become
more and more a commodity game. First they built core network‐related
functionality, such as IP‐address assignment and DNS service, into their gear
(although many, if not most, shops still use servers for these functions). Then
they offered security functionality, first filling in gaps that server and desktop
vendors left between their own security functionality; year by year offering more
and moving gradually to supplant or compete with server and desktop security
functions. They began to offer bandwidth optimization, followed some years
later by application acceleration, most recently incarnated as the specific
acceleration for file sharing known as WAFS (wide‐area file services). They
branched into voice and video over IP, and then into collaborative applications
with voice and video built in.
Now, Cisco specifically is moving further “up the stack” and into the
realm of enterprise messaging, specifically into the business of managing XML
message traffic among nodes – not just speeding up XML traffic (which many
vendors do) through compression and the like, but actually taking on the
message routing and transformation functions of traditional messaging
middleware. Other network vendors may follow Cisco’s lead, as they often
have in the past – and some non‐network companies, like IBM and Intel, have
ventured into the converged space via acquisition of messaging appliance
companies (DataPower and Sarvega, respectively). But how should network
vendors approach this market, now that they are competing against major
software vendors and outside the traditional network space?
Clients: Read this Issue Paper
Non Clients: Nemertes Issue Papers are available to clients only.
If you're not a client and would like to receive a copy of the Issue Paper, please contact us.
Nemertes Issue Paper: Security as a Process
The Issue:
IT security staff, faced with the challenge of securing the inevitable flux in
their infrastructure, are usually stuck in reactive mode. They react – to systems
upgrades, mergers, and acquisitions; to the re-centralization of most IT function
into data centers and the consolidation of data centers; and to the spread of all
sizes and kinds of organizations over ever more space as a result of the
continuing 9 to 11% growth in the number of branch offices. Proactive security –
helping plan and execute security changes to enable adoption of new tools and
technologies – falls by the wayside.
IT security is set up to prevent and react to security problems, not to set
acceptable levels of risk. Significant increases in risk are traditionally viewed as
automatically “bad”. Given the difficulty of securing the complex interfaces
among different architectures, silos, and generations of technology, optional
changes and elective complexity are resisted if not simple to secure. How then
can IT security shift from a reactive to a proactive position?
One action security teams and IT are increasingly taking to reduce
risk and manage complexity is setting policies to guide ongoing operations. By
defining policy, one can lay out more secure operational modes for everyone and
make dealing with complex infrastructures less a matter of individual memory,
capacity, and preference, and more a matter of documented practice.
Nemertes Issue Paper: New Suit of Armor: Securing the Data Center
The Issue:
Major tectonic shifts in the way enterprises work with and provision their
core applications are forcing changes in the way the enterprise has to think about
securing them.
One shift is the continuing opening of the enterprise, with the gradual
federation and interpenetration of IT systems between an enterprise and its
partners, customers, and suppliers. The figurative walls of the data center are
being filled with doors, windows, and access ducts, and now serve more as a
framework for structuring the flow of information than as a barrier to it.
Another shift is the rise of service-oriented architectures (SOAs).
Enterprises are looking to SOA to provide an integration method for their
applications, a development methodology and framework, and an overall
architecture and philosophy for deploying new functionality. As enterprise
applications gain services interfaces, and sometimes are actually atomized and
turned into constellations of loosely-coupled services, each service creates on the
network a new set of access points; perhaps tens or hundreds of times as many as
there were before. Things that used to happen within an application, on a single
server, become network traffic among servers and even among data centers.
Some formerly internal functions even become invocations across the Internet of
software-as-a-service (SaaS) packages, or services in partner or supplier data
centers. Moreover, components in a SOA can scale independently of each other:
new instances of an application running on a Java application server might be
created to handle peak loads, and then destroyed as the load subsides.
Read this Issue Paper:
Clients: New Suit of Armor: Securing the Data Center
Nemertes Issue Paper: The Center is Everywhere
The Issue:
The very essence of “work” is changing. All across the world, but even
more so in the U.S., society is changing the definitions of “work” and “office”. As
communications and connectivity become more powerful and ever more widely
available, work has become less and less a place and more an activity which takes
place anywhere. In the last 4 years Nemertes Research has tracked the number of
employees working away from their company headquarters. That number has
gradually trended up, exceeding 90% in 2006. Today, branch office and mobile
workers dominate, and knowledge workers are increasingly mobile, operating out
of home offices, hotel rooms, airport lounges, coffee shops and taxis. As their
work habits have changed through enabling communications technologies, they
have in turn pushed adoption of those technologies by their companies: laptops,
wireless Ethernet, smart phones, and web applications.
Large companies have gradually shifted more and more of their critical
applications to the web. Through a web browser, the same application can be
delivered to a desktop, a laptop, a phone, regardless of location, operating system
or (mostly) browser. This “webification” of applications has become a catalyst for
further mobility and fluidity of the workforce.
Read this Issue Paper:
Clients - The Center is Everywhere
Non clients: Nemertes Issue Papers are available to clients only. If you're not a
client and would like to receive a copy of the Issue Paper, please
contact us.
Nemertes Issue Paper: The Path to Continuous Compliance Management
The Issue:
As the role of the CSO shifts from technical security expert to risk
mediator, manager and advisor, compliance is rapidly becoming the domain of
the CSO. In this role, the CSO is faced with the continual tug-of-war in the
corporation between legal, business and IT. To make matters worse, the CSO –
as Chief Risk Officer – is put in the position of keeping the company out of
trouble, without having any control over the direction of the company, or the
actions of IT, business and legal. The only way that the CSO can affect risk and
manage risk is through implementation of a strong compliance management
process. Compliance management is the heart of governance and risk
management and as such, it’s the main tool in the CSO tool box.
Compliance is a complex issue and it requires a unique combination of
technical, legal, business and management skills. Compliance itself requires
solving the equivalent of a multi-variable equation: regulations, control
frameworks and change. To achieve continuous compliance management, CSOs
must implement tools and processes that automate and streamline the
compliance management process. The first step is implementation of logging,
eventually culminating in the establishment of a continuous compliance
management solution that not only reports on what has happened, but
implements triggers, monitors and controls to prevent what is going to happen.
Read this Issue Paper:
Nemertes Issue Paper: Not an End In Itself: Information Protection and Return on Risk
The Issue:
Information protection is one of the core disciplines of Information
Stewardship, alongside business continuity, information lifecycle management,
data quality management, and compliance. The purpose of Information
Stewardship is to enhance the value of information and reduce the risk to
information within the context of the business value. In other words, Information
Protection is only relevant in the context of the broader value of information.
Maximizing information protection must always be balanced against
maximizing the business value of information. The business value of information
is derived from the processing, transformation, sharing and dissemination of
information – the very activities that create risk! It is crucial to look at
information protection as one axis in a broader picture of investment and
innovation decisions: you cannot focus only on maximizing information
protection (maximizing security). After all, the best way to maximize the
protection of information is to lock it up and throw away the key – which of
course means that the information is then no longer available to the business.
Being a good steward of the information requires using security to enable
business functions while minimizing their risk as far as necessary.
Read this Issue Paper: Not an End In Itself: Information Protection and Return on Risk
This Issue Paper is available to registered users. Registration is free - please register for access.
Nemertes Issue Paper: Information Risk Management in the Enterprise
The Issue:
Enterprise IT security is being pulled steadily towards a risk-based view of
the world. Companies need to understand their tolerance for risk, and embrace
technologies and practices that allow them to meet, but not exceed, that
tolerance. The disciplines of information stewardship provide a lens through
which the enterprise can focus its actions in information risk management. By
focusing on the discipline of information protection, it can choose where and how
to apply technologies, such as encryption, to maximize the return on risks of
information leak or theft. Focusing on data quality management can minimize
both the operational risks from inconsistent or incorrect data, and the legal risks
from lapses in compliance, inadvertent disclosure, or unintentional failure to
disclose information in court. Focusing on continuity mitigates risk from data
being unavailable due to natural disaster, systems breakdown, or attack.
Read this Issue Paper:
Nemertes Issue Paper: Virtualization Best Practices
The Issue:
Server virtualization is one of the most-discussed technologies of the past
few years. We find that although some organizations are already generating
substantial savings with virtualization in their production environments, the
majority of participants in Nemertes’ Security and Information Protection
benchmark research are not yet using virtual servers in production. They plan to,
however, looking for the increased resource utilization, broader platform
standardization, and deeper management automation that server virtualization
enables.
As virtual servers move into production, IT needs to address security and
compliance issues. Unfortunately, most participants in the benchmark, when
asked how they secure their virtual servers, say they treat them like physical
servers as much as possible! Sensibly, they use host-based security such as antivirus
and anti-malware agents. However, they also use network tools to protect
virtual servers exactly as if they were simply very thin, very densely stacked rackmount
boxes.
