Security & Compliance

Complimentary Webinar: 2010 PilotHouse Awards

Tuesday, September 14, 2010, 2:00 - 3:00 PM EDT

The 2010 Nemertes PilotHouse Awards recognize enterprise-technology providers in 14 computing and communications categories: Carrier Ethernet Services, Cloud Computing, Data-Center Colocation, IP Contact Centers, IP Telephony, MPLS Services, Security as a Service, Servers for Virtualization, Sustainability, Unified Communications, Virtual Desktops, WAN Optimization, and Wireless LANs.

The annual PilotHouse Awards reflect how vendors and service providers perform in the eyes of their business buyers. What makes the PilotHouse award so unique? The results are based 100% on the views and experiences of actual technology buyers. Nemertes determines the methodology, conducts the research, and analyzes the findings; however, Nemertes has no influence over vendor performance. The opinions rest with real buyers. In addition, no vendors sponsor this research.

During this Webinar, Nemertes will announce this year's winners and give details of the findings. We will discuss the methodology behind the selections, what stands out among winners, and how the results help IT technology buyers make well-informed purchasing decisions.

Presenter: Irwin Lazar, Vice President for Communications and Collaboration Research
Moderator: Johna Till Johnson, President and Senior Founding Partner

Complimentary Webinar: 2010 Benchmark: The Characteristics (and Technologies) of Highly Successful IT Organizations

Tuesday, September 21, 2010, 2:00 - 3:00 PM EDT

What are the top three characteristics of highly successful IT organizations? Which technologies are emerging as must-haves for 2010, 2011, and beyond? Where are successful companies turning to managed, hosted, and cloud services—and why?

Social Computing and Compliance

Nemertes Issue Paper

Overview: Thanks to the rapid growth of Web sites such as Facebook and Twitter, social computing has entered the enterprise lexicon quickly as business and IT managers seek to leverage the power of social applications to improve communications and collaboration both internally and externally. Though social computing can complement unified communications, it also can create potential challenges with respect to compliance and security. As social-computing adoption grows, IT and line-of-business managers must leverage "the wisdom of the crowds" to improve collaboration, while also meeting compliance and e-discovery requirements.

The Best of Both Worlds: How IT Must Embrace Both Strategic and Utilitarian Roles

Nemertes Issue Paper

Overview: Technology is at a major transition point, similar to the shift from Management Information Systems (MIS) to Information Technology (IT) in the 1990s. In this case, the shift is from IT to Enterprise Technology (ET), driven by the confluence of new technologies and ongoing business imperatives. This transition point means that certain technology functions are commoditizing rapidly, while others are becoming more strategic. The fundamental challenge facing IT professionals is to determine quickly and accurately which functions are which, and react accordingly. This means IT leaders must embrace both strategic and utilitarian roles. Or, to put it another way, today’s IT professionals need a special version of the “serenity prayer”: “God grant me the ability to invest in enterprise technology, the courage to commoditize information technology, and the wisdom to know the difference.”

Distributed Denial of Service Defense: Defending On-Premises or in the Cloud

Nemertes Issue Paper

Overview: Distributed Denial of Service (DDoS) attacks are network-based attacks in which the attacker plants malicious code on numerous, scattered, and usually unwitting servers or desktops. Those machines (called zombies) then flood a single IP address with packets so that it is driven offline, unable to handle the volume. The attacks are devastating, extremely difficult to trace, and impossible to predict. The only defense is to use purpose-built appliances that must stay one step ahead of the attackers in both performance and functionality. There are two primary choices for enterprise defense: on-premises do-it-yourself (DIY) and a cloud-based DDoS defense service. Each has pros and cons, but the unique characteristics of a DDoS attack, in conjunction with the significant cost savings of the cloud-based service, shift the decision in favor of the service.

Securing the Physical, Virtual, Cloud Continuum

Nemertes Issue Paper

Overview:
The data center is undergoing a radical shift, from virtualization towards internal cloud environments where workloads dynamically move, start and stop, driven by real-time performance needs. At the same time, IT practitioners are interested in exploring external cloud computing options, but security and compliance concerns are squelching adoption.

A key concern is trust. Moving to a cloud provider shifts the burden of trust onto the provider, something that few providers are able to handle today. To overcome this concern, responsibility for security and compliance needs to stay with the customer. This requires an overhaul of security practices, the same practices we've been using for 15 years. We need new security and compliance controls that span the physical, virtual, cloud continuum (not everything will be virtual, so security must continue to protect physical assets). We also need security controls that are location-aware and dynamically enforce policy regardless of workload location. This requires an adaptive perimeter defense and restoration of depth for defense in depth.

On-Demand Webinar: Bringing Cloud Security Down to Earth

All IT functions are heading into the clouds: Cloud computing, cloud storage, cloud collaboration, cloud content management, cloud unified communications and even cloud security and compliance. Yet, security and compliance concerns are holding back adoption.

On-Demand Webinar: Nemertes PilotHouse Awards 2009

Nemertes' PilotHouse Awards recognize how vendors and service providers perform in the eyes of their business customers. What makes Nemertes' PilotHouse award so unique?

Nemertes PilotHouse Awards 2009

The winners of the Nemertes PilotHouse Awards represent the “movers and shakers” among communications and computing vendors, and their customers, the IT practitioners deploying those technologies.

2009 Communications and Computing Benchmark

It’s highly likely that in a few years, we’ll be looking back at 2009 as the year when everything changed for IT. The recession literally decimated IT forces, or worse: Sixty-seven percent of organizations are decreasing their IT departments by an average of 17%.

Nemertes Issue Paper: Securing the Benefits of Virtualization

Overview:

This paper speaks to the IT manager concerned with security. Introducing virtualization into a data center increases the complexity of the environment and presents a new "threat surface" to attack: the hypervisor and its associated management tools.

On-Demand Webinar: Nemertes Benchmark Findings: Transformational Technology Trends for 2010 And Beyond

Tuesday, August 11, 2009 2:00 PM - 3:00 PM EDT

DLP: Data Loss Prevention or Disturbing Lack of Process?

Next to NAC (Network Access/Admission Control), DLP (Data Loss/Leakage Protection/Prevention) is the second most abused acronym in IT. You know there is a problem when there isn't an agreed-upon meaning for a simple TLA (Three Letter Acronym). It turns out the source of the confusion is technology. It's the last thing you need for DLP, not the first.

How Do You Do Defense-in-Depth in a Flat Network?

Last week I mentioned the lack of adoption Nemertes sees for virtualization security (VirtSec), despite a rapidly growing list of vendors. The main explanation we hear from companies we work with is, "We don't monitor inter-server traffic on physical servers, why should we monitor inter-virtual-server traffic?" So this got me thinking about a case where the opposite is true: where VirtSec is required to match the existing controls on the physical network.

Key Trends: Virtualization Security

Nemertes Issue Paper: Maintaining Sustainable Compliance Management

The Issue:

Sustainable compliance involves the establishment, implementation and enforcement of process and policy. At the same time, there is a strong technology component to compliance management, and many organizations start their compliance management with technology selection. This is the wrong approach.

Nemertes Issue Paper: e-Discovery + ESI = e-Challenges

Nemertes Market Analysis: Virtualization Security

Nemertes Issue Paper: Defining the “U” in UTM: Unified, Ubiquitous or Useless?

The Issue:

The challenge today is that IT is accelerating, putting the CSO between a rock and a hard place. On the one hand, he or she must uphold corporate policies and manage security and compliance. On the other hand, the CSO cannot be seen as business prevention; security cannot be the big red stop button on the IT assembly line. Simultaneous with IT acceleration, an evolution is occurring in the security realm, defined by unified threat management (UTM). Sitting at the confluence of security and networking, UTM is evolving from a simple consolidation value proposition to a ubiquitous solution that holds the potential to provide the CSO with the tools to meet the corporate risk tolerance while fully supporting the agility goals of the business.

Threat Management Must Evolve

From Nemertes' conversations with IT executives, we know that security can be both business enablement and business prevention. For example, two-thirds of organizations that participated in Nemertes' Security and Information Protection (Sec-IP) benchmark have avoided a new technology because of security concerns. Our research also indicates that CSOs are mostly successful in implementing security: nearly 95% of participants in Security and Information Protection (Sec-IP) consider their security efforts successful. (Please see Figure 1: Rating of Security Success, Page 2.) Yet at the same time, nearly 35% of participants have had a security breach in the past year. This tells us that security, and threat management in particular, still leaves much room for improvement.

Nemertes Issue Paper: Security as a Process

The Issue:

IT security staff, faced with the challenge of securing the inevitable flux in their infrastructure, are usually stuck in reactive mode. They react: to systems upgrades, mergers, and acquisitions; to the re-centralization of most IT functions into data centers and the consolidation of data centers; and to the spread of all sizes and kinds of organizations over ever more space as a result of the continuing 9 to 11% growth in the number of branch offices. Proactive security, helping plan and execute security changes to enable adoption of new tools and technologies, falls by the wayside.

IT security is set up to prevent and react to security problems, not to set acceptable levels of risk. Significant increases in risk are traditionally viewed as automatically "bad". Given the difficulty of securing the complex interfaces among different architectures, silos, and generations of technology, optional changes and elective complexity are resisted if not simple to secure. How then can IT security shift from a reactive to a proactive position?

One action security teams and IT are increasingly performing to reduce risk and manage complexity is to set policies to guide ongoing operations. By defining policy, one can lay out more secure operational modes for everyone and make dealing with complex infrastructures less a matter of individual memory, capacity, and preference, and more a matter of documented practice.

Nemertes Benchmark: Service-Oriented Architectures and Applications - Vendors and Technologies

Overview:

Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprises we interviewed already having deployed at least a pilot SOA, and a few having completed the journey.

The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure, as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers—software as a service (SaaS)—into an infrastructure, rather than that being a separate and disconnected island of functionality.

In this volume, we explore the technological and vendor landscape, including the major segments of the market for SOA wares and some vendors in each space. We also investigate the enterprise map of that same territory, including the vendors that participants see as important, even strategic; where participants plan to invest their dollars in the near term; and what they think about the vendors they work with now.

Nemertes Issue Paper: VOIP Security


The Issue:

When it comes to VOIP security, most IT leaders have worried more about threats to the underlying data network than about potential attacks against VOIP systems themselves. Many IT managers see their VOIP networks as closed systems, protected from the outside world by the PSTN (public switched telephone network). So long as there was no way to reach their IP-PBXs via the public Internet or other outside networks, there was little threat of attack or compromise that could lead to data loss or service disruption. And by and large, their views have been reinforced by the lack of attacks against VOIP servers, phones, gateways, and management systems. Less than 2% of enterprises had experienced a security incident directly involving their VOIP systems, while 96% had no known attacks.


Nemertes Issue Paper: Chief Risk Officer - Balancing Risk and Reward

The Issue:

New technologies offer the possibility of business-process transformation and great rewards, but they have significant risks, too. The enterprise must approach the decision to implement such a technology not as a question of whether it can be done safely, but rather whether it can be done safely enough to justify the reward. Balancing the risk against the reward is essential, but not likely in an environment where security is focused on threats and responses, and the security function reports up through a CIO whose main interest is in delivering business value. One way to resolve that conflict is to elevate IT security out of IT and align it instead with corporate risk management, changing the CSO into, in essence, a Chief Risk Officer.

Nemertes Benchmark: Service-Oriented Architectures and Applications


Overview:

Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprise IT executives with whom we spoke already having deployed at least a pilot SOA, and a few having completed the journey.

The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers – software as a service – into an infrastructure, rather than that being a separate and disconnected island of functionality.

In the first volume of this benchmark, we explore the basic organizational and operational characteristics of the move to SOA: why organizations pursue it (or choose not to), how much they are spending and how it is paid for, how IT and the enterprise organize around it, and what benefits they are seeing from it.

Nemertes Issue Paper: Virtual Insecurity

Nemertes Benchmark: Security and Information Protection - Volumes 1-4

Overview:

It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.

In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services, good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from "chief security officer" to "chief risk mitigation officer," mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don't historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization's risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary. In our upcoming volumes, we drill down into the specifics.

What we are afraid of.

Preliminary analysis of the data for Nemertes' forthcoming Security and Information Protection benchmark shows that approximately 63% of participants want to deploy (or more broadly deploy) technologies that they felt they could not, for security reasons. Of those, half named wireless as the technology in question, and over a quarter named collaborative tools, especially IM.

Vendors offer compliance help but are not compliant themselves

Regulatory compliance offers security vendors a tremendous opportunity to hitch their sales pitch to something that has a dedicated budget. As a result, we see many vendors touting compliance as a feature, even if all they do is provide a report that (possibly, maybe with a bit of massaging) can be used to document compliance.

But while vendors tout their ability to make you compliant they often forget to be compliant themselves! Many regulated industries require that companies use vendors who follow best practices and have proven compliance to certain regulations. A security architect participating in our Security and Information Protection research commented "Our internal requirements say that anybody who delivers services for us has a SAS 70, yet when we speak with a lot of vendors they do not understand what a SAS 70 is or why it is necessary. They don't have those docs or auditing functions in place. It makes it very difficult for us to purchase a product if they do not have those capabilities in place."

Network admission and endpoint control: waiting for standards

While enterprises are interested in the concept of endpoint control and admission, they are not committing budget just yet. IT executives are looking at both aspects of endpoint control: admission/access at L2/L3, and also policy verification and remediation (is the AV up to date, etc.).

Some companies are implementing "poor man's NAC" by using RADIUS or ACLs to restrict access to known hosts. Such solutions may provide some control but become quite unmanageable in large networks. Others are using their VPN clients to do some basic policy checks on endpoints.

But the vast majority are still waiting for Cisco, Microsoft and others to agree on standards and provide broadly interoperable and mature solutions.