Security & Compliance
Securing the Physical, Virtual, Cloud Continuum
Nemertes Issue Paper
Overview:
The data center is undergoing a radical shift, from virtualization towards internal cloud environments where workloads dynamically move, start and stop, driven by real-time performance needs. At the same time, IT practitioners are interested in exploring external cloud computing options, but security and compliance concerns are squelching adoption.
A key concern is trust. Moving to a cloud provider shifts the burden of trust onto the provider, something that few providers are able to handle today. To overcome this concern, responsibility for security and compliance needs to stay with the customer. This requires an overhaul of security practices – the same practices we’ve been using for 15 years. We need new security and compliance controls that span the physical, virtual, cloud continuum (not everything will be virtual, so security must continue to protect physical assets). We also need security controls that are location-aware and dynamically enforce policy regardless of workload location. This requires an adaptive perimeter defense and restoration of depth for defense in depth.
On-Demand Webinar: Bringing Cloud Security Down to Earth
All IT functions are heading into the clouds: Cloud computing, cloud storage, cloud collaboration, cloud content management, cloud unified communications and even cloud security and compliance. Yet, security and compliance concerns are holding back adoption.
On-Demand Webinar: Nemertes PilotHouse Awards 2009
Nemertes’ PilotHouse Awards recognizes how vendors and service providers perform in the eyes of their business customers. What makes Nemertes’ PilotHouse award so unique?
Nemertes PilotHouse Awards 2009
The winners of the Nemertes PilotHouse Awards represent the “movers and shakers” among communications and computing vendors, and their customers, the IT practitioners deploying those technologies.
Vendors:
2009 Communications and Computing Benchmark
It’s highly likely that in a few years, we’ll be looking back at 2009 as the year when everything changed for IT. The recession literally decimated IT forces, or worse: Sixty-seven percent of organizations are decreasing their IT departments by an average of 17%.
Nemertes Issue Paper: Securing the Benefits of Virtualization
Overview:
Speaks to the IT manager concerned with security. Introducing virtualization into a data center increases the complexity of the environment and presents a new “threat surface,” the hypervisor and its associated management tools, to attack.
On-Demand Webinar: Nemertes Benchmark Findings: Transformational Technology Trends for 2010 And Beyond
Tuesday, August 11, 2009 2:00 PM - 3:00 PM EDT
DLP: Data Loss Prevention or Disturbing Lack of Process?
Submitted by Ted Ritter on Tue, 2009-06-16 08:57. Next to NAC (Network Access/Admission Control), DLP (Data Loss/Leakage Protection/Prevention) is the second most abused acronym in IT. You know there is a problem when there isn’t an agreed upon meaning to a simple TLA (Three Letter Acronym). It turns out the source of the confusion is technology. It’s the last thing you need for DLP; not the first.
How Do You Do Defense-in-Depth in a Flat Network?
Submitted by Ted Ritter on Thu, 2009-06-04 08:01. Last week I mentioned the lack of adoption Nemertes sees for virtualization security (VirtSec), despite a rapidly growing list of vendors. The main explanation we hear from companies we work with is, “We don’t monitor inter-server traffic on physical servers, why should we monitor inter-virtual-server traffic?” So, this got me thinking about a case where the opposite is true: Where VirtSec is required to match the existing controls on the physical network.
Nemertes Issue Paper: Maintaining Sustainable Compliance Management
The Issue:
Sustainable compliance involves the establishment, implementation and enforcement of process and policy. At the same time, there is a strong technology component to compliance management, and many organizations start their compliance management with technology selection. This is the wrong approach.
Nemertes Market Analysis: Virtualization Security
Nemertes Issue Paper: Defining the “U” in UTM: Unified, Ubiquitous or Useless?
The Issue:
The challenge today is that IT is accelerating, putting the CSO between a rock and a hard place. On the one hand he or she must uphold corporate policies and manage security and compliance. On the other hand, the CSO cannot be seen as business prevention; security cannot be the big red stop button on the IT assembly line. Simultaneous with IT acceleration, an evolution is occurring in the security realm, defined by unified threat management (UTM). Sitting at the confluence of security and networking, UTM is evolving from a simple consolidation value proposition to a ubiquitous solution that holds the potential to provide the CSO with the tools to meet the corporate risk tolerance while fully supporting the agility goals of the business.
Threat Management Must Evolve
From Nemertes’ conversations with IT executives, we know that security can be both business enablement and business prevention. For example, two-thirds of organizations that participated in Nemertes’ Security and Information Protection (Sec-IP) benchmark have avoided a new technology because of security concerns. Our research also indicates that CSOs are mostly successful in implementing security: nearly 95% of participants in Sec-IP consider their security efforts successful. (Please see Figure 1: Rating of Security Success, Page 2). Yet at the same time, nearly 35% of participants have had a security breach in the past year. This tells us that security, and threat management in particular, still leaves much room for improvement.
Nemertes Issue Paper: Security as a Process
The Issue:
IT security staff, faced with the challenge of securing the inevitable flux in their infrastructure, are usually stuck in reactive mode. They react – to systems upgrades, mergers, and acquisitions; to the re-centralization of most IT functions into data centers and the consolidation of data centers; and to the spread of all sizes and kinds of organizations over ever more space as a result of the continuing 9 to 11% growth in the number of branch offices. Proactive security – helping plan and execute security changes to enable adoption of new tools and technologies – falls by the wayside.
IT security is set up to prevent and react to security problems, not to set acceptable levels of risk. Significant increases in risk are traditionally viewed as automatically “bad”. Given the difficulty of securing the complex interfaces among different architectures, silos, and generations of technology, optional changes and elective complexity are resisted if not simple to secure. How then can IT security shift from a reactive to a proactive position?
One action security teams and IT are increasingly taking to reduce risk and manage complexity is to set policies that guide ongoing operations. By defining policy, one can lay out more secure operational modes for everyone and make dealing with complex infrastructures less a matter of individual memory, capacity, and preference, and more a matter of documented practice.
Nemertes Benchmark: Service-Oriented Architectures and Applications - Vendors and Technologies
Overview:
Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprises we interviewed already having deployed at least a pilot SOA, and a few having completed the journey.
The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure, as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers—software as a service (SaaS)—into an infrastructure, rather than that being a separate and disconnected island of functionality.
In this volume, we explore the technological and vendor landscape, including the major segments of the market for SOA wares and some vendors in each space. We also investigate the enterprise map of that same territory, including the vendors that participants see as important, even strategic; where participants plan to invest their dollars in the near term; and what they think about the vendors they work with now.
Nemertes Issue Paper: VOIP Security
The Issue:
When it comes to VOIP security, most IT leaders have worried more about threats to the underlying data network than about potential attacks against VOIP systems themselves. Many IT managers see their VOIP networks as closed systems, protected from the outside world by the PSTN (public switched telephone network). So long as there is no way to reach their IP-PBXs via the public Internet or other outside networks, there is little threat of attack or compromise that could lead to data loss or service disruption. And by and large their views have been reinforced by the lack of attacks against VOIP servers, phones, gateways, and management systems. Less than 2% of enterprises had experienced a security incident directly involving their VOIP systems, while 96% had no known attacks.
Nemertes Issue Paper: Chief Risk Officer - Balancing Risk and Reward
The Issue:
New technologies offer the possibility of business-process transformation and great rewards – but they have significant risks, too. The enterprise must approach the decision to implement such a technology not as a question of whether it can be done safely, but rather safely enough to justify the reward. Balancing the risk against the reward is essential, but not likely in an environment where security is focused on threats and responses, and the security function reports up through a CIO whose main interest is in delivering business value. One way to resolve that conflict is to elevate IT security out of IT and align it instead with corporate risk management, changing the CSO into, in essence, a Chief Risk Officer.
Nemertes Benchmark: Service-Oriented Architectures and Applications
Overview:
Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprise IT executives with whom we spoke already having deployed at least a pilot SOA, and a few having completed the journey.
The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers – software as a service – into an infrastructure, rather than that being a separate and disconnected island of functionality.
In the first volume of this benchmark, we explore the basic organizational and operational characteristics of the move to SOA: Why organizations pursue it (or choose not to), how much they are spending and how it is paid for, how IT and the enterprise organize around it, and what benefits they are seeing from it.
Nemertes Benchmark: Security and Information Protection - Volumes 1-4
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary. In our upcoming volumes, we drill down into the specifics.
Nemertes Benchmark: Security and Information Protection
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary.
What we are afraid of.
Submitted by John Burke on Fri, 2007-04-27 11:56. Preliminary analysis of the data for Nemertes’ forthcoming Security and Information Protection benchmark shows that approximately 63% of participants want to deploy (or more broadly deploy) technologies that they felt they could not, for security reasons. Of those, half named wireless as the technology in question, and over a quarter named collaborative tools, especially IM.
Vendors offer compliance help but are not compliant themselves
Submitted by Andreas Antonopoulos on Fri, 2007-04-06 13:20. Regulatory compliance offers security vendors a tremendous opportunity to hitch their sales pitch to something that has a dedicated budget. As a result we see many vendors touting compliance as a feature, even if all they do is provide a report that (possibly, maybe with a bit of massaging) can be used to document compliance.
But while vendors tout their ability to make you compliant they often forget to be compliant themselves! Many regulated industries require that companies use vendors who follow best practices and have proven compliance to certain regulations. A security architect participating in our Security and Information Protection research commented "Our internal requirements say that anybody who delivers services for us has a SAS 70, yet when we speak with a lot of vendors they do not understand what a SAS 70 is or why it is necessary. They don't have those docs or auditing functions in place. It makes it very difficult for us to purchase a product if they do not have those capabilities in place."
Network admission and endpoint control: waiting for standards
Submitted by Andreas Antonopoulos on Fri, 2007-03-23 10:59. While enterprises are interested in the concept of endpoint control and admission, they are not committing budget just yet. IT executives are looking at both aspects of endpoint control: admission/access at L2/L3 and also policy verification and remediation (is the AV up to date, etc.).
Some companies are implementing "poor man's NAC" by using RADIUS or ACLs to restrict access to known hosts. Such solutions may provide some control but become quite unmanageable in large networks. Others are using their VPN clients to do some basic policy checks on endpoints.
But the vast majority are still waiting for Cisco, Microsoft and others to agree on standards and provide broadly interoperable and mature solutions.
Network World: Think Twice About New Security Gizmos
In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.
Suspecting that was because they were small companies, he dug deeper, but found they were some of the largest companies analyzed. He also discovered why they weren't concerned: they spent 6% to 8% of their IT budgets on security, twice what the average company spends.
New Data Center Strategies: The Botnets Are Coming!!
The data center is the new castle, and the botnet hordes are coming for it
New Data Center Strategies Newsletter, By Andreas M. Antonopoulos, Network World, 2/6/07
One of the main findings from Nemertes’ security research in 2005 and 2006 was that the security perimeter is eroding.
With all the connections to partners, suppliers and customers and all the mobile workers, it was almost impossible to define a clear perimeter outside the data center. So the data center has become the retrenched position for most security defenses. The data center has become like the castle keep: a central hardened tower, the most defended area and the location of the most prized possessions.
Nemertes Issue Paper: Securing Virtualized Infrastructure
The Issue: A New World to Secure
Data centers today are truly “new” from every perspective: facilities, storage, management, computing, and networking. Although data centers have existed as long as enterprise computing itself has, a confluence of economic, enterprise, and technological changes is driving a major metamorphosis in data center design and implementation. This, in turn, is determining how data center and security professionals approach the problem of securing the data center and the enterprise network from threats, internal and external.
Security: Risk and Reward: OpenID: User-centric Identity
Network World: Security, By Andreas M. Antonopoulos, Network World, 3/5/07
Looking at the development of different technologies in the last two decades, I am amazed at the vast difference between how a technology was first envisioned and how it ended up being implemented.
You start with a tightly coupled, hierarchical, centralized design by committee. Invariably, an august organization is chosen to run it: a phone company, the postal service, the government, a big vendor. Examples of this type of design are: X.25, X.500, X.400, PKI and Microsoft Passport (Windows Live ID). The design languishes for years while politics and control issues prevent its implementation. Then some organization, committee or coder takes the original design, strips it down and implements it as a more loosely coupled, decentralized, ad-hoc version. See IP, SMTP, DNS, Lightweight Directory Access Protocol, the Web and OpenID.
Security: Risk and Reward
Does it take 200 products to secure the enterprise?
Network World: Security, By Andreas M. Antonopoulos, Network World, 2/13/07
Visiting RSA '07 last week, I tried to embrace the fact that this security conference is no longer an insiders' gathering, and tried to put myself in the shoes of a newbie to figure out what I should pay attention to in a new security job. The first mistake I made as a newbie was to wear new shoes: ouch. The second was to try to take it all in. If you accept the premise that security should be holistic and not about silver bullets, then the RSA show floor was a big bucket of silver bullets. Hundreds of features disguising themselves as products, loudly touting the latest scare: “Did you know there are ogres lurking in this obscure part of your infrastructure? Anti-OGRE!” It was difficult to see what the big new theme for security is in 2007.