Issue Papers
Nemertes Issue Papers
Nemertes Issue Papers deliver our groundbreaking research and actionable recommendations on emerging IT topics.
Clients may click on any of the links below to access Issue Papers.
Non-clients: Please contact us for information on obtaining access to Nemertes Issue Papers.
Click on the titles below to read the complete Issue Paper
- Green IT: Saving Money, Saving the World-or Both? - July 2008
- Defining the "U" in UTM: Unified, Ubiquitous or Useless? - June 2008
- Hijacking the Enterprise Services Bus - June 2008
- Security as a Process - May 2008
- New Suit of Armor: Securing the New Data Center - April 2008
- The Center is Everywhere - April 2008
- The Path to Continuous Compliance Management - April 2008
- Not an End in Itself: Information Protection and Return on Risk - April 2008
- Information Risk Management in the Enterprise - April 2008
- Virtualization Risk Analysis - February 2008
- Virtualization Best Practices - February 2008
- Next-Generation Unified Messaging - January 2008
- Reaching Out to Protect Within: Comparing and Contrasting ISO and NIST Information Security Standards - 2008
- VOIP Security - December 2007
- Chief Risk Officer - Balancing Risk & Reward - December 2007
- Next Generation Computing Strategies - December 2007
- The ROI of IP Telephony Management - December 2007
- Managing the Virtual Workplace - November 2007
- Virtual Insecurity - November 2007
- Implementing Mobility for your Business - October 2007
- Empowering Branch & Virtual Workers - October 2007
- Branch Office Best Practices - September 2007
- The Business Case for Collaboration - September 2007
- VOIP Trends and Directions - August 2007
- Network Services and The New DataCenter - August 2007
- Leveraging Convergence for Collaboration - July 2007
- The Cost of Communications - July 2007
- Unified Communications - July 2007
- Data Center I/O Consolidation - June 2007
- VOIP Business Case - May 2007
- Unified Communications - Real-Time Communications Concepts and Business Applications - April 2007
- Web Optimization: Improving Application Performance from Within the Data Center - April 2007
- Hard and Fast Rules - Firewall Appliances and the Data Center - April 2007
- Securing Virtualized Infrastructure - March 2007
- Unified Communications In The Contact Center - December 2006
- Peer-to-Peer and Grid Next-Generation Architecture - December 2006
- The Business Case For Management - December 2006
- Open Source VOIP - December 2006
- Extreme Availability - December 2006
- Securing Critical Applications and Databases: A Layered Approach - September 2006
- IP Address Management And Securing The IP Infrastructure - August 2006
- Successfully Managing Mergers and Acquisitions - August 2006
- MPLS: What, Where, Who, Why? - August 2006
- Turning Technology Into Value - May 2006
- Collaborative Tools: Enabling Real-World Productivity Gains - May 2006
- Hosted VOIP: Rx For Branch Offices - April 2006
- Making the Most of Your VoIP Deployment: Organizational Best Practices - April 2006
- Remote Offices And The Rise Of The Virtual Worker - April 2006
- Hijacking The Enterprise Service Bus - March 2006
Nemertes Issue Paper: Green IT: Saving Money, Saving the World-or Both?
The Issue:
Nemertes Issue Paper: Defining the “U” in UTM: Unified, Ubiquitous or Useless?
The Issue:
The challenge today is that IT is accelerating, putting the CSO
between a rock and a hard place. On the one hand he or she must uphold
corporate policies and manage security and compliance. On the other
hand, the CSO cannot be seen as business prevention; security cannot be
the big red stop button on the IT assembly line. Simultaneous with IT
acceleration, an evolution is occurring in the security realm, defined
by unified threat management (UTM). Sitting at the confluence of
security and networking, UTM is evolving from a simple consolidation
value proposition to a ubiquitous solution that holds the potential to
provide the CSO with the tools to meet the corporate risk tolerance
while fully supporting the agility goals of the business.
Threat Management Must Evolve
From Nemertes’ conversations with IT executives, we know that
security can be both business enablement and business prevention. For
example, two-thirds of organizations that participated in Nemertes’
Security and Information Protection (Sec-IP) benchmark have avoided a
new technology because of security concerns. Our research also
indicates that CSOs are mostly successful in implementing security:
nearly 95% of participants in Security and Information Protection
(Sec-IP) consider their security efforts successful. (Please see Figure
1: Rating of Security Success, Page 2). Yet at the same time, nearly
35% of participants have had a security breach in the past year. This
tells us that security, and threat management in particular, still
leaves much room for improvement.
Read this Issue Paper:
Nemertes Issue Paper: Hijacking the Enterprise Services Bus
The Issue:
Network vendors have, for some years, been surveying the landscape,
looking for new worlds to conquer as supplying connectivity per se has become
more and more a commodity game. First they built core network‐related
functionality, such as IP‐address assignment and DNS service, into their gear
(although many, if not most, shops still use servers for these functions). Then
they offered security functionality, first filling in gaps that server and desktop
vendors left between their own security functionality; year by year offering more
and moving gradually to supplant or compete with server and desktop security
functions. They began to offer bandwidth optimization, followed some years
later by application acceleration, most recently incarnated as the specific
acceleration for file sharing known as WAFS (wide‐area file services). They
branched into voice and video over IP, and then into collaborative applications
with voice and video built in.
Now, Cisco specifically is moving further “up the stack” and into the
realm of enterprise messaging, specifically into the business of managing XML
message traffic among nodes – not just speeding up XML traffic (which many
vendors do) through compression and the like, but actually taking on the
message routing and transformation functions of traditional messaging
middleware. Other network vendors may follow Cisco’s lead, as they often
have in the past – and some non‐network companies, like IBM and Intel, have
ventured into the converged space via acquisition of messaging appliance
companies (DataPower and Sarvega, respectively). But how should network
vendors approach this market, now that they are competing against major
software vendors and outside the traditional network space?
Clients: Read this issue Paper
Non Clients: Nemertes Issue Papers are available to clients only.
If you're not a client and would like to receive a copy of the Issue Paper, please contact us.
Nemertes Issue Paper: Security as a Process
The Issue:
IT security staff, faced with the challenge of securing the inevitable flux in
their infrastructure, are usually stuck in reactive mode. They react – to systems
upgrades, mergers, and acquisitions; to the re-centralization of most IT function
into data centers and the consolidation of data centers; and to the spread of all
sizes and kinds of organizations over ever more space as a result of the
continuing 9 to 11% growth in the number of branch offices. Proactive security –
helping plan and execute security changes to enable adoption of new tools and
technologies – falls by the wayside.
IT security is set up to prevent and react to security problems, not to set
acceptable levels of risk. Significant increases in risk are traditionally viewed as
automatically “bad”. Given the difficulty of securing the complex interfaces
among different architectures, silos, and generations of technology, optional
changes and elective complexity are resisted if not simple to secure. How then
can IT security shift from a reactive to a proactive position?
One action security teams and IT are increasingly performing to reduce
risk and manage complexity is to set policies to guide ongoing operations. By
defining policy, one can lay out more secure operational modes for everyone and
make dealing with complex infrastructures less a matter of individual memory,
capacity, and preference, and more a matter of documented practice.
Nemertes Issue Paper: New Suit of Armor: Securing the Data Center
The Issue:
Major tectonic shifts in the way enterprises work with and provision their
core applications are forcing changes in the way the enterprise has to think about
securing them.
One shift is the continuing opening of the enterprise, with the gradual
federation and interpenetration of IT systems between an enterprise and its
partners, customers, and suppliers. The figurative walls of the data center are
being filled with doors, windows, and access ducts, and now serve more as a
framework for structuring the flow of information than as a barrier to it.
Another shift is the rise of service-oriented architectures (SOAs).
Enterprises are looking to SOA to provide an integration method for their
applications, a development methodology and framework, and an overall
architecture and philosophy for deploying new functionality. As enterprise
applications gain services interfaces, and sometimes are actually atomized and
turned into constellations of loosely-coupled services, each service creates on the
network a new set of access points; perhaps tens or hundreds of times as many as
there were before. Things that used to happen within an application, on a single
server, become network traffic among servers and even among data centers.
Some formerly internal functions even become invocations across the Internet of
software-as-a-service (SaaS) packages, or services in partner or supplier data
centers. Moreover, components in a SOA can scale independently of each other:
new instances of an application running on a Java application server might be
created to handle peak loads, and then destroyed as the load subsides.
Read this Issue Paper:
Clients: New Suit of Armor: Securing the Data Center
Nemertes Issue Paper: The Center is Everywhere
The Issue:
The very essence of “work” is changing. All across the world, but even
more so in the U.S., society is changing the definitions of “work” and “office”. As
communications and connectivity become more powerful and ever more widely
available, work has become less and less a place and more an activity which takes
place anywhere. In the last 4 years Nemertes Research has tracked the number of
employees working away from their company headquarters. That number has
gradually trended up, exceeding 90% in 2006. Today, branch office and mobile
workers dominate, and knowledge workers are increasingly mobile, operating out
of home offices, hotel rooms, airport lounges, coffee shops and taxis. As their
work habits have changed through enabling communications technologies, they
have in turn pushed adoption of those technologies by their companies: laptops,
wireless Ethernet, smart phones, and web applications.
Large companies have gradually shifted more and more of their critical
applications to the web. Through a web browser, the same application can be
delivered to a desktop, a laptop, a phone, regardless of location, operating system
or (mostly) browser. This “webification” of applications has become a catalyst for
further mobility and fluidity of the workforce.
Read this Issue Paper:
Clients - The Center is Everywhere
Non clients: Nemertes Issue Papers are available to clients only. If you're not a
client and would like to receive a copy of the Issue Paper, please
contact us.
Nemertes Issue Paper: The Path to Continuous Compliance Management
The Issue:
As the role of the CSO shifts from technical security expert to risk
mediator, manager and advisor, compliance is rapidly becoming the domain of
the CSO. In this role, the CSO is faced with the continual tug-of-war in the
corporation between legal, business and IT. To make matters worse, the CSO –
as Chief Risk Officer – is put in the position of keeping the company out of
trouble, without having any control over the direction of the company, or the
actions of IT, business and legal. The only way that the CSO can affect risk and
manage risk is through implementation of a strong compliance management
process. Compliance management is the heart of governance and risk
management and as such, it’s the main tool in the CSO tool box.
Compliance is a complex issue and it requires a unique combination of
technical, legal, business and management skills. Compliance itself requires
solving the equivalent of a multi-variable equation: regulations, control
frameworks and change. To achieve continuous compliance management, CSOs
must implement tools and processes that automate and streamline the
compliance management process. The first step is implementation of logging,
eventually culminating in the establishment of a continuous compliance
management solution that not only reports on what has happened, but
implements triggers, monitors and controls to prevent what is going to happen.
Read this Issue Paper:
Nemertes Issue Paper: Not an End In Itself: Information Protection and Return on Risk
The Issue:
Information protection is one of the core disciplines of Information
Stewardship, alongside business continuity, information lifecycle management,
data quality management, and compliance. The purpose of Information
Stewardship is to enhance the value of information and reduce the risk to
information within the context of the business value. In other words, Information
Protection is only relevant in the context of the broader value of information.
Maximizing information protection must always be balanced against
maximizing the business value of information. The business value of information
is derived from the processing, transformation, sharing and dissemination of
information – the very activities that create risk! It is crucial to look at
information protection as one axis in a broader picture of investment and
innovation decisions: you cannot focus only on maximizing information
protection (maximizing security). After all, the best way to maximize the
protection of information is to lock it up and throw away the key – which of
course means that the information is then no longer available to the business.
Being a good steward of the information requires using security to enable
business functions while minimizing their risk as far as necessary.
Read this Issue Paper:
Clients: Not an End in Itself: Information Protection and Return on Risk
Non clients: Nemertes Issue Papers are available to clients only. If you're not a
client and would like to receive a copy of the Issue Paper, please
contact us.
Nemertes Issue Paper: Information Risk Management in the Enterprise
The Issue:
Enterprise IT security is being pulled steadily towards a risk-based view of
the world. Companies need to understand their tolerance for risk, and embrace
technologies and practices that allow them to meet, but not exceed, that
tolerance. The disciplines of information stewardship provide a lens through
which the enterprise can focus its actions in information risk management. By
focusing on the discipline of information protection, it can choose where and how
to apply technologies, such as encryption, to maximize the return on risks of
information leak or theft. Focusing on data quality management can minimize
both the operational risks from inconsistent or incorrect data, and the legal risks
from lapses in compliance, inadvertent disclosure, or unintentional failure to
disclose information in court. Focusing on continuity mitigates risk from data
being unavailable due to natural disaster, systems break down, or attack.
Read this Issue Paper:
Nemertes Issue Paper: Virtualization Best Practices
The Issue:
Server virtualization is one of the most-discussed technologies of the past
few years. We find that although some organizations are already generating
substantial savings with virtualization in their production environments, the
majority of participants in Nemertes’ Security and Information Protection
benchmark research are not yet using virtual servers in production. They plan to,
however, looking for the increased resource utilization, broader platform
standardization, and deeper management automation that server virtualization
enables.
As virtual servers move into production, IT needs to address security and
compliance issues. Unfortunately, most participants in the benchmark, when
asked how they secure their virtual servers, say they treat them like physical
servers as much as possible! Sensibly, they use host-based security such as antivirus
and anti-malware agents. However, they also use network tools to protect
virtual servers exactly as if they were simply very thin, very densely stacked rackmount
boxes.
FAQ: Nemertes Issue Paper: Virtualization Risk Analysis
What kind of research is this?
Nemertes’ Issue Paper is a research deliverable that examines a specific technical or business problem that we have identified through our primary research.
Virtualization Risk Analysis
A risk analysis of large‐scaled and dynamic virtual server environments
By Andreas M Antonopoulos, Senior Vice President & Founding Partner
Executive Summary
As virtualization has gained acceptance in corporate data centers, security has gone from afterthought to serious concern. Much of the focus has been on the technologies of virtualization rather than the operational, organizational and economic context. This comprehensive risk analysis examines the areas of risk in deployments of virtualized infrastructures and provides recommendations
Nemertes Issue Paper: Next-Generation Unified Messaging
The Issue:
For some organizations, migration to unified messaging is a key
component of their voice over IP plans. Most VOIP vendors offer unified
messaging products as either an embedded capability within their VOIP
platforms, or as a stand-alone component of their product portfolios. But for an
increasing number of enterprises, voice messaging replacement has taken on a
new urgency, leading organizations to address voice messaging separately from
their VOIP plans.
A number of factors are converging to lead to a renewed interest in unified
messaging. These include obsolescence of many legacy voice mail systems, new
e-discovery and compliance rules requiring preservation and archiving of
voicemail messages, and the need for new features and capabilities to support the
virtual and distributed worker. Finally, enterprises are looking to reduce the cost
of managing complex disparate systems assembled by distributed purchasing or
acquisition of other businesses.
Read this issue paper: Next-Generation Unified Messaging
Nemertes Issue Paper: VOIP Security
The Issue:
When it comes to VOIP security, most IT leaders have worried more about threats to the underlying data network than about potential attacks against VOIP systems themselves. Many IT managers see their VOIP networks as closed systems, protected from the outside world by the PSTN (public switched telephone network). So long as there was no way to reach their IP-PBXs via the public Internet or other outside networks, there is little threat of attack or compromise that could lead to data loss or service disruption. And by and large their views have been reinforced by the lack of attacks against VOIP servers, phones, gateways, and management systems. Less than 2% of enterprises had experienced a security incident directly involving their VOIP systems, while 96% had no known attacks.
Read this Issue Paper:
Nemertes Issue Paper: Chief Risk Officer - Balancing Risk and Reward
The Issue:
New technologies offer the possibility of business-process transformation and great
rewards – but they have significant risks, too. The enterprise must approach the
decision to implement such a technology not as a question of whether it can be done
safely, but rather safely enough to justify the reward. Balancing the risk against the
reward is essential, but not likely in an environment where security is focused on
threats and responses, and the security function reports up through a CIO whose
main interest is in delivering business value. One way to resolve that conflict is to
elevate IT security out of IT and align it instead with corporate risk management,
changing the CSO into, in essence, a Chief Risk Officer.
Nemertes Issue Paper: Next-Generation Computing Strategies
The Issue:
The history of computing shows several major architectural changes, most
of which were quite clear and easy to discern (or is that just 20-20 hindsight?).
Today it seems a lot harder to discern what the next computing architecture will
be, but in fact the trends are all pointing in the same direction.
Looking back we see that mainframe computing was partially eclipsed by
client-server computing and then n-tier web architectures. Partially eclipsed,
because no part of computing history ever disappears. Any sufficiently large
computing organization is a bit like a museum: you will find different stages of
history preserved on the pragmatic basis of “if it isn’t broken, why fix it”.
Mainframes still abound, client-server is king and n-tier web is growing in leaps
and bounds. So what is the next-generation computing architecture?
Puzzlingly, if you look at the data center today, it almost seems like we are
trying to re-create the mainframe from distributed components - on-demand
computing, provisioning and orchestration, scheduling and coordination - all
these activities seem to be attempts to build a data-center-scale mainframe. But
at the same time, computing within the data center could not be more
distributed. Far from consolidating computing onto bigger and bigger CPUs, we
seem to be moving to plug-and-play blade servers.
Nemertes Issue Paper: ROI of IP Telephony Management
The Issue:
Unlike its TDM predecessor, IP telephony is not a closed-network, single-application environment using its own network resources. Rather, IP telephony is part of an overall unified-communications infrastructure, where multiple applications compete for finite network resources. As a result, IP telephony implementations require new monitoring and management tools and skills. But is the cost of these IP telephony management tools worth the benefit?
Nemertes Research has conducted an analysis evaluating the operational and capital costs of IP telephony, and has concluded that companies using IP telephony management tools demonstrate a compelling return on investment.
Nemertes Issue Paper: Managing the Virtual Workplace
The Issue:
Headquarters and data centers have received ample attention in the past
five years from the IT and networking staffs. With data-center consolidation
projects in place at most organizations, an entire reassessment of the core
infrastructure has taken place. (Please see Nemertes’ Next-Generation Data
Centers benchmark series for more information). As data-center consolidation
projects wind down, IT focus is shifting to branch offices. In many cases, voice
and data applications and even security functions are in data centers.
Now, IT needs to deliver these centralized services to a steadily increasing
number of branches so employees can access applications and data securely and
consistently. This growing virtual workplace puts ever greater demands on the
network and IT infrastructure to support collaborative applications in a
consistent, predictable, and reliable manner. IT staffs must evaluate the needs of
each branch location and respond with a consistent set of products and services
enterprise-wide. They also must evaluate management options to find those that
most effectively prevent problems from emerging and quickly resolve the
problems that do.
Nemertes Issue Paper: Virtual Insecurity
The Issue:
Implementing Mobility for your Business
The Issue:
Many organizations do not have centralized control when it comes to who is making the decisions to mobile-enable applications. According to Nemertes’ recent benchmark, Building the Successful Virtual Workplace, it’s a mixed bag: Groups make 47.4% of the decisions and a variety of individuals, from engineers to CEOs, make the remaining 52.6% of decisions. This kind of “collaborative purchasing” framework makes it difficult for enterprises to put in place a consistent process and set of standards for wireless procurement, because different groups/units often purchase against their own requirements, which may not match those of other groups. And without centralized control, in cases of conflicting requirements, which set of requirements wins?
Organizations must focus on putting a consistent framework in place, in order to move smoothly from planning to implementation. The entire enterprise must work together to assess the true current state, allowing the organization to leverage any mobility infrastructure it already has in place.
Nemertes Issue Paper: Empowering Branch & Virtual Workers
The Issue:
Nemertes Issue Paper: The Business Case for Collaboration
The Issue:
