Security
Nemertes Issue Paper: Defining the “U” in UTM: Unified, Ubiquitous or Useless?
The Issue:
The challenge today is that IT is accelerating, putting the CSO
between a rock and a hard place. On the one hand he or she must uphold
corporate policies and manage security and compliance. On the other
hand, the CSO cannot be seen as business prevention; security cannot be
the big red stop button on the IT assembly line. Simultaneous with IT
acceleration, an evolution is occurring in the security realm, defined
by unified threat management (UTM). Sitting at the confluence of
security and networking, UTM is evolving from a simple consolidation
value proposition to a ubiquitous solution that holds the potential to
provide the CSO with the tools to meet the corporate risk tolerance
while fully supporting the agility goals of the business.
Threat Management Must Evolve
From Nemertes’ conversations with IT executives, we know that
security can be both business enablement and business prevention. For
example, two-thirds of organizations that participated in Nemertes’
Security and Information Protection (Sec-IP) benchmark have avoided a
new technology because of security concerns. Our research also
indicates that CSOs are mostly successful in implementing security:
nearly 95% of participants in Security and Information Protection
(Sec-IP) consider their security efforts successful. (Please see Figure
1: Rating of Security Success, Page 2). Yet at the same time, nearly
35% of participants have had a security breach in the past year. This
tells us that security, and threat management in particular, still
leaves much room for improvement.
Nemertes Issue Paper: Security as a Process
The Issue:
IT security staff, faced with the challenge of securing the inevitable flux in
their infrastructure, are usually stuck in reactive mode. They react – to systems
upgrades, mergers, and acquisitions; to the re-centralization of most IT functions
into data centers and the consolidation of data centers; and to the spread of all
sizes and kinds of organizations over ever more space as a result of the
continuing 9 to 11% growth in the number of branch offices. Proactive security –
helping plan and execute security changes to enable adoption of new tools and
technologies – falls by the wayside.
IT security is set up to prevent and react to security problems, not to set
acceptable levels of risk. Significant increases in risk are traditionally viewed as
automatically “bad”. Given the difficulty of securing the complex interfaces
among different architectures, silos, and generations of technology, optional
changes and elective complexity are resisted if not simple to secure. How then
can IT security shift from a reactive to a proactive position?
One action security teams and IT are increasingly taking to reduce
risk and manage complexity is setting policies to guide ongoing operations. By
defining policy, one can lay out more secure operational modes for everyone and
make dealing with complex infrastructures less a matter of individual memory,
capacity, and preference, and more a matter of documented practice.
Nemertes Benchmark: Service-Oriented Architectures and Applications - Vendors and Technologies
Overview:
Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprises we interviewed already having deployed at least a pilot SOA, and a few having completed the journey.
The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure, as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers—software as a service (SaaS)—into an infrastructure, rather than that being a separate and disconnected island of functionality.
In this volume, we explore the technological and vendor landscape, including the major segments of the market for SOA wares and some vendors in each space. We also investigate the enterprise map of that same territory, including the vendors that participants see as important, even strategic; where participants plan to invest their dollars in the near term; and what they think about the vendors they work with now.
Nemertes Issue Paper: VOIP Security
The Issue:
When it comes to VOIP security, most IT leaders have worried more about threats to the underlying data network than about potential attacks against VOIP systems themselves. Many IT managers see their VOIP networks as closed systems, protected from the outside world by the PSTN (public switched telephone network). So long as there is no way to reach their IP-PBXs via the public Internet or other outside networks, they reason, there is little threat of attack or compromise that could lead to data loss or service disruption. And by and large their views have been reinforced by the lack of attacks against VOIP servers, phones, gateways, and management systems. Less than 2% of enterprises had experienced a security incident directly involving their VOIP systems, while 96% had no known attacks.
Nemertes Issue Paper: Chief Risk Officer - Balancing Risk and Reward
The Issue:
New technologies offer the possibility of business-process transformation and great
rewards – but they have significant risks, too. The enterprise must approach the
decision to implement such a technology not as a question of whether it can be done
safely, but rather safely enough to justify the reward. Balancing the risk against the
reward is essential, but not likely in an environment where security is focused on
threats and responses, and the security function reports up through a CIO whose
main interest is in delivering business value. One way to resolve that conflict is to
elevate IT security out of IT and align it instead with corporate risk management,
changing the CSO into, in essence, a Chief Risk Officer.
Nemertes Benchmark: Service-Oriented Architectures and Applications
Overview:
Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprise IT executives with whom we spoke already having deployed at least a pilot SOA, and a few having completed the journey.
The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers – software as a service – into an infrastructure, rather than that being a separate and disconnected island of functionality.
In the first volume of this benchmark, we explore the basic organizational
and operational characteristics of the move to SOA: Why organizations pursue it (or choose not to), how much they are spending and how it is paid for, how IT and the enterprise organize around it, and what benefits they are seeing from it.
Nemertes Issue Paper: Virtual Insecurity
The Issue:
Nemertes Benchmark: Security and Information Protection - Volumes 1-4
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary. In our upcoming volumes, we drill down into the specifics.
Nemertes Benchmark: Security and Information Protection
Overview:
It’s been a long time coming, but the indications are that security and information protection are finally within spitting distance of getting the mindshare they merit, based on the only metric that really matters: Cash on the barrelhead.
In volume 1 of our ground-breaking benchmark, "Security and Information Protection: Trends and Organizational Issues", we highlight the acceleration in spending on security and information protection, discuss critical drivers, and drill down into the organizational and operational impacts. Security budgets have grown another 20% since our last benchmark (in 2005), and indications are that double-digit growth will continue through 2008 and beyond. Moreover, that growth is increasingly shifting away from consultants and staff and toward products and services—good news for vendors and providers. Security organizations are evolving as well, with the most significant trend being the shift in focus from “chief security officer” to “chief risk mitigation officer,” mirroring the overall organizational shift in focus from security to risk mitigation. In line with this shift, security teams are picking up responsibility for areas they don’t historically support (such as business continuance and facilities) but which, if not well managed, can increase an organization’s risk. And security remains a great career path: along with this increased responsibility comes a welcome (and sustained) increase in salary.
What we are afraid of.
Submitted by John Burke on Fri, 2007-04-27 11:56.
Preliminary analysis of the data for Nemertes’ forthcoming Security and Information Protection benchmark shows that approximately 63% of participants want to deploy (or more broadly deploy) technologies that they felt they could not, for security reasons. Of those, half named wireless as the technology in question, and over a quarter named collaborative tools, especially IM.
Vendors offer compliance help but are not compliant themselves
Submitted by Andreas Antonopoulos on Fri, 2007-04-06 13:20.
Regulatory compliance offers security vendors a tremendous opportunity to hitch their sales pitch to something that has a dedicated budget. As a result we see many vendors touting compliance as a feature, even if all they do is provide a report that (possibly, maybe with a bit of massaging) can be used to document compliance.
But while vendors tout their ability to make you compliant they often forget to be compliant themselves! Many regulated industries require that companies use vendors who follow best practices and have proven compliance to certain regulations. A security architect participating in our Security and Information Protection research commented "Our internal requirements say that anybody who delivers services for us has a SAS 70, yet when we speak with a lot of vendors they do not understand what a SAS 70 is or why it is necessary. They don't have those docs or auditing functions in place. It makes it very difficult for us to purchase a product if they do not have those capabilities in place."
Network admission and endpoint control: waiting for standards
Submitted by Andreas Antonopoulos on Fri, 2007-03-23 10:59.
While enterprises are interested in the concept of endpoint control and admission, they are not committing budget just yet. IT executives are looking at both aspects of endpoint control: admission/access at L2/L3 and also policy verification and remediation (is the AV up to date, etc.).
Some companies are implementing "poor man's NAC" by using RADIUS or ACLs to restrict access to known hosts. Such solutions may provide some control but become quite unmanageable in large networks. Others are using their VPN clients to do some basic policy checks on endpoints.
But the vast majority are still waiting for Cisco, Microsoft and others to agree on standards and provide broadly interoperable and mature solutions.
Network World: Think Twice About New Security Gizmos
In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.
Suspecting that was because they were small companies, he dug deeper, but found they were some of the largest companies analyzed. He also discovered why they weren't concerned: they spent 6% to 8% of their IT budgets on security, twice what the average company spends.
New Data Center Strategies: The Botnets Are Coming!!
The data center is the new castle, and the botnet hordes are coming for it
New Data Center Strategies Newsletter, By Andreas M. Antonopoulos, Network World, 2/6/07
One of the main findings from Nemertes’ security research in 2005 and 2006 was that the security perimeter is eroding.
With all the connections to partners, suppliers and customers and all the mobile workers, it was almost impossible to define a clear perimeter outside the data center. So the data center has become the retrenched position for most security defenses. The data center has become like the castle keep: a central hardened tower, the most defended area and the location of the most prized possessions.
Nemertes Issue Paper: Securing Virtualized Infrastructure
The Issue: A New World to Secure
Data centers today are truly “new” from every perspective: facilities, storage, management, computing, and networking. Although data centers have existed as long as enterprise computing itself has, a confluence of economic, enterprise, and technological changes is driving a major metamorphosis in data center design and implementation. This, in turn, is determining how data center and security professionals approach the problem of securing the data center and the enterprise network from threats, internal and external.
Security: Risk and Reward: OpenID: User-centric Identity
Network World: Security, By Andreas M. Antonopoulos, Network World, 3/5/07
Looking at the development of different technologies in the last two decades, I am amazed at the vast difference between how a technology was first envisioned and how it ended up being implemented.
You start with a tightly coupled, hierarchical, centralized design by committee. Invariably, an august organization is chosen to run it: a phone company, the postal service, the government, a big vendor. Examples of this type of design are: X.25, X.500, X.400, PKI and Microsoft Passport (Windows Live ID). The design languishes for years while politics and control issues prevent its implementation. Then some organization, committee or coder takes the original design, strips it down and implements it as a more loosely coupled, decentralized, ad-hoc version. See IP, SMTP, DNS, Lightweight Directory Access Protocol, the Web and OpenID.
Security: Risk and Reward
Does it take 200 products to secure the enterprise?
Network World: Security, By Andreas M. Antonopoulos, Network World, 2/13/07
Visiting RSA '07 last week, I tried to embrace the fact that this security conference is no longer an insiders' gathering, and tried to put myself in the shoes of a newbie to figure out what I should pay attention to in a new security job. The first mistake I made as a newbie was to wear new shoes: ouch. The second was to try to take it all in. If you accept the premise that security should be holistic and not about silver bullets, then the RSA show floor was a big bucket of silver bullets. Hundreds of features disguising themselves as products, loudly touting the latest scare: “Did you know there are ogres lurking in this obscure part of your infrastructure? Anti-OGRE!” It was difficult to see what the big new theme for security is in 2007.
Nemertes Impact Analysis: Cisco's Reactivity Acquisition Highlights XML Security
By Andreas M. Antonopoulos, SVP and Founding Partner, Nemertes Research, Feb. 22, 2007
The announcement on Feb. 21 that Cisco Systems (NASDAQ:CSCO) plans to purchase privately-owned XML-appliance vendor, Reactivity, spotlights the increasing importance of XML as an application integration protocol and the need for application-level security and management tools in the network.
Reactivity makes appliances that accelerate the adoption of XML Web services and SOA software development by helping to deploy, control and manage XML application interfaces and data streams. The acquisition complements Cisco's Application-Oriented Networking offerings and strengthens its security portfolio.
Nemertes Impact Analysis: Cisco Open Sources NAC Client, Highlights Microsoft's Growing Security Maturity
By John E. Burke, Principal Research Analyst, February 15, 2007.
Cisco (NASDAQ:CSCO) this week announced that it would cease development on its desktop network access control (NAC) agent, called the Cisco Trust Agent (CTA), and spin it off as an open-source project. Cisco's decision highlights Microsoft's (NASDAQ:MSFT) growing maturity in providing core desktop security.
Cisco's action is an admission that Microsoft's Network Access Protection (NAP) agent can satisfy enterprise demands well enough that CTA is no longer a viable (profitable) offering. Fewer organizations will need CTA since Microsoft and Cisco agreed last September to have the NAP agent be Cisco's NAC agent for Vista and what follows, and since Microsoft boosted the features for XP's NAP agents, as well. By throwing the code open, Cisco gets out of the business of maintaining CTA for non-Windows systems and unsupported Windows versions, and can shift its attention elsewhere.
RSA Conference 2007: Is 200 Products Too Many?
Submitted by Andreas Antonopoulos on Wed, 2007-02-14 23:00.
Walking the show floor at RSA last week, I found the perfect metaphor for the state of enterprise security. With 200+ products on the floor, there’s still no holistic solution to the problem of end-to-end security. (I also found out that wearing new shoes to a trade show is not the best of ideas—my feet were aching before I got past the first couple dozen).
Even worse, most of the products didn't even, strictly speaking, qualify as "products"—more like “features”, because each one only tackles a single aspect of security. Tying them all together becomes a daunting task.
Consider what I, as an IT executive, would need to deploy in my enterprise to secure against all these threats:
Nemertes Research VP to Join Network World Editorial Team
PRESS RELEASE
February 6, 2007
FOR IMMEDIATE RELEASE
Nemertes Research VP to Join Network World Editorial Team
Andreas Antonopoulos to Share Security Expertise in Weekly Column
NEW YORK, NY -- February 6, 2007 – Nemertes Research, a leading research firm specializing in the business impact of emerging technology, announces that its security expert and sr. vice president, Andreas Antonopoulos, is the new security columnist for Network World.
“We are looking forward to Andreas taking over our security column and offering his industry insight and knowledge to our readers," said Michael Cooney, news editor for Network World. “Having him share his expertise with the readers of Network World is the latest milestone in the long-standing relationship between Nemertes Research and Network World.”
Nemertes Issue Paper: IP Address Management and Securing the IP Infrastructure
The Issue
IP-address management is a critical component in the operation of modern networks. Organizations need to implement secure, scalable and resilient IP-address management and DNS/DHCP infrastructures to meet current operational requirements as well as to support new initiatives such as RFID, VoIP, ENUM, and IPv6. A simple spreadsheet, homegrown solution or scattered DNS/DHCP islands will not provide the features and functionality needed to manage, plan and control the IP space in an organization. Enterprises and service providers must have a way to efficiently configure, automate, integrate and administer IP services across the entire IP network in a secure fashion.
Are banks limiting online integration with finance software because of new regulations?
Submitted by Andreas Antonopoulos on Fri, 2006-11-03 16:16.
Banks may be dropping support for online direct connections from Money and Quicken while scrambling to comply with new banking regulations. If you are a user of these software applications you may find that you lose features either temporarily or permanently.
In October of 2005 the FFIEC (a bank regulator) created a regulatory "guidance" that pushes banks towards stronger authentication. Authentication that is appropriate for the risk level is required for transactions involving large sums of money, transfers out of the account or other transactions which may be the target of hackers. That may mean two-factor or other approaches, but any changes must be made by the end of 2006 (see FAQ).
IBM Acquisition of ISS Highlights Criticality of Information Protection, Stewardship
By Johna Till Johnson, President; and John Burke, Principal Research Analyst, Nemertes Research Inc.
Aug. 25, 2006
IBM's (NYSE: IBM, http://www.ibm.com) recently announced intent to purchase ISS (Nasdaq: ISSX, http://www.iss.net) for $1.3 billion in cash highlights the increasingly high profile of information stewardship in general, and information protection in particular.
ISS dramatically augments IBM's existing information management and security capabilities, and IBM says the acquisition will enhance its managed security services and address the growing need for information protection.
IBM is right, but isn't being bold enough
VoIP Security: Theft of Service
By Andreas M. Antonopoulos, Senior Vice President & Founding Partner, Nemertes Research Inc.
June 16, 2006
The FBI arrested a man in Miami on Wednesday for allegedly hacking the networks of Internet telephone service providers to fraudulently sell more than 10 million minutes of calls. This highlights the increase in security threats against VOIP and, more specifically, the escalation from simple denial/loss of service threats to more serious theft of service attacks.
Converged networks lead to converged threats: VOIP is likely to suffer from both data attacks and voice attacks as data and voice are converged. As with any new technology there is a short “honeymoon” period during which attackers familiarize themselves with the new technology. In an article published in 2002, Nemertes predicted four stages of security threats emerging in voice technologies:
Anti-Malware Software Introducing Risks
By Andreas M. Antonopoulos, SVP, Nemertes Research Inc.
June 2, 2006
Two recent items in the news highlight an important trend in security: Companies are struggling more and more with patches.
Symantec Corp. (NASDAQ: SYMC, http://www.symantec.com/) just released a patch for its Norton AntiVirus 10.x product to fix a critical security vulnerability that could have led to attacks against thousands of companies running the corporate anti-virus suite.
Just two months ago, McAfee (NASDAQ:MFE http://www.mcafee.com/), suffered from a flawed signature which caused it to mis-identify documents and spreadsheets as malware.
Open Standards Enhance Security
Andreas Antonopoulos, Nemertes EVP & Founding Partner, discusses Open Standards and their impact in the endpoint security marketplace.