The Issue:

The challenge today is that IT is accelerating, putting the CSO
between a rock and a hard place. On the one hand he or she must uphold
corporate policies and manage security and compliance. On the other
hand, the CSO cannot be seen as business prevention; security cannot be
the big red stop button on the IT assembly line. Simultaneous with IT
acceleration, an evolution is occurring in the security realm, defined
by unified threat management (UTM). Sitting at the confluence of
security and networking, UTM is evolving from a simple consolidation
value proposition to a ubiquitous solution that holds the potential to
provide the CSO with the tools to meet the corporate risk tolerance
while fully supporting the agility goals of the business.

Threat Management Must Evolve

From Nemertes’ conversations with IT executives, we know that
security can be both business enablement and business prevention. For
example, two-thirds of organizations that participated in Nemertes’
Security and Information Protection (Sec-IP) benchmark have avoided a
new technology because of security concerns. Our research also
indicates that CSOs are mostly successful in implementing security:
nearly 95% of participants in Security and Information Protection
(Sec-IP) consider their security efforts successful. (Please see Figure
1: Rating of Security Success, Page 2). Yet at the same time, nearly
35% of participants have had a security breach in the past year. This
tells us that security, and threat management in particular, still
leaves much room for improvement.

Read this Issue Paper:

The Issue:

Network vendors have, for some years, been surveying the landscape,
looking for new worlds to conquer as supplying connectivity per se has become
more and more a commodity game. First they built core network‐related
functionality, such as IP‐address assignment and DNS service, into their gear
(although many, if not most, shops still use servers for these functions). Then
they offered security functionality, first filling in gaps that server and desktop
vendors left between their own security functionality; year by year offering more
and moving gradually to supplant or compete with server and desktop security
functions. They began to offer bandwidth optimization, followed some years
later by application acceleration, most recently incarnated as the specific
acceleration for file sharing known as WAFS (wide‐area file services). They
branched into voice and video over IP, and then into collaborative applications
with voice and video built in.

Now, Cisco specifically is moving further “up the stack” and into the
realm of enterprise messaging, specifically into the business of managing XML
message traffic among nodes – not just speeding up XML traffic (which many
vendors do) through compression and the like, but actually taking on the
message routing and transformation functions of traditional messaging
middleware. Others network vendors may follow Cisco’s lead, as they often
have in the past – and some non‐network companies, like IBM and Intel, have
ventured into the converged space via acquisition of messaging appliance
companies (DataPower and Sarvega, respectively). But how should network
vendors approach this market, now that they are competing against major
software vendors and outside the traditional network space?

Clients: Read this issue Paper

Non Clients: Nemertes Issue Papers are available to clients only.
If you're not a client and would like to receive a copy of the Issue Paper, please contact us.

Tuesday, July 8, 2008, 2:00 PM - 3:00 PM EDT

Overview:

More companies are discovering the cost and productivity benefits of
using advanced communication services, such as MPLS, Ethernet and SIP
trunking, which let them combine voice, data, video, imaging and enterprise
applications on the same network. They also see the value in using hosted
services, including hosted audio, video and Web conferencing, as well as hosted
VOIP, contact centers and data centers.

By implementing these advanced services, IT teams not only enable their
business to communicate more effectively, they provide the means to better serve
customers, boost sales and improve employee productivity.

These capabilities are extending over wireless networks, making it easier
not only to serve the remote workers in fixed branch locations, but also those who
are truly mobile. As this unified-communications environment expands to
include other communications modalities, IT decision-makers must understand
the implications for IT planning and investment.

Often, organizations will restructure or consolidate their IT departments
to more effectively manage and monitor voice and data networks. A majority of
organizations have dedicated a “communications group” within IT focused on
providing these services.

Tuesday, June 10, 2008 - 2:00 PM - 3:00 PM EDT

Virtualization Security 101: Virtual Insecurity = Real Problems

As organizations deploy virtualization (server, desktop, application, network and storage) the security arms-race is moving from the physical world to the virtual world. Unfortunately, most enterprises are securing their virtualized systems just as they do their physical servers and desktops. This is a reasonable first step, especially if they rely heavily on host-based measures. However, to exploit virtualization to its fullest - enabling IT agility - enterprise security teams will have to embrace security tools that can fully cope with servers or desktops that talk to each other in a virtual network, and that may move from place to place, or appear or disappear in an instant.

Based on Nemertes Research groundbreaking Virtualization Security Market Analysis, this webinar defines the components of a virtual infrastructure, the key attack vectors and the best practices and solutions available to defend against these attacks.

Nemertes Impact Analysis

Expert Insight On How Recent News Affects You

Sign up to receive the Nemertes Impact Analysis or register for access to free web site content.

Safe Flying in The Cloud: Google and Yahoo Add Security

In a cluster of cloud-based security announcements, both Google (NASDAQ:GOOG)
and Yahoo (NASDAQ:YHOO) enhanced their offerings: Google via its Postini
Software division and Yahoo via a partnership with McAfee (NYSE:MFE). Both
announcements affect consumer and enterprise users, though Google's primary goal
is the enterprise. These announcements underscore Nemertes Research's finding in
Nemertes' benchmark, Security and Information Protection, that 67 percent
of participants have avoided using a new service based on security concerns.

Impacts:

Overview:

Advanced Communications Services have become increasingly relevant to
businesses in large part because of the proliferation of branch offices, remote
workers, and the need for access to centrally provided data and applications.
These services, including Multi-Protocol Label Switching (MPLS), Ethernet,
Internet access, peering, hosted connectivity and mobile offerings, are becoming
even more critical because the way we work is changing dramatically.

The majority of companies now:

• Rely on MPLS VPN services for site-to-site connectivity.
• Are increasingly using Ethernet as part of their WAN strategies, eitherfor access to MPLS-VPNs,
  or to supplement (or even replace MPLSVPN services) with Layer-2 services.
• Are running multiple traffic types including voice, video, and/or data, across their WANs.
• Are increasing demands for bandwidth, both to the branch as well as to the Internet.
• Are deploying SIP trunking to reduce PSTN access costs while increasing call routing flexibility.

Consequently, understanding trends in service availability, features and
pricing around MPLS, Ethernet, Internet and SIP services is vital. IT have
aggressively leveraged these new service options to reduce operating costs, or
reduce per-bit cost of bandwidth enabling their organizations to meet everincreasing
demands for bandwidth with little or no increase in monthly operating
costs.

The limiting factor for many services continues to be availability as larger
providers are often slow to ramp up Ethernet or SIP-trunking service offerings, or
they must overcome challenges related to integrating past acquisitions. This has
led enterprise IT architects to leverage service offerings from emerging providers
as an alternative to their established service providers.

In the never-ending quest to stay ahead of industry trends, IT executives
are investigating hosted peering options to increase Internet resiliency. Finally, a
small number of organizations are investigating IPv6 to provide new
functionality or to meet growing governmental requirements.

The Issue:

IIT security staff, faced with the challenge of securing the inevitable flux in
their infrastructure, are usually stuck in reactive mode. They react – to systems
upgrades, mergers, and acquisitions; to the re-centralization of most IT function
into data centers and the consolidation of data centers; and to the spread of all
sizes and kinds of organizations over ever more space as a result of the
continuing 9 to 11% growth in the number of branch offices. Proactive security –
helping plan and execute security changes to enable adoption of new tools and
technologies – falls by the wayside.

IT security is set up to prevent and react to security problems, not to set
acceptable levels of risk. Significant increases in risk are traditionally viewed as
automatically “bad”. Given the difficulty of securing the complex interfaces
among different architectures, silos, and generations of technology, optional
changes and elective complexity are resisted if not simple to secure. How then
can IT security shift from a reactive to a proactive position?

One action security teams and IT are increasingly performing to reduce
risk and manage complexity is set policies to guide ongoing operations. By
defining policy, one can lay out more secure operational modes for everyone and
make dealing with complex infrastructures less a matter of individual memory,
capacity, and preference, and more a matter of documented practice.

Overview:

IT spending is generally up for 2008 and 2009 in terms of overall dollars
devoted to this area. But a growing number of organizations are decreasing their
IT spends or anticipating flat budgets moving into next year.

At the same time, communications budgets are not seeing hard times, with
many companies expecting increases in these budgets. This means that moving
into 2009, a greater percentage of IT spending will go toward communications
services costs.

This volume examines general trends in IT and communications spending.
Additionally, we review how different sizes of companies and different vertical
markets plan to spend their IT and communications dollars.

As the U.S. economy slows, it is key for companies to optimize every dollar
spent both in IT overall and within communications. Given the communications
budget is becoming a larger part of the overall IT budget, it’s imperative to stretch
a nickel into a dime. For example, managed services are one way companies can
leverage their communications spends because those services can help offload the
IT and network staffs.

In order to get the biggest bang for the buck, companies must devote time
and resources to effective carrier contract negotiations and procurement. In this
volume, we provide detailed recommendations on how to get the best deal from
the carriers. We also analyze what companies are doing today and where they fall
short.

Overview:

Advanced Communications Services have become increasingly relevant
to businesses in large part because of the proliferation of branch
offices, remote workers, and the need for access to centrally provided
data and applications. These services, including Multi-Protocol Label
Switching (MPLS), Ethernet, Internet access, peering, hosted
connectivity and mobile offerings, are becoming even more critical
because the way we work is changing dramatically.

The majority of companies now:

• Centralize their applications and data in primary and backup data centers;
• Open new branch locations, with an average growth rate of about 12% a year;
• Expand the percentage of employees who telecommute full- or part-time;
• Implement new collaborative applications to improve productivity, customer service, and remote management of staff.

Nemertes Impact Analysis

Expert Insight On How Recent News Affects You

Sign up to receive the Nemertes Impact Analysis or register for access to free web site content.

Everyone into the Pool! Storage Virtualization Reaches for
the Desktop

Server and storage virtualization increase utilization and decrease space and
energy footprints by aggregating IT assets into resource pools. Start-up Kapsean
is looking to extend the resource pooling to include desktop computers' disks.

Nemertes' benchmark, New Data Center, found that the majority of
participants already use at least one storage virtualization technology -
chiefly backup to disk. As desktop storage is well suited to this application,
Kapsean's offering may meet with a warm reception if pitched and priced
properly.

Impacts:

The Issue:

Major tectonic shifts in the way enterprises work with and provision their
core applications are forcing changes in the way the enterprise has to think about
securing them.

One shift is the continuing opening of the enterprise, with the gradual
federation and interpenetration of IT systems between an enterprise and its
partners, customers, and suppliers. The figurative walls of the data center are
being filled with doors, windows, and access ducts, and now serve more as a
framework for structuring the flow of information than as a barrier to it.
Another shift is the rise of service-oriented architectures (SOAs).

Enterprises are looking to SOA to provide an integration method for their
applications, a development methodology and framework, and an overall
architecture and philosophy for deploying new functionality. As enterprise
applications gain services interfaces, and sometimes are actually atomized and
turned into constellations of loosely-coupled services, each service creates on the
network a new set of access points; perhaps tens or hundreds of times as many as
there were before. Things that used to happen within an application, on a single
server, become network traffic among servers and even among data centers.
Some formerly internal functions even become invocations across the Internet of
software-as-a-service (SaaS) packages, or services in partner or supplier data
centers. Moreover, components in a SOA can scale independently of each other:
new instances of an application running on a Java application server might be
created to handle peak loads, and then destroyed as the load subsides.

Read this Issue Paper:

Clients:New Suit of Armor: Securing the Data Center

The Issue:

The very essence of “work” is changing. All across the world, but even
more so in the U.S., society is changing the definitions of “work” and “office”. As
communications and connectivity become more powerful and ever more widely
available, work has become less and less a place and more an activity which takes
place anywhere. In the last 4 years Nemertes Research has tracked the number of
employees working away from their company headquarters. That number has
gradually trended up, exceeding 90% in 2006. Today, branch office and mobile
workers dominate, and knowledge workers are increasingly mobile, operating out
of home offices, hotel rooms, airport lounges, coffee shops and taxis. As their
work habits have changed through enabling communications technologies, they
have in turn pushed adoption of those technologies by their companies: laptops,
wireless Ethernet, smart phones, and web applications.

Large companies have gradually shifted more and more of their critical
applications to the web. Through a web browser, the same application can be
delivered to a desktop, a laptop, a phone, regardless of location, operating system
or (mostly) browser. This “webification” of applications has become a catalyst for
further mobility and fluidity of the workforce.

Read this Issue Paper:

Clients - The Center is Everywhere

Non clients: Nemertes Issue Papers are available to clients only. If you're not a
client and would like to receive a copy of the Issue Paper, please
contact us.

The Issue:

As the role of the CSO shifts from technical security expert to risk
mediator, manager and advisor, compliance is rapidly becoming the domain of
the CSO. In this role, the CSO is faced with the continual tug-of-war in the
corporation between legal, business and IT. To make matters worse, the CSO –
as Chief Risk Officer – is put in the position of keeping the company out of
trouble, without having any control over the direction or the company, or the
actions of IT, business and legal. The only way that the CSO can affect risk and
manage risk is through implementation of a strong compliance management
process. Compliance management is the heart of governance and risk
management and as such, it’s the main tool in the CSO tool box.

Compliance is a complex issue and it requires a unique combination of
technical, legal, business and management skills. Compliance itself requires
solving the equivalent of a multi-variable equation: regulations, control
frameworks and change. To achieve continuous compliance management, CSOs
must implement tools and processes that automate and streamline the
compliance management process. The first step is implementation of logging,
eventually culminating in the establishment of a continuous compliance
management solution that not only reports on what has happened, but
implements triggers, monitors and controls to prevent what is going to happen.

Read this Issue Paper:

The Issue:

Information protection is one of the core disciplines of Information
Stewardship, alongside business continuity, information lifecycle management,
data quality management, and compliance. The purpose of Information
Stewardship is to enhance the value of information and reduce the risk to
information within the context of the business value. In other words, Information
Protection is only relevant in the context of the broader value of information.

Maximizing information protection must always be balanced against
maximizing the business value of information. The business value of information
is derived from the processing, transformation, sharing and dissemination of
information – the very activities that create risk! It is crucial to look at
information protection as one axis in a broader picture of investment and
innovation decisions: you cannot focus only on maximizing information
protection (maximizing security). After all, the best way to maximize the
protection of information is to lock it up and throw away the key – which of
course means that the information is then no longer available to the business.
Being a good steward of the information requires using security to enable
business functions but to minimize the risk of them as far as necessary.

Read this Issue Paper:

Clients: Not an End in Itself: Information Protection and Return on Risk

Non clients: Nemertes Issue Papers are available to clients only. If you're not a
client and would like to receive a copy of the Issue Paper, please
contact us.

The Issue:

Enterprise IT security is being pulled steadily towards a risk-based view of
the world. Companies need to understand their tolerance for risk, and embrace
technologies and practices that allow them to meet, but not exceed, that
tolerance. The disciplines of information stewardship provide a lens through
which the enterprise can focus its actions in information risk management. By
focusing on the discipline of information protection, it can choose where and how
to apply technologies, such as encryption, to maximize the return on risks of
information leak or theft. Focusing on data quality management can minimize
both the operational risks from inconsistent or incorrect data, and the legal risks
from lapses in compliance, inadvertent disclosure, or unintentional failure to
disclose information in court. Focusing on continuity mitigates risk from data
being unavailable due to natural disaster, systems break down, or attack.

Read this Issue Paper:

Overview:

Advanced communications services encompass managed and hosted
services providing network connectivity between sites and to the
Internet. Connectivity options typically include MPLS, Ethernet, and/or
fixed/mobile wireless. Additional advanced communications services
include hosted applications such SIP trunking, and voice/video/Web
conferencing. Taken together, these services provide the backbone that
enables businesses to communicate, on a basic level. But they also
provide the means to serve customers, boost sales, and improve employee
productivity.

Providers differentiate their offerings based on price,
availability, speed, reliability, manageability, and functionality.
Advanced services harness new technologies, including third-generation
wireless and advanced internetworking protocols, and required features,
including quality of service and quick response time. And, they
facilitate a collaborative work environment, regardless of location or
communications device being used. This market is rapidly changing as
standards evolve and as businesses adopt new collaborative
technologies.

Clients - Read this Market Analysis: Internet Services

Nemertes Market Analyses are available to clients only. If you're not a
client and would like to receive a copy of this Market Analysis please
contact us.

Overview:

Advanced communications services encompass managed and hosted
services providing network connectivity between sites and to the
Internet. Connectivity options typically include MPLS, Ethernet, and/or
fixed/mobile wireless. Additional advanced communications services
include hosted applications such SIP trunking, and voice/video/Web
conferencing. Taken together, these services provide the backbone that
enables businesses to communicate, on a basic level. But they also
provide the means to serve customers, boost sales, and improve employee
productivity.

Providers differentiate their offerings based on price,
availability, speed, reliability, manageability, and functionality.
Advanced services harness new technologies, including third-generation
wireless and advanced internetworking protocols, and required features,
including quality of service and quick response time. And, they
facilitate a collaborative work environment, regardless of location or
communications device being used. This market is rapidly changing as
standards evolve and as businesses adopt new collaborative
technologies.

Clients - Read this Market Analysis: Peering Services

Nemertes Market Analyses are available to clients only. If you're not a
client and would like to receive a copy of this Market Analysis please
contact us.