Security in the year of the 'BUT'

IT watcher Jon Oltsik says businesses are finally changing the way they think about information security--and none too soon.

By Jon Oltsik

The way businesses think about information security is about to undergo a fundamental change.

We saw the trend take shape last year when security grew beyond being a low-level techno-geek concern to being an essential part of business strategy. Management started to get it and demanded new levels of risk assessment, protection and reporting from the nerds in IT.

This was not a smooth path. The language and cultural gaps between these two groups remained, but the abyss was filled more often than not by a chief risk officer whose thankless job included regulatory compliance, information security and business continuity.

In 2005, companies will take a more comprehensive business approach to security, making it the year of the "BUT." BUT is a typical tech-industry, three-letter acronym that stands for Back, Up and Together.

"B," or "Back," means that companies will focus on securing the unprotected internal assets behind the network perimeter that are vulnerable to sophisticated hackers and rogue employees. This is a big, ugly job, to say the least, as it means assessing and addressing risk on loads of internal stuff.

In 2005, we'll see companies taking advantage of security built into the internal network to prevent virus proliferation, to segment the network and to provide granular access control for employees and outsiders. Cisco Systems has some good ideas here, but Alcatel, Enterasys Networks and Hewlett-Packard are shipping products. They will also build Network Security Architectures anchored by tools from companies like Arbor Networks, eIQ Networks, Mazu Networks and Q1 Labs.

To protect corporate data and comply with regulations, we'll also see more attention paid to securing critical corporate information, whether it lives in laptops, databases or storage arrays.

"U," or "Up," is short for "up the technology stack," which is geek-speak for protecting critical applications themselves. The network can and should do a lot of the security heavy lifting, but bad guys are getting smarter about going around network security and attacking or exploiting applications. According to a recent ESG survey, 45 percent of users believe their systems are most vulnerable through e-mail (SMTP) traffic, 22 percent said Web (HTTP) traffic, and 8 percent named Web services traffic. To address these vulnerabilities, companies will build security strategies on an application-by-application basis in 2005.

Take e-mail, for example. Antivirus gateways from Symantec and Trend Micro are selling like hotcakes, and antispam solutions are picking up steam. Look for bundled solutions that include these functions plus antifraud, backup/restore and archiving features.

The "Up" trend also bodes well for other application security products such as HTTP vulnerability scanning and firewall tools, and XML/Web services gateways. Good news for start-ups like Kavado and DataPower. We'll also see more host and PC-based security software to lock out bad users and code.

Of course, application security also means doing a better job of writing code in the first place. There will be more internal focus on this in 2005 through developer training and quality assurance tools and testing.

Packaged applications will continue to get more scrutiny. We should see some visible instances where software vendors are either thrown out of major accounts or sued because of constant security issues. On the flip side, look for more software companies to try and use secure development processes and code quality as a differentiator.

The final "T" stands for "Together," which has two meanings. First off, it means integration. In 2005, there will be more aggregated hardware packages and security blade servers similar to those from Crossbeam Systems, and more integrated software packages from companies such as F-Secure, all of which should help ease operations and lower costs.

In addition, big vendors like Check Point Software Technologies and McAfee will continue to integrate their products to provide enterprise solutions. This togetherness will also light a fire under standards organizations like OASIS (Organization for the Advancement of Structured Information Standards) and the Trusted Computing Group (TCG) to help connect the chaotic security morass.

"Together" also means users should expect more bundled security products that address a particular business problem. Compliance is the big one here—anticipate product templates, end-to-end configurations, and services to help companies deal with the Gramm-Leach-Bliley Act, HIPAA (the Health Insurance Portability and Accountability Act) and Sarbanes-Oxley. Once again, this move favors big multiproduct companies, service providers and security integrators who can design and implement the whole enchilada.

Compliance will also be the "killer application" that finally accelerates the identity management market. The government says that you had better know who is accessing your systems, or there will be problems. Computer Associates bought Netegrity for this very reason. Expect a good year from RSA Security, Novell and the services arm of Unisys.

What do these trends mean for the security technology industry? Several things:

• Corporate security budgets will continue to rise, but the money will be spread over a wider area. Strategic point tools still have a chance, but companies will winnow down their list of vendors and the big will grow even bigger.

• Acquisition fever escalates. The big guys will look to fill in their product gaps, so start-ups will get acquired, or they will expire.

• Security services grow rapidly. Most companies just don't have the skills necessary to build or manage this type of next-generation security infrastructure, but CSC, IBM and VeriSign do. The stigma around outsourcing security will end.

• Security vendors start speaking in business terms rather than technical terms. Companies that can navigate through this transition will be best-positioned. In other words, business savvy, not just technical advantage, will win.

Hope you enjoyed the holidays and got some rest. You'll need all your energy to keep up with the pace of the information security industry in 2005.