Security remained foremost on the minds of IT leadership in 2005, and with good reason. The year saw a Microsoft research
project discover the first so-called zero-day exploit; "identity theft," "phishing," and "spyware" became part of the popular
lexicon; and the need grew for companies to treat any computer joining the network as hostile until proved secure. It's no
wonder IT people at all levels sound paranoid.
Incredibly, the year passed without a crippling event of global reach -- although if one belongs to the glass-half-empty school,
that bit of good luck can be interpreted as having simply prompted people to become complacent. After all, 2005 was a year
in which some business, university, or government entity acknowledging that it had mishandled sensitive data seemed to be
a weekly occurrence.
Network access control continues to be a hot marketing point, although vendors are taking myriad approaches to the subject.
End-point security and device-based access controls appear to be the methods of choice, both for established vendors, including
Juniper and Symantec -- which bought Funk Software and Sygate, respectively -- and relative newcomers such as ConSentry Networks,
Elemental Security, and LockDown Networks. The ConSentry and Elemental solutions were the most promising we saw during the
year, but the competition should be heavy in 2006.
The appliance approach to security management built some steam this year as well, with firewall vendors now offering IPS features
and IPS
boxes behaving more like firewalls and routers. This method seems to appeal most in situations where network operations and
the security team overlap substantially; where a strict delineation between the groups exists and all-in-one boxes are often
considered a liability -- or at least an audit point -- instead of an asset. Even when they're described as "unified threat
management," some IT organizations still don't trust them.
But network management and security will continue to overlap in 2006; particularly given the jerry-built nature of many smaller
corporate networks. Consolidating threat management and network usage policy enforcement into one device makes sense for shops
that invested in a high-quality network infrastructure that adapts easily to the new requirements; those IT organizations
that built their networks on the cheap will be shut out of this brave new world.
Mind-set will remain one of the biggest problems to implementing a sensible security strategy: Most customers still make their
security purchases from a tactical perspective, in effect using Band-Aids where reconstructive surgery is more appropriate.
But that's all the budget can afford in too many cases.
Of course, all the gadgets in the world are pointless when basic security procedures aren't enforced or don't exist in the
first place. Look at what happened this year: Unwiped hard drives with bank records showed up on auction blocks and backup
tapes containing unencrypted personnel data went missing from the van transporting them. Moreover, the best place to look
for a sensitive password continues to be a Post-It note. In many ways, it's as if the last decade of "there but for the grace
of God go I" security breaches never happened. CTOs need to ask themselves: When the basics are so difficult, do all of the
gadgets become money down the drain?
E-mail
Printer Friendly Version
(InfoWorld) - I could probably fill up my column just reporting on who's buying whom -- or who's...
