Web services and compliance requirements are also driving the need for end-to-end enterprise identity solutions and federated identity standards that allow different organizations to set up trust relationships with one another. Identity management’s centralized auditing function, in particular, is becoming an important compliance tool.
Traditional desktop and network management solutions have increasingly taken on patch management and other security functions. Their hardware and software inventory capabilities have also become essential components of a viable security strategy, as PC-based technologies and Web servers have been incorporated into a variety of devices.
“My wife worked for a company that sold oscilloscopes running Windows 2000,” SANS’ Ullrich says. “Did you patch your oscilloscope today?” Switch vendors such as Cisco are working security into their mainstream network hardware. “Each port in your Cisco switch is a perimeter that you can shut down when a security event happens,” Ullrich says.
Finally, companies are working security into the development and implementation process much earlier. “Outside code review and vulnerability and penetration testing have become more widespread,” Ullrich says. Caralli agrees: “It’s much better to head off the security threat much earlier in the process, before you inherit it in the operations phase.” The result is that security is on its way to being part of everything else. “In the work we’re doing, we’re really trying to lose the term ‘security,’ ” Ullrich says.