January 02, 2006

Threat landscape and lapses justify security paranoia

Gadgets abounded in 2005; common sense remained AWOL for some

Security remained foremost on the minds of IT leadership in 2005, and with good reason. The year saw a Microsoft research project discover the first so-called zero-day exploit; "identity theft," "phishing," and "spyware" became part of the popular lexicon; and the need grew for companies to treat any computer joining the network as hostile until proved secure. It's no wonder IT people at all levels sound paranoid.

Incredibly, the year passed without a crippling event of global reach -- although if one belongs to the glass-half-empty school, that bit of good luck can be interpreted as having simply prompted people to become complacent. After all, 2005 was a year in which some business, university, or government entity acknowledging that it had mishandled sensitive data seemed to be a weekly occurrence.

Network access control continues to be a hot marketing point, although vendors are taking myriad approaches to the subject. End-point security and device-based access controls appear to be the methods of choice, both for established vendors, including Juniper and Symantec -- which bought Funk Software and Sygate, respectively -- and relative newcomers such as ConSentry Networks, Elemental Security, and LockDown Networks. The ConSentry and Elemental solutions were the most promising we saw during the year, but the competition should be heavy in 2006.

The appliance approach to security management built some steam this year as well, with firewall vendors now offering IPS features and IPS boxes behaving more like firewalls and routers. This method seems to appeal most in situations where network operations and the security team overlap substantially; where a strict delineation between the groups exists, all-in-one boxes are often considered a liability -- or at least an audit point -- instead of an asset. Even when they're described as "unified threat management," some IT organizations still don't trust them.

But network management and security will continue to overlap in 2006, particularly given the jerry-built nature of many smaller corporate networks. Consolidating threat management and network usage policy enforcement into one device makes sense for shops that invested in a high-quality network infrastructure that adapts easily to the new requirements; those IT organizations that built their networks on the cheap will be shut out of this brave new world.

Mind-set will remain one of the biggest obstacles to implementing a sensible security strategy: Most customers still make their security purchases from a tactical perspective, in effect using Band-Aids where reconstructive surgery is more appropriate. But that's all the budget can afford in too many cases.

Of course, all the gadgets in the world are pointless when basic security procedures aren't enforced or don't exist in the first place. Look at what happened this year: Unwiped hard drives with bank records showed up on auction blocks and backup tapes containing unencrypted personnel data went missing from the van transporting them. Moreover, the best place to look for a sensitive password continues to be a Post-It note. In many ways, it's as if the last decade of "there but for the grace of God go I" security breaches never happened. CTOs need to ask themselves: When the basics are so difficult, do all of the gadgets become money down the drain?

©1994-2009 Infoworld, Inc.