Information Age: News, analysis & insight for IT & business leaders

 

The wide angle

25 February 2006  

The cost and complexity of IT security is forcing organisations to adopt a more sophisticated approach to protecting the corporate body.

Survey after survey confirms it. Security has become the single most important issue for IT and communications management, as companies struggle to deal with an ever-broader range of threats and the associated cost and complexity.

To meet these challenges organisations are trying to do less fire-fighting, to move away from 'point solutions' and 'quick fixes' towards a more proactive, co-ordinated, integrated and automated approach to security that encompasses infrastructure, employee awareness and business processes.

In the analogy-rich world of security, that prompts calls for the establishment of a 'network immune system', a set of technologies and strategies that can be employed to build a self-defence system for the networked infrastructure.

And there is good reason for such a goal. Systems and network security has historically evolved in an ad-hoc fashion, with different tools applied to different areas of exposure (viruses, authentication, denial of service, software patches, and so on). But not only is that insufficient, it is hurting the organisation - sometimes even causing as much damage as the potential threat it is designed to counteract.

"When discussing security technologies, the main thing organisations talk about is application count, the number of security technologies they have deployed," says Doug Card, channel manager for Check Point in the UK.

That is not the way to think of securing the enterprise. Security budgets may be growing at 6% to 8% but the security threats are growing at a far greater rate. "If you just keep throwing technologies at these problems you end up piling more and more resources - money and human effort - into trying to fix the specific problem and less and less into managing security," says Card.

The canonical example of this focus on point technology is anti-virus. Every time a new virus appears, organisations need an updated filter. However, if they could approach threats in a more general fashion, by putting rules around behaviour in place, then they could actually block a lot of threats even before they become apparent.

"That is the idea of a pre-emptive immune system," says Card. "Even with lots of technology in place, you still need to actually manage it and analyse it and generate reports. And that is certainly a huge problem for customers."

In the lifecycle of security threats the tasks are to analyse, design, deploy and monitor. But observers suggest that complete loop does not really exist today because so much emphasis is placed on designing and deploying, leaving very little effort available for monitoring systems and providing that feedback.

Closing the gap

The primary step for closing that loop is to consolidate security management, to bring it into as few points as possible and ultimately into a single management point. "I don't think it is quite there at the moment, but certainly the industry is getting pretty close to that," says Card.

According to Jane Goh, product manager for Check Point: "Today security is based on disparate point products: best of breed solutions which really don't integrate with each other. That often leads to inconsistent and ineffective policy management and lack of visibility of the entire security posture across the organisation; and also really increases their management overhead and complexity of management."

Despite this, the sheer proliferation of tools and the fragmentation of the industry still mean that organisations need a minimum of two or three management platforms from different vendors to handle their integrated security needs.

One of the drivers for consolidation of management is regulatory compliance. Organisations then have a central point from which they can generate reports for auditors, so they can prove firstly that they have implemented security policy in line with specific regulations and secondly that those policies are being enforced.

"That all comes down to security management," says Card. "Set policy, enforce it in technology solutions, and then prove you have enforced it and that it hasn't been breached. Centralised management gives you the ability to do that. I don't believe you can actually do that without centralised management."

The shift towards a smaller number of platforms is a natural consequence of industry consolidation, as the larger vendors acquire point product players and adapt their technologies to plug into the larger vendors' management platforms.

However, the speed with which new threats appear is equalled by the rise in new companies with products to address those threats.

Strategic thinking

Organisations should avoid thinking they can secure their infrastructures by plugging holes with such tools, when what they need is a strategy, says Alex Black, director of strategy at communications integrator, Affiniti. "Because a lot of the bolt-on products are being put in to cope with a tactical problem, people haven't sat back and asked themselves, 'What is my security strategy?'."

"Because people are under pressure, they don't necessarily look at the big picture. So we end up with a myriad of software in the company, all over the place, all unco-ordinated and, dare I say, almost unmanageable. Whereas what people need is a blueprint where everything ties together, where they know why they are doing it. What we need is agreement in the industry on management standards," says Black.

He sees it as a two-pronged attack. "The industry needs to be a lot clearer and accept management as a pre-requisite in everything companies develop. But also the customer needs to take a more strategic view of it," he adds.

Standards response

So if there is such a requirement for centralised security management, why has no set of standards emerged?

"The problem is that unless a de facto standard emerges, vendors are not going to agree. That might mean there needs to be a customer-led initiative akin to that of the open systems movement where customers said, 'You will support these standards or we won't buy your products'," says Black.

Although platforms from Check Point, Cisco and others have started down that road, there is still some way to go. And customers are beginning to add a push. "Their eyes always light up when you talk about centralised security management. It does ring a bell across quite a lot of sectors," says Card, "although the sense is 'it's about bloody time really'."

Given the vast amounts of money such customers are spending on security - some of it effectively, a lot of it not - their frustration is not unjustified.

"The next year or two will see a big crunch point," says Card, "where the pressure on security spending to rise in proportion to the threats will hit a ceiling. Companies are going to push back and say they just can't afford to have security budgets rising that quickly and that there has got to be a different approach to security. And that has got to be driven from the management aspect."

   
 

What the analysts say

"It is critical for enterprises to manage and receive security data from a suite of security products. The average enterprise customer is plagued with too many devices to manage, a corporate security policy that is difficult to enforce and monitor, and an inability to comprehend or respond to threats in real-time. An intelligent approach would be to fully integrate management into the core architecture."

Chris Christiansen
IDC

"Loss of end-to-end accountability for business transactions implemented in a multi-tier and multi-platform application architecture is a serious problem for enterprises coping with stringent audit and regulatory compliance demands. An architected and standards-based approach is needed to address this key audit and security issue for large enterprise customers."

Phil Schacter
Burton Group

 
 
   
