The shifting security landscape

Graham Titterington, Principal Analyst at Ovum, dissects the latest trends in IT security.


“It is not surprising that the need to satisfy external regulators, to adopt new technology without incurring undue risk, and to stand up to more ferocious attacks is driving the security industry to offer new types of products”
-Graham Titterington, Ovum

IT security remains a hot topic for businesses and IT professionals. It has consistently been close to the top of the league table of IT managers’ concerns and it is evolving at a rapid rate. The IT security industry is developing new types of products and services in response to new business requirements and the deteriorating threat scenario, while changing how it delivers them. We will look at these factors in turn.

Business requirements
The loudest call from business to the industry has been for help in meeting the myriad range of legal, regulatory and compliance demands it faces. These require a business to secure its information, and to be able to show that its information is secure. The Payment Card Industry (PCI) standard has had a particularly large impact because it affects every organisation that handles payment cards (that is, virtually every organisation), whereas other regulations had been more limited in their scope.

The walls around a business are coming down. More business is being done over the Internet, as opposed to simply using it to communicate and supply information. Internet-facing processes are performing automated transactions without human involvement. Employees are spending more time working outside company premises. Telephone calls often go over the Internet and mingle with data traffic. Web 2.0 technologies are making it possible for outsiders to work with corporate data systems in a more interactive way, and to push data into these systems. The challenges of Web 2.0 are still not fully understood. Businesses are also becoming more concerned about the damage that can be done to their commercial operations and reputations through data leakage, or indeed by any visible security failure. These risks are increased by the poor economic climate, in which cutbacks can disrupt operations and lead to demoralised or disaffected staff.

A hostile world
The world, which is here represented by the internet, is a hostile place. Hacking has been transformed from a kind of sporting contest into a mainstream criminal activity driven by financial gain. The cyber criminal world is large and highly organised. There is really no such thing as cyber crime, but rather the criminals have found new ways to perpetrate lots of old world crimes on a larger scale. Law enforcement is hampered by the technical complexity of detection, the speed at which the criminals can change their strategy, and the international nature of much of the activity. Attacks are growing exponentially in both volume and sophistication.

The defence
It is not surprising that the need to satisfy external regulators, to adopt new technology without incurring undue risk, and to stand up to more ferocious attacks is driving the security industry to offer new types of products. The days when security could be equated to a firewall and an anti-virus product are sadly long gone.

The “hot” areas where interest is growing most rapidly are:

  • Data leakage protection: Technology that detects, blocks or controls sensitive information that is moving around or leaving corporate networks. While most data leakage incidents are caused by mistakes rather than malicious intent, the consequences are often similar.
  • Application protection: The opening up of IT systems to external use is causing the focus of protection to shift from the network to applications, data and servers. Application protection is being enhanced both by placing greater attention on developing applications that are inherently secure, and by using an “application firewall” to filter communications going in and out of the application. SQL Injection attacks through database applications to steal corporate data are still one of the hackers’ favourite weapons. Applications can be made more secure by improved development processes such as those that have been published by leading ISVs, by using code analysis tools to check for bad coding practices, and by adding security testing to the pre-delivery QA procedures.
  • Protecting mobile devices that have been lost, including laptops: Two complementary approaches are enhanced access control and encrypting data that is stored locally on the device – and indeed on removable media.
  • Security audit and “penetration testing” services: The service provider tests its client’s defences by simulated attacks. Both kinds of service are required by the PCI standard and are therefore a growing area of activity.
  • Activity audit and log analysis: You cannot eliminate all security breaches, but you can detect them when they occur. Computer systems produce log files containing millions of events each day. Automated tools can sift and correlate these and show what has happened at a meaningful level, as well as raising alerts in real-time. These tools are enjoying increased use, both as a specific requirement of some compliance regimes and as the ultimate check on information security.
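The application protection item above names SQL injection and code analysis tools. As an added example written for this page (not code from the article, from Ovum or from any vendor it mentions), the block below places a string-built lookup next to its parameterised form against a constructed in-memory SQLite table, and then runs a small AST-based check of the kind a code analysis tool performs, flagging `execute()` calls whose query text is assembled from an f-string or `+`/`%` concatenation. The table contents, the `find_customer_*` functions and the `SNIPPET` being analysed are all constructed for the example.

```python
import ast
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for a corporate database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.com"),
         ("Bob Jones", "bob@example.com"),
         ("Carol White", "carol@example.com")],
    )
    return conn


def find_customer_vulnerable(conn, name: str) -> list:
    """VULNERABLE: the caller's input is spliced into the SQL text, so a quote
    in the input changes the structure of the query rather than the data."""
    return conn.execute(
        f"SELECT name, email FROM customers WHERE name = '{name}'"
    ).fetchall()


def find_customer_safe(conn, name: str) -> list:
    """HARDENED: a bound parameter is passed to the driver as data and can never
    become part of the SQL statement."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def find_string_built_queries(source: str) -> list:
    """Toy code-analysis rule: line numbers of .execute() calls whose first
    argument is an f-string or a '+' / '%' expression instead of a literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.JoinedStr) or (
                    isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod))):
                hits.append(node.lineno)
    return hits


# Constructed source fragment for the analysis rule: the first lookup builds
# its query with an f-string (line 2), the second uses a placeholder (line 5).
SNIPPET = '''\
def lookup(conn, name):
    return conn.execute(f"SELECT * FROM customers WHERE name = '{name}'")

def lookup_ok(conn, name):
    return conn.execute("SELECT * FROM customers WHERE name = ?", (name,))
'''


if __name__ == "__main__":
    conn = build_demo_db()
    hostile = "' OR '1'='1"
    print("vulnerable:", find_customer_vulnerable(conn, hostile))   # every row
    print("safe:      ", find_customer_safe(conn, hostile))         # []
    print("safe, real:", find_customer_safe(conn, "Alice Smith"))
    print("string-built queries at lines:", find_string_built_queries(SNIPPET))
```

The hardened version needs no input filtering to be correct, because the driver never interprets the parameter as SQL; an application firewall that pattern-matches requests is a second layer, not a substitute. The AST rule is deliberately narrow (it misses a query assembled into a variable before the call), which is exactly why commercial analysers track data flow rather than single expressions.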
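The activity audit and log analysis item above describes tools that sift and correlate millions of events and raise alerts in real time. As an added example for this page (not code from the article or from any product), the block below implements the core of one such correlation rule over constructed sshd-style authentication lines: it counts failed logins per source address within a sliding time window, raises a brute-force alert when a threshold is crossed, and then raises a higher-severity alert if the same address later succeeds. The log lines, hostnames, timestamps, RFC 5737 documentation addresses, and the alert field names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth events. One address fails repeatedly and then
# gets in; a second address has one ordinary failed-then-successful login.
SAMPLE_LOG = """\
2009-06-01T09:59:40 web01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
2009-06-01T10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
2009-06-01T10:00:08 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51240 ssh2
2009-06-01T10:00:15 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.45 port 51244 ssh2
2009-06-01T10:00:20 web01 sshd[2216]: Failed password for alice from 198.51.100.7 port 40022 ssh2
2009-06-01T10:00:22 web01 sshd[2217]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2
2009-06-01T10:00:29 web01 sshd[2219]: Failed password for backup from 203.0.113.45 port 51255 ssh2
2009-06-01T10:00:33 web01 sshd[2220]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
2009-06-01T10:00:36 web01 sshd[2222]: Failed password for backup from 203.0.113.45 port 51260 ssh2
2009-06-01T10:01:02 web01 sshd[2224]: Accepted password for backup from 203.0.113.45 port 51266 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_event(line: str):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window brute-force rule with a follow-on 'success after
    brute force' rule. Processes events in order, as a real-time engine would."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()                 # ips already alerted as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ts)
            # drop failures that have aged out of the window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "count": len(window), "at": ts.isoformat()})
        elif ip in flagged:
            # an accepted login from a source we already flagged is the
            # event that matters most to an incident responder
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.7 never reaches the threshold, so the user's later success is treated as normal; only the address that crossed the threshold produces alerts. The window and threshold are the tuning knobs that determine how noisy this rule is in a given environment, and the second rule is the reason to keep state after the first alert fires rather than just counting.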

Delivering information security
The evolution of the supply side of the industry is as rapid as its products. Maturity is bringing commoditisation to the more established product areas such as network protection and anti-malware. An extreme example of this is Microsoft’s intention to make some of its anti-malware products free. The vendors are consolidating, and we expect to see acceleration in this process in response to the economic downturn.

Security is moving out of its silo, and over the last few years we have seen the big IT vendors buying companies to increase their range of security offerings. This is largely the result of realising that security depends on good management practices in the wider sense, and it is therefore sensible to integrate security planning into IT management. This view is consistent with leading management frameworks such as ITIL and COBIT. Finally, we are seeing a trend to deliver security as a service rather than by selling software products or hardware appliances. Remotely managed services are provided by the security vendors, but will increasingly be delivered by ISPs and telcos. They provide pools of expertise and economies of scale, although at the low end of the scale this comes at the expense of flexibility.

The future
Economic crises always increase the rate of change, as we shall see in the security sector. However, in a hostile world the demand for security can only increase, and we will continue to see rapid innovation from a shrinking supplier base.

This article first appeared in Business Management magazine, European edition, in June 2009: www.bme.eu.com/article/Issue-11/IT-Security/The-shifting-security-landscape/.


