Although compliance and ID theft will remain challenges for security professionals this year, at least three top executives say that still other troubles will pester the corporate world online. Some of these, however, still have close ties to regulation and theft of personal data.
"One of the more significant issues associated with these areas is data protection. The fact that more and more devices are now connected to the global network makes it increasingly difficult to understand where a given network perimeter begins and ends," says John Chambers, president and CEO with Cisco. "This problem is amplified by the growing number of connected mobile devices with personal and company confidential data."
And the plight of enterprises only grows worse since so many companies and government agencies rely on the internet to conduct business, he adds.
Endpoint compliance is another area to watch, says Gary Bloom, vice chairman and president of Symantec.
"Regulatory requirements put increasing demands on companies to protect personal information, ensure data integrity, check internal controls, and safeguard network reliability. Endpoint compliance is critical to demonstrate information control, due diligence, and to promptly identify and rectify a breach," he explains.
The conundrum is that while open networks give companies more flexibility in conducting business with customers and partners, it also gives online criminals more opportunity, he notes. This means that "more stringent control over data assets" is required.
"A failure to act — or an act of failure — are both more expensive than ever as the ramifications can result in lost productivity, compromised customer or partner relationships, regulatory violations or possible damage to a company's brand integrity," he warns.
But whatever the old worries parading through the average IT security professional's mind this year, something new is bound to emerge, says Marc Willebeek-LeMair, chief technology officer, 3Com.
"What we've seen over the last few years is a constant introduction of new threats, from viruses to worms to spyware to phishing. This is driving us toward an industry inflection point based on the realization that we, in general, have limited control over our networks and the information that is going in and out of our corporations," he says. "This inflection point presents an opportunity to revisit the current network architecture and contemplate new ones that will offer much greater access, attack and application control."
Following are still more thoughts from these lead executives on questions we posed about the industry and some of its more problematic areas.
John Chambers, president and chief executive officer, Cisco
Q: Many experts would agree that routers are the most critical element of the network. Are companies doing enough to secure these and are vendors doing enough to offer appropriate security mechanisms for them?
A: At Cisco, we take more of an architectural approach to security, embedding it into many of our products, services and solutions. To be effective, security is really a process of continual response to a changing threat environment, not just protection from a one-time threat/ response. As a company we have been very active in security emergency response, consortia, and standards bodies to ensure that the products and services we provide to our customers are as secure as possible, and we remain vigilant in trying to protect our customers' business operations.
For example, a robust VoIP [Voice over Internet Protocol] deployment requires not only a secure router, but a router configuration that provides the proper security services to protect both the call control and data paths that make up the VoIP services. By doing this, we protect the VoIP application from an attack and prevent other types of vulnerabilities, such as denial-of-service.
So any discussion about securing a network must be done with the proper awareness of the broader environment in which the router is operating as well as an understanding that the environment is constantly changing and needs to be continually reassessed.
Q: Demand for secure routers is growing, according to Infonetics Research, with companies seeking routers that are integrated with firewalls and virtual private networks (VPNs), but is this enough? What else should corporate security pros be doing to safeguard this important network segment?
A: Firewall and VPN services are required, but are not sufficient by themselves. Routers are gradually incorporating a number of other security services, such as intrusion prevention services (IPS), which Cisco's routers have provided since 1998.
Another area that plays an important role in protecting corporate networks is access and wide area network routers. Cisco's Network Admission Control program, which is an industry collaboration amongst many security players, helps to restrict out-of-compliance connection requests (PCs with viruses or worms, for example) onto the network. This aids tremendously in keeping the network infrastructure protected.
Q: What other areas do companies need to focus on to better secure their IT infrastructures? That is, what do you find customers consistently overlooking when it comes to IT security?
A: Securing infrastructure in a comprehensive way is a huge undertaking. Today, a large portion of securing infrastructure has been about the deployment of best-of-breed products from a variety of vendors.
With the growing sophistication of blended threats, companies need to be more adept at deploying security solutions that link these various products together to better deal with these new classes of threats. This also frequently requires different IT administrators to work more closely together. Therefore, the network, desktop, data center, and telephony IT teams need to be able to share data and policies more seamlessly so that they can diagnose and respond to attacks more efficiently.
Marc Willebeek-LeMair, chief technology officer, 3Com
Q: Organizations, more than ever before, have extended their networks beyond their corporate walls. Are they doing enough to secure all their deperimeterized endpoints? Are vendors doing enough to offer the necessary products and services to help them?
A: Over the past few years corporate networks have steadily been evolving from an environment with a well-defined network perimeter to a blurred perimeter. The blurring, however, is gradually evolving to a new, resource perimeter. End-users and devices will eventually all be treated equally, as outside nodes that must all go through an integrity check in order to be granted access to the networked resources. As a consequence, we are observing a trend toward securing the internal network, and key resources attached to it, with intrusion prevention technology that segments the network and protects key segments from attacks from any device — internal or external.
Q: What must they consider when it comes to securing these far-reaching corporate networks?
A: As always, the best approach is a defense-in-depth, using a network-based intrusion prevention system (IPS) complemented with an access control solution. With regard to intrusion prevention, 3Com recently introduced the TippingPoint X505 Intrusion Prevention System that unifies firewall, VPN and content management technology with our leading IPS technology into a single system designed specifically to address our customer's needs to protect their remote branch offices. Agentless network-based access control solutions are easier to deploy than host-based solutions. Ultimately, a combination is best. We're seeing a plethora of competing endpoint access control technologies hitting the market. Currently, there is a lot of confusion, and these solutions will have to converge on a few standardized approaches before customers will be comfortable choosing one.
Q: One issue that continually pops up is that of secure coding practices. While many industry luminaries argue for more robust secure coding training at universities and in companies, others say that the demands placed on developers will always undermine security goals. What's the answer?
A: The answer is pretty simple. Customers are finally starting to speak with their wallets. Security is no longer a nice-to-have, it is a must-have and only vendors that recognize this will survive.
Gary Bloom, vice chairman and president, Symantec
Q: There were acquisitions and mergers galore in 2005. What does such consolidation mean for the IT security market overall?
A: Consolidation in our industry is a trend that was initiated by customer demand for integrated solutions and the opportunity to purchase a broader suite of products from a smaller number of large vendors. The cost and complexity of implementing multi-vendor solutions has resulted in low IT productivity and increased costs for consumers of all sizes.
Symantec has historically been an acquisitive company and you can expect to see us continue to explore M&A activity as it makes sense for our business and for customers. Over the last several months, we announced the acquisition of Bindview, Sygate, and Whole Security…and on January 3 we announced the intent to acquire IMLogic. These acquisitions complement our merger with VERITAS to further address the needs for customers to secure their environments, meet emerging compliance requirements, and ensure systems are readily available and information is secure. The IT security market will continue to evolve, and the lines between security, compliance and availability will continue to blur.
Q: In what ways has the IT security market evolved these last ten years?
A: It's a new frontier for security. Just protecting the endpoint from malware or monitoring the wire is not nearly enough. These solutions protect from the obvious threats, but the world has moved on and become much more subtle, interconnected and dangerous. The world has transitioned from disruptive attacks to outright fraud — moved from prevention of malicious code execution to surveillance, monitoring and prevention of any malicious activity — all in a regulated society.
Q: What can we expect to see?
A: Over the next ten years, the notion of secure information management becomes critical, and the line between 'inside the firewall' and 'outside the firewall' continues to blur. The ultimate form of protection will emerge when all endpoints are managed for policy compliance, and all data and information in transit — inbound and outbound — is scanned for not only viruses, but fraud, ID theft, policy compliance and regulatory compliance.
Key areas to watch: endpoint compliance, content scanning, policy management and database security.