A renewed interest in network security has vendors scrambling for ways to aim traditional products at "new" problems.
Latest among these is a joint effort by Nokia Internet Communications -- the division of Nokia that sells security hardware for corporate networks -- and Logical, a "network-centric" systems integrator, to market the idea of zoning security infrastructures for enterprises.
This approach effectively takes the firewall and intrusion-detection technologies that corporations used to place at the edge of their networks and puts them around each part of their IT infrastructures -- such as corporate finance or human resource systems -- according to how vulnerable those systems are and how they are used. The upside is enhanced network security defined by the ways corporate departments commonly access data. The downside is that enterprises' security costs are multiplied.
Quantifying the worth of its products and services has been a perennial problem for the IT security industry. Never has the term "solution" been more misplaced: IT security is a collection of complex and costly tools that add up to an imperfect attempt to mitigate an unquantified risk. Consequently, many vendors have used research that plays to an undefined sense of fear to sell their products.
According to market researcher Datamonitor, Web site security breaches cost companies more than $14.5 billion in repair costs and lost revenue each year. A survey conducted in 2000 by the CSI and FBI showed that 90% of large organizations surveyed had detected security breaches, and 74% of those acknowledged a financial loss. Just as significantly, 42% could not quantify that loss.
These pieces of research have been used to suggest a return on investment for IT security products and services -- and sometimes to obscure the truth that there rarely is one. Now companies like Nokia and Logical are telling prospective customers that security products are nothing without the corporate policies to make them function properly and, in the same breath, that more products in more parts of the network will go a long way to solving their security worries.
This plays to today's pitch in IT security that the old, perimeter-based "tiered" approach to corporate Internet security isn't enough in the face of corporations opening up parts of their networks to customers, suppliers, partners and remote workers. Instead, Nokia and Logical suggest segmenting, based on risk, the corporate IT infrastructure into business departments and secure zones, and installing the appropriate security.
But even aside from the extra cost involved, putting firewalls and intrusion-detection technology at every one of the zones is likely to multiply the amount of information produced by firewalls and intrusion-detection devices. This is specialized information that requires an expert to decipher and report on, and its dissemination back into the management of the corporate network is the real bottleneck in administering corporate security.
Companies are buying specific authentication tools to handle external access to their networks in the current economic environment, rather than engaging in wholesale changes to their IT infrastructure. Research firm IDC says the worldwide market for security software will grow to $14 billion by 2005 from $5.1 billion in 2000 -- and that authentication, authorization and administration software will make up 67% of these sales.
Recent events, as well as the industry bodies formed by the likes of Microsoft and Sun to address concerns about network security, may have brought IT security into the spotlight, but they haven't changed the spending habits of corporations at board level. Security is expensive, it doesn't yet make or save money in any quantifiable fashion and enterprises won't buy companywide solutions to their security needs until data privacy legislation forces them to.
the451 (www.the451.com) is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media.