Security practitioners dispute several Gartner Group recommendations on technologies enterprises need -- and those they likely don't -- when forming or evaluating security programs.
Enterprise security managers need host-based intrusion prevention systems, gateway spam and antivirus filtering, and vulnerability, identity and automated password management to secure their systems, Gartner Group analysts advised recently. Conversely, information security programs can do without personal digital signatures, passive intrusion detection and quantum key exchange, among other technologies.
Gartner's recommendations are based on what the firm's managing vice president called the "plateau of productivity," the window of time between adopting an emerging technology and when it begins to provide a return on investment. The analyst firm recommended that organizations focus on that plateau in combination with their business needs and threat assessments to prioritize security purchases.
Other Gartner-recommended technologies and processes include the use of the Advanced Encryption Standard, the wireless protocol 802.1x, quarantine/containment products, SSL/TLS Web-based encryption, as well as having a business continuity plan and security audit capabilities. "Business continuity planning is essential to the 'keeping the wheels on' part of information security to anticipate natural or other disasters and to ensure that the enterprise can stay functioning," Wheatman said.
"For example, vulnerability management not only implies advancement from passive vulnerability monitoring to near-continuous monitoring, but also integration with workflow and rule engines to effectively correct vulnerable states without creating system conflicts," he continued.
"Wouldn't it be nice if this was more than vaporware?" asked Paul Schmehl, an adjunct information security officer at The University of Texas at Dallas. "I'm not aware of any products that allow 'near-continuous monitoring, but also integration with workflow and rule engines to effectively correct vulnerable states without creating system conflicts.'"
On the flip side, Gartner said many enterprises could do without personal digital signatures. Passive intrusion detection, another "don't need," can be replaced by technologies that can respond to incidents instead of simply logging them.
"Gartner is way off base here," said Schmehl. "Apparently they haven't heard of the Federal Government's Federated Bridge, the Higher Education Bridge and other initiatives to facilitate collaboration between entities, all of which will require individual certificates. Add to that HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley, and the need for personal certificates has never been greater. How does Gartner propose that entities protect personally identifiable information and personal health information during transmission? Wax seals?"
Schmehl added, "Not every enterprise wants to proactively block traffic rather than log it. Despite Gartner's claim that IDS is 'dead,' I don't see a high rate of adoption of IPS -- and where I see it the use of proactive measures is limited primarily to blocking viruses and DoS attacks. IPS is over-hyped technology that hasn't lived up to its advance billing."
Though he agreed with several of Gartner's recommendations, Ron Baklarz, chief information security officer at The American Red Cross, said some things are missing from the list. He said, "Implementation of security technologies is based on an in-depth understanding of the corporate culture as well as the overall network and the systems connected to it. For example, Gartner does not mention Web content filtering which in addition to its intended function can be leveraged in with the enterprise's overall antivirus solution as a sensor of sorts."
Security awareness posters, default passwords and 500-page security policies have got to go, too. Instead, Wheatman recommended that security policies be a maximum of two pages in length so they are read rather than consigned to a shelf.