NAC, disk encryption gaining attention, survey shows

By Robert Westervelt, News Editor 05 Mar 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Network access control (NAC), disk encryption and application security technologies and services topped the list of interests of IT professionals, according to a survey conducted by Cambridge, Mass.-based Forrester Research Inc.

We've got the mobility of users and the mobility of data and companies want to address the risks associated with that. Jonathan Penn, analyst, Forrester Research Inc.

Forrester surveyed more than 1,000 IT decision-makers in 2007 to gauge the state of the IT security industry and project the security issues gaining the most attention. Forrester said 21% of respondents were the company's senior-most IT decision maker, 29% were executives in IT, and 48% were IT managers.

The survey revealed that many managers are struggling with a lack of money to begin projects, were missing in-house skills to oversee them and were overburdened to address too many security issues. But it also showed that many companies are interested in new technologies to automate security, focus on threats at the end point and begin to address Web application and internal threats.

While NAC got off to a sluggish start, with slower than expected adoption rates in 2007, it remains on the minds of Forrester's survey respondents. About 43% expressed interest in NAC or planned to adopt the technology within the next 12 months.

"We've got the mobility of users and the mobility of data and companies want to address the risks associated with that," said Jonathan Penn, an analyst with Forrester Research. "Businesses are also extending their processes to others through outsourcing and off-shoring so they need to have more controls in those environments and that brings up all sorts of management challenges."

IT pros say they are still wary about the maturity of NAC technologies, and vendor viability. The market is also still working itself out. Cisco acquired Perfigo in 2004, Symantec bought Sygate and, more recently, Sophos and Novell acquired Endforce and Senforce, respectively.

Richard Jacobs, the chief technology officer of antimalware vendor Sophos, said the NAC market would continue to consolidate and change in 2008. Jacobs said Microsoft would have an affect on the market once it releases more information about its Network Access Protection (NAP) strategy.

"We see large numbers of people who have evaluated NAC and very small numbers that have actually deployed it," Jacobs said in a recent interview. "The problem is that there's confusion about what it is, confusion about the problem it's solving and therefore the technologies to approach it."

NAC, disc encryption in the news: As hype subsides, NAC moves ahead: IT pros still have an interest in NAC technology. But as Neil Roiter explains, the cost and complexity of NAC means the road to adoption will not be quick. NAC growth sluggish as companies consider network security options: Companies are taking a wait-and-see approach, hoping the technology's maturity will make it more cost effective. Federal government pushes full-disk encryption: Businesses need to follow the federal government's lead in reducing data breaches by holding employees responsible and examining full-disk encryption (FDE) products. Seagate pushes hard drive encryption to the data center: Seagate wants to extend full disk encryption to hardware, but is the enterprise ready?

Currently people are approaching NAC via network devices or they are taking an endpoint technology approach, but it will take a combination of the two ways that will ultimately make NAC work, Jacobs said.

Forrester's Penn said client security and client management as a managed service will also be a popular choice because end users are no longer in the confines of the company's four walls and corporate perimeter.

The massive TJX data breach dominated the news of 2007, and shed light on disk encryption technologies. Forrester said 46% of those surveyed expressed interest or planned to adopt the technology within the next 12 months.

TJX also highlighted the importance of protecting consumer data as well as a company's proprietary information from data thieves. Much of that data can be found within separate systems and the growth of Web applications has also increased the risk of a breach. Forrester said 44% of those surveyed were interested in or planned to adopt application security technologies or services.

To guard against cross-site scripting (XSS) attacks and other threats, many firms are turning to code scanning tools and penetration testing software to conduct application level scanning, Penn said. If problems can't be resolved through patching and in-house development firms are looking at Web application firewalls to block a set of specific attacks.

"There's some tremendous cost savings associated with making sure from a development standpoint that your code has been assessed," Penn said.

Many respondents said database security technologies as well as content filtering had already been adopted, according to the survey.

In addition, Forrester said compliance may not be driving spending on security technologies. Over the last year, vendors have been touting products and services to meet the Payment Card Industry Data Security Standards (PCI DSS). However, 57% those surveyed said they were either fully compliant with PCI DSS or would be compliant within the next 12 months.

Most of those surveyed also said they were fully compliant with the Health Insurance Portability and Accountability Act (HIPPA) and Sarbanes-Oxley with 75% of respondents saying they were compliant with HIPPA or would be in the next 12 months and 67% indicating they were either fully compliant with Sarbanes-Oxley or would be in the next 12 months. Still, Forrester said many firms would be conducting ongoing compliance initiatives to ensure they stay compliant.

"Compliance may be driving budgets, but it's not the highest priority," Penn said. "Effective compliance should be an outgrowth of having effective controls in place to serve both security and compliance, so I think a lot of people have gotten a bit of overload of compliance."

Tags: Security Industry Market Trends, Predictions and Forecasts,  Client security,  Web Application Security,  Application Firewall Security,  Disk Encryption and File Encryption,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Industry Market Trends, Predictions and Forecasts Cybersecurity czar candidate questions clout of new position Gartner sees better days ahead for security budgets Sophos CEO on Symantec, McAfee after Utimaco acquisition WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Security budgets take hit in media, tech industry, survey finds Cybersecurity Act of 2009: Power grab, or necessary step? Opinion: Gartner gets NAC wrong, again Cloud computing security group releases report outlining trouble areas White House cybersecurity advisor calls for public-private cooperation Security Industry Market Trends, Predictions and Forecasts Research Client security How to defend against rogue DHCP server malware Symantec offers endpoint protection management, monitoring services Sophos integrates encryption into endpoint security Quiz: Endpoint security on a budget How to find sensitive information on the endpoint Trend Micro gets more competitive with BigFix deal CA steers DLP towards access, identity management CA to acquire Orchestria for DLP Microsoft to embed data classification, strengthen ties with DLP Diverse mobile devices changing security paradigm Web Application Security nCircle statistics show rising Web application vulnerabilities Twitter bugs, DNSSEC and broswer security Month of Twitter Bugs project to document Twitter flaws Are Web application penetration tests still important? IT pros can detect, prevent website vulnerabilities, thwart attacks PCI compliance requirement 6: Systems and applications Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits XSS bugs, information leakage top list of website vulnerabilities How to find and stop automated SQL injection attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary