Information security professionals face challenges galore in 2008.
In Information Security's Priorities 2008 survey, 1,149 readers cite many challenges, primary among those being mobility and security, identity and access management, protecting data and intellectual property and vulnerability management.
These are the pieces of the security puzzle that have taken center stage as businesses work to comply with regulatory requirements and industry standards (75 percent of those surveyed said they would be spending more time on compliance in 2008), operate more efficiently, cut costs and avoid embarrassing and damaging security breaches.
Ultimately, today's regulatory and threat environment requires that organizations work on multiple fronts. For example, encrypting a piece of information isn't enough; there needs to be some system for tracking what users have done with the data, says Ben Halpert, an information security researcher and practitioner. Consequently, data protection goes hand in hand with identity and access management.
"All these aspects play together in the information security space," he says.
Clearly, many of these puzzle pieces interlock. Based on our survey results, we prioritize four of them for the coming year.
(PRIORITIES2008) mobile security
With 50 employees and four branches, the bank is still a traditional brick-and-mortar business, says Dennis Weiskircher Jr., IT manager and security officer. "But we have started to get people to meet with customers in their area, so we implemented PGP full-disk encryption for all our laptops," he says.
And even though smart phones and BlackBerries are few and far between at the bank, the company is evaluating how it will control those portable devices so employees can use them without putting business data at risk.
"That's always the delicate balance," Weiskircher says. "They need these tools to work, but we also need them to work securely. ...We're trying to be proactive about this."
With the disappearing network perimeter an ongoing issue in the enterprise, it's no surprise that readers rated mobile security as a top concern for 2008. As employees increasingly work outside the office with laptops, PDAs and smart phones, nearly half of the security professionals surveyed say they plan to spend more time on mobile device security.
Time and again, there is news of a stolen or missing laptop containing confidential corporate data, and more organizations are determined to thwart the problem. Of the survey respondents, 27.3 percent say they will evaluate laptop encryption this year, and 16.4 percent will implement it. "Everybody needs to do that," says Leo Dittemore, director of IS security administration at HealthCare Partners in Los Angeles County.
An analysis of 2006 breaches by the Privacy Rights Clearinghouse showed that laptop theft made up 40 percent of security incidents in the private sector.
The organization's chronology of 2007 breaches includes many involving stolen laptops, including one containing 268,000 records of donors to Memorial Blood Centers in Duluth, Minnesota. Another stolen laptop contained personal information on an unknown number of Deloitte & Touche employees.
Dittemore's organization wrapped up a laptop encryption project last year and is looking at how to secure smart phones. About 100 doctors use smart phones for secure email and to access patient data via SSL encrypted Web services. Some executives use the devices to access their email and calendar.
Securing mobile phones and PDAs is also a 2008 priority for Jack Henry & Associates, a provider of technology and data processing services for financial institutions. "We're moving to full-disk encryption," says John Hill, a manager in the firm's network and devices division.
The company tried to implement encryption in 2006, but ran into resistance from some employees who complained it made their devices run slower. To mitigate that problem, the firm bought faster PDAs and is moving forward with the project. "We're getting full support from our CEO, who has mandated that all mobile devices containing any customer or company information need to be encrypted."
Jonathan Gossels, president and CEO of security consulting firm SystemExperts, says PDAs and other devices have become powerful computing systems that businesses shouldn't take lightly.
"We've tried to get them to understand that these are real computers. Think about the risks you have with computers in your offices; be as concerned with these handhelds and go a level beyond that because they're so easily lost or stolen," he says.
(PRIORITIES2008) identity management
"We'd like to be able to automate and save some ongoing costs as well as be more thorough about who's getting access and getting rid of that access when they no longer need it," says Leo Dittemore, director of IS security administration.
HealthCare Partners is among many organizations focusing on identity and access management this year. Forty-two percent of survey respondents say they will spend more time on identity management. Specifically, more than 60 percent say strong authentication is an important priority while nearly 56 percent rated improving user access rights/authorization as important. About 31 percent will evaluate provisioning technologies.
More businesses are waking up to the operational benefits of identity and access management (IAM), having overcome initial skepticism, says Paul Rohmeyer, consultant and assistant professor at the Howe School of Technology Management at Stevens Institute of Technology.
"You're starting to see more organizations trying to move (IAM) efforts forward. There was a period of time when they probably just didn't understand how important it was," he says. "The tools have matured."
SystemExperts CEO Jonathan Gossels says regulatory requirements drive much of the interest in IAM: "You need to continually know who has what rights, and when employees leave, you need procedures in place to terminate access."
The push toward strong authentication has been a trend for quite a while, Gossels says, and companies are continuing to implement smart cards, tokens, or even newer technologies that track a user's typing rhythm.
When Parsons Behle & Latimer, a Salt Lake City-based law firm with about 250 employees, looked for a way to strengthen authentication for lawyers working remotely, it chose BioPassword. The technology combines users' ID and password with their unique typing rhythm. It was the easiest to use and implement, says Jason Smith, applications administrator. "It's another layer of security," he says.
For survey participants, single sign-on (SSO) is another technology in the IAM arena that's important this year (see chart, above). In fact, Andras Cser, a senior analyst at Forrester Research, says interest in enterprise SSO is up because it is relatively simple to implement, and a good candidate to start off an IAM project because most applications can be supported without much development effort.
"As eSSO provides a streamlined end-user experience, it reduces reluctance toward IAM in general and its back-end repository information--built by the end users themselves--is often the most accurate starting point for building an enterprise-wide provisioning role system," Cser says.
HealthCare Partners recently deployed SSO for doctors.
"Having to enter their password a bunch of times annoys them," Dittemore says. "It's really about user experience--that's what single sign-on is for us."
(PRIORITIES2008) data protection
Data Protection in a Snap
The strategy includes a homegrown database monitoring program to ensure compliance with its access policy, laptop encryption, a secure system for sending email containing confidential information, ongoing data security awareness training, and background checks on vendors.
John Moynihan, who recently left his job as deputy commissioner and internal control officer at MDOR and is setting up a data governance consulting practice, says data protection is the overriding issue in IT today and requires a comprehensive approach that includes technical and non-technical components. "One hole in your information security strategy can really compromise your whole data governance structure."
Protecting sensitive and confidential data is top of mind for a lot of organizations; about 68 percent of readers surveyed say they will be spending more time on data protection this year while 58 percent say creation of a data deletion and retention process is vital (see chart, below).
In the past, companies put a lot of effort into securing data in transit, but now are making database security a priority, experts say. Securing databases involves making sure they're properly set up with strong access controls so only authorized people can obtain the data, and implementing tools that permit fine-grained data extraction, says Jonathan Gossels, CEO of consultancy SystemExperts.
"The best way to protect your data is to keep control over it, and if you're going to extract some to perform analysis, extract only that information you need," he says.
About 31 percent of readers say they will evaluate database encryption tools, while nearly 30 percent plan to take a look at software-based encryption and about 29 percent will review hardware-based.
Paul Stamp, principal analyst at Forrester Research, says encryption addresses multiple concerns companies have, from meeting mandates such as PCI and preventing employees from accessing data they shouldn't, to protecting data when it leaves their premises on a tape or a laptop.
"Encryption is a good way to mitigate those types of worries," he says.
With all the news stories of data loss due to missing or stolen backup tapes, Citizens Bank makes sure to encrypt its backups. "That's been a huge focus," says IT manager and security officer Dennis Weiskircher Jr. "Our offsite facility is only 15 miles away, but that's still 15 miles where data is traveling."
Another area of concern for companies is preventing employees from accidentally leaking or stealing sensitive data via email or by copying it onto a removable storage device. Data leak prevention products will be evaluated by 35 percent of the readers surveyed.
"Information leak protection really holds some promise, but it's got to be part of a wider information lifecycle management issue," Stamp says.
(PRIORITIES2008) vulnerability management
Correlation can help organizations facing an array of vulnerabilities, from software flaws to humans susceptible to social engineering, says Marcus Sachs, director of the SANS Internet Storm Center.
"There's no way to patch every vulnerability, so which ones do you go after?" he says. "One good approach is [to look at] which ones the threats are most likely to go after. ...It at least gives some hope, a place to start for some poor system administrator in this sea of vulnerabilities that their bosses told them to fix."
Sachs says many companies rely on some type of threat intelligence service, such as those offered by IBM Internet Security Systems and VeriSign iDefense, for insight into what hackers are doing.
Others have in-house capabilities based on homegrown honeypots and other sensors that can detect and analyze attack trends.
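The approach Sachs describes, ranking a vulnerability backlog by which flaws threats are actually going after, can be shown as a small worked example. This is added code, not part of the article or of any product it mentions; the inventory, the "actively exploited" feed and the VULN-nnnn identifiers are constructed placeholders, and the weights in the scoring function are assumptions chosen for illustration.

```python
"""Prioritize a vulnerability backlog by correlating it with threat intelligence.

Added example. The inventory and the threat feed below are constructed
sample data; the identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # placeholder identifier (constructed)
    host: str               # asset the finding was reported on
    severity: float         # base severity score, 0.0 to 10.0
    internet_facing: bool   # reachable from outside the perimeter
    holds_sensitive_data: bool  # asset stores customer or company data


# Constructed inventory, as a scanner might report it.
INVENTORY = [
    Vulnerability("VULN-0001", "db01",  9.8, False, True),
    Vulnerability("VULN-0002", "web01", 7.5, True,  False),
    Vulnerability("VULN-0003", "ws17",  5.3, False, False),
    Vulnerability("VULN-0004", "vpn01", 6.1, True,  False),
    Vulnerability("VULN-0005", "web02", 9.0, True,  False),
]

# Constructed threat feed: vulnerability IDs reported as actively exploited.
ACTIVELY_EXPLOITED = {"VULN-0002", "VULN-0004"}


def priority_score(v: Vulnerability, exploited: set[str]) -> float:
    """Combine base severity with threat and exposure context.

    Weights are assumptions for illustration: evidence of active
    exploitation doubles the score, exposure and data sensitivity
    add fixed bumps. Scores are rounded to avoid float noise.
    """
    score = v.severity
    if v.vuln_id in exploited:
        score *= 2.0
    if v.internet_facing:
        score += 2.0
    if v.holds_sensitive_data:
        score += 1.5
    return round(score, 2)


def prioritize(inventory, exploited, budget=None):
    """Return findings ordered by descending priority, ties broken by ID.

    `budget` limits the list to the number of fixes the team can take
    on this cycle, which is the point of correlating rather than
    trying to patch everything.
    """
    ranked = sorted(
        inventory,
        key=lambda v: (-priority_score(v, exploited), v.vuln_id),
    )
    return ranked[:budget] if budget else ranked


def ranked_ids(inventory=INVENTORY, exploited=ACTIVELY_EXPLOITED, budget=None):
    """Convenience view of prioritize(): just the ordered identifiers."""
    return [v.vuln_id for v in prioritize(inventory, exploited, budget)]


if __name__ == "__main__":
    for v in prioritize(INVENTORY, ACTIVELY_EXPLOITED):
        print(f"{v.vuln_id} on {v.host}: {priority_score(v, ACTIVELY_EXPLOITED)}")
```

Note that the highest raw severity (VULN-0001 at 9.8) does not come out on top: the two findings with evidence of active exploitation rank first, which is exactly the reordering Sachs is arguing for.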
"Security is about risk management. There's no such thing as perfect security," Sachs says. "Just try to manage it to get to some acceptable level of risk that you're willing to live with."
Video Gaming Technologies' senior network engineer Dan Goldberg agrees correlating threats to vulnerabilities is important but says his firm needs more "bedrock in place" before tackling it.
"It's all really part of risk management," he adds. "Risk assessment is going to be high on my priorities for ."
While companies traditionally have focused on protecting their networks from external attackers, many are increasingly concerned about attacks by trusted insiders--employees, contractors and vendors who have access to corporate networks and data. Seventy percent of survey participants said they're worried about detecting and thwarting internal attacks.
For survey participants, another area of concern on the vulnerability management front is simplifying security management. About 60 percent ranked it as important for this year. While 19 percent plan to evaluate security information management systems (SIMs), 25 percent will evaluate an alternative: log management systems (see chart, above).
Forrester Research analyst Paul Stamp says he hears a lot of interest in simplifying security management.
Part of the reason is that security duties are often handed to employees who aren't necessarily security specialists, such as a network technician managing the firewall. Security is just one of their responsibilities, so they're looking to make it easier, he says.
Organizations also are looking to streamline security management for auditing purposes.
(PRIORITIES2008) compliance
Here to Stay
Inevitable and a perpetual priority, compliance remains prominent on to-do lists according to Information Security's Priorities 2008 survey.
More than three-quarters of 947 respondents say they'll be working more on compliance this year, and that's in line with some estimates that have compliance spending topping out at $28 billion, according to AMR Research.
That number is about $600 million more than 2006; AMR projects companies will spend more than $6 billion on Sarbanes-Oxley compliance alone. SOX, meanwhile, is a regulation 42 percent of Priorities 2008 survey takers must comply with (HIPAA and PCI round out the top three).
"[IT pros] hated compliance for a while, but I'm hearing less and less about it because, for example, they've baked SOX requirements into their everyday behavior, so we're seeing more mature response to the requirements," says Richard E. Mackey, vice president of consultancy SystemExperts. "They already understand goals and compliance requirements and have changed their processes. I like the positive impact it's had, but I still question whether this is the right vehicle to get change in place."
Whether it's the proper way, it currently is the best way to win project and budget support from senior management; 53 percent of Priorities 2008 respondents say their company's CEO cares more about security.
"Auditors are looking at IT controls that make sure systems are compliant for what auditors are asking for," Mackey adds. "That cycle has given rise to more IT budget spent to produce measurable results auditors can use."
In light of the fact compliance spending is flat, but still high, respondents are confident their policy creation and enforcement processes, security metrics and measurement programs and risk management strategies are average or better compared to their peers. Respondents cited continuous process improvement and the establishment of baseline processes as the biggest challenges. Mapping regulations to IT controls and mapping technologies to compliance are also priorities.
--MICHAEL S. MIMOSO
(PRIORITIES2008) Cisco
A Security Player
Sixty percent of 680 Priorities 2008 respondents believe Cisco provides equal or better security than a third-party provider, lending credence to the trend that enterprises want some security integrated into the network fabric, and most of all, are willing to have a giant infrastructure player satisfy their security needs. Only IBM did better than 35 percent on the same question, while Microsoft trod the most water with 23 percent support.
Recently, Cisco introduced Trusted Security architecture, which is essentially role-based network access control baked into routers, switches and wireless controllers. Add to that its firewall, VPN, endpoint and multifunction appliances, and Cisco, like a lot of infrastructure providers, is a compelling market presence.
"They are a legitimate player; they've got a huge R&D budget, and they can leverage this infrastructure to the hilt," says Andrew Braunberg, research director at Current Analysis.
--MICHAEL S. MIMOSO
(PRIORITIES2008) consolidation
Where Are All the Startups?
RSA, ISS, Cybertrust, IronPort, SPI Dynamics and Watchfire all have been acquired in the last 20 months--all by traditional IT companies. The number of big standalone security companies is dwindling, and according to the 700 who answered a Priorities 2008 question about consolidation, that's just fine.
Companies like IBM, EMC, HP and Cisco have been spending billions on security. Enterprises with established relationships with these vendors aren't reluctant to extend those relationships to security.
"I wouldn't discount the one-throat-to-choke aspect, if you've got an existing relationship with an infrastructure provider," says Andrew Braunberg, research director at Current Analysis.
"[For example], Cisco shops are a pretty loyal customer base. As long as Cisco can make these security solutions available to its installed base without having to do radical upgrades and add capabilities to an existing device without a major upgrade, that's an attractive sell."
We asked and you answered loudly. Almost 60 percent of respondents say they'd be reluctant to buy new products from smaller security vendors or startups, while 75 percent say they would not be reluctant to buy new products from a vendor that had been acquired, a la RSA or ISS.
Braunberg cautions it is early.
"You hear so much emphasis on the UTM market, you'd think UTM is a good case study in this distinction between best-of-breed, standalone and suites, but we get mixed results from our clients," he says. "UTM spending is a low priority, and it makes us wonder where people want this functionality to reside; whether it's pushed into the network or OS infrastructure, or into the cloud and away from the network perimeter with carriers providing SLAs."
--MICHAEL S. MIMOSO
(PRIORITIES2008) NAC
On the Agenda
"I want to make sure, before people can get on the network, that they have antivirus and antispyware," says senior network engineer Dan Goldberg. "Basically, I want to make sure they won't cause harm on the network."
About 34 percent of Priorities 2008 respondents say they plan to evaluate NAC technologies this year, while 31 percent have already implemented it; 16 percent say they will implement this year.
Beth Israel Deaconess Medical Center in Boston plans to begin experimenting with NAC in a lab environment, says Mark Olson, manager of IS security and disaster recovery. As a research and teaching hospital, a large percentage of endpoints on its networks aren't subject to the hospital's IT policies, which makes NAC attractive.
"The goal will be to provide the appropriate IT staff the ability to dynamically move a misbehaving system off a production VLAN to a remediation/Internet-only VLAN," Olson says.