An uncertain economy and tightening IT budgets are leaving security professionals with fewer dollars to spend on new security technologies. As a result, industry observers believe when IT professionals hit the show floor at RSA Conference 2008, they are likely to take a more cautious approach.
Over the last several years, organizations have been focusing on protecting the underlying infrastructure, but now companies are focused on data classification, said Paul Stamp, a principal analyst at Cambridge, Mass.-based Forrester Research. Security budgets have leveled out at about 7% to 8% of the IT budget. But IT budgets are increasing only 2.5% this year. There's a lot of belt tightening, Stamp said, and that translates into shifting strategies.
"Over the years, we've been very much blocking and tackling," Stamp said. "Now it's about identifying those information assets that are much more sensitive to us."
Thousands of security pros are flocking to San Francisco this week to attend RSA Conference 2008. The event is a weeklong security extravaganza, featuring vendor keynotes; panel discussions on encryption, security policy, and virtualization security; and educational sessions on a variety of security topics. Some of the largest software and hardware vendors and some of the tiniest security niche vendors pack the conference show floor to tout their products to any security pro who will listen.
"We're seeing people finding a flat budget for security and because of that vendors are being forced into showcasing their products as part of a wider, more strategic deployment," said Nick Selby, director of the enterprise security practice at New York City-based 451 Group.
Organizations continue to struggle to get a handle on their data. A recent survey conducted by the 451 Group found that 37% of enterprises have done no work at all to determine where their data resides, Selby said.
In addition to not knowing where the data resides, Selby said organizations are having trouble monitoring where the data is flowing. The survey found that 80% of organizations are unable to say who their employees are speaking to outside their organization. That ultimately results in a data breach, Selby said.
Analysts agree that the growing interest in virtualization technologies offers a unique challenge for security pros. While attacks have so far been theoretical, security pros are trying to understand the complexities of the technology, such as how a patch is applied in a virtual environment, said Jon Oltsik, a senior analyst at Milford, Mass.-based Enterprise Strategy Group.
"There are a lot of people looking at theoretical threats here and there is a lot of academic brainpower going into this," he said. "We'll see a lot more virtualization architectural solutions."
451's Selby said most organizations are about three to five years away from full-fledged virtualized deployments. Still, niche vendors and some of the more established players deserve a look at RSA.
A number of niche players are coming to market with products specifically for virtualized environments. Redwood City, Calif.-based Altor Networks Inc. opened its doors March 17. Scotts Valley, Calif.-based Catbird Networks, Inc. and Atlanta-based Reflex Security, Inc. sell appliances that monitor and control access to the virtual network. Cupertino, Calif.-based Blue Lane Technologies Inc. sells VirtualShield, which taps into the VMware platform. The vendors are also taking part in VMware's VMsafe program and will use VMware application program interfaces to produce software that integrates with VMware's hypervisor, tapping into the software that runs the virtualized environment.
"We see evidence that the tires are getting kicked," Selby said. "These vendors are getting bake offs and taken for spins."
Meanwhile, application security appears to be gaining priority for many security pros, Oltsik said. With applications becoming much more dynamic and complex, more attacks are happening at the application layer, he said.
"We have much more of a worldwide sophisticated threat network that knows how to attack those application vulnerabilities," Oltsik said.
Vendors are responding with more secure products, he said. Microsoft has taken a leadership position with its secure development lifecycle. Other vendors, such as Oracle and RSA, have followed, ensuring every product is going through security standards and evaluations.