Author: admini

Remember the OpenPGP and S/MIME email encryption wars? Back then, it was all about which encryption protocol would become the standard for protecting email messages from prying eyes. The headache and complexity of using encryption keys for messaging wasn’t appealing to the typical organization or end user. “The way a traditional PKI works, it’s useless to make the majority of information workers send and receive email” with it, says Richi Jennings, an analyst with Ferris Research.

But email encryption technology is actually getting easier to deploy and manage today, with new approaches such as identity-based encryption (IBE) from companies like Voltage Security and Identum that match users to their more tangible email addresses or logons.

So far, email encryption is still mainly used by organizations with highly sensitive missions or information, or paranoid security types who know too much. But enterprises, especially those under the heaviest regulatory microscopes like healthcare and financial services, are starting to look more closely at email encryption.

Aside from Voltage Security’s SecureMail, which uses a special algorithm that turns a user’s logon or email address into a public/private key pair, email encryption pioneer PGP yesterday rolled out a new feature for its PGP Universal Gateway product that lets you send encrypted mail to an organization or recipient that doesn’t have secure messaging. “It’s [email encryption] becoming more usable,” says Christopher Gervais, enterprise architect for Partners HealthCare System, a Boston-based network of hospitals and research labs, who says email encryption may be an option for the company in the near future.

“Some of the email encryption experience for end users has become more integrated — there’s no more goofy manual certificate management, or [having to decide] do I encrypt this or that. Integro Insurance, for instance, runs Voltage’s appliance for internal email among its 13 locations worldwide, and then with a Web-based setup for external messaging. “Encryption has to be painless or people are not going to do it,” says Fred Danback, principal and head of global technology services for Integro Insurance Brokers. “The [win] was largely due to the security of our infrastructure and our ability to send and receive encrypted messages.” “That’s not what encryption maestros call desktop-to-desktop, but it means certain email is not going unencrypted over the public Internet.”

http://www.darkreading.com/document.asp?doc_id=133830&WT.svl=news1_4

However, security is a complex issue, where many remedies are required for different aspects, so such a simplistic view may not be enough to look at when selling our security wares. Some industry participants complain about increased competition as a factor in depressing their security sales.

However, let’s take a quick look at a typical large European country as a “market” for example Germany or the UK. This reveals that there will be, on average, ten firms providing Managed Security Services (MSS), with the biggest firm holding about a 20% market share.

Then there is another way: proving security ROI. In the security industry, however, every vendor seems to have one, which is slightly different from other vendors’ and which ‘proves’ that buying that vendor’s product or service makes the best economic sense. For example, I’m sure we’ve all seen the statistics stating that having someone else to manage your company’s firewalls is a 400% ROI over one year, when compared to managing them in house. Whenever we are confronted with such figures, there are several things we need to ask: How many firewalls do these figures refer to?

How many clients participated in the survey, how many vendors? Many ROI calculations adopt a simplistic and/or simplified view of the underlying costs. From a client perspective, a lot of energy is usually spent debating whether security is best kept ‘in house’ and delivered by client’s own personnel (or built by internal efforts), or is it better to outsource or buy ‘off the shelf’. Because security is essentially a trust issue, the natural inclination is to keep it in house, shrouded in secrecy.

From an economic perspective, there will be security tasks which are more efficiently carried out by an outsourcer (e.g. managing firewalls or IDS), and some which are more suited for in house delivery (e.g. fraud and incident investigations), if skills exist in-house. A good provider will remind the client that they always retain the full responsibility for their organization’s security posture, even if some security tasks have been ‘delegated’ to hands and brains outside the firm. Economics also plays a part in everyday decisions taken by individuals (employees) when it comes to doing the “right security thing.”

The answer is making security a business enabler and with a relatively low compliance cost. The main idea we need to tell our clients is that security can be a business enabler and not just an “IT cost,” Let’s stop viewing information security through the prism of fear and start to quantify it and, more generally, technology risks and threats in economic terms.

At the end of the day, buying decisions are made by business people and not necessarily by technologists, so security investment decisions must make business sense in order to be adopted. We need to articulate the economics angle whenever we buy or sell security.

The economic benefit of complying with the security policy will accrue to both you and your organization. Then, you can concentrate on doing what you do best, knowing you’ve done “your bit” to keep your information safe.

http://www.net-security.org/article.php?id=1062&p=1