Category: Trends

A roving gang of European chief information security officers claims the key to better security is less walls not more — a concept they call deperimeterisation.

Security is a process not a product, says Jericho. Establish open standards for identity management, digital rights, encryption and data-level authentication, and we can eventually do away with the rest of the security infrastructure altogether while maintaining commercial and operational flexibility. But because the Jericho Forum is user-led, it is honest about the problems and pragmatic about a gradual introduction of these ideas.

ZDNet UK spoke to one of Jericho’s founders, Paul Simmonds, global information security director of chemical giant ICI, about the ideas behind deperimeterisation and pushing the organisations unique take on security to the US.

http://insight.zdnet.co.uk/internet/security/0,39020457,39194164,00.htm

Last year the market grew 49 per cent year-on-year to €536m, with Cisco dominating with 21 per cent of the market.

Nokia is the fastest growing vendor, however, with sales increasing by over 90 per cent on the quarter.

“The security market is poised to extend its impressive track record into 2005 and beyond,” said Andy Buss, senior analyst at Canalys. “Our expectation is that 2005 will be up by more than 15 per cent over 2004. Vendors need to continue the pace of innovation and integration, partnering where necessary to ensure short time to market and to develop industry-wide interoperability.”

The biggest growth area has been in security hardware, with 65 per cent year-on-year increases. This is part of a wider move to build security into the network at a hardware level.

The reseller channel has also proved important. Juniper saw its sales grow 57 per cent after an intensive channel support programme, and the Canalys research found that the channel as a whole benefited towards the end of the year as companies started spending the last of their annual budgets.

The findings contradict statements made by Gartner last month that this year would see the start of a decline in security spending.

http://www.computing.co.uk/news/1162250

Google has been allocated an address range, marking the start of its permanent presence on the new frontier. And Microsoft has tried to patent it, surely a rite of passage for any new technology that aspires to be taken seriously. In the US and Europe, it is still not on many people’s lists of things to worry about.

It promises to relieve the lack of address space in IPv4, replacing a mere four billion addresses with enough to label every atom on the planet, but so far the use of NAT to hide private networks behind a single public address has meant that nobody is hurting too much so far. It has better security, quality of service and routing, but IPv4 has proved flexible enough to incorporate its own advances here. These take some managing, so the thought of adding the challenges of an entirely new protocol to the mix — everyone expects that both versions will have to run concurrently for many years — will not come easily to those charged with looking after a company’s network.

All that means that ISPs are reluctant to spend the extra money to provide IPv6 — if nobody is prepared to pay more for it, then you’re better off spending on bandwidth, better security and higher reliability. The Japanese love it: major ISPs such as NTT and IIJ support it, and more are joining in. That is due to a rather over-generous allocation of IPv4 address ranges to the US accentuating the shortage elsewhere, and an enthusiastic take-up of mobile access and multimedia services in Asia. When every mobile and fixed phone, television, recording device and games console has its own network address, a household’s need for multiple independent connections to the Internet can overwhelm NAT’s somewhat limited and inflexible support for multiple services running on multiple devices behind the router.

This value is enhanced by the protocol’s other features, such as automatic configuration and understanding of quality of service requirements: at the moment, for example, there are plenty of problems running VoIP telephony through home routers. As a result of such moves, all the major infrastructure manufacturers have been including IPv6 in routers and other devices for some time — so ISPs and major customers have been acquiring the capability by default as part of the normal cycle of equipment upgrades.

Behind the scenes, IPv6 has already been rolling out — and large, specialist networks such as the 33 country European GEANT research system have provided a lot of practical experience in deploying and managing the protocol. 30 out of the 34 Internet exchanges in the European Internet Exchange Association support IPv6, and between them they have 201 IPv6 customer networks — around 11 percent of the total.

http://comment.zdnet.co.uk/0,39020505,39192571,00.htm

Speaking at the Business Continuity Expo in London’s Docklands, IT security experts from the Royal Mail Group, Proctor & Gamble and Barclaycard acknowledged that their companies are increasingly merging systems used to authenticate employees’ entry to physical facilities with those used to control access to computing resources.

“I have worked in a lot of different areas of our company and I have found that physical and IT security are coming together, especially around the area of identity management,” said David Lacey, director of information security, Royal Mail Group.

David McCaskill, section manager for global security solutions at Proctor & Gamble, explained that the pharmaceutical giant had also integrated its physical and IT authentication systems. Companies have generally treated physical security as the responsibility of the facilities department and computer security as that of IT. But employee information has increasingly become integrated, allowing businesses to link the two systems, Steve Hunt, an analyst with Forrester Research, said in a recent report.

“Locks, cameras, entry systems, and even guard desks will be upgraded to work with the same computing systems that control computer and network sign-on, identity management and security incident management,” Hunt wrote.

Twice as much will be spent on such integration this year compared with 2004, reaching $1.1bn in Europe and the United States, according to Forrester.

http://news.zdnet.co.uk/internet/security/0,39020375,39191839,00.htm

Signs of the shift have appeared in a flurry of recent deals. Security giant Symantec is moving outside its niche with its pending purchase of storage maker Veritas Software. On the other side, networking company Cisco Systems and software giant Microsoft have snapped up fast-growing security companies, looking to give their own growth a boost.

This push toward diversification, coming amid widespread consolidation in many areas of the tech industry, has investment bankers and analysts wondering whether companies that specialize purely in security products can continue to thrive.

“There’s a debate whether the security market (will remain) its own market, over time–or will it be subsumed into two other markets, like the communications equipment market, or the networking or systems management industry?” said Kevin Sidders, a managing director at Credit Suisse First Boston. Sidders heads up U.S. software efforts in the investment bank’s technology group.

Some security players say the industry will stay as is, selling standalone products such as antivirus software. They note that network threats are evolving so rapidly that companies are continually being born to tackle the new problems.

Others, however, argue that the future of security lies in the technology being integrated at all levels of a company’s network, from the hardware to the interface, and that the recent merger-and-acquisition activity bears this out.

Rapid revenue growth in the security industry is a key factor driving the deals. Software, services and hardware companies in the sector will pull in $52.2 billion in sales in 2008, compared with $22.8 billion in 2003, predicts market research firm IDC.

That makes those businesses attractive targets for acquirers in the networking, communications and systems management industries, among others.

Still, some say that security companies may be stronger if they provide a soup-to-nuts IT package rather than a product to be bolted onto an existing network.

“Security, ultimately, will not be a standalone market,” said one investment banker who asked to remain anonymous. “It will just be just another layer of the infrastructure stack. It’s no longer about just making the security products work together.”

However it’s done, the important thing for the customer is to make the technology as smooth to use as possible, said Fred Rickabaugh, chief security officer at Premier, a Charlotte, N.C.-based provider of support services to health care companies. “I want the capability to build the ‘best of breed’ in certain areas were it’s critical,” Rickabaugh said.

In segments of the market where too few players exist to create competitive bidding, Rickabaugh said consolidation would benefit the customer by bringing one-stop shopping for multiple features.

Given this importance to customers, security businesses will wield influence.

Laura Koetzle, a security analyst with Forrester Research, said that security companies may find themselves part of a portfolio where they’re considered core to the future of the acquirer. “Security may be more of an influence as companies become blended,” Koetzle said.

Networking companies, for example, are finding that intrusion prevention technologies need to sit on top of or next to the network, in order to keep the data moving at a fast clip.

http://news.zdnet.com/2100-1009_22-5624251.html

The biggest problem when businesses are hit by a virus is user downtime.

The survey, completed last month by research firm InsightExpress and commissioned by SupportSoft Inc., a developer of software for managing software updates, portrays patch management as an ongoing issue that poses a variety of risks.

For example, patching still takes a week or longer at about a quarter of companies. That compares with 19% of respondents who say their IT organizations distribute patches to all computers within hours and 57% that do the job in days.

When asked how well prepared their IT organizations were for a virus attack, three-quarters are only “somewhat prepared,” compared with 21.3% that are completely prepared.

“It shows companies are struggling to get a handle on patching,” says Michael Cherry, an analyst with Directions On Microsoft.

The biggest concern among survey respondents is spyware, cited by 25%, followed by viruses and other kinds of malicious software. The most difficult part of patch management is an inability to update all systems with a single patch (24% of respondents) and the sheer number of patches that need to be distributed each month (21%).

Keeping up with Microsoft’s monthly security bulletins and associated software patches has been a challenge for some IT departments. In February, Microsoft issued a dozen security bulletins that addressed 17 vulnerabilities in Windows or its other products.

The negative effect most associated with viruses is end-user downtime, cited by 43% of respondents to the InsightExpress survey.

Chris Grejtak, senior VP of products and marketing with SupportSoft, says the survey underscores that remote and mobile computers are particularly hard to keep updated.

Microsoft’s Systems Management Server 2003 is used by some large companies to distribute updates to Microsoft products

http://www.securitypipeline.com/news/60405613;jsessionid=SUEDHZPSUU2BWQSNDBCCKHSCJUMEKJVN