IT Security

Network Security Report

20.03.2003
There are no off-the-shelf solutions for network security - the respective priorities are too different. Guided by their own security policy, companies should combine different approaches. The Butler Group analysts base their argument on an evaluation of the technology and a market overview.

There is ongoing recognition of the importance of IT security in the business world, but this has all too often been combined with a perception of complexity. Thus, many organisations have implemented IT security without a real understanding of what is being done. IT security is crucial for the well-being of any organisation connected to the outside world, be it giving customers the option of e-mail contact, through to opening up networks to partners and suppliers.

Most companies today connect to the biggest network of all - the Internet - in order to go about their daily business. The latter two words are key: 'daily business'. Any implemented IT security must not prevent an organisation from conducting its business efficiently, effectively, and achieving the objectives of the business (for example, making a profit). To this end IT security becomes a balancing act with the daily processes operated by the business. Implementing a firewall and closing down all access to the Internet will result in an organisation's network being extremely secure, but if the Marketing Department cannot conduct its research into competitors using the Internet, then the organisation's efficiency is damaged.

Following on from this, IT security should not be implemented in a haphazard manner. Of course most organisations would deny that this happens, but certainly some companies have had a knee-jerk reaction to the hype put about by the press and IT security vendors alike, and have purchased firewalls, Anti-Virus (AV) solutions, and Intrusion Detection Systems (IDSs) because they think they should. There are a number of crucial points that have resulted from our research for this Report, one of which is that an IT security solution that suits one company does not necessarily suit another. In other words it is not a one-size-fits-all scenario and any snap-decision purchase of IT security stands a good chance of not achieving what it was purchased for.

A roadmap for the implementation of IT security is required in order to commit to the layered defence recommended by Butler Group. No single product can be purchased with the expectation that it will protect the enterprise from attack - multiple solutions are required in order to put up as many barriers as possible to deter intruders. Although no network can ever be realistically described as impenetrable, there are steps to be taken that might encourage a would-be hacker to move on to an easier target - IT security should ensure that your network is not the easy target.

Business Issues

The business aspect of 'securing the enterprise' - that is, doing everything possible to prevent an organisation's IT resources from being compromised - is as important as the technology chosen to do the job. The primary business aspect discussed in this Report is the creation and application of an IT security policy. Any enterprise, irrespective of size, should have a security policy in place, with someone at board-level or senior management level responsible for its execution. The technology deployed will then reflect that security policy. It is important to be aware that the security policy must continually evolve in response to the developing business as well as updated security threats.

There are two useful examples to demonstrate the use of an IT security policy: The first example can only be protected against to an extent by technology, with the remainder by the adherence of staff to the security policy. The second example can be set up using technology, but it is a policy that must initially be laid down by the business.

A top-down approach to IT security is recommended: driven from the top of the organisation and disseminated to all employees. If commitment to the security policy is not demonstrated at Board level, then it is unlikely to be a success and the technology implemented will have its effectiveness reduced. This results in poor value for money. Although spending on IT security cannot really provide a traditional Return On Investment (ROI), it can be likened to purchasing insurance, and all companies want to receive some value from the money they spend.

Technology Issues

There is a wide variety of products designed to assist organisations in their quest for protection from hackers, crackers, and virus writers. This Report focuses specifically on securing the enterprise, therefore we cover products that can help businesses secure their networks, before allowing anyone in. Thus we do not review products and technology providing, for example, authentication and encryption. We cover three specific areas: In this section we have very briefly touched on Butler Group's recommendation for a layered approach to IT security. The three areas identified above help develop this layered approach by presenting different levels of security. The first two technologies, AV and firewalls, have been around for quite some time now and are well established in the marketplace. Most organisations connecting to the Internet will have at least one firewall in place, and use AV software to check e-mail and other packets coming into the network.

It is Butler Group's belief, however, that these products are not used as efficiently and effectively as they could be, certainly because organisations lack the defined policy discussed above, but also because of their perceived complexity, which makes companies reluctant to configure the products too much. Certainly some vendors have been accused in the past of making their IT security solutions overly complex or difficult to use, but it appears that today vendors are working towards ease-of-use. It is a question we put to all of the vendors that we saw, and a subject that they all claimed to have fully embraced and addressed. On the other side of the coin is the issue of training - one would not spend £10,000 on a car without being able to drive. A similar analogy can be applied to the purchase of IT security, particularly considering that very few Small to Medium-sized Enterprises (SMEs) have the finance available for a dedicated IT security administrator to implement and manage their IT security. Training in the use of a product should be taken up wherever possible in order to get best use from the solution - returning to the issue of value for money discussed above.

IDS solutions are comparatively new on the market and require a great deal more day-to-day management than AV solutions and firewalls. These systems detect that an attack might be happening, with the only automation being the alerting of someone that an attack could be taking place. There are a lot of events on a network or appliance that may appear to be an attack but actually are not, and this is part of the reason for the high level of management necessary. At the beginning of using an IDS the volume of alerts is extremely high because the solution has not been tuned for use by that particular customer - once tuning has begun to take place then the number of incidents should reduce. As with any IT product, training is recommended in order for the customer to obtain maximum use from the IDS.

Market Analysis

Butler Group has analysed the market drivers and identified eight major areas that are pushing customers to desire and purchase IT security solutions. The first driver we have identified is hype - both the press and IT security vendors love to report stories of security breaches and imply that security is severely lacking in all organisations. From the perspective of the press it is an easy story to write, and one which readers are likely to be interested in. There are also political reasons for highlighting particular stories, an excellent example being the repeated reporting of breaches on Microsoft products. We strongly believe that the reporting on Microsoft is not a fair representation of security breaches as a whole. Some vendors seize on these reports and use them to exploit the fears of customers.

Most of the other drivers are more positive, looking at factors such as the increasing connectivity between organisations and their customers, partners, and suppliers. Legislation is another driver, pushing businesses to ensure they are protecting customer data as much as possible. The development of standards is important - most software vendors have adopted those interim standards already developed, and as they are enhanced, technology will be driven forward.

Following on from the market drivers, we have found that there are a number of adoption issues surrounding the use of IT security. Many companies today look for an ROI on any investment, and IT security is no different. However, it is extremely difficult to calculate ROI on security projects, as the traditional calculations cannot really be used. The most appropriate view to take is one of insurance: without IT security your business is uninsured against attack. A gradual approach to the adoption of IT security is likely to be taken by most customers. This results in a modular approach being preferred and vendors are looking to address this by providing interoperable modules (OPSEC, the Open Platform for Security, is a good example here). Ease-of-use is a crucial part of any security solution and those that are unnecessarily complex are unlikely to achieve widespread adoption.

Moving on to what Butler Group expects to happen in the short-, medium-, and long-term, we believe that of the three technology types reviewed, AV is the one with the most uncertain future as a standalone product. Pure-play vendors that are solely dependent on AV functionality must either capture and maintain best-of-breed status, and partner with other technologies, or face a bleak future. Firewall and IDS technologies will continue to increasingly overlap in functionality, but will remain largely separate markets. Application developers are likely to continue in their production of insecure software in the immediate future, guaranteeing the continued success of the security market as a whole. At the moment it is too early to worry about Web services or wireless networks, as in their separate ways these are not really mature enough for hackers to pay serious attention to them. However, their use in conjunction with production networks should be strictly controlled.

The full report can be ordered from Butler Group.