Securing the Future

With Nick Selby of the 451 Group

Nick Selby, Research Director for the 451 Group, reveals where the data security sector is heading.

“You don’t want to hear that something isn’t possible from your security people. What you do want to hear is, if we were able to deploy X, then Y would become more lucrative.”
-Nick Selby, Research Director for the 451 Group

Nick Selby, Research Director for Enterprise Security at the 451 Group, believes that the biggest point of pain for CIOs is identity management and access control. “By looking at identity and access management as a multi-outlet power strip and products that give it context, like web application firewalls and database transaction monitoring products, it is easy to see that the real challenge for identity and access management vendors is that as well as giving the who, they need to give the what, why, when and how of transactions between computers,” he says.

Selby goes on to say that identity and access management will continue to be a hot topic for the next two to three years. “Companies that are able to provide products that give the ability to manage identities more effectively and at a more detailed level than what currently exists will find they have a pretty brisk take up.”

However, it’s not just identity management and access control that cause headaches for CIOs, corporate governance and compliance remain very much on the front burner for most senior executives. Selby believes that the real problem that executives face is that deployment of governance and compliance technologies is a reactive and not proactive process, which by its very nature is more expensive.

He goes on to explain that both small and large enterprises can be seen buying products that are designed to address a specific, for example, auditing or a precise compliance requirement. This leads to poorly thought out deployments and money repeatedly spent to solve the same problems. “Where CIOs must head over the coming three years, is to a situation where they are looking horizontally across their entire enterprise, and looking to legal for advice about industry and regulatory requirements, before finding a matrix of all the rules to which they must be compliant, and find products that meet the vast majority of those,” says Selby. “Until that happens we will see a lot of money being spent on short-term solutions, tactically driven as opposed to strategically.

Investment

A recent survey of IT directors in Computer Weekly revealed that most believed current levels of security investment to be inadequate. Selby believes that while much time is spent tying security to specific business processes as specifically as possible, risk is going sky high. “The typical XY axis of security spend versus risk is out of the window when you take into account an increasingly mobile workforce and increased reliance on outsourced application development to untrustworthy third parties,” he says.

There is no real way to look at the XY axis so that you can find the ideal point of security spend versus risk, continues Selby, but what it is possible to start seeing is a greater understanding of security as an enabler as soon as security is tied to income. “You don’t want to hear that something isn’t possible from your security people. What you do want to hear is, if we were able to deploy X, then Y would become more lucrative. Enabling business processes is something that both security and business sides of the organization can understand.”

Protection

Data protection is and continues to be a huge focus for companies throughout North America and worldwide, but despite this many businesses are not doing enough to defend themselves. Selby believes this is down to a lack of understanding of where data comes from and where data is stored in organizations. This is then followed by a lack of desire on the part of the C-level or IP employees to staunch the flow of sensitive data out of the organization.

The 451 Group recently did a survey of 391 IP security professionals and found that around 23% had taken measures to classify the data that resides in their networks. The problem is that if you have not begun to classify where your data comes from or what kind of data you have, you can’t protect your data, except by encrypting everything.

“The first step in data protection is understanding where your data comes from and where it lives. The second step is to understand why it is there. And finally, begin to classify, in as few buckets as possible, what kind of data you have, for example, is it public, internal, sensitive, regulated or non-disclosure,” says Selby. By making these determinations about the data, you can, in the future, make policy decisions about how the data can be used and what data can or cannot leave the building. However, until you make those first fundamental steps, any data protection initiative will likely be hopeless.

It is the same first step for protecting sensitive data, claims Selby. By doing a basic analysis of where the data comes from it is possible to move on to the second step of looking internally and making yourself aware of how your data is moving internally. “If you follow the data you’ll see whether or not it’s a legitimate flow or whether, for example, it’s data flow that has popped up in response to a poorly deployed security deployment,” explains Selby. “Once you have an idea of how your traffic is moving, the next step would be towards data classification, and finally, to policy management and controlling what data goes out, by understanding what data, and what kinds of data, are moving within and outside your organization.”

Future focus

Selby believes that over the next 12 to 18 months virtualization security and eco-efficient IT will have the biggest impact on the sector. “You can’t start to reap some of the benefits of power saving and virtualization without dealing with virtual server and virtual endpoint sprawl,” predicts Selby. He believes that virtual network intrusion and threat detection is particularly exciting, as is the securing of visual endpoints by looking between hardware and the hypervisor, as well as within the virtual instance itself.

Going back to identity and access management, Selby is keen to highlight that the sector should see some exciting developments. “Once you understand the context and begin to deal more with the problem of persona, as some vendors are moving towards, the possibilities become very interesting.”

Case study

In an interview with BM, Fred Vignes, Director of IT Security at Zoo Atlanta, explains how the implementation of a new IT security system has impacted on and improved operations at the zoo.

BM. Around 12 months ago, you implemented a new IT security system at Zoo Atlanta, can you outline the benefits of the new system?
FV. This new system has added a whole new layer of security for us. Having these new devices on our side enables me to sleep better at night.

Basically, we implemented a pair of high availability firewalls and a mail security device as well as some monitoring software. Having the pair of firewalls has enabled us to have a fallback device, previously, if we lost one device we would have had to reset up our IP address and delivery system, so having a failover device pretty much ensures that we constantly have that firewall protection up.

BM. How has the system improved user productivity?
FV. It has significantly improved operations and productivity. The spam filters have allowed the zoo to keep moving and employees are not worrying about having to deal with viruses. The mail security device for example, means that 95% of the email that comes into the zoo is pre-cleaned, which means we aren’t wasting time looking at spam.

BM. You have employed a lot of wireless technology, however, wireless technologies often present more potential vulnerabilities, how are you protecting against these vulnerabilities?
FV. We have a multi-layered approach, but the firewall and the mail security device are certainly at the forefront of the access to the zoo. These technologies are intelligent in that they do not work against a set of virus definitions but seek patterns and protect us against suspicious patterns before they’re ever even identified.

BM. What are your focus areas over the next six to 12 months? Are there any particular areas you are looking at improving?
FV. I plan to make more use of the site protector management tools because it will enable me to manage all of the various devices and have a bird’s eye view of what’s going on in terms of IT security at the zoo.