Industry watch
security grows up
John Thompson captured the zeitgeist when he gave his keynote at this year’s
RSA security conference in the USA. In the past, companies may have focused purely
on protecting infrastructure. Today, the Symantec CEO argues that data is the
most important asset to protect. It has quantifiable value for criminals; eBay
account credentials sell for $8 each on the digital black market, he says, while
credit card numbers trade for as little as 40 cents. Criminals are not probing
your network ports just for kicks; it is your information they are after.
As data becomes a focal point of security, companies are adopting knee-jerk reactions
to protect it. Encryption is becoming an important trend in an increasingly data-centric
world. “That’s where a lot of businesses are going first,” says Mark Murtagh,
technical director, EMEA and APAC, for security software company Websense. “However,
if data is compromised when a user is logged in, such measures are ineffective,”
he adds. It must be married with measures such as information lifecycle management,
and the concept of least privilege - an idea that has been around for years,
but which is sadly underused. “Unless an organization is trying to join those
things together in a common data security strategy, then it becomes difficult
to manage lots of individual point solutions,” he continues.
holistic approach
Companies are developing broad security strategies, but it is a slow process.
Shortly after the RSA conference, the UK government released its Information Security
Breaches report. Produced every two years, it charts enterprise approaches to
security. Six years ago, only 22% of UK companies had any sort of documented security
policy, but the 2008 edition shows 57% of companies with a cohesive strategy in
place. The percentage of firms implementing the popular ISO 27001 security framework
has more than doubled to 11%.
Large vendors are noticing the move towards end-to-end security strategies. At
the RSA conference, IBM presented a holistic view of security spanning areas including
data, applications, user identities and network operations. This makes sense to
IDC analyst Eric Domage. “Security investments are no more just in the hands of
the IT people. It’s now so expensive, and so broadly implemented,” he says. This
move also reflects an increasingly business-focused approach to security, as board-level
executives mull the implications of poor security from a governance perspective.
Compliance fears are more pronounced in the US than in Europe, says Domage, although
certain regulations such as the credit card industry’s PCI stretch across the
ocean.
As vendors court business people with strategic security stories, they have had
to change their product portfolios to address the new audience. Business people
understand business-related data more than they understand MAC addresses and routing
tables. This has meant that the technical merits of ad-hoc security products
are no longer at issue, Domage adds. Who cares about or understands the relative
merits of heuristic pattern recognition or signature-based malware detection in
the boardroom? “Vendors are saying that they’re the best anti-virus experts, but
we no longer care about that. The same goes for anti-spam, and anti-malware solutions,”
he says.
new bundled solutions
This business-centric approach has manifested itself in new categories of security
solution. “Instead of using a variety of tools from a variety of vendors to implement
protection for servers, workstations, desktops and notebooks, security vendors
are starting to roll out amalgamated packages bundled into one suite,” says James
Quinn, security analyst at Info-Tech Research.
One example of this is data leak protection, which is a category that has come
from nowhere in 18 months. “It’s an aggregation of existing products,” says Domage.
It incorporates existing technologies such as port lockdown, data encryption,
and device management. “There’s nothing new in terms of technical solutions. But
data leak protection has a value proposition. It’s both a governance project and
an IS-level project.” Similarly, some vendors are now packaging the various technologies
used to protect endpoints into single products, manageable across the enterprise
from a single console.
Role-based access control is another popular concept among companies, because
it restricts employee data access to those requiring the information on a ‘need-to-know’
basis. Similarly, Quinn is finally seeing movement on network access control -
a concept that has been around for at least half a decade. “In the last 9-12 months
the number of clients I’m talking to about NAC has increased dramatically, so
it’s really hit the mainstream,” he says. The idea of vetting PCs before they
connect to the corporate network has obvious attractions to companies worried
about malware infection from unwitting users.
Security is finally starting to become part of many organizations’ DNA - but
only as compliance issues cause the board to fold it into a broader corporate
risk management strategy. For many companies, getting the IT department and the
board to speak the same language will still be a challenge. A properly skilled
CIO - ideally complemented by an IT committee that reports to the board - will
be a good start.