Security Trend Redux – Guess the Year(s)

Not sure how I came across this on my hard drive, but I thought it was interesting. Can you guess what year I wrote these? (actually, it was a past year / coming year type of thing):

Top Trend of XXXX: Reinventing the firewall.

XXXX started with a great sigh of relief in the security space — for the most part, companies had emerged unscathed in the face of dire predictions of massive software failures due to the poor programming practices of past years. This collective sigh turned into a hurricane-force gale of concern as organizations threw themselves into a flurry of activity surrounding their e-Business initiatives. Two months later, the first electronic "snowstorm" closed the "shops" of sites like Yahoo and Amazon.com until the bandwidth plows cleared the roads. These denial-of-service attacks threw the cold waters of harsh reality onto the supposed security of e-Business systems. In addition, they hit the press heavily, and many organizations took heed: The threat of Y2K was nothing compared to the fundamental security needs of e-Business initiatives. When network administrators scrambled to secure their environments, the firewall moved to center stage.

Alas, there was a problem — it turned out that firewalls, with their cumbersome implementations, were a bit too problematic for these e-Business initiatives — all those blocked ports limit the ability to offer fast connections in an efficient manner to business partners, marketplaces, ASPs, and other entities vital to business success. So the work began (and continues) to render firewalls essentially useless or at least less of a roadblock to the rapid information exchange required for business success:

  • Applications and services are being developed to "squeeze" all network traffic through specific ports. Microsoft’s SOAP and standard virtual private networks (VPNs) are designed to do just that.
  • Unfortunately, in other environments, ports are routinely opened, which defeats the purpose of the firewall.

In some camps, these initiatives provide nothing more than a "smoke screen" to satisfy the oft-competing needs of security ("sure, we have a firewall") while allowing the kind of flexibility necessary for e-Business. But for others, it was a wake-up call that firewalls are fine for what they do, but they represent a rigid and unsatisfactory solution to a real problem in a very dynamic world.

Firewalls can no longer serve as the security panacea for network administrators; however, they do retain their value as strategic security tools in a number of ways — for example, for managing different types of network traffic and segmenting networks based on assessed risk. In addition, firewall vendors are now concentrating on reinventing their products to meet the emerging and demanding needs of organizations. The use of firewalls on client PCs and host systems provides new opportunities for established solutions, although today’s competition has evolved into something new and different — TCP wrappers and the newer intrusion detection systems provide some similar capabilities.

The ongoing requirements of e-Business will continue to erode the notion of the robust, static firewall as a reliable and secure enterprise gatekeeper. Firewalls are now deployed as just one of a handful of tools, which must include specialized applications for intrusion detection and access management. All of these tools must be evaluated and deployed in concert with one another to secure an environment effectively.

Top Trend of XXXX: Managed security services.

As we move into XXXX, organizations have been spurred into action by a need for a much stronger sense of security, particularly in intrusion detection. Unlike firewalls, intrusion detection systems do not merely prevent activities from occurring, so they can’t just be configured and forgotten. Intrusion detection systems are like the puppies some will receive for Christmas this year — they start off as a great and popular idea until it becomes apparent that they require a significant amount of "care and feeding" if there is to be any hope that they will accomplish what is expected of them. The demand for managed security services will be driven by this realization and will be reinforced by the recognition of the existence of a couple of other "missing ingredients":

  • Scarcity of security expertise — the ability to hire and retain professionals who can (and want to) read logs and evaluate the security implications.
  • Requirement for intense focus — the ability to dedicate resources to the monitoring of network traffic without distractions.

Security functions and their implementation are highly sensitive to the idiosyncrasies of each organization. This means that any and all outsourcing decisions require careful deliberation. Although operations and daily monitoring of devices and network traffic can be outsourced, the ultimate and final responsibility for activities and decisions about such issues as risk assessments, security architecture, configurations, and incident response must stay firmly within the organization. In fact, one of the best benefits of outsourcing security services is that these other activities must be performed to ensure that an SLA (service level agreement) has been developed that is specific enough to truly protect an organization’s interests.

Managed security services represent an excellent alternative for organizations unable to establish and fully staff a security operations center to operate 24×7 to monitor security. This solution can provide a company with the dedicated resources necessary for proper monitoring of network traffic as a means of identifying and responding to potential attacks.

A number of challenges loom over managed security services that must be dealt with in XXXX. These challenges include:

  • Determining a mutually beneficial pricing model.
  • Understanding and articulating clearly the multiple aspects involved in the delivery of different security services.
  • Integrating the managed security service decision with the many other outsourcing decisions being made within an organization.
  • Selecting an MSP from the many that are cropping up — with everyone from local systems integrators to security boutiques and the "omnipresent players" attempting to position themselves as the dominant solution provider.

All of these points must be considered, but in the end, it boils down to one thing: The word "trust" will be used frequently in the year to come.

1 comment for “Security Trend Redux – Guess the Year(s)”

  1. August 28, 2007 at 4:14 pm

    Ah, come on. Obvious ref to Yahoo DDoS makes it 2000. So? Your point? :-)
