The Future of Enterprise Security Scenario

1
The Future of Enterprise Security (Scenario)
  • Victor Wheatman

2
About Gartner, Inc.
  • Gartner, Inc. is the leading provider of research
    and analysis on the global IT industry. We help
    support enterprises as they drive innovation and
    growth through the use of technology. We help
    clients make informed technology and business
    decisions by providing in-depth analysis and
    actionable advice on virtually all aspects of
    technology.
  • Gartner Intelligence offers advice for IT
    professionals, technology companies and
    technology investors in the form of research
    reports, briefings or events.
  • Gartner Executive Programs offers peer networking
    services and membership programs designed
    specifically for CIOs and other senior
    executives.
  • Gartner Consulting offers customized engagements
    that allow CIOs and other business executives to
    apply our knowledge to their specific situation,
    with an emphasis on outsourcing and IT
    management.

3
Security-Related Technology Remains Top
Technology Priority
Top-10 Technology Priorities, 2004
[Chart legend: new question for 2004; selected change in ranking compared with 2003]
Source: Gartner's EXP Premier Report, "Preparing for the Upswing: The 2004 CIO Agenda," March 2004
4
Security and Privacy Remain Top Trends
Top-10 Business Trends, 2004
[Chart legend: new question for 2004; selected change in ranking compared with 2003]
Source: Gartner's EXP Premier Report, "Preparing for the Upswing: The 2004 CIO Agenda," March 2004
5
Gates: Security Off Top 5 List in Two Years ...
"I think within the next two years security will get off the top five list of concerns; it's probably two years until all the issues around easy quarantine, and everybody being educated and having all the really great auditing tools out there. ..."
Gartner Symposium/ITxpo, 29 March 2004, San Diego
6
A Safe Bet: Security Is Here to Stay
After each paradigm shift, a new need for security
[Figure: paradigm shifts plotted against time, from "Due Care Then" to "Due Care Now". Labels: Mainframe Era, PC, LAN, C/S, Internet, Java, Wireless, The Next Big Thing]
7
Cyberthreat Hype Cycle
8
Mythbuster No. 1: "Security in Depth" Means Spend on More Stuff While Continuing to Spend on Everything Else
Percentage of IT Budget Spent on Security Hardware and Software, 2004
[Bar chart by industry, vertical axis 0 to 6. Average, All Surveyed Industries: 3.9. Does NOT Include Salaries or Services. Industry labels: Tech., Manufacturing, Education, Government, Financial, Health, Services, Retail, Other, Mfg./Comm.]
Source: Gartner IT Watch Respondents, March 2003 through December 2003
9
The Business Value of Information Security
Keeping the Bad Guys Out ... Letting the Good
Guys In ...
Cost of Doing Business
  • Insurance
  • Loss
  • Fines

ROI
and Keeping the Wheels On (Business Continuity
Planning and System Upkeep)
10
Mythbuster No. 2: "Security Is a Journey, Not a Destination" Means You Are on a Cruise to Nowhere
What the ?
11
Mythbuster No. 3: "Software Has to Have Flaws" Is Only True If You Keep Buying Software That Has Flaws
[Figure: Security Testing across Development Phases. Phases: Requirements, Design, Code, QA, Release. Testing labels: Pre-prod QA, Vuln. Scan]
12
Mythbuster No. 4: Next Year Is Not "the Year Of ..."
Information Security Hype Cycle
[Figure: hype cycle, Visibility versus Maturity. Labels: Managed Security Service Providers, Reduced Sign-On, Public-Key Operations, Compliance Tools]
13
Mythbuster No. 5: Regulations Really Don't Matter
Gramm-Leach-Bliley
Sarbanes-Oxley
HIPAA
European Union Privacy Directive
California Database Security Breach Notification Act
Family Educational Rights and Privacy Act
You gotta do security anyway!
14
Internet Security Life Cycle

Retirement
  • OS accounts
  • DES/WEP
  • 40-bit crypto.

Containment/Migration
  • Stand-alone IDS
  • ACL silos
  • 3DES

Tactical Mainstream
  • Vulnerability management
  • Deep inspection firewalls
  • Secure Sockets Layer

Strategic Mainstream
  • Enterprise directory
  • Identity management
  • Smart cards
  • Selective outsource
  • AES

Emerging
  • PKI/PK operations (again)
  • Security service level
  • Web services security

Over the Horizon
  • Secure objects
  • Biometrics

[Figure axes: Enterprise Investment and Deployment versus Technology Adoption Five-Year Planning Period (2004 to 2009). Band labels: Baseline, Tactical Deployment, Strategic Foundations; zero to six months, six months to two years, three to five years]
15
Firewalls Need to Be Replaced by Better Firewalls
Commodity Stateful Network Inspection
16
Best of Breed Come Together on Host-Based Security Platforms
[Figure: host-based security platform. Labels: Best of Breed, 3rd Party; It Came With the Platform; Built Into the OS; Security Platform; Unified Management; Firewalls; IDS; Behavior Blocking; Antivirus]
17
Shielding: Scan and Block Overview
[Figure: network diagram. Labels: Corporate Laptop, Contractor Laptop, Home PC, VPN, Switch, Policy Server, RADIUS Server, DHCP Server]
18
Mythbuster No. 6: Business Units Really Do Care About Security
Walk the Security Walk, but Talk the Business Talk
Business-Focused: "Uh-oh, the Flubber ordering system could go down and cost millions."
IT-Focused: "We're vulnerable to an RPC-based denial-of-service attack."
[Figure: layered diagram. Labels: People, Business Processes, Transactions, The Demilitarized Zone, Applications, IT Infrastructure, Security Devices]
19
Security Technologies You Don't/Will Need

Do Need
  • Host-Based IPS
  • 802.1x
  • Quarantine/Containment
  • Security Audit Capabilities
  • Vulnerability Management
  • Advanced Encryption Standard
  • Identity Management
  • Automated Password Management
  • SSL/TLS
  • Gateway Spam/Antivirus Scanning
  • Business Continuity Plan

Probably Don't Need
  • Personal Digital Signatures
  • Quantum Key Exchange
  • Passive Intrusion Detection
  • Biometrics (Outside of User-Held Templates)
  • Tempest Shielding
  • Enterprise Digital Rights Management Outside of
    Workgroups
  • 500-Page Security Policies
  • Security Awareness Posters
  • Default Passwords

20
Recommendations
  • Buy the most-secure products.
  • Hire people you can trust.
  • Stop counting attacks and start closing holes.
  • Force new security investments to displace older,
    less-efficient security solutions.
  • Protect your customers, and they will protect
    your business.
  • 2005 will be the year of reckoning for security
    spending.

21
Gartner Security Capabilities
  • Gartner offers a wide range of IT Security
    products and services to help you with your most
    critical security issues.
  • IT Security Directors Membership Program offers a
    comprehensive suite of products and services to
    help IT security leaders address business and
    technology issues.
  • Measurement tools help you to make informed
    decisions about security vendors and to gain a
    better understanding and control of the factors
    that drive cost and service levels for IT
    security initiatives.
  • IT Security Engagements offer an in-depth view into
    your security issues. Topics covered include
    Disaster Recovery/Business Continuity Planning,
    Sarbanes-Oxley Compliance, and Security
    Assessment and Planning.