Call me Jack
One thing we learn very early on in the security space is that we need to be a "jack of all trades" type. We must be able to identify the weakest or weaker links, and understand how they impact the security of our environment. That means knowing a little about a lot of things - networks, operating systems, databases, applications, etc.
In some respects, then, it is understandable that new technology tends to make us bristle a bit. Any introduction of new technology forces us to revisit our existing security posture to identify chinks in the armor. In these days of "high worker productivity," which is another way of measuring utilization of "person bandwidth" (and an indicator that we are all being worked to the bone), it is far easier to just say no. But we, as security professionals, have said no for far too long and often get bypassed by the users in the pursuit of new technology within an organization.
This is the case with three new technologies (at least new from a business value perspective) - the ubiquitous Web services, wireless LANs, and instant messaging. All three of these technologies come with a message - security is an extremely important consideration.
THE HURWITZ TAKE: The good news is that with technology like this, security can be seen as enabling. Of course, it isn't enabling if we ban these technologies outright, as some companies have taken to doing. Much more important is the assessment of business value to the enterprise. If these technologies are truly beneficial - and I can easily come up with a number of scenarios that demonstrate benefit - then we need to figure out how to control them and minimize the risk. Of course, we can't eliminate risk and haven't eliminated it from our existing environments. We just need to reduce it to the extent that the value is greater.
With respect to our three new technologies, there are a few companies that are worth mentioning. These companies are at the forefront of securing these environments and show promise of being able to provide the control necessary to properly deploy them in the enterprise.
Web services is over-hyped, they say, but I say the productivity argument is a strong one. With these "floating database records" immediately recognized by disparate platforms, the value is clear - real-time, dynamic information exchange. There is nary a vendor out there that isn't adding Web services to their list of supported technologies. Forum Systems (www.forumsys.com) has a security appliance to control the transfer of information - the transaction - using encryption and digital signature capabilities to provide confidentiality, integrity, and authenticity over the transaction. It delivers this solution in an appliance, complete with policy and audit capabilities.
Wireless LANs are already pervasive and their power is obvious to anyone who has ever deployed one, then picked up their laptop and moved from desk to table, or down the hall to a coworker. AirDefense (www.airdefense.net) has a unique approach to securing wireless networks - by creating a "forcefield" of wireless sensors that can be deployed around the perimeter of a building, for example, or paired with known wireless routers. The AirDefense solution brings discovery scanning, vulnerability assessment, intrusion detection, and management capabilities to a tough-to-manage technology.
Instant messaging is an immediate communication vehicle. As important as email was (and still is), we are getting swamped with emails from everywhere, including the now-ubiquitous spam. Instant messaging is useful for folks who need a quick answer and want to carry on a two-way conversation. Look for an announcement next week from a company that has created an instant messaging proxy-like solution that is designed to address other rogue protocols as well. It monitors usage of the major instant messaging platforms - AOL, Yahoo, and MSN - and can detect viruses, track conversations, provide auditing, and filter content, among other things.
Security professionals must be willing to take reasonable risks in the ongoing challenges of new technology. These companies provide the tools to keep the risk manageable.
Copyright 2002 Hurwitz Group Inc. This article is excerpted from TrendWatch, a weekly publication of Hurwitz Group Inc. - an analyst, research, and consulting firm.