Security gurus converged on San Francisco this week to discuss
pressing information security problems at the annual RSA Conference. A
key issue: how to leverage relatively flat IT security budgets as
systems are besieged by threats. And as enterprises adopt
virtualization, cloud computing and Web 2.0 applications galore, the
challenges are mounting.
Unlike most subgroups within IT departments, information security tends
not to face imminent budget cuts. However, most security budgets aren't
growing either. And given that threats continue to increase, that puts
tremendous pressure on security personnel, says Andreas Antonopoulos,
analyst with Nemertes Research.
“Given the increased threats and pressures on security, flat budgets
with increased threats equals a cut budget,” Antonopoulos says.
“Effectively, we are trying to do a lot more with the same amounts of
money. So this is a difficult time.”
Antonopoulos believes that IT's push to virtualize its infrastructure
in recent years has thrown a lot of security folks for a loop. Many
security departments are trying to get a handle on the dynamic nature
of virtualization. The physical separation of resources through network
architecture using firewalls and other devices used to be the preferred
approach, but virtualization smashes those conventions, Antonopoulos
says.
“It creates highly dynamic systems which are flexible, which move
around,” he says. “A lot of the static approaches we take to security
no longer affect it. Of course, this isn’t the fault of
virtualization. We must make sure not to shoot the messenger,
(because) virtualization is a great technology.”
In addition to virtualization, the other current major challenge is
adapting to technology changes made by end users. Enterprises face a
convergence of technologies that comprise what Forrester likes to call
the 'consumerization of IT.' Line-of-business leaders and users are
clamoring for the flexibility of cloud services, Web 2.0 applications
and other technologies initially developed for consumers. As IT is
forced to adapt and adopt these within the enterprise, the technologies
often leave an organization vulnerable, says Chenxi Wang, analyst for Forrester.
“The impact of using consumer technologies within enterprises is huge.
A lot of consumer technologies carry a higher level of security risk,”
Wang says. “Some of them due to the fundamental technology that
underlies these applications and others due to the way the application
technologies are managed. We also see increasing evidence of attackers
targeting these newer types of consumer applications.”
According to Forrester, approximately 63 percent of all companies will
respond to the demands of consumer technologies in 2009. This
metamorphosis is attracting the interest of hackers—according to Wang,
more than 75 percent of today's attacks are targeting application layer
vulnerabilities. And yet, due to economic pressures, organizations are
actually starting to spend a little less on application security.
“Back in early 2008, we actually saw a lot of the interest in
companies, in our client companies who want information and application
security programs. But today we are seeing less and less with the
economic downturn,” Wang says.
Forrester suggests that investing in application development
security best practices is the main way organizations can mitigate
risks associated with consumer technology within the enterprise.
“We are urging companies that are thinking about using consumer
technologies today, are thinking about moving to opening up their
company boundaries to include more collaboration-oriented
technologies, really have to think about what the application security
measures are within their enterprise,” Wang says.