Can You Afford Security?

Security gurus converged on San Francisco this week to discuss pressing information security problems at the annual RSA Conference. A key issue: how to leverage relatively flat IT security budgets as systems are besieged by threats. And as enterprises adopt virtualization, cloud computing and Web 2.0 applications galore, the challenges are mounting.

Unlike most subgroups within IT departments, information security tends not to face imminent budget cuts. However, most security budgets aren’t growing either. And given that threats continue to increase, that puts tremendous pressure on security personnel, says Andreas Antonopoulos, analyst with Nemertes Research.

“Given the increased threats and pressures on security, flat budgets with increased threats equals a cut budget,” Antonopoulos says. “Effectively, we are trying to do a lot more with the same amounts of money. So this is a difficult time.”

Antonopoulos believes that IT’s push to virtualize its infrastructure in recent years has thrown a lot of security folks for a loop. Many security departments are trying to get a handle on the dynamic nature of virtualization. The physical separation of resources through network architecture using firewalls and other devices used to be the preferred approach, but virtualization smashes those conventions, Antonopoulos says.

“It creates highly dynamic systems which are flexible, which move around,” he says. “A lot of the static approaches we take to security no longer affect it. Of course, this isn’t the fault of virtualization. We must make sure not to shoot the messenger, (because) virtualization is a great technology.”

In addition to virtualization, the other current major challenge is adapting to technology changes made by end users. Enterprises face a convergence of technologies that comprise what Forrester likes to call the ‘consumerization of IT.’ Line-of-business leaders and users are clamoring for the flexibility of cloud services, Web 2.0 applications and other technologies initially developed for consumers. As IT is forced to adapt and adopt these within the enterprise, they often leave an organization vulnerable, says Chenxi Wang, analyst for Forrester.

“The impact of using consumer technologies within enterprises is huge. A lot of consumer technologies carry a higher level of security risk,” Wang says. “Some of them due to the fundamental technology that underlines these applications and others due to the way the application technologies are managed. We also see increasing evidence of attackers targeting these newer types of consumer applications.”

According to Forrester, approximately 63 percent of all companies will respond to the demands of consumer technologies in 2009. This metamorphosis is attracting the interest of hackers; according to Wang, more than 75 percent of today’s attacks are targeting application layer vulnerabilities. And yet, due to economic pressures, organizations are actually starting to spend a little less on application security.

“Back in early 2008, we actually saw a lot of the interest in companies, in our client companies who want information and application security programs. But today we are seeing a less and less with the economic downturn,” Wang says.

Forrester suggests that investing in application development security best practices is the main way organizations can mitigate risks associated with consumer technology within the enterprise.

“We are urging companies that are thinking about using consumer technologies today are thinking about moving to opening up their company boundaries to include a more collaboration oriented technologies really have to think about what the application security measures are within their enterprise,” Wang says.