Security gurus converged on San Francisco this week to discuss pressing information security problems at the annual RSA Conference. A key issue: how to leverage relatively flat IT security budgets as systems are besieged by threats. And as enterprises adopt virtualization, cloud computing and Web 2.0 applications galore, the challenges are mounting.
Unlike most subgroups within IT departments, information security tends not to face imminent budget cuts. However, most security budgets aren't growing either. And given that threats continue to increase, that puts tremendous pressure on security personnel, says Andreas Antonopoulos, analyst with Nemertes Research.
"Given the increased threats and pressures on security, flat budgets with increased threats equals a cut budget," Antonopoulos says. "Effectively, we are trying to do a lot more with the same amounts of money. So this is a difficult time."
Antonopoulos believes that IT's push to virtualize its infrastructure in recent years has thrown a lot of security folks for a loop. Many security departments are trying to get a handle on the dynamic nature of virtualization. The physical separation of resources through network architecture using firewalls and other devices used to be the preferred approach, but virtualization smashes those conventions, Antonopoulos says.
"It creates highly dynamic systems which are flexible, which move around," he says. "A lot of the static approaches we take to security no longer affect it. Of course, this isn't the fault of virtualization. We must make sure not to shoot the messenger, (because) virtualization is a great technology."
In addition to virtualization, the other current major challenge is adapting to technology changes made by end users. Enterprises face a convergence of technologies that comprise what Forrester likes to call the 'consumerization of IT.' Line-of-business leaders and users are clamoring for the flexibility of cloud services, Web 2.0 applications and other technologies initially developed for consumers. As IT is forced to adapt and adopt these technologies within the enterprise, they often leave an organization vulnerable, says Chenxi Wang, analyst for Forrester.
"The impact of using consumer technologies within enterprises is huge. A lot of consumer technologies carry a higher level of security risk," Wang says. "Some of them due to the fundamental technology that underlines these applications and others due to the way the application technologies are managed. We also see increasing evidence of attackers targeting these newer types of consumer applications."
According to Forrester, approximately 63 percent of all companies will respond to the demands of consumer technologies in 2009. This metamorphosis is attracting the interest of hackers: according to Wang, more than 75 percent of today's attacks are targeting application layer vulnerabilities. And yet, due to economic pressures, organizations are actually starting to spend a little less on application security.
"Back in early 2008, we actually saw a lot of the interest in companies, in our client companies who want information and application security programs. But today we are seeing less and less with the economic downturn," Wang says.
Forrester suggests that investing in application development security best practices is the main way organizations can mitigate risks associated with consumer technology within the enterprise.
"We are urging companies that are thinking about using consumer technologies today are thinking about moving to opening up their company boundaries to include more collaboration-oriented technologies really have to think about what the application security measures are within their enterprise," Wang says.