Back to the future

The security arena has transformed in the region over the last year, and promises to become an increasing area of interest in the year to come.
By Sathya Mithra Ashok
Wed 03 Dec 2008 04:00 AM


It is extremely difficult, if not entirely impossible, to find an area of IT that is as dynamic as security. The division of information technology, which deals with protecting an organisation from digital threats, can appear to be a constant cat and mouse game, as enterprises struggle to keep two steps ahead of individuals with malicious intent.

Over the last twelve months, the security market in the Middle East has grown exponentially on the back of the economic boom, which fuelled higher investments in infrastructure and related solutions. With this spend, distinct trends have emerged, both in the threat landscape and in how enterprises tend to deal with it.


"Symantec's Internet Security Threat Report XIII issued in April this year shows a strong trend towards attackers compromising reputable websites with embedded malicious code that infects computers and sets them up as bots or zombies. Blended threats are also prevalent, integrating multiple attack methods such as worms, Trojan horses, and zero-day threats to obtain sensitive information. Many of these sophisticated threats can evade traditional security solutions, leaving organisations vulnerable to data theft and manipulation, disruption of business-critical services, and damage to corporate brand and reputation. To stay ahead of this emerging breed of stealthy and resilient security threats, the security industry has shifted its focus to infrastructure endpoint protection, which includes proactive security measures that can protect against zero-day attacks and unknown threats," says Bulent Teksoz, manager of systems engineering at Symantec in the region.

Greg Day, EMEA security analyst at McAfee Avert Labs says: "There has been a key focus on data breaches occurring around the globe and how businesses manage the issue. This has been a focal point for many businesses as they look to understand their legal liabilities, as well as start to understand what and how they use data so they can define policies and implement effective controls to mitigate data breaches."

He believes that optimisation has been another key focus in 2008. As the scope of solutions required continues to expand, businesses have been looking for operational efficiencies and integration points between the solutions they use, to both reduce costs and bring continuity to their particular security approach.

According to Day, IPS and data control tools were solution sets that many customers bought in 2008.

"Mainly there are two areas that have seen significant development in the last two years, the first being identity and access management, and the other DLP (data leakage prevention). There is a clear pattern emerging from the recent security incidents, that these incidents are aimed at committing financial fraud, unlike before. Industry has come to realise that there are mainly two areas which require maximum protection - user identities and data. Corporations today can utilise identity management technologies to cost-effectively manage and control the identity lifecycle, and demonstrate compliance more efficiently," says Sheik Abideen, business development manager at Paramount.

He adds that although DLP solutions were the most hyped in 2008, a lot more clarity was being seen in the space now. Apart from identity management and DLP, Abideen states that NAC, web application firewalls, IPS and encryption solutions invited a lot of investment in 2008.

Changing mindsets

With the threat landscape becoming increasingly complex, even more enterprises have been turning their protection strategies towards the internal framework, rather than choosing to address external threats directly.

Though a few technologies became more popular in 2008, there is a single thread linking almost all of them - the consistent move among enterprises from endpoint or perimeter security, to information-centric defence methods.


"For me, one of the biggest revelations this year has been the broad based shift in understanding that information security strategy must now evolve to a position of supporting the business objectives, as opposed to just being considered a 'tax'. There has been a clear transition from a perimeter-centric to information-centric approach to securing information," states Andrew Maloney, security strategist at RSA.

"The battleground for security no longer revolves around the infrastructure. It now revolves around information, which is unquestionably our most important asset.

Today, IT organisations are dealing with petabytes of data - and, the amount is growing exponentially every year. It's a wide, open world, and confidential information is everywhere. As many as one out of every two USB drives contains confidential information, and as much as 75% of corporate intellectual property is accessible either directly or indirectly via e-mail and many other messaging applications," says Teksoz.

He adds: "Information-centric security is about taking a risk-based approach to protecting confidential information. With the amount of stored data growing 50% a year, trying to protect it all is both inefficient and costly. Instead, it's about securing the most critical information - from source code to customer information to employee data. It's about protecting data at rest, data in motion, and data in use."

Ruggero Contu, principal analyst for security markets worldwide, technology and service provider research at Gartner, agrees: "Enterprises realised the value of information and data on their systems. The threat landscape has changed and become much more targeted, and more often attacks are meant to get information - personal or intellectual property oriented - from the organisation. With all this, the area of data security has become extremely important for most organisations."

With the tide turning towards information-centric security, the market saw the rise in popularity of security services being delivered in the cloud.

"We can call it delivery of security functionalities. There is a big evolution where we see delivery of security as a service, or software as a service, in the cloud. This is becoming more and more popular. So going forward, these delivery methods and other elements will affect the software and appliance market," says Contu.

Globally, more enterprises have been spending many of their IT dollars on managed security services (MSS), in a bid to protect information in the most cost-effective, as well as efficient manner.

"The realisation of the value that MSS can provide has improved worldwide. There were a lot more companies that were actually encouraged and invested in the delivery of these functionalities. There is a realisation that, particularly when you have no skills, you can outsource management services to an organisation that can provide the expertise that you may not have in-house. In terms of cost as well, MSS could provide a significant rationalisation of spend," points out Contu.

As businesses look to take a more intrinsic business risk based view, data protection and controls have become a high priority on most agendas. Additionally, regionally these changes have been reflected in a welcome desire by most end-user organisations to put in place strong, fundamental processes that will help secure their critical information.

"Though compliance is not mandatory in the Middle East, companies have started implementing technologies and processes to comply with standards such as ISO2001, COBIT, SOX etc. Organisations are taking much more informed decisions when investing in information security. During the last two years we have helped more than 60 organisations in the Middle East in assessing their IT infrastructure," says Paramount's Abideen.

The year ahead

As an economic downturn comes visiting, the region is likely to see some of its security initiatives affected, though Contu states that the security percentage will be less affected in the overall IT budget, since it is critical to the organisation.

"Within security where there are cuts, I would expect them to be more on personnel; in staff more than in software or hardware, technology and services," he states.

Crisis or no crisis, some experts believe that certain technology trends will become more apparent, or well established, in the year to come.

"Virtualisation will be a major disruptive technology in 2009. Today's problems of securing virtualised environments are more operational and managerial than technical. Many, if not most, of the security issues faced by IT around physical and virtual environments are the same. In addition, the majority of attacks today are people-based. These attacks will be successful no matter if someone is running in a VM or natively on the machine. And there are various solutions designed to operate seamlessly across virtual and physical environments, automate the processes involved in security, availability and maintenance, and centralise management for security policy configuration, deployment and maintenance," says Symantec's Teksoz.

Abideen agrees: "Virtualisation and web 2.0 are going to change the way we look at security technologies. Traditional security technologies are insufficient to protect the virtualised and web 2.0 environment. Governance, risk and compliance (GRC) is another area that is seeing traction. GRC initiatives are in the priority list of many large organisations in the Middle East."

"Following in the steps of the US, we are seeing more controls being applied in businesses around the globe. Businesses are looking for ways to reduce the costs and efforts involved in achieving security. Several global initiatives aim to allow businesses to check and cross reference the results against different compliance requirements. We will see more security technologies adopting such compliance open standards," says McAfee's Day.

"Obviously, we are going to have more and more people relying on the internet. More activity will be conducted online, and this will mean that the online medium will become more critical and there will be more attention paid to security on that medium. There will be more threats aimed at public and private information. We have already seen a lot of private information being made available online or over the internet, and this is going to increase. With this, security and privacy issues will become bigger concerns in the years to come. Authentication, secure communication and secure transaction will gain even more importance going forward," believes Contu.

The final call

There is no doubt that the next year could prove to be a tough one, not just in terms of shrinking investment patterns, but also the increasing need to keep on your toes with security. In this scenario, enterprises need to watch their step and spend with care.

"Tough times lead to unhappy and disgruntled customers and employees, to mergers and acquisitions, to higher levels of unemployment, to a greater focus on cost efficiency and project alignment, leading to a heightened degree of uncertainty overall. In these conditions we must ensure that we're optimising not only our security spending, but also prioritising it in the places that will accelerate the business and also protect us from these heightened threat levels," points out Ahmed Abdella, regional manager of RSA.

"One of the biggest mindset issues that enterprises have is that they believe investing in technology will solve the problem automatically. Technology is only an aid to a security strategy. You need processes and policies, which are the core of the strategy, and technology is an aid. If you think that technology will solve the problem then you are wrong, and organisations need to keep this in mind," warns Contu.

"As we have seen, security is an ongoing activity, that does not stay still with strategy or practical investment. We need to keep up with the major changes in the threat landscape, and also the changes in business and IT. There can be innumerable changes that occur in the business, and with each of these changes there will be new vulnerabilities. Bottom line, enterprises need to be aware and flexible in order to keep up with these changes and be truly secure," Contu concludes.

Security recommendations

These were key findings and recommendations made by Gartner in a predictive study on major market shifts in infrastructure protection that were expected for 2008. The study was published in late 2007.

Key Findings

• Market factors - notably the increasing integration of security into software life cycle (SLC) platforms and the maturation of open-source technologies - will result in sharp price decreases for application security testing technologies.

• In-the-cloud (ITC) and security-as-a-service offerings will take up a significantly larger part of enterprises' security spending, especially in managed security services.

• Enterprises increasingly recognise, and are addressing, the need to implement authentication for all forms of network access.

Recommendations

• Enterprises should take a strategic approach to application security in general, but a tactical approach to application-security-testing and vendor selection.

• Due-diligence criteria and work-around/continuity plans should be established as part of the selection process for security-as-a-service providers.

• The starting point for any device-based or identity-based network access control (NAC) system should be a network authentication solution that can evolve into a more sophisticated policy-based NAC system.
