META Trend Update: The Shifting Sands of Network Security

www.metagroup.com

2000/01 META Trend: Proliferating requirements for remote access (2000/01) and business-to-business extranets (2001-03) will drive dissolution of the network perimeter. Tiered access will be controlled by a policy-oriented identity/rights infrastructure (directory with Web single sign-on now, PKI during 2001-03) and enforced by an increasingly distributed web of security devices (firewalls, VPNs).

2001/02 META Trend: Strengthening and centralizing authentication/authorization services are becoming top security concerns as organizations bolster e-business (external) security architectures and rationalize with internal solutions (2001-03). Traditional boundaries will melt as security functions are increasingly embedded in infrastructure components during 2002-04.

META Group’s 2000/01 META Trend focused on the requirements for third-party access driving the need for policy-oriented access control and increasingly distributed security enforcement points. A year later, META Group’s projections are holding true, with e-business remaining the primary impetus. Indeed, META Group’s 2001/02 META Trend reiterates these concepts and expands to also capture some newly emerging aspects.

In particular, META Group expects traditional token schemes (e.g., SecurID) to meet the need for stronger user authentication in the near term (2001). Ultimately, widespread use of smart cards and biometrics (both used in conjunction with digital certificates) will be used for user authentication as these technologies mature, drop in price, and become embedded in common computing platforms (2002/03). The need to match authentication methods to users based on differentiated services provided (for economic reasons), along with the need to address overall scalability demands, will further emphasize the need for a robust identity and privilege management infrastructure. In addition, by 2002/03, a goal for leading organizations will be to have this infrastructure also apply to internal users.

META Group also expects an increasingly distributed and mobile workforce to cause dramatic similarities between how external parties and employees interact with an enterprise. This mobile workforce, along with a converged identity infrastructure, will form a solid base to evolve a more comprehensive security strategy that must be promulgated – one that further dissolves the differences between external parties and employees, thereby inherently addressing the internal threat to information resources (2004/05). The continued proliferation of appliance-style security devices and the increasing “embeddedness” of security functions at all layers will help this cause by enabling security enforcement points to become pervasive (2002-04).

Who Are You – And Why Do We Care?

Most organizations still rely heavily on relatively weak username/password methods for user authentication – even for external parties accessing e-business applications. However, maintaining this approach while increasing the value/functionality of externalized services (to remain competitive) creates an imbalance in the associated risk model. Thus, companies are forced to either adopt stronger means of assuring user identity or accept this greater risk as a cost of doing business. Unfortunately, acknowledged methods for strong authentication suffer from various shortcomings. Proven token schemes (e.g., SecurID) would be ideal except for their high costs and management/scalability challenges – yet they still represent the best tactical solution.

Practical use of alternative methods, such as smart cards and biometrics, remains two to three years ahead and depends on both pervasive availability of components directly embedded in computing platforms and maturation of operational models.

Until a ubiquitous, inexpensive, strong authentication method does emerge, organizations should control costs and management challenges by segmenting their user population according to who they are, where they are, and what data they are accessing. This segmentation facilitates limiting deployment of strong authentication to only the most critical user subsets (e.g., executives, network administrators, “gold-level” customers). Also noteworthy is the need to support multiple authentication mechanisms that enhance the value proposition of a unified identity and privilege management infrastructure. Taking such an infrastructural approach eases management in general and (importantly) also enables easy shifting between existing and new authentication mechanisms without a need to modify applications.

From the Outside Looking In?

Once an identity infrastructure has been established to support revenue-generating e-business objectives, companies will then begin to leverage it across internal users to gain additional operational efficiencies. A somewhat coincident occurrence is the increasing externalization of internal users, in terms of traditional remote access paradigms and emerging pervasive computing options (e.g., wireless handhelds). The relationship between these trends is that they represent two substantial aspects of the computing experience where internal users will be treated similarly to external users (as opposed to having separate infrastructure and methods). This is important because such an approach is a critical component/tenet of a security solution that addresses threats from the “inside” – the often acknowledged, but rarely addressed source of greater than 50% of all security breaches.

To avoid any confusion, organizations should not turn their networks inside out, particularly because most systems are still incapable of self-protection; rather, organizations should consider a configuration where the internal users are not “among” the back-end resources, but instead have to traverse demilitarized zones and associated security mechanisms just like external users do. Despite the apparent security benefits, relatively few organizations will embrace this approach before 2003/04, citing an inability to spare resources from the external, e-business front. This is unfortunate, however, because costs would be more than offset by savings achieved by reusing some infrastructure and reducing losses due to internally spawned security breaches. Fortunately, in the meantime, security functions will increasingly be embedded in network, operating system, and application layer components, thereby enabling administrators to implement security solutions more cheaply, as well as more thoroughly.