Security Issues

There is a wide range of technology in the security space; however, the industry is lacking a culture of correct utilisation. New policies need to be put in place, since most enterprises currently do not have the capability to combat security breaches.

By Angela Prasad. Published February 28, 2005

The unrelenting wave of increasingly sophisticated worms and viruses has become a security risk and costly problem for enterprises not only in the Middle East, but also around the globe. Cisco, as a network gatekeeper, believes it is in a strong position to do something about it.

In addition, security is the fastest growing part of Cisco’s business, providing the networking giant with US$1 billion worth of market opportunities. Addressing the attendees at the recent RSA conference in San Francisco, Cisco president and CEO John Chambers announced his company’s ambitious plans to expand beyond its current core markets in order to grow.

“We intend to grow in all core markets. We will expand in service providers and advanced technologies,” Chambers says. “However, we will do this from a technology and business architecture point of view. Since the network is a strategic customer asset, the protection of its business-critical applications and resources is a top priority,” he adds.

The vendor, which has announced the addition of over 10 new products, software enhancements and services across its security product portfolio, says the future of networking is at a critical juncture.

The industry can continue building specialised individual products or it can create unified networking systems that enable enterprises to increase productivity, reduce costs and gain competitive advantage.

Cisco has taken an all-encompassing approach toward security. The San Jose-based behemoth believes businesses should adopt its adaptive threat defense (ATD) strategy in order to safeguard their network. “This will minimise network security because it is designed around the evolving demands of global business — from their design and architectural needs at inception to helping protect their long-term network environments,” says Chambers.

Key components of ATD include better-coordinated threat mitigation through Anti-X defence, application security, and network control and containment. Cisco is convinced this is the way to achieve maximum, if not full, network security, and it is spending accordingly on developing security solutions. Last year, the vendor spent US$3 billion on research and development, more than 15% of its US$18.9 billion in sales in 2003. 40% of the research and development (R&D) budget went to what the company calls advanced technologies.

So far, the vendor has targeted six such areas — security, optical, IP telephony, home networking, wireless, and storage, which now account for 15% to 20% of its revenue. Chambers believes each of those six segments could grow into a billion-dollar business on its own.

Traditional information security methods, largely based on stand-alone point products, successive operating system patching and continuous antivirus software updates, are proving insufficient to effectively address current networking security requirements, claims Jayshree Ullal, senior vice president, security technology group at Cisco Systems.

These approaches fall short because they can only protect one part of the network that is easily circumvented by new attack methods. Also, each product requires its own interface and policies, and as a result, most of these point products do not talk to one another.

“Because of these limitations, traditional networking defences are costing companies as much, if not more, in management overhead as from damages,” explains Ullal. “Network operators are now required to add an accelerating array of antivirus software updates, operating system patches and applications fixes, often absorbing IT resources that crucial projects are put on hold. Current network security defences are reliant on manual control and intervention, which has proven too slow to counter the latest crop of worms and viruses,” she adds.

According to Cisco, the fundamental technology for protecting digital information and communications infrastructure from today’s security threats already exists. The vendor is now using the infrastructure of the intelligent information network to form a layered and integrated lattice of protection that addresses the shortcomings of traditional security measures.

“An integrated system creates a coordinated, consistent and proactive environment to identify, mitigate and respond to threats,” explains Ullal.

The Middle East is the second fastest growing market for the networking giant and it is paying special attention to the region. Jeffrey Platon, product marketing for security at Cisco Systems, says security is no longer a technology issue but a business issue, and that enterprises in the Middle East region have started to realise this and are acting accordingly.

“Network security is crucial to enterprises and their spending priorities for security have also evolved,” he says. “Proactive and automated security systems are required for day-zero threats. Point-products are no longer sufficient. Enterprises need system-level solutions.”

Cisco is not the only vendor wanting a slice of the IT security pie. Bill Gates also used the RSA conference to unveil a host of new technologies and features that Microsoft plans to provide for Windows. Although the Redmond-based software giant has a rather less-impressive reputation in the security community, Gates’ thoughts were well received by the CIOs and security experts present at the conference.

The new enhancements include a code-scanning feature that will be included in the next release of Visual Studio, a new Security Control Centre in Windows XP and a set of advances known collectively as Dynamic Systems Protection (DSP).

“In terms of delivering on more secure systems, I think there are three general things that we do. The first is advancing the technology. We spend over US$6 billion a year on research and development. I would say that over a third of that is directly security-focused and the other two-thirds tie in and relate to that security work,” says Gates.

The software giant is also working toward reducing spam on the internet. The vendor says it is working with major internet service providers (ISPs) to positively identify the senders of e-mail.

Furthermore, Gates says the response to Internet Explorer enhancements has been positive. However, he does concede that browsing the internet is a point of vulnerability. “Allowing people to have the richness and the extensibility, and yet be protected, that is a challenge. You do not want to lock things down so you cannot ever get to rich web sites, and yet you still want to make sure this is not the path that security threats are coming in through,” he adds.

The software giant is in dialogue with the concerned parties to make sure that it understands what changes people would like to see in Internet Explorer. Its new version of Internet Explorer, IE 7, which will be released shortly, will have a new level of security.

Furthermore, the conference also heard debates on regulating ISPs. Richard Clarke, former White House counter-terrorism chief and cyber security czar, believes it may not be a bad idea to regulate ISPs because they need to provide secure connections. “ISPs need to put firewalls in broadband connectivity,” he adds.

Regulation will no doubt stop the surge of distributed denial of service (DDoS) attacks. If ISPs actively monitor their inbound connections, they can quickly detect if a subscriber using broadband is behaving abnormally by consuming large amounts of bandwidth or sending a stream of packets to a large range of IP addresses.

On the other hand, regulation will be seen as a violation of the rules and regulations of different countries. Many countries have freedom of speech and laws protecting this fundamental right. A globally regulated internet will remove some of these rights. Today, the internet is dynamic because it has no boundaries. If regulation and red tape control access, much of this innovation will disappear. Not only that, regulation will also increase the cost of internet access globally.

Online security and regulation have been and will continue to be open to debate. One thing the RSA conference has made clear is that regulating the internet will be like turning back the clock, which is impossible. In addition, there can never be ultimate network security.

IT vendors can provide security solutions to the best of their abilities, hoping that these will safeguard corporate data. The only way the internet can serve the purpose it was developed for is if end users stop abusing it.
