Latest Data posts

The secure disposal of old IT equipment

14 Dec 2011


Network and security devices age just like any other IT equipment. As the IT industry moves toward 100 gigabit/second Ethernet and 100 megabit/second broadband connections, many existing devices will no longer cope with traffic volumes. The need to replace routers, firewalls, load-balancers, content filtering devices etc. is an ongoing process.
 
Some devices may be reusable by smaller organisations and have a second-hand value; others may just be fit for the dump. When the latter is the case they must be disposed of in line with environmental regulations such as the UK Environment Agency’s waste electrical and electronic equipment (WEEE) directive.
 
Either way, such devices will end up in the hands of third parties, and their eventual destination will not be guaranteed. These devices have all sorts of confidential data and settings stored on them, such as user details and network access settings. In the wrong hands these could be used to gain access to private networks, and in any case the leaking of such data may constitute a data privacy breach. It is therefore necessary to ensure all such data is securely deleted before devices are disposed of.
 
It varies by industry, but a recent Quocirca research report shows that around 40% of all organisations said they were not confident all such data was safely removed prior to device disposal. Quocirca suspects that even those who claim to have done so have not actually shredded data but just “deleted” it, and a determined hacker may still be able to retrieve it. Only audited disk shredding or secure reformatting tools, carried out by screened staff, can ensure such devices are completely safe to dispose of.
 
To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – click here.
 

Bob Tarzey, Analyst and Director, Quocirca
 

The 1985 iPhone in a truck

28 Oct 2011


People of a certain age often enjoy recalling for younger folk the size of the early mobile phones that were lugged around in the mid-1980s, whilst marvelling at the latest smartphones. These brick-sized devices could not even send text (SMS) messages (the first of which was sent in 1992); they were good for voice only. But, what would it have taken almost three decades ago to have had all the capabilities of a 2011 smartphone based on the available technology of the day?
 
This was one of the subjects covered in a recent New Scientist article titled “They said it couldn't be done: 7 impossible inventions”. To quote the article:
 
“The components for the iPhone à la 1985 we've listed so far would fill a large wheelbarrow. But we have left out something important.
 
“The processor at the heart of the iPhone 4 can perform up to a billion operations per second (the new iPhone 4S is even zippier). You might have matched that in the mid-80s if you had bought the Cray X-MP, then the world's most powerful supercomputer. But the Cray would have filled an office cubicle and also required an industrial-strength refrigerator to remove the waste heat. So cancel the wheelbarrow. To haul the 1985 iPhone around, we're going to need a truck.”
 
Interesting stuff, which underlines why the consumerisation of IT has become such a big issue. When I left the academic world for the commercial one in 1986, for the first time in my life I had dedicated access to a computer on my desk at work (albeit a text-only dumb terminal). It was linked to a network providing me with any information my employer had stored that it felt would be useful to do my job. I also now had a telephone with its own number; my friends and family could now contact me when I was at work (before that, hand-written letters had been the main method).
 
The new entrant to the workplace now has all this and much, much more in their pocket. This is the issue driving IT consumerisation. Employers can no longer impress new recruits with technology and connectivity; they are more likely to disappoint. Competitive employers today are those that allow their employees to use in the workplace the advanced technology they have become used to at home.
 
Consumerisation does of course throw up many challenges, not least how data security, contracts and billing are handled. These issues were discussed in a recent free Quocirca report “Carrying the can” sponsored by ttMobiles and the subject of a recent conference organised by the Wireless Improvement Group (WIG). Quocirca’s presentation given at the conference can be downloaded here.

Bob Tarzey, Analyst and Director, Quocirca

Data leaks: honesty really is the best policy

25 Oct 2011

A recent Quocirca blog post pointed out there were good business reasons for disclosing data breaches as well as an increasing number of regulatory ones. For those organisations not convinced by these arguments and still intent on attempting to brush leaks under the carpet, there is new evidence that consumers think they should come clean too.

New research commissioned by LogRhythm, a vendor of SIEM (security information and event management) tools, surveyed 2,000 UK consumers and concludes that they are “losing patience with organisations that endanger their customers’ data”. Some 80% were “concerned” about trusting organisations to keep their data safe from hackers, up 17% from a similar survey in 2010. Some 26% assert they would “definitely” not transact with the affected organisation again, with a further 61% saying they would try to avoid future interactions.

Of course, for many, their bark will be louder than their bite; it is often said that a man is more likely to change his wife than his bank. However, what the research does show is that all the recent press coverage of data leaks has not gone unnoticed. There is widespread awareness among consumers of the issues, of the responsibilities of the organisations to whom they entrust their data and of the importance of disclosure.

"It is not good enough for an affected organisation to lazily
issue a blanket warning to all customers, instead they should
be in a position to inform those (and only those) whose data has definitely been compromised"

SIEM tools help in two ways. First, they can monitor network traffic and help spot unusual activity, providing a feed to intrusion prevention systems (IPS) and data loss prevention (DLP) tools to block attempted data thefts. Second, they help clear up afterwards, enabling affected organisations to rapidly gather the information about what data has been lost and who has been affected. It is not good enough for an affected organisation to lazily issue a blanket warning to all customers; instead it should be in a position to inform those (and only those) whose data has definitely been compromised.
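The two jobs the paragraph gives SIEM tooling, spotting unusual activity and then working out exactly whose data was touched, can be shown on a small scale. The following is an added example written for this page; it is not code from the original post or from LogRhythm or any other vendor named here. It runs over a constructed application audit log (one customer-record read per line, in an assumed `key=value` layout), flags any account and source address that reads an unusually large number of distinct records inside a short window, and then reports only the records read inside the flagged windows, which is the list of customers who actually need telling. The threshold and window size are assumptions chosen for the sample, not tuned values.

```python
"""Scoping a data leak from audit-log lines (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one customer-record read per line, key=value fields.
# alice does a few normal reads from an internal address in the morning; the
# same account then bulk-reads eight records from an external address at night.
SAMPLE_LOG = """\
2011-10-20T09:00:01Z user=alice src=10.1.1.5 action=read record=cust-1001
2011-10-20T09:00:07Z user=alice src=10.1.1.5 action=read record=cust-1002
2011-10-20T09:01:10Z user=bob src=10.1.1.9 action=read record=cust-2001
2011-10-20T22:15:00Z user=alice src=203.0.113.7 action=read record=cust-3001
2011-10-20T22:15:02Z user=alice src=203.0.113.7 action=read record=cust-3002
2011-10-20T22:15:04Z user=alice src=203.0.113.7 action=read record=cust-3003
2011-10-20T22:15:06Z user=alice src=203.0.113.7 action=read record=cust-3004
2011-10-20T22:15:08Z user=alice src=203.0.113.7 action=read record=cust-3005
2011-10-20T22:15:10Z user=alice src=203.0.113.7 action=read record=cust-3006
2011-10-20T22:15:12Z user=alice src=203.0.113.7 action=read record=cust-3007
2011-10-20T22:15:14Z user=alice src=203.0.113.7 action=read record=cust-3008
"""


def parse_log(text):
    """Turn each non-empty line into a dict of fields with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bulk_access(events, window_seconds=60, threshold=5):
    """Flag any (user, source address) pair that reads more than `threshold`
    distinct records inside a sliding window of `window_seconds`.

    Returns one incident per actor carrying the full set of records read in
    the offending windows; that set is the scope of the later notification.
    The window and threshold values are assumptions for this sample."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("action") == "read":
            by_actor[(ev["user"], ev["src"])].append(ev)

    incidents = []
    window = timedelta(seconds=window_seconds)
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        flagged = set()
        for right, ev in enumerate(evs):
            # Slide the left edge forward until the window fits.
            while ev["ts"] - evs[left]["ts"] > window:
                left += 1
            in_window = {e["record"] for e in evs[left:right + 1]}
            if len(in_window) > threshold:
                flagged |= in_window
        if flagged:
            incidents.append({"user": user, "src": src, "records": flagged})
    return incidents


def affected_records(incidents):
    """Union of record ids across incidents: the customers who must be told."""
    return sorted(set().union(*(inc["records"] for inc in incidents)))


if __name__ == "__main__":
    found = detect_bulk_access(parse_log(SAMPLE_LOG))
    for inc in found:
        print(f"{inc['user']} from {inc['src']} bulk-read {len(inc['records'])} records")
    print("notify:", affected_records(found))
```

On the sample, the morning reads by alice and bob fall well under the threshold and are ignored, while the night-time burst from the external address is flagged and yields exactly the eight `cust-30xx` records; the morning customers stay off the notification list, which is the "those and only those" point the paragraph makes.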

LogRhythm claims to be the biggest independent vendor of SIEM tools. This follows a recent round of acquisitions of its rivals by larger vendors. In 2010, HP acquired ArcSight, and this month two more intended acquisitions were announced; IBM targeting Q1 Labs while Nitro Security was approached by McAfee. There is no shortage of other vendors; for example, Symantec has its Security Information Manager and EMC/RSA has tools based around the acquisitions of Network Intelligence and enVision. However, this has not put off new entrants, such as Red Lambda, a high-end data processing vendor attempting to re-position itself in the network security market by treating it as a “big data” problem.

Businesses rightly expect consumers to be careful with their confidential information, account details, login credentials and so on. In return, consumers should expect business to take good care of the same data and come clean when it is stolen or they have screwed up and leaked it to the public domain.

Bob Tarzey, Analyst and Director, Quocirca

The IT Security Analyst Forum 2011 - beyond the cloud?

13 Jun 2011

During the first week of June 2011, Quocirca attended the IT Security Analysts Forum in London which was organised by Eskenzi PR.

This is now an established annual event, having run every year since 2007, and it attracts a surprising number of US-based IT security analysts as well as many of the high-profile European ones.

That seems to be down to its unique (as far as Quocirca is aware) format, which involves two formal sessions over two days with plenty of networking in between.

Day 1 is a kind of speed dating for security vendors with analyst firms. The challenge for the analyst is to take on so much in one go from as many as ten individual vendor meetings.

For the vendor reps, the challenge is to tell their story ten times over without getting bored – something they seem to achieve admirably: most of them are still smiling at the final meetings scheduled to end at 18:00.

The event attracts a wide range of vendors, from the largest – HP, eager to talk about the recent acquisitions that have seen it re-enter the IT security market – to the smallest – Idappcom, wanting to raise the profile of its software for testing firewall configurations. Perhaps the main reminder for Quocirca after such an intense session is that there is always more than one way to skin the IT security cat.

For example, a pressing issue is the protection of data. You can move it about on encrypted memory sticks (Kingston Technology), encrypt data on end points and during transmission (SafeNet), locate and make safe/wipe lost devices (Absolute Software), restrict access to data (Varonis), or stop it leaving the organisation in the first place (M86). Few organisations need all of this protection, but a wise selection will go a long way towards providing the protection needed.

Day 2 is a chance to meet the real-world practitioners of IT security: the CISOs (chief information security officers). The event is now attracting some of the top UK-based CISOs. The Chatham House Rule under which the event is run prevents Quocirca from reporting the names of the companies or individuals represented, but some of the biggest banks, oil companies, pharmaceutical manufacturers and media organisations were there.

Many of the topics discussed were raised by the CISOs themselves. Perhaps the most interesting thing was an issue not raised explicitly by the CISOs: cloud computing.

Although it is hard to avoid the topic in any discussion about IT these days, the old questions – "should we", "shouldn't we", "can it ever be secure" – have disappeared with an implicit acceptance that the cloud is now an integral part of the delivery of IT. As one participant said: "Well-run public cloud infrastructure can be indistinguishable from internal IT infrastructure."

It was agreed that getting the contracts right was as important as security when engaging with cloud providers. Some complained there was not enough choice. Others stated that due diligence was needed when dealing with smaller providers to ensure SLAs would be delivered on.

Having said that, some complained that standards of service may drop off when a small cloud provider is acquired by a larger established IT vendor. It was also noted that regulators do not really understand the public cloud.

With that in mind, the CISOs raised plenty of concerns about business risk and governance – for example, how to determine the impact of managing data across different environments and how to quantify and assess the impact of IT security failures. One priority here was to ensure a media strategy was in place for when the inevitable occurs, and this strategy must include new media.

Another issue accepted as a reality was the rising tide of IT consumerisation. First, this includes the acceptance and control of consumer-based cloud services such as Facebook and Twitter. Most CISOs accept the use of these as inevitable and now govern their usage through a mix of HR policy and technology.

Second, it covers the use of personal devices to access IT. The rise of the iPad, the iPhone and the Android smartphone was accepted, and most CISOs seek to enable their use (or, in some cases, saw no way of easily preventing it).

There was a discussion about working with auditors: are they friends or foes? Most agreed that, however you view them, it is better to work with auditors rather than against them, and that they could also be a source of free advice, with useful experience from a range of industries. Some CISOs said their agenda was largely driven by auditors.

And there is demand for all those vendors with products to help secure the use of data. Most CISOs said they enforce encryption, at least on Windows notebook PCs. Nearly all the CISOs said they had a policy for using secure USB drives ("if laptops are encrypted, why would you not enforce it on USBs too?").

However, it was agreed that more than encryption is needed, including controls to keep sensitive data off the network wherever it is possible to install them. Perhaps the most interesting admission was that, in the age of WikiLeaks, one of the best strategies was to be more transparent and publish data more widely, only protecting the data that really needs to be protected: "If only we could persuade users to classify it in the first place."

One CISO bemoaned the numerous sales calls he received and advised vendors to wait for him to call. This advice is unlikely to be heeded; the sales process will go on. One day he will be sitting in a draughty living room, aghast at the size of the heating bill, and a double glazing sales rep will happen to ring with a special offer: "How fortunate!" he will think.

The CISOs also had some advice for us analysts. Make it clear when personal opinion is being provided as opposed to opinion gathered through research. Don't just say what is happening today; say what is coming down the line. And keep reports short; there's no time to read long ones. Time to polish the crystal ball, and this article has probably gone on long enough already.

Bob Tarzey, analyst and director, Quocirca

Symantec ups the ante through (r)evolution

25 May 2011

Symantec revealed a new internal structure and new messaging to analysts at its recent worldwide analyst conference in New York. The company is now structured along consumer/SOHO, SMB and enterprise lines, building from what it is terming the “three megatrends” of virtualisation, cloud and data growth. This, in itself, is a move in the right direction, giving levels of consistency and commonality across a company that has often, in the past, looked more like a collection of independent fiefdoms with barely interconnected technologies.

However, the biggest change is in Symantec’s messaging. Out goes the deep technical portfolio sell, and in comes a set of high level messages aimed at demonstrating what Symantec can do for the business. The message is strongly focused on information – not on devices.

It seems that Symantec has realised that the devices, while requiring a level of security to be applied, are no longer a key business asset, and are actually reducing in value as the consumerisation of IT passes this value to the individual. The real value is in the data and information, and if Symantec can provide the means of securing this, then the business will listen.

While Symantec still talks about what it can do for end-point management through its Altiris acquisition, and how tools such as Backup Exec (BE) and Enterprise Vault (EV) (via its Veritas acquisition) can perform at a technical level, it is now leading with messages around how tools such as data leak prevention, e-discovery (via the much talked-about acquisition of Clearwell Systems), encryption (via its PGP acquisition) and identity management (via its Verisign acquisition) can maintain the fidelity and security of information at rest and on the move – and along the value network of mobile users, temporary workers, suppliers and customers.

Symantec is also “cloudifying” its entire portfolio in a step by step manner. Using its MessageLabs acquisition as a base, along with the on-line backup services it bought via the SwapDrive acquisition, SaaS-based services such as EV.cloud, BE.cloud and storage.cloud are being rolled out. The platform also holds the promise of being able to support other functions; whether Symantec goes for an Amazon AWS or salesforce.com AppExchange model of allowing third parties to host applications on the Symantec cloud remains to be seen.

This is very different for Symantec – but is a very sensible step. The technical sell is not the right one for a post-recession market. Businesses need to be able to understand exactly what they are getting out of their IT investments – or will look to outside providers in the cloud to remove the complexities and problems of on-premise solutions. Symantec now has the capability to cover all bases – on-premise, in the cloud or hybrid.

But it may not be all plain sailing for Symantec. Such a bold move puts it into competition with companies that may previously have seen Symantec as a partner, or at least not as competition. Now, Symantec is going head-to-head with the likes of Amazon, with those in the information management space such as Autonomy, with cloud storage providers such as Asigra, and with a host of others.

The acquisitive nature of Symantec will also be raising concerns at some of Symantec’s partners – for example, Kaseya should be a little worried as Symantec gets closer to being able to provide more of what it offers. Dell, although not threatened by Symantec in its heartland hardware business, should still look to some of the appliances that Symantec has been bringing to market and ensure that it manages to deal with Symantec where competition occurs.

The biggest issue for Symantec, however, could well be the channel. It has over 50,000 channel partners worldwide – many of which are archetypal “yellow box shifters”, selling copies of Symantec’s software in a very simple reseller model.

The new messaging does not fit this model well, and Symantec needs to be able to identify the 1-2% top performers who can fit into the new model and concentrate on getting them up to speed. It should then be able to take the resulting model and cascade this down to maybe a further 5,000 partners. Decisions may have to be made as to how many of the 40,000+ partners left over should remain – and where culling should be applied.

Although Symantec is trying to make its offerings available as both on-premise and cloud-based services, it will need to work with the channel on this as well. A subscription-based model does not fit well with many sales people, as the compensation models tend to differ. Where subscriptions can be annualised, there will be less of a problem, but in the SMB market, where monthly subscriptions may be more of the norm, some financial help (as well as education of the channel in how subscription portfolio management can be done in a way that suits sales people) should be considered.

Overall, the messaging looks strong – and the acquisitions Symantec has made over the past few years are now looking very well positioned for the future. The devil will be in the detail, however – and Symantec will need to keep a careful eye on those partners which are not happy with the direction of the new Symantec, and on the channel, which may well struggle to deal with the new offerings.

Clive Longbottom, Service Director, Business Process Analysis, Quocirca