The past year brought many new security problems for IT directors, and 2004 promises to be even more challenging.

Emerging threats and rapidly evolving technologies mean companies must invest in security infrastructure, identity and access management and web services.

The worm and virus outbreaks that made headlines in 2003, many of them bypassing perimeter defences to infect companies via PCs and laptops connected to local area networks (Lans), will continue this year.

For this reason, scan-and-block technologies such as down-level patches, or antivirus signature levels that scan all network-connected devices and block the connection if they identify a security exposure, will become a standard component of Lan management.

Multi-headed worms and Trojans that can't be stopped by signature-based antivirus tools will continue to appear. IT directors will look to personal firewalls that detect and block unusual network behaviour as a defence.

Standard perimeter firewalls continue to offer businesses effective protection at the network level. However, attackers can take advantage of open HTTP connections that expose internal servers. The weakness of traditional network intrusion detection systems is that they can only report these attacks after the event.

However, intrusion prevention technologies that use deep-packet inspection can block malicious traffic at all open systems interconnection levels.

These tools are new, but already mature enough for initial product deployments, and will ultimately replace firewalls and network intrusion detection systems.

The investments being made in intrusion detection systems would be better spent on vulnerability management processes that can cut the number of successful attacks.

These replace periodic assessments and occasional follow-ups with a near-continuous cycle of assessment and mitigation. Vulnerabilities are prioritised and passed to a mitigation process, which involves all infrastructure support areas with some form of interim shielding.

These changes in technologies and needs mean that managed security service providers must offer more than just the ability to recognise intrusions and alert the company. In 2004, these providers will develop the ability to recognise vulnerabilities, block attempts to exploit them, and offer additional services based on these capabilities.

Businesses are increasingly aware that a large proportion of threats are internal. IT directors must address the serious internal challenges of administration, authentication and authorisation in heterogeneous environments for a broad range of users: employees, customers, partners and supply chain participants.

They must invest in identity and access management products to manage these issues, focusing on user provisioning and web access management products.

Cost containment and improved service levels are the biggest drivers of these products, but there will be increasing emphasis on better risk management, especially in highly-regulated industries.

Large, heterogeneous companies that can't completely centralise will employ federated identity technologies, likely to be based on open standards such as Security Assertion Markup Language and Security Provisioning Markup Language, rather than proprietary approaches, to automate identity and access management processes across their businesses.

Web services, like any new technology, bring new security challenges. The majority of web services implementations in 2004 will require only the most basic and stable web services security standards, primarily WS-Security and SAML. However, mature security standards alone won't ensure secure web services.

New security exposures will certainly be discovered in web services applications and in newly network-enabled applications originally designed for internal access. Most vendors haven't yet achieved the sophistication necessary to address these exposures.

Anthony Allan is research director at Gartner.