Network security over-hyped, over-complex and over-sold
Enterprise managers look for value in low-cost security alternatives
Network security solutions are over-hyped, over-complex and over-sold, according to security professionals, while enterprises see managed security services as too much of a threat to network performance.
Richard Cross, corporate security officer at Toyota Motors Europe, stressed the value of flexible, low-cost security solutions that do not need too much time, effort and money spent on their configuration and management.
"Vendors are over selling security but businesses get what they deserve. People want a panacea but they need to understand the problems they have in the sphere of providing IT services," said Cross. "It is important to plan properly and right-size security; Toyota is not a bank, and it doesn't spend as much on security as a bank would. Cost management is very important."
Ovum analyst Graham Titterington agreed that many network security products are often too complex and not very user-friendly. But manufacturers are attempting to solve this problem with unified threat management (UTM) appliances that combine anti-virus, anti-spyware, anti-phishing, firewalls, virtual private networks and other security functions into one centrally managed device.
"The level of security needed depends on the configuration and the risk profile; every company is getting attacks, but the amount of money they need to spend on security varies according to the size and topography of the network," said Titterington.
Toyota recently installed a Tipping Point intrusion prevention system (IPS) appliance to safeguard its Supply Chain Management (SCM) system and other parts of the network from denial of service (DoS) attacks, worms, spyware, Trojans and viruses. Cross stressed that, to Toyota at least, ease of use and management were as important as effective network protection.
"We left the IPS to its default configuration and did not use it to control different segments or for highly focussed policies. There are dangers there and the costs of managing it would outweigh the security advantages it provides," he said. Both men underlined the need for detailed risk analysis to avoid putting the wrong security solutions in place.
"Organisations don't need everything, but they must do a proper risk analysis because the security requirement will vary not only from company to company but also between different divisions, like finance and marketing, within the same company," said Titterington.
Cross also believes that large enterprises see managed security services as a big threat to both network performance and business operations; ISPs can provide a top down view of attacks, but enterprises need to keep hold of granular security controls themselves.
"There would be too many opportunities [for ISPs] to break stuff. The more stringent the security is, the more likely you are to have customers ringing up with a complaint about something that doesn't work," he said.
While security vendors are aiming to take the complication out of their products, the Department of Trade and Industry (DTI) has approved the formation of a professional body that will put computer security experts' professionalism on a par with that of doctors and lawyers. The newly formed Institute for Information Security Professionals (IISP) will accredit security professionals and bind them to a code of conduct.