Network security has improved greatly in recent years. But these improvements have been matched by a huge increase in exposure, the number and range of attacks, and the level of risk.
Today, it is accepted that networks must be partially open – businesses must give customers and partners access to parts of their network. The methods of access have also increased. Remote workers use public networks and virtual private networks to access core systems, customers make voice-over-IP (VoIP) calls, and staff pick up private email over wireless connections, often using devices that others can access.
Web services, which can involve one company's systems integrating automatically with another over the Internet, add yet another layer of complexity and risk.
And today, because almost all of an organisation's mission-critical systems are accessible from the outside, the consequences of security breaches are far higher.
It is unsurprising, then, that IT buyers are spending more on security than ever before, and that security is usually identified as the number one concern in IT management. In the third quarter of 2004, European companies spent €420 million on security, according to analyst Canalys.
But in spite of this, there is a strong perception among many experts that new approaches are needed. It is not necessarily that these technologies do not work, but rather that they hamper business flexibility by imposing rules and restrictions at every turn. Leading security officers at organisations such as the Royal Mail, ICI and the Post Office have recently formed The Jericho Forum, which advocates a move away from the idea of a secure network looking like a castle with thick, strong walls.
Meta Group analyst Tom Scholtz explains: "Access mechanisms are proliferating and the result is the traditional network perimeter is being punched full of holes."
Also losing favour is the idea of a demilitarised zone (DMZ) – effectively a ‘room’ at the edge of the virtual castle where a subset of data and applications can be viewed by visitors. The idea is that if something goes wrong in the DMZ then the rest of the castle is still protected. Yet companies tend to fill the DMZ with the sort of data and applications they are supposed to be protecting, because customers or staff demand access.
Many organisations are now exploring a more nuanced and segmented approach to security. Instead of defending just at the perimeter, the argument goes that companies need defence in depth, with protection at the network level and at the level of the operating system, the database and the application.
Firewalls and switches segment the network, access controls and encryption are used to protect applications and data, and antivirus protection and vulnerability scanning are also available. "The older model of a demilitarised zone is being replaced at some organisations with a domain-based approach, creating logically different zones for different business needs," says Scholtz.
This new model of network security looks more like a hotel than a castle. Just like hotel guests, a company's partners, customers or staff check in (are authenticated by the network), can roam around public areas, but have to produce a key (authorisation) to access secured areas like bedrooms.
This model is already used for distributing antivirus software through the network, and some analysts argue that, if done properly, this strategy is more scalable and cheaper than previous models, because complicated and expensive perimeter defences can be replaced with lightweight, manageable devices spread throughout the network.
Big networking players such as Cisco, Juniper and 3Com are looking to capitalise on these changes by building security capabilities into their equipment.
This is needed, they argue, because high-bandwidth voice and video applications must be checked very fast, and traditional firewalls are not up to the task. These vendors are also looking to offer a suite of network security built into switches and security appliances.
Recent vendor activity demonstrates that more security will find its way into the network. Router maker Juniper, for example, acquired security company NetScreen for $4 billion in April 2004, while 3Com is buying TippingPoint Technologies, which has technology for securing VoIP, for $430 million.
Meanwhile Cisco is developing its ‘self-defending network’ strategy, working with Microsoft on compatibility between Cisco Network Admissions Control and Microsoft Network Access Protection security systems. One aim is to stop infected or unpatched machines gaining access to a network.
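The ‘hotel’ model described above (check in, roam public areas, produce a key for secured zones) combined with the admission-control idea of turning away unpatched machines, as an added illustration that is not code from the article or from any vendor named in it. The zones, roles, user records and device-health fields are all constructed for the example; a real deployment would take them from a directory service and a posture agent.

```python
import hmac
from dataclasses import dataclass

# Constructed zones: an empty role set means "public area", open to any
# checked-in guest; other zones require a role-based key.
ZONE_ROLES = {
    "lobby": set(),
    "partner_portal": {"partner", "staff"},
    "finance_db": {"finance"},
}

# Constructed credential store (hypothetical users and roles).
USERS = {
    "alice": ("pw-alice", {"staff", "finance"}),
    "bob": ("pw-bob", {"partner"}),
}


@dataclass
class Device:
    patched: bool      # posture as reported by an (assumed) endpoint agent
    av_current: bool


@dataclass
class Session:
    user: str
    roles: frozenset
    device: Device


def check_in(user, password, device):
    """Authentication plus admission control: reject bad credentials,
    then refuse endpoints that fail the health check, before any zone is reached."""
    cred = USERS.get(user)
    if cred is None or not hmac.compare_digest(cred[0], password):
        return None, "bad credentials"
    if not (device.patched and device.av_current):
        return None, "endpoint failed admission control"
    return Session(user, frozenset(cred[1]), device), "ok"


def authorise(session, zone):
    """Authorisation at the door of each zone (defence in depth): public areas
    need only a valid session; secured areas need a matching role; unknown zones deny."""
    if session is None:
        return False
    required = ZONE_ROLES.get(zone)
    if required is None:
        return False
    return not required or bool(session.roles & required)
```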
There is not one single product that can make a network safe, argues Paul King, chief security architect at Cisco Systems UK, but by integrating security into the network, it is possible to make different security measures talk to each other.
"We are trying to give customers an intelligent information network and the whole thing falls apart if it is not secure. So we have [to provide security]. We can't rely on niche security vendors. The big change is that you don't buy these things as point products: it is integrated security," he says. But not all security can be squeezed into the switch – at least not yet – and many organisations still prefer security appliances with firewall and intrusion protection to increase their layers of protection.
The sales figures demonstrate this. According to IDC, in the third quarter of 2004, $155 million in factory revenues was generated in Europe from security appliance sales, an increase of 54% over the same period in 2003.
Sales of new security appliance categories, for intrusion detection and prevention and unified threat management, are on the rise.
Rachel Power of communications analysts Canalys expects more acquisitions as some security technologies head towards being a commodity. But because the security threats are always shifting, there is still room for new players. "The security market is in constant evolution. You will always have specialist security companies," she says.
Authentication is one likely area of continued growth, with vendors such as RSA and Netegrity (now part of Computer Associates) arguing the case for businesses to move from a network infrastructure to an identity infrastructure, where individuals are given access to applications and data based on their role. And with an increased focus on compliance, data protection technologies will also find favour.
For IT and security managers, there is no sign yet of a clear architectural consensus. It is clear that, for those trying to marry strong security with business flexibility, being king of the castle is no longer enough.