IT managers must press for security standards on several fronts.
IT managers face daunting challenges next year: stopping spam, keeping systems up-to-date and tracking user identity. To surmount these obstacles, eWEEK Labs believes IT managers must become more assertive in getting executive managements buy-in for more personnel along with new technology purchases.
For IT managers grappling with business data security, the first major event of 2005 will be the RSA Security Conference in early February in San Francisco. This conference is among the must-attend educational security events for both IT practitioners and senior-level executives.
In the meantime, IT managers should demand guidelines from vendors on how IT products ranging from operating systems and applications to specialized appliances, including firewalls and VPNs, can be locked down.
To read eWEEK Labs recommendations for best practices, tools and strategies, click here.
And then theres spam. Industry sources have found that spam now accounts for 60 to 80 percent of the total volume of e-mail worldwide. And with spammers motivating virus writers, the stage is set for even bigger problems.
For IT managers, this means two things. First, now is the time to start preparing reports for other senior managers about current anti-spam tools. Executives must understand anti-spam technology, or they will not have the context necessary to understand the coming wave of bulk junk mail.
Given the enormous amount of junk mail hitting the Internet, even the best anti-spam systems will appear to fail over time. Therefore, along with explaining their anti-spam efforts, IT managers should prepare, in three to six months, to tell their superiors why anti-spam tools seem to be breaking.
This is why it is also important for IT managers to press messaging vendors to fix the e-mail protocol in the near term by developing a sender authentication system. Strong authentication wont end spam, but it will enable two important anti-spam techniques. The first is the positive identification of good senders. False positives, desirable e-mail mistakenly being marked as junk, would be reduced if desirable senders could be positively identified.
The IETF recently shut down a group that was working to develop an authentication standard. Click here to read more.
Second, valid authentication will enable reputation services to vouch for unknown senders trying to reach users. Establishing reputation will become a commercial activity requiring that IT managers be savvy in buying any e-mail system.
Small conferences, such as Inbox,
will set the pace for showcasing e-mail security technologies, especially those designed to counter phishing.
IT managers must put the requirement for a locked-down configuration in the RFP (request for proposal) and specify written directions and an automated tool for making applications and operating systems secure.
Developments in the coming year should ease configuration management. First, heated competition is driving the rapid development of ever-better intrusion prevention systems. Second is work on network admission control systems, which could go a long way toward re-establishing the boundary between the inside and outside world of a company. IT managers should see products that facilitate keeping road warriors laptops isolated from the production network until these laptops are guaranteed to be clean.
Configuration management will require more IT resources, including more staff and more money for tools. IT managers can control costs by looking for management tools that assist staff in keeping machines current, but that likely wont be enough to stop strongly motivated hackers. IT staff must be bolstered now to ensure that at least as much brainpower is devoted to protecting business-critical systems as is being expended to compromise them.
In the long term, all these security concerns, if addressed, should also have a positive impact on businesses. Streamlined configurations, available applications and protected data arent just security concerns, but only secure systems make this state of affairs possible.
Technical Director Cameron Sturdevant can be reached at firstname.lastname@example.org.
Check out eWEEK.coms Security Center
for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page