
Blog Author

Bob Tarzey


Quocirca
Analyst and Director

Bob Tarzey's blog

Permalink:
http://www.infosecurityadviser.com/view_blog?id=16

Policy everywhere, with little to link it

As Quocirca discusses in its freely available report “Content Security for the next decade”, policies that define the way data must be handled are fundamental to good e-security practice, but where do you store the associated e-security policies? A written set of policies for handling data should be the starting point and such a document should be readily available to all employees and, where relevant, external data users for a given organisation. But policy can be enforced through a range of security tools in various parts of the IT infrastructure and this can lead to policy needing to be defined in several places.

 

For example, a policy may say that those in the financial department can share their spreadsheets with others in the same department but no one else. To enforce such a policy means that data in transit needs to be checked to see who is sending spreadsheets to whom, that on their PCs accountants must be prevented from copying spreadsheets to USB memory sticks and sending them to printers, and that such spreadsheets should only be stored in encrypted format – this requires one simple policy that can be enforced through technology, but probably only by defining it in three places.

 

Organisations can identify their users by getting them to authenticate against directories. User directories are generally accessed via a standard called LDAP (lightweight directory access protocol), and most security tools link to such directories to understand who users are and what groups they belong to. A well organised IT department may have just one user directory. But when it comes to policy, it usually needs to be defined time and again as there are no real standards and few generic repositories for policy that can be shared by multiple security tools.
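The spreadsheet policy described above, worked through in code as an added example (not code from Quocirca's report or from the blog). It assumes a small in-memory dictionary standing in for the LDAP directory (user to groups), and three hypothetical enforcement points, a mail gateway for data in transit, an endpoint agent for USB copy and printing, and a storage layer deciding on encryption at rest, all consulting the one policy object rather than each carrying its own definition:

```python
"""One sharing policy, three enforcement points.

Added example, not code from Quocirca or the blog. It assumes a small
in-memory dictionary standing in for an LDAP directory (user -> groups)
and three hypothetical enforcement points: a mail gateway (data in
transit), an endpoint agent (USB copy / print) and a storage layer
(encryption at rest). All of them consult the same policy object.
"""
from dataclasses import dataclass
import os

# Constructed stand-in for the LDAP directory: who belongs to which groups.
DIRECTORY = {
    "alice": {"finance", "staff"},
    "bob": {"finance", "staff"},
    "carol": {"marketing", "staff"},
}


def groups_of(user):
    """Directory lookup; unknown users (e.g. external addresses) have no groups."""
    return DIRECTORY.get(user, set())


@dataclass(frozen=True)
class SharingPolicy:
    """Members of `group` may share data of class `data_class` only within the group."""
    data_class: str
    group: str
    require_encryption_at_rest: bool = True
    block_removable_media: bool = True
    block_print: bool = True


# The single policy from the text: finance spreadsheets stay inside finance.
POLICY = SharingPolicy(data_class="spreadsheet", group="finance")


def classify(filename):
    """Crude content classifier: spreadsheets recognised by extension only."""
    ext = os.path.splitext(filename)[1].lower()
    return "spreadsheet" if ext in {".xls", ".xlsx", ".csv"} else "other"


def covered(user, filename, policy=POLICY):
    """Does the policy apply to this user handling this file?"""
    return classify(filename) == policy.data_class and policy.group in groups_of(user)


# Enforcement point 1: mail gateway, checking data in transit.
def mail_gateway_allows(sender, recipients, attachment, policy=POLICY):
    if not covered(sender, attachment, policy):
        return True
    return all(policy.group in groups_of(r) for r in recipients)


# Enforcement point 2: endpoint agent, checking local actions.
def endpoint_allows(user, filename, action, policy=POLICY):
    if not covered(user, filename, policy):
        return True
    if action == "copy_to_usb":
        return not policy.block_removable_media
    if action == "print":
        return not policy.block_print
    return True


# Enforcement point 3: storage layer, deciding whether a file must be encrypted.
def storage_requires_encryption(user, filename, policy=POLICY):
    return covered(user, filename, policy) and policy.require_encryption_at_rest


if __name__ == "__main__":
    print(mail_gateway_allows("alice", ["bob"], "q3.xlsx"))       # True
    print(mail_gateway_allows("alice", ["carol"], "q3.xlsx"))     # False
    print(endpoint_allows("alice", "q3.xlsx", "copy_to_usb"))    # False
    print(storage_requires_encryption("bob", "budget.csv"))      # True
```

The point of the structure is that changing `POLICY` changes all three decisions at once; in the products the post goes on to describe, each of the three checks would instead be configured separately, which is where the duplication and inconsistency creep in.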

 

IBM's initiatives this year around data security underline the problem. IBM can enforce encryption by defining policies in Tivoli Storage Manager, but to boost its offerings it has formed two new partnerships:  Verdasys for the management of end points and Fidelis Security Systems for monitoring data in use. The problem is that both the new partners' products have policy engines too – so three in total; plenty of scope for duplication and inconsistency.

 

IBM is not alone. Other security vendors have addressed data security through multiple product lines developed in-house, acquired or via partnership. For example Symantec bought Sygate for end point security (now Symantec End Point Protection or SEP V11) and Vontu for data leak prevention or DLP (now Symantec DLP V9), both of which had their own policy engines.

 

CA, EMC/RSA, Trend Micro and Websense have all made acquisitions in the DLP and end point areas and face similar problems with co-ordinating policy. McAfee has one of the most centralised approaches. Its ePolicy Orchestrator (ePO) was developed in-house and is core to its security suite. All its acquired technology is integrated with ePO as well as with 50-plus partner products, all done using McAfee's own proprietary software development kit – so still not standards based. Meanwhile Microsoft has made some moves in this direction with the beta release of its new security management tools code named “Stirling”.

 

Well defined and managed policy is essential to achieving, and being seen to achieve, good security practice. The industry needs a more co-ordinated approach to how policy is defined and shared across multiple products. This has already been achieved for the management of people's identities through the use of directories, and there are standards for access to these; what is needed now is to make it just as easy to find out what those people are allowed to do.

09-07-2009 14:26

When is an appliance not an appliance?

A few years ago Quocirca reviewed the deployment of Microsoft ISA server by The Kensington and Chelsea NHS Trust in all its remote surgeries and clinics. Microsoft was keen to promote the fact that ISA Server (ISA stands for Internet Security and Acceleration) had won over specialist appliance based offerings for network acceleration.

 

One of the main reasons that the Trust went the Microsoft route was the need to implement other services on the same device as the network acceleration software. Alongside ISA Server this included having a local copy of Microsoft Active Directory, the ability to store syslogs and to add security software at some stage. To implement this, the Trust's implementation partner, Hytec Information Security, packaged all the software onto a standard x86-based server running Windows Server 2003 and delivered it, just like a pre-configured appliance, to each remote location.

 

Were the same choice being made today, Hytec might be able to make do with a single web acceleration appliance from the self-proclaimed market leader – Riverbed.

 

Riverbed's network acceleration appliances, which it calls Steelheads, run its own proprietary operating system, RiOS. But earlier in 2009 Riverbed added what it calls the "RiOS Server Platform" (RSP) to all its Steelhead appliances. RSP is a VMware deployment on RiOS that enables Microsoft Windows Server 2003 or 2008 to be installed and run local services such as Active Directory. It costs extra to switch RSP on, but once it is on the Steelhead becomes more than an appliance – it's a server.

 

Quocirca believes that this is a good move by Riverbed – it avoids Riverbed getting caught up in a proprietary system that needs to be kept competitive against all the other vendors, and allows customers to benefit from existing Microsoft skills to add functionality to their Steelheads. The move also opens up the unified services appliance market for Riverbed, allowing it to extend its offering in all sorts of ways through OEM agreements with other software vendors.

23-07-2009 12:28

Do you need yet another layer of IT security?

IT security supplier Trend Micro has admitted that some of its products are not 100 per cent effective. In fairness, it is making this claim about the whole IT security industry, including itself. Trend's admission comes after it carried out 130 free "on-site security threat assessments" across a range of organisations with an average of 7,484 employees. The sample included a minority of Trend's customers.

All the organisations assessed had active malware of some sort on their systems. Some 80 per cent had malware that originated from web-related activities. This included 72 per cent with internet relay chat (IRC) bots—software agents that facilitate some sort of external communication to the web. IRC bots are often doing no particular harm and are not always in themselves malware, but the channels they keep open can be exploited by malware writers and they can generate unwanted network traffic. Information-stealing malware was found in 56 per cent of organisations and network worms in 42 per cent—both definitely bad.

Nearly all the organisations assessed had security software in place including firewalls, host-based malware detection and some sort of content filtering. So how is the malware getting through? The truth is that these security tools, taken together, do keep the majority of malware at bay, but the aim of the bad guys is to evolve their malware to keep ahead of security technology—and they often succeed. Why else would they keep going?

The situation is exacerbated by two other factors. First, the increasing mobility of the workforce; often user devices are used on networks beyond the control of a given organisation's IT security staff and become infected while connected to such networks. Although end-point security can help with this, many organisations do not use it comprehensively.

Second, malware is increasingly delivered via the web, rather than email. Most organisations have email filtering in place, but many have not addressed the more varied web traffic which encompasses a wide range of communications tools. There are now many tools and services available to control web traffic, but a threshold always needs to be set between controlling user activity and allowing the freedom to use the web productively—in other words 100 per cent mitigation of the web threat is just not possible other than by stopping its use altogether.

So why does Trend, which sells products and services to do most of the above, want to highlight some of its imperfections? Well, there is, of course, some self interest—Trend has developed a new offering that it wants customers, and those of its competitors, to buy, to protect them from this background threat.

Trend has launched what it calls "Trend Micro Threat Management Services". There are three components:

  1. Threat Discovery Services: this goes beyond a free initial assessment to provide continual monitoring for new threats and regular reporting.
  2. Threat Remediation Services: cleans up existing problems and puts in place tools to make sure they do not happen again. This goes beyond standard host-based malware protection as it can seek out and prevent activity that spans multiple devices, for example a user requesting an image file from a web site but being sent an executable file (includes Threat Discovery).
  3. Threat Lifecycle Management Services: ongoing advice and planning for better network management with regard to security (includes Threat Discovery and Remediation).
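The "requested an image, received an executable" pattern from the Remediation bullet is something a network-level monitor can check for directly. The following is an added example of that check, not Trend Micro's code: it assumes constructed proxy log records carrying the client address, the URL, the declared Content-Type and the first bytes of the response body, and it flags an image request answered with a Windows PE or ELF executable, whether the mismatch shows in the header or only in the body's magic bytes.

```python
"""Flag web responses that do not match what the user asked for.

Added example, not Trend Micro's code. It assumes constructed proxy log
records (client address, URL, Content-Type header and the first bytes of
the response body) and treats a request for an image that comes back as a
Windows PE or ELF executable as suspicious, the cross-device pattern the
text describes.
"""
import os
from urllib.parse import urlparse

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
# Declared types that should never answer an image request.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/x-executable"}
# Magic bytes checked on the body itself, since headers can lie.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


def requested_kind(url):
    """Classify the request by the path extension (query string ignored)."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return "image" if ext in IMAGE_EXTS else "other"


def sniff(head):
    """Return the executable format the body starts with, or None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def mismatch_reason(record):
    """Why a record is suspicious, or None if it is consistent."""
    if requested_kind(record["url"]) != "image":
        return None
    if record["content_type"] in EXECUTABLE_TYPES:
        return "header:" + record["content_type"]
    fmt = sniff(record["body_head"])
    if fmt:
        return "body:" + fmt
    return None


def scan(records):
    """All suspicious records, each tagged with its reason."""
    hits = []
    for r in records:
        reason = mismatch_reason(r)
        if reason:
            hits.append({**r, "reason": reason})
    return hits


def affected_clients(records):
    """Distinct client devices that received a mismatched response."""
    return sorted({r["client"] for r in scan(records)})


SAMPLE = [  # constructed proxy log records
    {"client": "10.0.0.5", "url": "http://img.example/logo.png",
     "content_type": "image/png", "body_head": b"\x89PNG\r\n\x1a\n"},
    {"client": "10.0.0.7", "url": "http://cdn.example/banner.gif",
     "content_type": "image/gif", "body_head": b"MZ\x90\x00\x03"},
    {"client": "10.0.0.9", "url": "http://ads.example/pic.jpg?id=3",
     "content_type": "application/x-msdownload", "body_head": b"MZ\x90\x00\x03"},
    {"client": "10.0.0.5", "url": "http://dl.example/setup.exe",
     "content_type": "application/x-msdownload", "body_head": b"MZ\x90\x00\x03"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["client"], hit["url"], hit["reason"])
    print("affected clients:", affected_clients(SAMPLE))
```

Checking the body's magic bytes as well as the header is what makes this useful: the second sample record declares `image/gif` and would pass a header-only check. Running it across all clients' traffic, rather than on each host, is what lets it pick up the same mismatch landing on several devices.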

All well and good, but will customers buy it on top of all their existing security investments?

The services are aimed at enterprises (750 users and above). A free assessment can be applied for at www.trendmicro.co.uk/thinkagain. Beyond this, the Discovery Service starts at ,000, while the full Lifecycle Management Service has an entry level price of ,000. Time will tell if organisations are prepared to fork out for yet another layer of security or just accept the background threat. As is often the case, they will probably live with the latter, until a breach occurs that is so costly, it makes the Trend price for stopping it seem cheap.

27-10-2009 14:30

Web security market consolidation

Two acquisitions announced in the last week underline the battle to gain market share and technical superiority in the web security market and continue the debate about how content security is best delivered—at the edge of the network or in the cloud using the software-as-a-service (SaaS) model.

First, on 28 October, Cisco announced it was buying ScanSafe, a UK company that had established a strong position in SaaS-based web security, and today, M86 Security (formerly Marshal) announced it was buying the Israeli firm Finjan, a specialist in real-time web threat analysis.

These acquisitions are the latest in a continuum of such deals, marking the near end of consolidation of the web security sector that has taken place over the last few years, as there are few small specialists left. Most are now part of the broad portfolios of large security vendors, which is, in Quocirca's view, no bad thing as it stabilises the market and provides new sales channels for the strongest products. The same sort of consolidation happened at an earlier stage in the email security market.

For example, the overall leader in web security, Websense, shook the market in 2007 when it bought one of its main rivals, SurfControl. This strengthened its market share, but was also part of a broader strategy to widen its portfolio, as SurfControl had other assets including email security. Websense had already acquired Port Authority—a data loss prevention vendor—and has since acquired Defensio to strengthen its spam filtering.

McAfee followed with the purchase of Secure Computing in late 2008. Its rivals Symantec and Trend Micro are also in the web security market—the former through its 2008 MessageLabs acquisition (this SaaS-based email security vendor was already developing web security technology) and the latter through a couple of technology acquisitions as long ago as 2005, and in-house development.

When considering which approach to take for web security—network-edge or SaaS—latency is often of primary concern—more so than with email security—as any security technology that slows down web access frustrates users and damages productivity. Network edge vendors claim a performance advantage, but there are two factors that further complicate issues.

First, web security policies that control the web use inside the firewall need to be extended to those working remotely; this is more easily achieved with a SaaS-based service. Second, web-based business processes often span multiple organisations, making the network edge much vaguer than it used to be and content security policy often needs to be extended to external users.

It is interesting that Cisco bought ScanSafe, a pioneer in the delivery of SaaS-based web security. In the past Cisco has stuck to hardware appliances to be deployed at the network edge for security, for example IronPort, which it acquired in 2007 for email security. Perhaps Cisco is recognising that the only way to control disparate web users is with a SaaS-based system, giving customers confidence to use the web for communication and collaboration wherever they are, including the use of web-based voice, video and web conferencing tools. Cisco's only other foray into SaaS so far was its 2008 acquisition of web conferencing vendor WebEx.

M86 Security's acquisition of Finjan tackles the latency issue. M86 Security was already in the web security market with its WebMarshal software aimed at small businesses and its 8e6 appliance for URL filtering that became part of its portfolio when it merged with 8e6 Technologies—leading to the new name. The Finjan acquisition adds real-time web threat monitoring, ensuring all web traffic is inspected for malware with minimal degradation of performance. It also adds some SaaS capability as Finjan was already in the process of extending its gateway-based web security to the cloud.

There are still plenty of choices even though consolidation has meant web security is now mainly in the realm of broad-based one-stop-shop security suppliers. Vendors are increasingly offering both network edge and cloud-based offerings, in some cases a hybrid of both, allowing customers to achieve a balance between performance and reach. Some buyers still regard cloud-based offerings with suspicion, especially when it comes to security, but such offerings are performing better and better, so many are accepting that outsourcing security to experts makes sense.

The web is an essential tool for all businesses. Making its use as safe as possible while ensuring users remain focused on the benefits it brings, knowledge acquisition and communication, while avoiding its many distractions, is the aim of all these products. With the right tools it is possible to ensure the web is a largely safe and productive environment. Happy surfing.

07-11-2009 10:49

The right question to ask about the ISO27001 IT security standard

Standards exist to provide reassurance when buying products and services. For example the Kitemark standard, owned and awarded by the British Standards Institute (BSI), provides reassurance about the quality and safety of a wide range of products and services.

Attaining a Kitemark often requires that another more specific standard has already been reached. If you crash your car and take it to a repair shop displaying the Kitemark logo, the service provider is required to have achieved the technical specification PAS-125 (another BSI standard). On the BSI web site, it says that "repairers will be able to secure their future business by being able to independently prove to insurers and the motorist that their vehicle body repair service meets all the required safety criteria of PAS 125 and the Kitemark scheme".

The "all" is emphasised here because not all standards require that all their criteria are met. The ISO27001 IT security standard (specified by the American National Standards Institute—ANSI) provides reassurance about the security controls in place for IT deployments. In Quocirca's freely available report, Managed Hosting in Europe, published in June 2009 and sponsored by NTT Europe Online, the status of ISO27001 compliance was listed as a measure of the reassurance around the security of services on offer. For some vendors it was reported as being "in progress".

It may surprise some that "in progress" is a valid status for any organisation claiming it is ISO27001 compliant. The standard itself provides guidelines on deploying an Information Security Management System, or ISMS, and states in section 1.1 (April 2006 publication) that the ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. In short, the security controls specified in ISO27001 are optional, dependent on the needs of the supplier and its customers.

Quocirca is not suggesting any shortfall in those controls but merely reminding buyers of ISO27001 compliant services of the precise question they must ask. It is not "is your service ISO27001 compliant?", but "have you adopted ISO27001 and, if yes, which controls have you adopted and which ones have you not?"

This is the likely explanation for the finding in a recent survey into privileged users, carried out by Quocirca and sponsored by CA, that many organisations which claim ISO27001 compliance do not carry out the good practices with regards to privileged user management that are described in the standard.

Interestingly, the BSI also offers advice on its web site with regard to ISO27001; here it says "once the assessment has been successfully completed, we'll issue a certificate of registration, clearly explaining the scope of your certification"—no sign of the word "all" there, and buyers should assess the scope of each vendor's certification accordingly.

 

07-12-2009 08:46

Securing use of platform-as-a-service (PaaS)

Will 2010 be the year that platform-as-a-service (PaaS) comes of age? Amazon's Web Services (AWS) keep cropping up in conversations Quocirca has with independent software vendors (ISVs); Salesforce.com's force.com platform is attracting more and more ISVs (last week at Cloudforce2 in London it proudly presented one of the latest applications to be ported, BMC Service Desk Express); Microsoft's Azure platform is due to go live in early 2010 and Google's App Engine should come out of beta some time in 2010. Add to this PaaS offerings from various managed hosting providers (free report from Quocirca here), for example Rackspace's CLOUD Servers/Sites/Files, and one thing is for sure: for those that are up for it there is no shortage of PaaS choice.

All these services differ in the amount of infrastructure they include. The most complete stack is force.com, where applications are built using a proprietary set of tools on a highly proprietary multi-tenancy platform. At the other extreme is Amazon's Elastic Compute Cloud (EC2), which is basically a hypervisor on which its customers provision their own virtual machines. Either way, one of the overriding concerns of those planning to use these platforms is security. Roughly speaking, the thicker the stack the more onus there is on the PaaS provider to guarantee security levels in their SLA. So, for those considering Amazon's thin stack, two announcements this week will be of interest.

First, Trend Micro spent much of its EMEA analyst conference this week talking about cloud security. One initiative is a version of its Identum encryption product (acquired in 2008) that allows storage volumes created on Amazon's EC2 to be encrypted. As Trend Micro pointed out, this is not just about the privacy of stored data, but ensuring that even when a virtual machine is de-provisioned from EC2, any data left behind remains unreadable. This is a more likely scenario than you might expect, as common use cases for EC2 are for providing peak load resources and application testing.

An alternative approach is available thanks to an announcement made by Symantec this week. It is making available through agreement with Amazon its End Point Protection and Storage Foundation products for securing EC2 deployments. The former ensures limits are applied to the use of VMs whilst the latter provides management tools for data volumes created; one feature of Storage Foundation is data shredding, ensuring all data is destroyed when VMs are de-provisioned.
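The two approaches in the preceding paragraphs, encrypting the volume so that whatever is left behind is unreadable once the tenant's key is gone, and shredding the data on de-provisioning, can be compared in a few lines. What follows is an added example, not Trend Micro's or Symantec's code. It models a volume as a byte string that stays on the provider's disk after the VM is released, and uses a toy HMAC-SHA256 counter-mode keystream as a stand-in for a real block cipher so that it runs with the standard library alone; the `Volume` class and its methods are this example's own.

```python
"""Two ways to leave nothing readable behind when a VM is de-provisioned.

Added example, not Trend Micro's or Symantec's code. It models a storage
volume as a byte string that stays on the provider's disk after the VM is
gone, and compares the two approaches the text mentions: encrypt the volume
so the leftover bytes are useless once the tenant's key is destroyed, or
overwrite (shred) the bytes on de-provisioning. The cipher is a toy
HMAC-SHA256 counter-mode keystream standing in for AES; it is here only so
the example runs with the standard library.
"""
import hashlib
import hmac
import secrets


def keystream(key, nonce, length):
    """Toy PRF-in-counter-mode keystream (stand-in for AES-CTR, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Volume:
    """A block volume. `raw` is what physically remains on the provider's disk."""

    def __init__(self, key=None):
        self.encrypted = key is not None
        self._key = key
        self._nonce = b""
        self.raw = b""

    def write(self, plaintext):
        if not self.encrypted:
            self.raw = plaintext
            return
        # Fresh nonce per write so the keystream is never reused under one key.
        self._nonce = secrets.token_bytes(16)
        self.raw = xor_bytes(plaintext, keystream(self._key, self._nonce, len(plaintext)))

    def readable(self):
        """Can the tenant still turn the stored bytes back into plaintext?"""
        return not self.encrypted or self._key is not None

    def read(self):
        if not self.encrypted:
            return self.raw
        if self._key is None:
            raise PermissionError("volume key destroyed")
        return xor_bytes(self.raw, keystream(self._key, self._nonce, len(self.raw)))

    def deprovision_crypto_shred(self):
        """Encryption approach: destroy the key, leave the ciphertext behind."""
        self._key = None

    def deprovision_overwrite(self):
        """Shredding approach: overwrite the bytes themselves before release."""
        self.raw = bytes(len(self.raw))


def leftover_exposes(volume, marker):
    """Would someone reading the released disk blocks see `marker` in clear?"""
    return marker in volume.raw


if __name__ == "__main__":
    secret = b"payroll: alice 50000"
    enc = Volume(key=secrets.token_bytes(32))
    enc.write(secret)
    print(enc.read() == secret, leftover_exposes(enc, b"payroll"))   # True False
    enc.deprovision_crypto_shred()
    print(enc.readable(), len(enc.raw) == len(secret))               # False True

    plain = Volume()
    plain.write(secret)
    print(leftover_exposes(plain, b"payroll"))                       # True
    plain.deprovision_overwrite()
    print(leftover_exposes(plain, b"payroll"))                       # False
```

The practical difference between the two is where the guarantee lives: with crypto-shredding the tenant only has to be sure the key is gone, whereas with overwriting the tenant has to trust that the provider's storage layer really did rewrite every block the volume ever occupied, including any the hypervisor relocated.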

The availability of these security tools should help overcome the doubts some harbour with regard to PaaS and encourage more uptake. The various providers will have high hopes for 2010 as the world continues to struggle with its economic woes; they will present PaaS as the cheap, flexible choice. By the end of the year it should be clear if their potential customers agree and the investments made in PaaS have all been worthwhile.

15-12-2009 15:40

CRU email row highlights importance of data loss prevention

The recent theft of emails from the University of East Anglia Climate Research Unit (UEA CRU) has proved embarrassing, but the incident does not change any of the facts regarding global warming. New Scientist (9th Dec 2009) summarises it well:

"The emails suggest some of the scientists may have tried to shut out critics, which, if true, goes against advancing knowledge through open debate. On the other hand, the aim of peer review is to prevent substandard research from being published, so you could argue that the scientists were just doing their job because they felt the papers in question were not scientifically rigorous."

The full article is viewable here. As a research company, albeit looking into matters not quite so prescient for the future of life on Earth, Quocirca can sympathise with New Scientist's view. Should our own email server be hacked, you would find discussions along the lines of "how can we present this in the best light?", "this research seems to contradict previous research, how do we explain that?" and so on. This does not represent any attempt to falsify the findings, but just ensures that a reasoned interpretation provides an understanding of how, in the complex markets Quocirca covers, contradictions occur and what they mean. Once work is published, findings have to be explained, justified and defended.

However, one thing most people will agree on is that emails that were meant to be private are best kept that way. The Norfolk Police are investigating the crime that led to all this, but it seems that the UEA CRU was targeted by persons unknown with the specific aim of undermining the Dec 2009 Copenhagen Climate conference. For an outsider with malicious intent to gain access to private email servers suggests poor security somewhere along the line, perhaps finding a privileged back door, which can be all too easy (see Quocirca free report, Privileged User Management, Nov 2009). However the theft was perpetrated, it should have been preventable.

Of course, it may be that someone chose to leak the email. The volume involved (thousands of emails and other documents) would have shown up as anomalous behaviour had data loss prevention (DLP) software been in place (see Quocirca free report, Content security for the next decade, Nov 2008). Only about 25 per cent of organisations have such tools in place, as a new Quocirca report on DLP, to be published in early 2010, will show, and public sector organisations like the UEA CRU lag other industries in deploying it.
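The volume-based detection the paragraph above refers to is straightforward to sketch. The following is an added example, not the product of any DLP vendor named here: it assumes constructed per-sender daily counts of outbound messages, a two-week baseline plus today's figure, and flags a sender whose count today exceeds both an absolute floor and the baseline mean plus `z` standard deviations, so that a bulk export of thousands of messages stands out while a busy but normal day does not.

```python
"""Spot an anomalous volume of outbound email per sender.

Added example, not the product of any DLP vendor named here. It assumes
constructed per-user daily counts of outbound messages: a two-week baseline
and today's figure. A sender is flagged when today's count exceeds both an
absolute floor and the baseline mean plus `z` standard deviations, so that
a bulk export of thousands of messages stands out while normal variation
does not.
"""
from statistics import mean, pstdev

MIN_BASELINE_DAYS = 7


def threshold_for(history, z=3.0, min_abs=50):
    """Daily count above which a sender is anomalous, given their baseline."""
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)   # floor so very steady senders still get headroom
    return max(mu + z * sigma, float(min_abs))


def is_anomalous(history, today, z=3.0, min_abs=50):
    """True when today's count is out of line with the sender's own history."""
    if len(history) < MIN_BASELINE_DAYS:
        return False                     # not enough baseline to judge yet
    return today > threshold_for(history, z, min_abs)


def scan(outbound, z=3.0, min_abs=50):
    """outbound: {user: (baseline_counts, today_count)} -> sorted flagged users."""
    return sorted(user for user, (hist, today) in outbound.items()
                  if is_anomalous(hist, today, z, min_abs))


SAMPLE = {  # constructed daily outbound message counts
    "researcher1": ([12, 9, 15, 11, 8, 14, 10, 13, 9, 12, 11, 10, 14, 12], 13),
    "researcher2": ([5, 7, 6, 4, 8, 5, 6, 7, 5, 6, 4, 7, 6, 5], 3200),   # bulk export
    "admin": ([40, 45, 38, 50, 42, 47, 39, 44, 41, 43, 46, 40, 48, 42], 47),
    "newstarter": ([2, 3], 400),                                         # no baseline yet
}

if __name__ == "__main__":
    for user, (hist, today) in SAMPLE.items():
        print(f"{user:12s} today={today:5d} threshold={threshold_for(hist):7.1f}"
              f" flagged={is_anomalous(hist, today)}")
    print("flagged:", scan(SAMPLE))    # ['researcher2']
```

The `newstarter` entry shows the failure mode to handle: a sender with too little history is skipped rather than flagged or cleared on a guess, and a real deployment would fall back to a population-wide baseline for such accounts. Counting bytes of attachments alongside messages would catch a handful of very large archives that this message-count version would miss.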

Government sponsored research units have an important job to do and, in some cases where their work may get in the way of others, they may become targets of criminal activity. While it is understandable that scientists are focused on their day-to-day work it's unacceptable when they are let down by poor IT security that, in this case, has been exploited to try and undermine the efforts of thousands of politicians trying to grapple with global society's most pressing problem. In this case, it looks like the attempt has failed, on another day it might not.

23-12-2009 08:53

© 2009 Reed Exhibitions | Contact Us | Privacy Policy

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs