Insights and intelligence from analyst Freeform Dynamics on the here and now of IT

Monday, 28 April 2008

New technology brings new risks

The future of IT security seems like a straightforward discussion – focused, straight and to the point.

Nothing, however, could be further from the truth. Businesses need to understand the risks and implement mitigating strategies if they want to keep ahead of the bad guys.

There are three types of organisation: those who get security and have ongoing risk management activities in place; those that understand security but struggle to implement appropriate measures; and those who think that e-crime will pass them by if they just keep their heads down.

For most, the future of IT security will be much like the present. There will always be people who spend most of their waking hours decoding encryption algorithms and looking for back doors into telephone networks.

But there is also an evolving economy built around the market value of credit card details and the ability to launch denial of service attacks from unsuspecting – and generally poorly configured – home computers.

And IT leaders also need to consider risks caused by their own employees, be they through malice or stupidity. Internal workers have always posed the biggest threat to computer systems – even before product categories, such as data leakage prevention, were posited.

So, what does the future of IT security include? As a starting point, it is worth reflecting on the wider long-term development of technology. There are a number of trends driving how organisations deploy and operate their IT systems – and these threats will have a direct impact on a broad range of areas.

Outsourcing and offshoring

The offshore resourcing market continues to develop, with Indian companies such as Wipro setting up in the UK and other local companies expanding their offshore operations.

Security risks range from the difficulties associated with vetting offshore staff, to the challenge of maintaining business information at offshore locations.

Hosting and software as a service (SaaS)

We are not yet seeing wholesale mass adoption of the SaaS model, mainly because the technology is still maturing across areas such as data integration. The risks are similar to the information integrity concerns associated with outsourcing.

Service-oriented architectures and Web 2.0

Both of these topic areas share the risks of using distributed system architectures that may extend beyond the corporate firewall. As well as being open to confidentiality breaches and denial of service attacks, there are also threats surrounding the publishing of interfaces onto corporate systems. In some instances, the interface itself may be confined to company use.

Virtualisation and datacentre automation

Virtualisation offers a quick win for many organisations, helping IT leaders to consolidate applications onto a reduced set of physical servers. The centralised control of preconfigured virtual servers can reduce security risks. But there is also the issue of virtual server proliferation and the potential for mismanagement, which could potentially leave virtual servers open to breach.

Mobility and unified communications (UC)

Suppliers are working hard to deliver on the concept of enabling users to communicate with each other as simply and seamlessly as possible. But UC also presents a two-edged sword, and IT managers need to be prepared for exploitation problems, particularly around spam calls.

Social networking

We are already seeing some of the security challenges that social networking can pose in terms of privacy and identity issues, for example. There are other risks that, to our knowledge, no one has exploited, such as pulling together composite identities of individuals across social networking sites.

Social networking presents a range of personal security issues, but corporate implications across duty of care also create concerns.

The above list of potential risks demonstrates that continued vigilance is only part of the answer. Risk management processes and policies are also crucial, and should be a fundamental part of any organisation’s security strategy.

Moreover, all of the above risks share one important element: they affect all parts of the IT architecture. Such risks cannot be mitigated by tactically acquiring a specialist appliance and implementing it in the server room.

If IT security is characterised by having a far-reaching impact, then we need to consider how the roles responsible for IT security can have a similarly far-reaching remit.

We are already seeing some organisations – HSBC, for example – combining their IT security function with a business fraud function, enabling the institution to deal with business and IT issues from the same point.

I have often characterised IT as a fire extinguisher industry, an analogy that makes sense if all people are doing is fighting fires. Challenges, such as the security issues listed above, will require us to move towards a prevention-based approach rather than a series of poorly-funded coping strategies.

And frankly, given that the trends are happening whether organisations want them to or not, the sooner we can get there the better.

Jon Collins is service director at analyst Freeform Dynamics.

Tuesday, 03 July 2007

Digital content - suppliers should stick to what they know best

The topic of media and digital content came up at a recent analyst briefing from Cisco on European and emerging markets. It wasn’t really surprising, considering that this truly is the hot new vertical, driven primarily by consumer markets and the entertainment industry, but with interesting possibilities for corporate computing as well. For its part, Cisco sees media and digital content as an opportunity, which is only to be expected when considered in light of its Linksys division and last year’s purchase of Scientific Atlanta.

Because Cisco sits in the network, it equates the growth of digital media with growth for the network and for the products and services it offers to both consumers and companies. What made Cisco interesting is that it sees this change as an opportunity for consumers as well as for business. You could argue that other vendors also see digital and media content as an opportunity, but do they really? To me it seems that Cisco is more excited – and correctly so – by the possibilities of digital content for the infrastructure gains than by either the issues around the actual content itself or for the entertainment industry. Sadly, that’s the trap many vendors fall into – and so far Cisco seems to be avoiding it.

So much of what we see as analysts is all about how to monitor, protect, police, and manage content. Granted, security is an important issue and one that will never be solved in a changing digital world. We accept that, but so often it seems that discussions we have with vendors all lead back to resurrecting the age-old philosophical argument – is man basically good or is man basically evil – in the context of digital rights and stealing content. Either people assume that content will be stolen no matter what we do, or they believe that people would not steal content if only there was a reasonable way to purchase and use it.

In reality, it is a tiresome set of arguments because there’s not a lot that we can do about it from a technology viewpoint beyond building better digital rights management (DRM) mousetraps and then smarter mice to get around them. The problems are not technological, they are sociological and cultural. This means that social technology neither creates nor resolves the problem, although it can push some issues to the fore.

Rather than giving us self-righteous drivel about how Cisco really is looking out for the customer by hobbling software or enforcing questionable DRM by default, we had an interesting albeit short presentation about what a technology provider can realistically do or not do in that realm. This isn’t to say that Cisco is not respectful of content rights or management. To the contrary, it has focused a lot on network security, how that extends to applications, and identity management – all important aspects in the overall picture. What Cisco has done now is to focus on infrastructure enablement and get out of the way of how users create, post, or alter their content.

One of the other analysts attending the event, James Governor of Redmonk, wanted to know if Cisco was going to be an enabler of content, and Dan Scheinman, the senior vice president for Cisco's media solutions group, responded that he just wants to enable customers to do whatever they want. Although there was a lot of room for discussion around both the question and the answer, I think that was the right response. I cannot and will not imagine Cisco focusing on content creation or ownership. It shouldn’t. And it feels as though too many companies that want to be involved in the technology around media and digital content have a hard time understanding the line between enabling customers, enabling content, and becoming responsible for that content throughout its lifecycle.

There is a slippery slope in the industry right now as too many diverse issues are being drawn together by common, affordable technologies. Music rights, performance rights, film rights, image rights, international rights, licensing, and fair use are among the various complex issues that are unfortunately being lumped together. Vendors cannot solve these problems with their technology; they must be solved within countries and between countries. Technology should be used to make it easier to work within the laws and customs agreed upon, without causing further problems, obfuscation, and limits. That’s going to take a long time to sort out, as most of the players seem to be avoiding courts of law to settle these issues.

In the meantime, I wish more companies took Cisco’s approach.

By Joyce Tompsett Becknell

Friday, 20 April 2007

Is the mainstream ready for software-as-a-service?

In the world of IT, we are constantly debating the latest trends and developments. Usually, although granted unsurprisingly, these deliberations revolve almost exclusively around the features of a particular technology, more often than not taking the form of “is technology / solution XYZ ready for adoption by mainstream customers, or is it a bleeding-edge solution that is likely to appeal only to those in desperate need of its features?” Too rarely, it seems, do things get turned around to consider whether “ordinary” customers are ready to exploit the solution.

Consider, for example, the solution currently described by the acronym SaaS (software as a service). At its base, SaaS consists of users sitting at a screen, with essentially no special software running on their local device, being able to access and run an application. Nothing new here, as back in the mists of time this was the method by which all IT services were delivered. Over time things changed, and for a period many systems were deployed using some variant on the client-server theme, whereby the local access device had to have specialist software for each business application to be run.

This model has now begun to be replaced, as it has been found wanting in the areas of cost and flexibility: it takes time and resources to keep distributed software up to date, and today very many business applications utilise the common-or-garden web browser as their front end, leaving the bulk of the application code hosted on a server somewhere in the ever-expanding “network”. Clearly, in most enterprises today, large and small, these central servers are located within the business, but given that IT departments are increasingly thinking in terms of service delivery, it is fair to ask whether any application using a web browser as its front end should be classified as an example of SaaS.

A quick investigation shows that SaaS, whether delivered from servers located inside or outside the enterprise, has now matured technically. Base connectivity, WAN optimisation, solution architecture maturity, application availability, web browser acceptance, and the ability of servers to deliver sophisticated content to modern browsers using plug-ins have all developed to a stage whereby their utilisation has almost become invisible.

However, as stated at the beginning of the article it is worthwhile spending a little time pondering the social and business issues that have developed alongside the maturation of SaaS-enabling technologies. The cost of delivering IT services has never been more visible whilst the pressure to reduce such costs has never been greater. A quick scan around any office or place of work (including the desk at home, kitchen table, internet café or WiFi hotspot) illustrates the fact that people, and thus in turn their business, want to access business applications wherever they happen to be located. Thus is born acceptance of SaaS as a delivery mechanism. In this respect, at least, it is more than apparent that the mainstream has already adopted the fundamental mechanics that underpin SaaS, but probably subconsciously given the wider definition of SaaS.

This therefore really only leaves the question of whether mainstream businesses, that is, everyone out there, are ready to utilise as part of their daily operations “archetypal” SaaS services, namely those provided by service providers outside the enterprise. The sophistication of solutions directly offered by suppliers of hosted email systems and application providers such as Salesforce.com, Oracle, SAP and a host of others has certainly reached a level whereby, technically, they are suitable for use by very many businesses.

One might still question whether the cost models are pitched at quite the right level, especially as most organisations may not be ready, willing or able to eliminate or even significantly reduce their internal, frequently invisible, IT support costs. Whilst use of external SaaS offerings is clearly growing rapidly, it is from a very small base. However, with all of the major software providers apparently ready to back SaaS, it is certain that the numbers using SaaS will continue to increase. Indeed, the movement of the likes of Google and Yahoo to offer web desktop tools is likely to hasten user acceptance of SaaS.

By and large it is fair to say that users really do not care what model is used to give them access to their applications, as long as it works when they want it. Business managers of course have other concerns, but these should focus around levels and cost of service, along with, perhaps, questions of security. They, like the users, should not have to concern themselves with questions of IT service delivery architecture. Perhaps the question of whether the mainstream IS ready for SaaS should really now target the IT support community. SaaS may not be appropriate everywhere, but the solution delivery mechanism is not going to go away.

Thus far SaaS has had many of its greatest successes in smaller businesses, where dedicated IT skills are notoriously rare, along with individual departments or functions in larger enterprises who make their own arrangements independently, often to overcome the perceived drag of central IT. Either way, SaaS has tended to be a business- rather than IT-driven phenomenon. Like PCs when they first entered business use, SaaS is easy for individuals and groups to bring into the organisation without the blessing or even the knowledge of corporate IT.

In terms of simplicity and usability, the SaaS model for delivering IT services is here and it has been accepted by the mainstream user base. IT departments need to recognise this and work out, logically and transparently, what place it holds today in their operations and where it will be utilised tomorrow, for services hosted inside the company and for those that can / should / should not be hosted outside it. The mainstream is more than ready for SaaS.

By Tony Lock

© 1995-2006 All rights reserved