19 Infosecurity Predictions For ’99

Get ready for a wild ride.

BY STEVEN FOOTE

In 1999, security management will take center stage in most every IT organization. What about the Year 2000 problem, you ask? For many organizations, the Y2K bug will soon be a problem of the past. (In fact, if you’re not compliant yet, you might want to brush up your résumé.) In coming months, organizations will begin to redirect resources previously earmarked for the millennium bug to the challenge of building a secure "virtual organization."

Success in 1999 will be a measure of how well companies leverage electronic business applications to differentiate themselves from their competition. During this process, organizations of all shapes and sizes will need to adjust to fundamental changes in their approach to and management of IT services. These changes will affect both the macro- and micro-levels of the enterprise, including virtually all areas of information security—access control, secure communications, data and information integrity, resource management, perimeter protection…the list goes on. In short, get ready for a wild ride.

1. Applications Will Have Millions of Moving Parts

Over the next 12 months, new business applications will be developed with separate components for each major area of the enterprise’s functionality. At any time, millions of application components will be constantly moving around the corporate network, from application servers to users’ desktops—both inside and outside the company’s walls.

In a company’s accounting application, for example, the order-entry function will be a separate component, deployed in the form of an applet that can be easily downloaded through a Web browser. With the appropriate security measures in place, customers will be able to enter orders by accessing the order-entry component through a company’s firewall. To say the least, discerning who is doing what will be a challenge, and ensuring round-the-clock security will be difficult. But the rewards of a well-secured "virtual enterprise" are clear: efficiency, reduced overhead and increased sales.

2. Companies Will Establish Numerous Security Perimeters

The only plausible course of action in securing this fluid computing environment will be to step back and retrench. Companies will establish software security perimeters at numerous levels of the computing infrastructure. Network security perimeters will maintain the integrity of certain areas of the corporate network. Server security perimeters will be built around the OS on each server and around the desktop computers of the most influential users. Application security perimeters will limit and control access to each business application. Database security perimeters will solidify the protection of the corporation’s business information—its most valuable asset. Even individual user’s accounts will be fortified with security perimeters.

This "divide-and-conquer" approach to security may be the only manageable response to the growing number of security threats facing the enterprise. Why? Because more and more security break-ins are being perpetrated across country borders, and there is very little in the way of legal precedent or international law that enables government intervention.

3. Firewalls Will Become More Adaptive

Most every corporation views the firewall as the foundation for their network security perimeter. The easiest type of firewall to deploy is a packet filter, but such firewalls are easily circumvented by an attacker masquerading as an IP address that is allowed through the firewall. A number of companies have migrated to proxy server firewalls, which have a separate proxy for every application that is accessible from outside the company’s perimeter.

The downside to proxy servers is that the overhead required to run an application proxy is considerably higher than that for a packet filter. Consequently, the transition has been a painful experience for companies that cannot afford to have their network traffic slowed down substantially. In 1998, a few vendors (such as Check Point and Network Associates) began manufacturing "hybrid firewalls" to address this problem. As their name suggests, hybrid firewalls combine the best of both worlds: the speed of a packet filter and the stringent security features of an application proxy. As traffic accelerates during peak hours, packet filtering is used as the default function. But if there is a perceived threat to the firewall, the application proxies take over. In many cases, once a connection has been established through a proxy, all subsequent traffic is simply filtered, thereby balancing speed with security. As the need for security increases, expect to see more hybrid firewalls released in 1999.

4. Personal Firewalls Will Take Off

The ’99 market for firewalls will expand in other significant ways as well. Growing concerns about electronic privacy and increasing media coverage of cracking exploits will prompt many home PC users to seek out personal firewalls. Such firewalls will not only inhibit external attempts to attack the home PC, but also prohibit the PC from accessing inappropriate Internet material and services—exactly the solution many parents are calling for today.

5. Securing Business Partner Access Will Become Easier

Perhaps the single biggest reason for building application-specific proxies is to allow your remote business partners to gain access to your internal business applications. The problem is, the traffic flowing between partners’ firewalls remains unprotected, which has prompted many companies to deploy two primary techniques for protecting their communications:

Encryption. Many companies now encrypt and decrypt e-mail text and any attachments sent between two parties. The drawback to this approach is two-fold: First, the sender must manually invoke the encryption product; and second, the receiver must have the same encryption product as the sender in order to decrypt the transmission. Over the coming year, there will be broader acceptance of products that are compliant with S/MIME (Secure Multipurpose Internet Mail Extension), an e-mail standard that makes this type of communication secure and transparent to the user.

VPNs. As with personal encryption tools, establishing a virtual private network (VPN) traditionally required homogeneous implementation across all parties wanting to use the secure connection. While most VPN solutions can interoperate, the standard for automatically negotiating encryption key exchanges—IPSec— is still not fully developed. In 1999, more VPN products will support the IPSec standard, providing for interoperability across heterogeneous VPNs and making key exchanges automatic. This, in turn, will enable multiple companies to establish VPNs without compromising the integrity of their respective network perimeters.

6. Viruses Will Take on New Life Forms

Even with a healthy network security perimeter, a company’s computer systems will be under attack from viruses and malicious mobile code. Since inbound viruses can still slip through many firewalls as e-mail attachments, companies have started to implement "virus walls" on their firewalls to detect and remove them. Nevertheless, viruses are still getting through as encrypted or compressed attachments, which the virus wall cannot detect. Similarly, virus walls usually can’t detect viruses sent through a VPN connection, which also encrypts traffic. To address these problems, more and more organizations will move the virus wall inside the termination points of a VPN, allowing it to read attachments after they have been decrypted.

Macro viruses are quickly going out of date. Sure, they are still "breeding in the wild," automatically generating children viruses with new signatures. But in ’99, a far more serious threat will come from hostile mobile code, which is downloaded transparently from Web sites on the Internet. The code takes the form of a Java applet or browser plug-in, and is extremely easy to develop. While it does not behave like a typical virus, replicating itself at will, mobile code can have a more devastating effect than many viruses.

Hostile code can be simply annoying, causing a Web browser, for instance, to continuously bark like a dog. But it can also be malicious, sending damaging e-mails from an unsuspecting user’s mail client. The problem is getting so bad that as many as two-thirds of corporations have disabled the ability for users to download Java applets, according to a recent survey by Hurwitz Group. A few security vendors, including Finjan and Security-7, are working on addressing this serious and growing security problem.

7. Detecting Intruders Will Become Almost Impossible

With new technologies being introduced almost daily into the enterprise’s computing systems, it is increasingly difficult to guard all the doors. The network and OS alone yield hundreds of potential points of attack. As new applications, databases and middleware technologies are installed in ’99, hundreds of additional access points will open up.

A network probe used to be sufficient for monitoring intrusion attempts. But the proliferation of access points into each organization will make it necessary to deploy intelligent agents on every critical application server. These agents will not so much replace the IDS at the network level as monitor for intrusion into the operating systems, databases, middleware and business applications themselves. Over the coming 12 months, IDS software will increasingly offer the combined capability of network probes and intelligent agents in a single solution.

8. New Technologies Will Open More Security Holes

The plethora of new doors into each computer system will also need to be addressed by new risk/vulnerability assessment products. Early assessment tools used a network probe to penetrate a system and document its vulnerabilities. In 1998, the technologies matured to a point where a network probe could use information taken from one computer to break into another computer. And like IDS products, risk assessment tools have evolved to include intelligent agents. The agents on the market today already provide robust security checks that look for virtually every way to break into a computer. Over the coming year, these products will evolve even further, to the point where they can detect risks in layered databases, middleware and even applications.

The network probes and intelligent agents that provide risk assessments will be combined into a single product offering by many vendors in this market space. Moreover, because the functions of risk assessment tools and IDS products frequently overlap, several vendors (e.g., Centrax, ISS and Network Associates) will combine their two product lines in these areas into a single comprehensive solution. These solutions will provide internal and external intrusion detection and risk assessment, all manageable from a single unified, central management interface.

9. Companies Will Emphasize Legal Evidence of Break-ins

Centralized auditing is one area of security that remains largely overlooked—that is, until the company experiences a security breach. Corporations are taking breaches far more seriously these days, and they are far more inclined to prosecute trespassers (provided they can catch them). But without a credible body of legal evidence that a crime has been committed, there is no hope of getting any prosecutor (federal, state or local) to take the case to court. The problem revolves around audit logs, which are left on the computers that generate them, offering an easy target for intruders once the host has been breached.

To provide the type of evidence needed for prosecution, it is necessary to capture, in real-time, the audit records of the OS, databases, middleware and applications and send them to a central location for safekeeping. Today, a number of companies perform this function using event management tools such as BMC’s Patrol, HP’s OpenView and IBM/Tivoli’s TME10. Once stored in a central location, the challenge is to format each audit log entry into a uniform structure, with a normalized timestamp, so that an accurate chronology of events can be reconstructed across the entire computing architecture. As more companies discover that they cannot prosecute intruders without sufficient evidence, the market for centralized auditing tools will accelerate quickly.
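The normalization step described above, as an added example that is not part of the original article: records from three layers, each with its own timestamp convention, are converted to UTC and merged into one chronology. The record formats, host names, messages and the fixed UTC-5 offset for the OS source are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditEvent:
    when_utc: datetime   # normalized timestamp
    source: str          # layer that produced the record
    host: str
    message: str


def parse_os(line, year=1998, utc_offset_hours=-5):
    """Syslog-style record. It carries no year and no zone, so both are
    supplied per source (assumed values for the constructed sample)."""
    stamp, rest = line[:15], line[16:]
    host, message = rest.split(" ", 1)
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return AuditEvent(local.replace(tzinfo=zone).astimezone(timezone.utc),
                      "os", host, message)


def parse_db(line):
    """ISO 8601 record. A stamp without an offset is rejected, because
    guessing its zone would corrupt the chronology."""
    stamp, host, message = line.split(" ", 2)
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return AuditEvent(when.astimezone(timezone.utc), "db", host, message)


def parse_app(line):
    """Pipe-delimited record stamped in seconds since the Unix epoch."""
    epoch, host, message = line.split("|", 2)
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return AuditEvent(when, "app", host, message)


PARSERS = {"os": parse_os, "db": parse_db, "app": parse_app}

# Constructed sample records, listed in arrival order at the central store.
SAMPLE_RECORDS = [
    ("os", "Dec 14 09:15:02 hostA login: FAILED LOGIN for root"),
    ("db", "1998-12-14T15:15:01+01:00 db1 AUDIT user=app action=GRANT"),
    ("app", "913644903|orderapp|order-entry login ok user=jdoe"),
    ("db", "1998-12-14T15:15:09 db1 AUDIT user=app action=DROP"),
]


def build_timeline(records):
    """Return (events sorted by UTC time, rejected records).

    Records that cannot be normalized are kept with the reason instead of
    being dropped, so a gap in the chronology stays visible.
    """
    events, rejected = [], []
    for source, line in records:
        try:
            events.append(PARSERS[source](line))
        except (KeyError, ValueError) as exc:
            rejected.append((source, line, str(exc)))
    events.sort(key=lambda e: e.when_utc)
    return events, rejected


if __name__ == "__main__":
    timeline, bad = build_timeline(SAMPLE_RECORDS)
    for e in timeline:
        print(e.when_utc.isoformat(), e.source, e.host, e.message)
    for source, line, reason in bad:
        print("REJECTED", source, repr(line), reason)
```

Sorted by local wall-clock time the OS record would appear first; after normalization the database record precedes it by one second.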

10. User Communities Will Grow Into the Millions

The wave of corporate mergers in 1998 caused user communities in hundreds of U.S. companies to double or even triple overnight. The swelling ranks of end-users place a heavy burden on IT staff, who are forced to manage more user account information with often the same computing resources. On top of this, the deployment of electronic business applications requires IT staff to manage external users’ accounts as well, which may number in the millions. The directory products on the market today have tremendous difficulty in supporting environments of this scale.

In 1999, every company with a user base (internal and external) in excess of 2 million will have to adopt an LDAP directory strategy to regulate any IT purchases that contain divergent directory services. Companies will begin to roll out architectures that employ federated directories—directories that are hierarchically segmented across the enterprise, yet fully interoperable.

Microsoft, Netscape, Novell and Sun Microsystems all have aspirations of dominating the directory market in ’99; once a vendor "owns" a company’s user accounts, that company usually will stick with that supplier through thick and thin. This in turn enables the vendor to control spending on other security products. So choose your federated directory vendor wisely.

11. The Corporate Walls Will Come Tumbling Down

1999 will be the year the traditional corporate walls crumble. To remain competitive, companies will need to have the ability to do business electronically with partners, remote employees and customers. With all these users entering the enterprise from different points of entry, it will be nearly impossible to determine where one company ends and the next begins.

The more virtual a corporation becomes, the greater its chances are of responding to market demands and succeeding competitively. The risk, of course, is that a virtual corporation will be dangerously insecure.

To become more nimble, corporations are replacing legacy applications with packaged applications, such as SAP R/3. They are also developing e-business applications that extend their ability to do business. The figure above illustrates the relationships between the 10 major departmental areas of any corporation. The image shows the various types of packaged applications being aggressively deployed in each area of the business.

For example, enterprise resource planning (ERP) applications (such as SAP R/3 and PeopleSoft) are being implemented across the four traditional corporate resource departments: IT (information), human resources (people), finance (money) and facilities (physical assets). Similarly, other packaged applications are being implemented in each of the six traditional production line departments. The Sales group is implementing sales force automation (SFA) applications, while Professional Services is rolling out project management (PM) applications. Customer Support is concentrating on customer relationship management (CRM), and Marketing is deploying enterprise marketing automation (EMA) applications. Engineering is rolling out product development management (PDM) software, while manufacturing has been attempting (for what seems like a decade) to deploy material resource planning (MRP) applications.

Layered on top of each department in the production line are the six types of e-business applications that will dominate the market over the coming year. E-marketing applications are the basic Web identity sites that every company is implementing today. From there, most companies make the foray into an e-sales application, through which they hope to sell their products and services over the Internet. To further differentiate their offerings from their competition’s, many companies then venture into providing e-service applications (like Amazon.com’s cross-referencing of buyers’ interests in other books) and e-support applications (like Federal Express’ Web site, which allows real-time tracking of shipped packages). Many companies are even looking to develop e-supply applications, through which they can build an integrated supply chain with their suppliers and customers. And some have gone as far as to build e-engineering applications, which allow collaborative product development between corporate engineering organizations across their respective firewalls.

The hidden reality here is that these electronic business applications provide external access deep within a company’s computing infrastructure. This type of access is unprecedented in the industry and is becoming the major driving factor of the security market.

© 1998 Hurwitz Group Inc.

12. Single Sign-On Will Move Into the Mainstream

One result of the growth in the size of user communities is an increase in the number of users forgetting their passwords. A recent Hurwitz Group study reveals that some 61 percent of all helpdesk calls are related to forgotten passwords. While handling these requests in a productive manner continues to be a challenge for corporate IT, a far more serious threat to business productivity comes from customers who have forgotten their passwords to an e-commerce application. For example, if a customer forgets his password into Charles Schwab’s e-Schwab application, he can’t make stock trades, resulting in a revenue loss for Charles Schwab.

1999 will bring increased appreciation for the value of single sign-on (SSO) solutions, which effectively reduce the number of logon IDs and passwords that users have to remember. In the short term, companies will turn to script-based SSO solutions, which learn and automatically apply the logon processes for all existing applications—without modifying any of them. While a script-based technique will satisfy the SSO needs for internal users, it is not sufficient to meet the needs of external users, such as customers and business partners. As the year progresses, there will be a migration toward broker-based SSO, which employs certificate authorities and digital certificates that are trusted across multiple corporations.

13. Certificate-Based Authentication Will Move Up

Certificate authorities (CAs) and digital certificates are quickly gaining momentum as the preferred method for authenticating users. Currently, the prevailing standard for digital certificates is X.509, though a working group of the Internet Engineering Task Force (IETF) is working on a standard called PKIX (PKI for X.509). The promise of these standards has helped vendors such as GTE’s CyberTrust, Baltimore Tech., Entrust and VeriSign establish large certificate bases in several Fortune 500 companies, such as FedEx and Salomon Smith Barney.

In ’99, the growing popularity of digital certificates and soft tokens will continue to erode interest in hardware-based authentication solutions (e.g., token cards and smart cards). However, smart cards will find a niche in multiuser network OS environments and business-to-business e-commerce applications. Moreover, existing digital certificate technologies still face significant scalability challenges. For instance, the largest CAs running in production sites today can handle no more than 250,000 certificates, with each user possessing no more than one certificate. As a result, companies are deploying multiple CAs internally to support a greater number of certificates. 1999 will bring linear improvements in the scalability of CAs, to the point that an individual CA will be able to support as many as 500,000 certificates.

Over the next 12 months, certificate-based authentication vendors will need to address the issue of re-certification. If a company believes its master CA has been compromised, all outstanding certificates immediately become invalid, and all business processing that requires user authentication comes to a screeching halt. For users to continue work, certificates must be reissued—a process that can take days in a large environment. A few vendors, such as Diversinet, claim to eliminate this requirement, but they are fighting an uphill battle against the bigger, more entrenched vendors.

14. Integrated Security Strategies Will Gain Popularity

[Figure: security strategy areas by requirement. Confidentiality: Encryption. Application Integrity: Access Control, Authorization. User Integrity: User/Group, SSO, Authentication. System Integrity: Virus Prevention, Intrusion Detection, Risk Assessment, Auditing. Network Integrity: Firewalls, Communication Security. © 1998 Hurwitz Group Inc.]

The figure above illustrates an approach to an overall security strategy used by many large corporations. In this strategy, all security requirements are divided into 12 interrelated areas. Corporations methodically tackle each area using separate products and services, ensuring that all the relevant requirements in one area are sufficiently addressed before moving on to the next.

In 1999, corporate security strategies will involve a fair amount of integration between these product areas. Companies will require such integrated security solutions to actively and automatically respond to security problems. For example, if an intrusion attempt is detected by the intrusion detection system (IDS), a firewall will be notified and automatically configured to shut down inbound traffic from the network address perpetrating the intrusion attempt. Absent integrated security solutions capable of responding to this type of situation, IT organizations will find themselves building their own integration across platforms and security products.

In the lower left corner of the image are the areas with the most mature security technologies. These areas have been, and will continue to be, the first to be addressed by most companies. The last areas to be addressed are those in the upper right corner. Security markets such as encryption and authorization have been the slowest security technologies to be adopted and, as a result, have not matured as quickly as the other markets.

This chronological process of deploying security is dictated by two driving factors. First, unlike the security requirements in the top right of the figure, those in the lower left are easily understood by senior management, and therefore more likely to be funded. Second, the security products in the lower left are easily implemented and do not require significant changes to the existing IT infrastructure. By comparison, the products that apply to the requirements in the upper right corner are invasive, requiring substantial changes to the infrastructure to work properly.

Those market areas that fall along the skewed line from the upper left corner down to the lower right corner are the hottest security markets at the moment. Most any Request for Information (RFI) put out by a corporate IT organization today will clearly identify requirements for security management products that address the areas of user/group administration, SSO, intrusion detection and communication/network security. It is these areas that will experience the fastest revenue growth over the coming 12 months.

15. Operating Systems Will Be Hardened

As user accounts are afforded a greater degree of protection, corporations will turn their attention to protecting their applications—on both desktops and servers—inside and outside the corporate walls. For external servers (such as Web servers), companies will control access by hardening the environment in which the application resides.

Inside the corporate walls, companies will mitigate the risk of a compromise on any application server by compartmentalizing administrative access privileges. That way, if an administrative account is compromised, the potential for damage and business disruption is limited. Products like SeOS from Memco Software (now a subsidiary of Platinum Technology) provide this type of functionality.

The threat of attacks via hostile mobile code will cause many IT departments to deploy access control software to protect applications installed on users’ desktops. Limiting the user’s ability to modify their desktop and application configurations will substantially reduce the potential for downtime due to user modifications or security attacks from viruses and hostile code. One vendor introducing interesting technology in this area is WinVista, with their WinVista Pro product.

16. Granular Authorization Will Continue to Lag

Another approach to restricting access is to authorize access privileges to application objects and functions at a granular level. By definition, technologies in this market require major modifications to existing applications, and therefore are considerably more difficult to implement in larger organizations. Historically, this security area has been the slowest to materialize, and 1999 will be no different. But the need for authorizing granular privileges in Web-based applications has put greater pressure on IT departments to find a solution. Product offerings from HP, Gradient, enCommerce and Internet Dynamics show promise in this area and will gain market momentum in ’99.

17. Real-Time Cryptography Will Arrive

All security management solutions fundamentally depend on cryptographic algorithms for privacy and confidentiality. In the past, government restrictions on the exportation of cryptography (primarily in the United States) have inhibited the deployment of the strongest encryption products. While the Clinton administration recently relaxed restrictions on exporting 56-bit keys, the strongest crypto algorithms must still get special export waivers.

The overhead required for encryption and decryption processing has also inhibited full-scale deployment of cryptography across the enterprise. To address this problem, in 1999 consumers of security will begin to use more intelligent combinations of cryptographic techniques. Public-key encryption will be used to create digital certificates, while symmetric-key encryption will be used for encrypting bulk data. Elliptic curve cryptography (ECC) will gain further credibility thanks to its promise of improved speed and efficiency. Finally, real-time applications will begin to implement cryptography, with vendors such as Certicom and TriStrata poised to take advantage of this market opportunity.

18. Security Will Eclipse the Y2K Bug

In 1999, security will supplant the Y2K bug as the number one concern of most IT departments. The sheer scope of this article underscores just how challenging infosecurity in the new millennium will be. Companies will have to address these issues by establishing a comprehensive security strategy that enables them to deploy electronic business applications that are safely integrated with the enterprise’s packaged applications. It won’t be easy. Hold on for a wild ride. And protect yourself, because no one else will.

19. Change Will Be Constant

It’s no secret that infosec is an industry of change. As organizations evolve into virtual businesses, new opportunities—and, consequently, new threats—will continue to crop up daily. The challenges of secure e-commerce will continue to test the limits of technology; remote partners will require an increasingly higher level of access to critical business applications and information; hackers will develop new tools and techniques for breaking through today’s security barriers; savvy end-users will explore new ways to use (and abuse) their privileges…the list goes on.

As the challenges evolve, so will the security tools and strategies. The above predictions paint a portrait of the industry in ’99 based on research into current market directions and technology trends. But the industry could grow in any number of unexpected directions, some of which might be quite different from what’s predicted above. In any case, it’s always wise to expect the unexpected in infosecurity, because there’s never a dull moment.

Steve Foote is vice president of research strategy and director of the Systems and Applications Management service for Hurwitz Group Inc., a management consulting and software research firm in Framingham, Mass. He can be reached via sfoote@hurwitz.com.

 

PREDICTIONS AT-A-GLANCE

1. Applications Will Have Millions of Moving Parts

2. Companies Will Establish Numerous Security Perimeters

3. Firewalls Will Become More Adaptive

4. Personal Firewalls Will Take Off

5. Securing Business Partner Access Will Become Easier

6. Viruses Will Take on New Life Forms

7. Detecting Intruders Will Become Almost Impossible

8. New Technologies Will Open More Security Holes

9. Companies Will Emphasize Legal Evidence of Break-ins

10. User Communities Will Grow Into the Millions

11. The Corporate Walls Will Come Tumbling Down

12. Single Sign-On Will Move Into the Mainstream

13. Certificate-Based Authentication Will Move Up

14. Integrated Security Strategies Will Gain Popularity

15. Operating Systems Will Be Hardened

16. Granular Authorization Will Continue to Lag

17. Real-Time Cryptography Will Arrive

18. Security Will Eclipse the Y2K Bug

19. Change Will Be Constant