Today, security breaches are motivated less by fame and notoriety and more by a desire to profit from criminal activity, and new attack vectors, combined with the increased sophistication of malicious individuals, create an omnipresent threat. At the same time, heightened regulatory scrutiny and increased financial liability raise the costs of failing to protect the computing infrastructure.
With security now a pressing concern for every organization, it is not surprising that everyone from system administrators to Board members now assumes an active role in protecting the organization. But even with the increased level of awareness at all levels, it is CIOs who are often in the “hot seat.” For CIOs, fully understanding best practices and being aware of new security options under development are pivotal factors in delivering system-wide protection.
To be sure, absolute security is an elusive myth. In much the same manner as governments try to provide a level of security for entire nations, comprehensive IT security demands a layered approach. Security experts refer to this methodology as “rings of protections.”
To help CIOs devise a deliberate and comprehensive security plan, the following roadmap divides assets and products into three logical and concentric rings that together provide organizations with protection against current and future threats.
Phase 1: Guarding the Transportation Networks
Initial security efforts focused principally upon perimeter protection. These technologies mirror their analogs in the physical world and serve to protect our electronic equivalents to airports, docks and rail systems. Firewalls restrict access to resources just as countries limit access at their borders. Virtual private networks grant entry to authorized users, and intrusion detection systems monitor traffic to warn of potentially illegal activity.
While network protection is central to any well-designed security strategy, this outermost ring guarantees only minimal levels of protection. First-generation companies in network security witnessed industry consolidation, and Cisco and Juniper dominate today’s market.
Recent startups in network security focus higher in the application stack. Deep packet inspection firewalls, often referred to as intrusion prevention systems, examine individual data flows to detect malicious activity. Other innovative startups are also working on XML firewalls, voice-over-IP border gateways, in-line appliances to protect against denial of service and wireless security.
Protecting network “transportation systems” is the first step in a cohesive security plan.
Phase 2: Securing Critical Infrastructure
Demand for greater access by end users and business partners alike has resulted in increasingly porous networks inadequately protected against new threats. Moreover, today’s most insidious attacks circumvent traditional network security products. As a consequence, individual assets within the organization must be secured as well. This is again analogous to the safeguards put in place by agencies within the Department of Homeland Security to protect resources such as our nation’s telecommunications, energy, banking and finance systems.
The most important step to securing critical infrastructure is evaluating the organization’s risk. Defining this middle ring requires identifying systems most vulnerable to attack, assessing the potential losses associated with a compromise or failed audit and weighing the costs to adequately secure each resource. Many organizations conclude they need increased security around Web servers, application servers, mail servers and databases.
CIOs tackle these risks by protecting individual assets. Advanced network products, such as those noted previously, mitigate some risk. More often than not, however, host-based products are necessary complements to adequately protect the most critical elements of the infrastructure.
Leading-edge startups are essential to meeting these security needs. Patch management, available from vendors such as Big Fix, Shavlik and Patchlink, is a logical starting point, since these products protect against known attacks. Vulnerability protection from a company such as Determina* picks up where these products leave off by stopping targeted attacks and providing zero-day protection against unknown threats. Identity management solutions allow organizations to better restrict access to resources. Centrify*, for instance, extends Microsoft Active Directory to provide access and policy management to UNIX-based systems.
Desktops require protection as well. Anti-virus solutions from Symantec and McAfee offer a base layer of protection. Increasingly, organizations augment these products with other security solutions. Anti-spyware from Webroot* remediates and protects against the growing threat of malware. Personal firewalls from Check Point and ISS block worms and other network-based attacks. Host intrusion protection products further limit malicious activity. Taken together, these solutions protect individual computers within the organization.
Innovation in each of these areas continues. Many of the exciting new startups coming to market bring increased security to key infrastructure assets. Much of our attention in the venture capital community over the last two years has focused on this important category of companies.
Phase 3: Protecting and Monitoring Data
The third and emerging frontier of security is characterized by solutions that protect and monitor the most sensitive information within the organization: individual applications and data. Driven in part by fear of identity theft, this era of “information security” will deliver a new class of network and host-based products aimed at further protecting this innermost ring. Much like the physical security world, this requires classifying information, establishing organizational policies and enforcing these requirements. The Department of Homeland Security coordinates such efforts for the United States; the CIO must assume the same heroic task within their company.
Information security products span audit, control, encryption and authorization. The diverse technologies share the common trait of focusing on actual data rather than protecting arbitrary networks and systems.
For example, Elemental Security* reports on the state of systems within the company and allows administrators to express and enforce policies. Vulnerability scanning tools from leading companies such as Qualys offer visibility and tracking of exposed systems. Still other companies focus on protecting and monitoring particular types of data, whether structured and stored within databases or unstructured and residing on file servers. A final class of companies protects content transmitted by specific applications, such as e-mail and instant messaging.
Many of the most advanced network and host-based products focus on servicing this new need around information security. Companies such as Vontu and PortAuthority, for instance, examine outbound content to prohibit transmission of proprietary information. Moreover, the sharp contrast distinguishing network and host security will continue blurring. Security, networking, systems management and even storage will ultimately evolve to address the demands of information security.
This category remains ripe for innovation. New generations of exciting startups pushing the boundaries of information security are expected.
Conclusions about Information Security
Security is an ever-moving target, and the increasing severity of attacks, combined with a greater emphasis on ensuring protection, are definitive catalysts for action. Every CIO must remain current on the arsenal of security products available.
Existing perimeter products from established vendors address necessary and fundamental functions, but are insufficient for complete coverage. These solutions guard only the basic network transportation system. Securing critical infrastructure requires products that protect individual servers and desktops from targeted attacks. Looking ahead, products that protect and monitor applications and data promise to secure the most vital assets within our computing systems.
Best practices demand CIOs develop a security strategy that combines network, host and information protection. As venture capitalists, we are continually watching for exciting new companies that address these needs.
* a Mayfield Fund investment
Robin Vasan and Tom Fountain are venture capital investors focused on security and infrastructure software with the early-stage venture capital firm Mayfield Fund. Robin can be reached at firstname.lastname@example.org. Tom can be reached at email@example.com.