List:       isn
Subject:    [ISN] Security survey finds 'best of breed' software works best
From:       mea culpa <jericho () dimensional ! com>
Date:       1998-12-27 20:05:03


Forwarded From: darek milewski <darekm@cmeasures.com>

http://www.zdnet.com/pcweek/stories/news/0,4153,380464,00.html
Security survey finds 'best of breed' software works best
By Jim Kerstetter, PC Week Online
December 23, 1998 9:00 AM ET

It's a debate reminiscent of the early days of enterprise resource
planning applications: best of breed or packaged suites? Which is best for
your company? 

Security software is no different. A recently published report by
Forrester Research Inc., in Cambridge, Mass., says best of breed, at least
for now, is the best way for your company to go because one company may
not be best at all aspects of security. The maker of a good firewall, for
example, may not know what to do with digital certificates. 

Forrester interviewed security managers at 50 Fortune 1000 companies and
talked with executives at more than a dozen security companies, ranging
from IBM to Netegrity Inc. The conclusion among many of those security
managers was twofold: First, security suites have so far been products
picked up in the acquisition process and are weakly integrated; second,
companies tend to buy security products one at a time, as needs arise, and
aren't likely to have a suite strategy. 

A security administrator at an East Coast utility backed up Forrester's
contentions, saying that buying into a security suite strategy doesn't fit
his company--yet. "We don't have that kind of need because we're buying
things one at a time," said the administrator, who requested anonymity.
"It's hard for us to plan for a suite when, really, we're just looking to
solve our next problem." 

"Suites aren't a solution to users' security problems. And the way that
[users] can rise to the security selection and implementation challenge is
by dividing and conquering," said analyst Ted Julian, the report's
co-author. 

Julian divided the market into four major areas for products and
responsibilities inside a corporation: infrastructure access, content
integrity, application user and operational compliance. 

Infrastructure security systems control network and system access and
protect against denial-of-service attacks, Julian said. Those systems are
the domain of a network administrator, who must handle a variety of
systems, such as firewalls, routers and remote access servers, and work
with protocols such as IP Security as well as authentication services
including hardware tokens and digital certificates. 

On another level, an IS administrator should be focused on content
integrity, which means looking for malicious content in viruses, Java and
ActiveX code and office suite macro viruses. 

In turn, application security middleware controls access to enterprise
applications by adding security to software that doesn't already have it. 
Application developers with skills in Component Object Model, Common
Object Request Broker Architecture, C++ and Common Gateway Interface
should be assigned to these tasks, Julian said. 

Finally, operational security--the true domain of security
administrators--detects security breaches in progress and discovers
systems that are not in compliance with security policy. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
