Conference targets management and mobility

"Management" and "mobility" were the concerns of many attendees at this year's InfoSecurity 2003 Conference and Exhibition in New...

"Management" and "mobility" were the concerns of many attendees at this year's InfoSecurity 2003 Conference and Exhibition in New York, as leading security technology companies displayed products for managing security devices, combating spam and securing mobile devices.

Frustration with difficulty managing security devices and security risks posed by mobile devices such as personal digital assistants and cellular telephones is driving demand for new products and features bolstering traditional protections such as firewalls and intrusion detection systems.

A number of companies displayed technology for managing data produced by increasing numbers of security products deployed on corporate networks.

Securing mobile users was also a major concern of both attendees and exhibitors as corporations are equipping more employees with laptop computers, BlackBerry pagers and smart phones that give them constant access to network resources.

Increasingly, those devices are serving as entry points for worms and viruses, said David Mortman, director of global security at Siebel Systems.

"Seventy per cent of our workforce has laptops and is mobile, and laptops break the [network} perimeter," he said.

After a recent outbreak of the Blaster worm, Siebel was forced to protect its network from infection by stopping mobile workers as they came to work and requiring them to run a scanning program to detect copies of the worm on their laptops. Siebel stopped about 30 or 40 instances of Blaster from reaching the corporate network.

But companies are looking for more automated ways to deal with threats posed by mobile workers, according to Gerhard Eschelbeck of Qualys.

To meet those needs, companies are investing in new kinds of remote access technology. Nokia used InfoSecurity to display Secure Access System, a VPN product based on Secure Sockets Layer that lets companies set up access policies that take into account the mobile user's identity, location and type of device used for network access, said Steve Schall, director of security application product management at Nokia.

Companies can use a client integrity scanner component of the Secure Access System to determine whether a mobile user's operating system is adequately patched and whether antivirus definitions are up to date. Lower levels of network privileges can then be assigned to users who do not satisfy those criteria, Schall said.

InfoExpress showcased similar technology in its CyberGatekeeper product, a server that sits between VPN users and a corporate network and enforces security policies such as antivirus updates and configuration on remote clients.

Control Break displayed technology for protecting data on remote devices. The company's SafeBoot uses two-factor authentication and proprietary technology to validate a user's identity before allowing the SafeBoot-protected device to start.

The focus on securing mobile devices points to larger security problems posed by the use of embedded operating systems on a wide range of devices, from mobile phones to ATMs and SCADA systems that control critical infrastructure, said Pete Lindstrom of Spire Security.

"The idea is becoming apparent that embedded operating systems need to be evaluated and understood and profiled," he said.

Such devices are often not connected to the internet directly, but to enterprise networks, creating a "leaky network" that can allow viruses and worms in, as happened in August when ATMs at two customers of cash machine manufacturer Diebold were infected with the Welchia worm, Lindstrom said.

The sheer number of new security products and mobile computing devices that companies are deploying is forcing changes in the way network security administrators manage security, said Lance Braunstein, chief information security officer at Morgan Stanley Dean Whitter.

Administrators are, increasingly, looking to automate manual processes and invest more money in workflow and policy management technologies, he said. The interest he saw in technology such as software patch management systems highlights the desire for products that will reduce the administrative overhead associated with securing systems.

The proliferation of specialised security devices is also forcing a reconsideration of the long-accepted notion of buying "best in breed" technology to solve network security problems, Braunstein said. Companies such as Morgan Stanley are, increasingly, willing to settle for technology that is not "best of breed" if it offers seamless integration with other security functions, he said. 

Lindstrom agreed, saying that network security is fast evolving from an arcane practice to a science, and that security administrators are being held to account for costs associated with it.

"We're seeing a move from security being a black hole of lost dollars to it being a cost-benefit risk assessment in the enterprise," he said.

Paul Roberts writes for IDG News Service

Read more on IT strategy