The year ahead: Juggling IT risks, opportunities

In 2007, IT executives will need to clearly evaluate risk as they weigh sometimes opposing proposals to bolster security, increase wireless connectivity, extend more business processes over the Internet and address regulatory requirements.

If that's not enough, some say the adoption of VoIP technology, which is subject to denial-of-service and stolen capacity, may lead to disruptions in traditional circuit-switched telephony as well.

"More trouble is yet to come in VoIP, and hackers are going to gain complete control over your VoIP network," says Rohit Dhamankar, senior security manager at 3Com.

Trends for '07

For 2007, technologies such as standards-based IP PBX systems and Web-based applications are waxing, while others are waning.

What's hot | What's not
Session Initiation Protocol-based standards for IP PBX systems | Proprietary VoIP protocols
Telepresence | Videoconferencing
Custom Trojan attacks | Traditional antivirus defenses
Dual-mode cellular and WiFi devices | Single-function devices
Software-as-a-service | Monolithic application platforms
Enterprise service buses | Enterprise application integration

Because VoIP servers "are interfacing with traditional ‘old phone' networks," he points out, hackers are likely to launch attacks through VoIP that will seriously affect the telecom infrastructure, such as Signaling System 7 for call setup. The result: downtime and criminal exploitation of the circuit-switched phone system through VoIP.

Other trends, says Friedrichs, can be traced to Web 2.0 technologies, such as AJAX, which support very flexible access to server resources behind the corporate firewall. This very flexibility appears likely to facilitate a new genre of exploits that will be difficult to detect and analyze, he notes.

Meanwhile, with Microsoft's Vista expected to begin gaining a footprint in the enterprise and on consumer desktops in 2007, all eyes will be watching how well it holds up without patching. So far, some are at least optimistic. "Microsoft has made significant improvements in the core operating system," Friedrichs says.

Wireless demands

While it may be tempting to batten down corporate systems as these new threats emerge, IT departments in 2007 will find it nearly impossible to ignore the scads of employees, business partners and customers clamoring for greater mobility and wireless access to systems.

"For most enterprises, CIOs see mobility as absolutely essential," says Stan Schatt, vice president with ABI Research. "They are getting so much pressure from their internal customers for this. IT is being forced to acquiesce" in the mobility quest.

Fortunately, as user demands escalate, wireless networks -- both WLANs and cellular data networks -- are poised to get a lot more effective in the coming year.

Draft 2 of the IEEE 802.11n WLAN standard is expected to become final in February or March, and the Wi-Fi Alliance is expected to launch its certification testing for draft 2 products by about May. Products based on the draft standard are expected to start appearing by midyear and could have a major impact on enterprise backbone networks. These products, with throughput of 100M to 300Mbps, will be aimed first at the residential, home office and small-business markets, which already have been snapping up so-called pre-11n gear that began shipping in 2006.

The year ahead

Here's a collection of key industry events happening or expected to take place in 2007.

January

Microsoft ships Vista and Office to consumers.
The AT&T and BellSouth merger is finalized.
Cisco's $31 million acquisition of Orative, maker of VoIP and cell phone software, is expected to close.

February

Cisco will replace eight single-topic Service Provider CCIE exams with a single written test.
Sprint Nextel is expected to turn on its EV-DO, Rev A service. The higher-speed wireless data service promises upload speeds of 300K to 400Kbps and download speeds of 450K to 800Kbps.
IEEE set to approve 802.11n, Draft 2 of the 100+Mbps WLAN standard.
Feb. 14-15: LinuxWorld New York.
Feb. 5-9: RSA Conference 2007, San Francisco.

March

Intel by now is expected to introduce two more quad-core processors, bringing the total number of quad-core offerings to four.
Sun by now is expected to integrate the open source Xen virtualization technology into Solaris.
The last call process concludes for the GNU General Public License, Version 3. The Free Software Foundation is expected to adopt the new GPL formally no later than March.
Cisco 1700, 2600 and 3700 routers, last day of sale: March 27.
Cisco IOS software, Release 12.3, last day of sale: March 15.
March 27-29: CTIA Wireless 2007, Orlando.

April

Microsoft jumps into VoIP game with expected shipment of Office Communications Server 2007 sometime between April and June.

May

Wi-Fi Alliance expected to begin certification testing of 11n Draft 2-compliant access points and adapters.
May 20-25: Interop Las Vegas.

June

AMD expected to introduce quad-core Opteron processors.
Only one year after going it alone, the Telecommunications Industry Association (TIA) and the United States Telecom Association (USTA) are joining trade show forces again and are holding the inaugural NXTcomm in Chicago. 

July

Release of Microsoft’s Longhorn Server expected in second half of 2007.

Bill Gates begins last year as full-time Microsoft employee.

CiscoWorks for Windows, last day of technical support: July 28.

August

Aug. 6-9: LinuxWorld Conference & Expo, San Francisco.

September

802.11r expected to be finalized, to create a standard for fast roaming between WLAN access points, a key step for predictable, interoperable, wireless VoIP.

October

Oct. 22-Nov. 16: World Radiocommunication Conference in Geneva. Every four years the world’s nations debate rearranging the use of spectrum.
Oct. 22-26: Interop New York.

November

Markets in Financial Instruments Directive: European Union implements rules for financial institutions that set out basic, high-level provisions governing organization and conduct.

Cisco Content Service Switch (CSS) 11850, last day of technical support: Nov. 1.

December

NIST expected to update Security Controls for Federal Information Systems, Electronic Mail Security, Secure Web Services recommendations.
Smaller public companies must provide a management assessment of their internal controls over financial reporting in annual reports for fiscal years ending Dec. 15 or later. In 2006 SMBs were given a one-year extension to comply with the financial reporting requirements set by the Sarbanes-Oxley Act of 2002.

Because 802.11n won't be formally approved until early 2008, it's unlikely that companies will adopt these prestandard products. But they will be evaluating them and their possible impact on the existing wired infrastructure. "The effective data rate from an .11n access point could be well over 100Mbps," says Craig Mathias, principal with Farpoint Group, a wireless consultancy. "It will swamp [some] existing switches. Gigabit Ethernet is something you sort of need to have [for .11n]."

Additional 802.11 standards coming in 2007 will make enterprise WLANs more consistent, more manageable and better performing, says Paul DeBeasi, a Burton Group senior analyst. In the third quarter, the completion of the 802.11r standard will create a standard method for very fast roaming between access points, seen as critical for good wireless VoIP calls.

The 802.11k standard for radio resource management specifies what management data can be collected from WLAN clients, not just access points. This will be combined with the 11v standard, which will give the WLAN infrastructure greater control over client devices, creating a more predictable, consistent WLAN.

Meanwhile, cellular data services will continue to improve dramatically in 2007. Subscribers will see two-way throughput in the 400K-to-700Kbps range, and much lower latency, based on standards such as EV-DO Revision A and HSDPA/HSUPA. Carriers are aggressively expanding the footprint for such services, making pervasive mobile computing more feasible than ever.

With both WLANs and cellular data networks more capable, expect to see an explosion in so-called dual-mode smart phones, which can operate on either network.

Finally, increased mobility will highlight new security problems -- not in the wireless networks but in the client devices that use them. The spread of mobility in 2007 will force enterprises to be more systematic about securing client devices, protecting the corporate data on them, and protecting the corporate networks they access.

Compliance quagmire

Just as there will be no letup from security threats in 2007, users won't find much relief from regulatory requirements either.

Laws in effect this year portend more of the same: They expand requirements to retain e-mail and other documents and to encrypt confidential consumer data being stored. New rules on the evidentiary discovery of clients' electronically stored information, international banking rules and more detailed interpretations of the Health Insurance Portability and Accountability Act will spur customers to put mechanisms in place to more quickly discover and retrieve archived data.

Changes to laws protecting the privacy of customers' confidential information also are on tap for 2007. Following California's lead, about 30 states have imposed rules that require organizations to disclose when data leaks have occurred. A ruling under consideration in the federal government right now – the Notification of Risk to Personal Data Act – requires federal agencies and companies engaged in interstate commerce and in possession of data containing personal information to disclose any unauthorized breach or loss of such information.

In the financial services and banking industries, two international laws will affect how organizations retain, recover and report on data. BASEL II, which took effect Jan. 1, requires the worldwide banking community to uniformly capture data to allow operational risk factors to be identified and analyzed. The Markets in Financial Instruments Directive, which requires compliance by next Nov. 1, is the European Union's rule that sets out basic high-level provisions governing how business should be conducted.

Compliance with these rules will be a tricky matter for multinational companies, because they can differ from rules imposed in the United States. "Privacy policies in Europe and discovery policies in the U.S. are very different," says Francis Lambert, senior compliance adviser to Zantaz, an e-mail and archiving vendor. "There is no international body that is going to solve this for [companies]."

The compliance quagmire also may change depending on how the incoming Democratic Congress views it. "In the past several years there has not been a focus on enforcement," Lambert says. But enforcement could increase with the Democratic Congress, he suggests.

NAC matures

While lawmakers are busy detailing rules about how data should be stored, technology vendors are equally busy devising ways to protect enterprise resources from harm while complying with all the government rules. One technology that will continue to generate buzz in 2007 is network access control (NAC).

This year NAC is going to become more mature, and some long-talked-about contributions to the technology finally will be available.

The three major spheres of influence within the NAC universe -- Cisco, Microsoft and Trusted Computing Group (TCG) -- each envision a method of checking whether devices that are trying to access networks hold a security posture that is in line with policies set by the corporation. If not, the NAC system will deny that device access or limit it to a quarantined area of the network.
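The posture decision described above, as an added illustration that is not code from the article or from any Cisco, Microsoft or TCG product: an endpoint reports its security posture, a policy engine compares it with corporate policy, and the device is allowed onto the production network, placed in a quarantine segment where it can be remediated, or denied outright. The posture fields, thresholds, VLAN numbers and sample devices are all constructed for this example.

```python
"""Toy NAC posture evaluator (added example, not vendor code).

Models the decision in the text: compare a device's reported posture with
corporate policy and return ALLOW, QUARANTINE or DENY. Remediable problems
(stale AV, missing patches, firewall off) send the device to a quarantine
segment; an unsupported patch floor is denied outright; a device that cannot
be assessed at all gets whatever verdict the policy specifies.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Verdicts, in increasing order of restriction.
ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"
_SEVERITY = {ALLOW: 0, QUARANTINE: 1, DENY: 2}


@dataclass
class Posture:
    """What the endpoint agent reports (constructed schema)."""
    host: str
    os_patch_level: int          # vendor patch-level number
    av_signature_date: date      # date of last AV signature update
    firewall_enabled: bool
    agent_present: bool = True   # False: no agent, device cannot be assessed


@dataclass
class Policy:
    """Corporate posture policy (constructed thresholds)."""
    min_patch_level: int             # below this: quarantine for patching
    deny_below_patch_level: int      # below this: unsupported build, deny
    max_av_age_days: int
    require_firewall: bool
    unassessable_verdict: str = QUARANTINE
    production_vlan: int = 10
    quarantine_vlan: int = 999


def check_posture(p: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); the most severe finding decides the verdict."""
    if not p.agent_present:
        return policy.unassessable_verdict, ["no posture agent; device cannot be assessed"]

    findings: List[Tuple[str, str]] = []
    if p.os_patch_level < policy.deny_below_patch_level:
        findings.append((DENY, f"patch level {p.os_patch_level} below supported "
                               f"floor {policy.deny_below_patch_level}"))
    elif p.os_patch_level < policy.min_patch_level:
        findings.append((QUARANTINE, f"patch level {p.os_patch_level} < required "
                                     f"{policy.min_patch_level}"))

    av_age = (today - p.av_signature_date).days
    if av_age > policy.max_av_age_days:
        findings.append((QUARANTINE, f"AV signatures {av_age} days old "
                                     f"(max {policy.max_av_age_days})"))

    if policy.require_firewall and not p.firewall_enabled:
        findings.append((QUARANTINE, "host firewall disabled"))

    if not findings:
        return ALLOW, []
    verdict = max(findings, key=lambda f: _SEVERITY[f[0]])[0]
    return verdict, [reason for _, reason in findings]


def network_placement(verdict: str, policy: Policy) -> Optional[int]:
    """Map a verdict to a VLAN; None means no network access at all."""
    return {ALLOW: policy.production_vlan,
            QUARANTINE: policy.quarantine_vlan,
            DENY: None}[verdict]


def evaluate_all(devices: List[Posture], policy: Policy, today: date) -> Dict[str, str]:
    """Evaluate every device and return host -> verdict."""
    return {d.host: check_posture(d, policy, today)[0] for d in devices}


# Constructed sample policy, reference date and device fleet.
SAMPLE_POLICY = Policy(min_patch_level=12, deny_below_patch_level=8,
                       max_av_age_days=7, require_firewall=True)
TODAY = date(2007, 1, 15)
SAMPLE_DEVICES = [
    Posture("laptop-01", 12, date(2007, 1, 14), True),    # fully compliant
    Posture("laptop-02", 12, date(2006, 12, 20), True),   # AV signatures 26 days old
    Posture("desktop-03", 10, date(2007, 1, 14), False),  # missing patches, firewall off
    Posture("kiosk-04", 5, date(2007, 1, 14), True),      # unsupported patch floor
    Posture("printer-05", 0, date(2007, 1, 1), False, agent_present=False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        verdict, reasons = check_posture(dev, SAMPLE_POLICY, TODAY)
        vlan = network_placement(verdict, SAMPLE_POLICY)
        print(f"{dev.host:<11} {verdict:<10} vlan={vlan} {'; '.join(reasons)}")
```

The point of separating QUARANTINE from DENY is that quarantine is a remediation path, not just a refusal: the quarantine segment is where a device is expected to reach patch and signature servers and then be re-evaluated, while the deny verdict is reserved for builds the organization does not support at all.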

These big names in NAC will reach milestones this year. For example, sometime after June, Microsoft says it will release its Longhorn server, which is an essential component of its NAC scheme known as Network Access Protection (NAP).

In addition, Microsoft Vista, which is being released to consumers in January, includes client software necessary to support NAC. This is key to some other vendors, including Cisco, whose NAC architectures are receptive to Vista's NAC support, because it means customers won't have to add one more thing to their desktops and laptops if they want to deploy NAC. Similarly, the release of Longhorn in the second half of 2007 is important to Cisco, because it will include the Microsoft NAP agent.

For its part, TCG is publishing standards for NAC components that will lead toward vendor interoperability.

The IETF also has jumped into the game, establishing a working group to develop NAC standards. That effort is behind the curve, because the group was just set up in November and won't meet again until March. But every step it takes will be significant in that key vendors participate in the group and typically implement technology based on the best current working version of developing standards.

Outside the three main NAC camps, smaller vendors will make headway among budget-conscious customers in 2007, industry watchers predict. Vendors such as ConSentry, Nevis and Vernier make appliances and switches that can enforce policies and keep a lookout for misbehaving machines. Customers who are in need of NAC but don't want to invest yet in networkwide upgrades will increasingly buy these devices in 2007, says Zeus Kerravala, a Yankee Group analyst.
