In 2007, IT executives will need to clearly evaluate risk as they weigh sometimes opposing proposals to bolster security, increase wireless connectivity, extend more business processes over the Internet and address regulatory requirements.
If that's not enough, some say the adoption of VoIP technology, which is subject to denial-of-service and stolen capacity, may lead to disruptions in traditional circuit-switched telephony as well.
"More trouble is yet to come in VoIP, and hackers are going to gain complete control over your VoIP network," says Rohit Dhamankar, senior security manager at 3Com.
Because VoIP servers "are interfacing with traditional 'old phone' networks," he points out, hackers are likely to launch attacks through VoIP that will seriously affect the telecom infrastructure, such as Signaling System 7 for call setup. The result: downtime and criminal exploitation of the circuit-switched phone system through VoIP.
Other trends, says Friedrichs, can be traced to Web 2.0 technologies, such as AJAX, which support very flexible access to server resources behind the corporate firewall. This very flexibility appears likely to facilitate a new genre of exploits that will be difficult to detect and analyze, he notes.
Meanwhile, as Microsoft's Vista is expected to begin gaining a footprint in the enterprise and on consumer desktops in 2007, all eyes will be watching how well it holds up without patching. So far, some are at least optimistic. "Microsoft has made significant improvements in the core operating system," Friedrichs says.
Wireless demands
While it may be tempting to batten down corporate systems as these new threats emerge, IT departments in 2007 will find it nearly impossible to ignore the scads of employees, business partners and customers clamoring for greater mobility and wireless access to systems.
"For most enterprises, CIOs see mobility as absolutely essential," says Stan Schatt, vice president with ABI Research. "They are getting so much pressure from their internal customers for this. IT is being forced to acquiesce" in the mobility quest.
Fortunately, as user demands escalate, wireless networks -- both WLANs and cellular data networks -- are poised to get a lot more effective in the coming year.
Draft 2 of the IEEE 802.11n WLAN standard is expected to become final in February or March, and the Wi-Fi Alliance is expected to launch its certification testing for draft 2 products by about May. Products based on the draft standard are expected to start appearing by midyear and could have a major impact on enterprise backbone networks. These products, with throughput of 100Mbps to 300Mbps, will be aimed first at the residential, home office and small-business markets, which already have been snapping up so-called pre-11n gear that began shipping in 2006.
Because 802.11n won't be formally approved until early 2008, it's unlikely that companies will adopt these prestandard products. But they will be evaluating them and their possible impact on the existing wired infrastructure. "The effective data rate from an .11n access point could be well over 100Mbps," says Craig Mathias, principal with Farpoint Group, a wireless consultancy. "It will swamp [some] existing switches. Gigabit Ethernet is something you sort of need to have [for .11n]."
Additional 802.11 standards coming in 2007 will make enterprise WLANs more consistent, more manageable and better performing, says Paul DeBeasi, a Burton Group senior analyst. In the third quarter, completion of the fast-roaming standard will create a standard method for very fast roaming between access points, seen as critical for good wireless VoIP calls.
The standard for radio resource management specifies what management data can be collected from WLAN clients, not just access points. This will be combined with the 11v standard, which will give the WLAN infrastructure greater control over client devices, creating a more predictable, consistent WLAN.
Meanwhile, cellular data services will continue to improve dramatically in 2007. Subscribers will see two-way throughput in the 400Kbps-to-700Kbps range, and much lower latency, based on standards such as Revision A and HSDPA/HSUPA. Carriers are aggressively expanding the footprint for such services, making pervasive mobile computing more feasible than ever.
With both WLANs and cellular data networks more capable, expect to see an explosion in so-called dual-mode smart phones, which can operate on either network.
Finally, increased mobility will highlight new security problems -- not in the wireless networks but in the client devices that use them. The spread of mobility in 2007 will force enterprises to be more systematic about securing client devices, protecting the corporate data on them, and protecting the corporate networks they access.
Compliance quagmire
Just as there will be no letup from security threats in 2007, users won't find much relief from regulatory requirements either.
Laws in effect this year portend more of the same: They expand requirements to retain e-mail and other documents and to encrypt confidential consumer data in storage. New rules on the evidentiary discovery of clients' electronically stored information, international banking rules and more detailed interpretations of the Health Insurance Portability and Accountability Act will spur customers to put mechanisms in place to more quickly discover and retrieve archived data.
Changes to laws protecting the privacy of customers' confidential information also are on tap for 2007. Following California's lead, about 30 states have imposed rules that require organizations to disclose when data leaks have occurred. A ruling under consideration in the federal government right now -- the Notification of Risk to Personal Data Act -- requires federal agencies and companies engaged in interstate commerce and in possession of data containing personal information to disclose any unauthorized breach or loss of such information.
In the financial services and banking industries, two international laws will affect how organizations retain, recover and report on data. Basel II, which took effect Jan. 1, requires the worldwide banking community to uniformly capture data to allow operational risk factors to be identified and analyzed. The Markets in Financial Instruments Directive, which requires compliance by next Nov. 1, is the European Union's rule that sets out basic high-level provisions governing how business should be conducted.
Compliance with these rules will be a tricky matter for multinational companies, because they can differ from rules imposed in the United States. "Privacy policies in Europe and discovery policies in the U.S. are very different," says Francis Lambert, senior compliance adviser to Zantaz, an e-mail and archiving vendor. "There is no international body that is going to solve this for [companies]."
The compliance quagmire also may change depending on how the incoming Democratic Congress views it. "In the past several years there has not been a focus on enforcement," Lambert says. But enforcement could increase with the Democratic Congress, he suggests.
NAC matures
While lawmakers are busy detailing rules about how data should be stored, technology vendors are equally busy devising ways to protect enterprise resources from harm while complying with all the government rules. One technology that will continue to generate buzz in 2007 is network access control (NAC).
This year NAC is going to become more mature, and some long-talked-about contributions to the technology finally will be available.
The three major spheres of influence within the NAC universe -- Cisco, Microsoft and Trusted Computing Group (TCG) -- each envision a method of checking whether devices that are trying to access networks hold a security posture that is in line with policies set by the corporation. If not, the NAC system will deny that device access or limit it to a quarantined area of the network.
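To make the posture check described above concrete, here is a small policy evaluator added for this article (example code, not any of the vendors' NAC implementations): each device reports its patch level, antivirus signature age and firewall state, and the policy admits it, sends it to a quarantined remediation segment, or denies it. The thresholds, segment names and device reports are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

@dataclass
class Posture:
    host: str
    os_patch_level: int      # monotonically increasing patch/build number
    av_sig_date: date        # date of the last antivirus signature update
    firewall_on: bool
    agent_present: bool      # did the endpoint's posture agent answer at all?

# Corporate policy thresholds (assumed values, chosen for the example).
POLICY = {"min_patch_level": 120, "max_av_sig_age_days": 7, "require_firewall": True}

# Where each verdict lands the device (segment names are illustrative).
SEGMENT = {"allow": "corp-vlan", "quarantine": "remediation-vlan", "deny": None}

def evaluate(p: Posture, today: date, policy=POLICY) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdict is 'allow', 'quarantine' or 'deny'."""
    # No agent response means no evidence: nothing to remediate, so refuse entry.
    if not p.agent_present:
        return "deny", ["no posture agent response"]
    findings = []
    if p.os_patch_level < policy["min_patch_level"]:
        findings.append(f"patch level {p.os_patch_level} below {policy['min_patch_level']}")
    age = (today - p.av_sig_date).days
    if age > policy["max_av_sig_age_days"]:
        findings.append(f"antivirus signatures {age} days old")
    if policy["require_firewall"] and not p.firewall_on:
        findings.append("host firewall disabled")
    # Any failed check sends the device to the remediation segment, where it
    # can reach patch and signature servers but not the rest of the network.
    return ("quarantine" if findings else "allow"), findings

# Constructed sample fleet, evaluated as of a fixed date.
TODAY = date(2007, 1, 15)
SAMPLE_DEVICES = [
    Posture("laptop-01", 125, date(2007, 1, 14), True, True),   # compliant
    Posture("laptop-02", 118, date(2007, 1, 1), True, True),    # stale patch + AV
    Posture("guest-pc", 130, date(2007, 1, 13), False, True),   # firewall off
    Posture("unknown-box", 0, date(2000, 1, 1), False, False),  # no agent
]

def run_samples() -> dict:
    """Map each host to (verdict, assigned segment) for the sample fleet."""
    results = {}
    for p in SAMPLE_DEVICES:
        verdict, _ = evaluate(p, TODAY)
        results[p.host] = (verdict, SEGMENT[verdict])
    return results
```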
These big names in NAC will reach milestones this year. For example, sometime after June, Microsoft says it will release its Longhorn server, which is an essential component of its NAC scheme known as Network Access Protection (NAP).
In addition, Microsoft Vista, which is being released to consumers in January, includes client software necessary to support NAC. This is key to some other vendors, including Cisco, whose NAC architectures are receptive to Vista's NAC support, because it means customers won't have to add one more thing to their desktops and laptops if they want to deploy NAC. Similarly, the release of Longhorn in the second half of 2007 is important to Cisco, because it will include the Microsoft NAP agent.
For its part, TCG is publishing standards for NAC components that will lead toward vendor interoperability.
The IETF also has jumped into the game, establishing a working group to develop NAC standards. That effort is behind the curve, because the group was just set up in November and won't meet again until March. But every step it takes will be significant in that key vendors participate in the group and typically implement technology based on the best current working version of developing standards.
Outside the three main NAC camps, smaller vendors will make headway among budget-conscious customers in 2007, industry watchers predict. Vendors such as ConSentry, Nevis and Vernier make appliances and switches that can enforce policies and keep a lookout for misbehaving machines. Customers who are in need of NAC but don't want to invest yet in networkwide upgrades will increasingly buy these devices in 2007, says Zeus Kerravala, a Yankee Group analyst.