by Scott Crawford

Security and management come together

Feb 25, 2004 | 3 mins
Data Center | IT Leadership

* ECE merges security and management

Recently in this newsletter we speculated that 2004 might be the breakthrough year for security management. This week we are at RSA, the annual IT security event in San Francisco, taking a look at how that effort is taking shape. So far, we have not been disappointed.

The run-up to RSA is typically peppered with vendor announcements of security initiatives – and management, coupled with a higher degree of integration, has been the clear focus of many. In addition, we have seen a pair of recent acquisitions by HP not immediately relevant to security, but which could have a significant impact regardless.

The recent acquisition of NetScreen by Juniper Networks illustrates how network vendors are increasingly recognizing that security needs to be something more integral to architecture than just an add-on to other offerings. Sun’s plan to release a hardened version of Solaris and enter into a managed security services partnership with VeriSign accentuates the same awareness of security integration.

The announcement that IBM will partner with Cisco to bring its Tivoli expertise to network security efforts illustrates the fundamental involvement of management in an integrated security architecture. While the range of cooperation between Cisco and IBM will be broad – across identity management, secure connectivity, policy and services – the thrust of greatest near-term interest will be joint efforts related to Cisco’s Network Admission Control (NAC) initiative.

NAC is one of several innovative entrants, each with its own compelling differentiators, in this still-emerging field that we here at Enterprise Management Associates are calling “endpoint configuration enforcement,” or ECE.

In summary, ECE is the ability to enforce a policy on clients, requiring a specific configuration as well as authentication before they are permitted to connect to a network. Initially, such a policy would typically require anti-virus (including verification that the client is infection-free), client firewalling, and a specified patch level, all up to date and configured correctly. Non-compliant computers are either denied access to the network or redirected to a site where remediation can be applied. Networks that detect enforcement breaches through the spread of an attack would be able to isolate threatening traffic. In addition to promising better control of fast-spreading attacks, ECE will also become important in enabling wireless in the enterprise. Eventually, such a process would become fully automated – if truly trustworthy.
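The admission decision described above, as an added example that is not from the article or from any vendor's product. The report field names and policy thresholds are hypothetical, and it assumes that unauthenticated or possibly infected clients are denied while fixable configuration gaps are sent to remediation.

```python
from datetime import date, timedelta

# Constructed policy values; the article names the checks, not thresholds.
POLICY = {"max_signature_age": timedelta(days=7), "min_patch_level": (2004, 2)}

def evaluate(report: dict, today: date, policy: dict = POLICY):
    """Return (decision, reasons) for a hypothetical endpoint posture report.

    Missing fields fail closed: a client agent that does not report a
    check is treated as failing that check.
    """
    # Authentication comes first; posture is irrelevant without it.
    if report.get("authenticated") is not True:
        return "DENY", ["not authenticated"]
    # Assumption: a host that cannot prove it is clean is kept off entirely.
    if report.get("infection_free") is not True:
        return "DENY", ["infection not ruled out"]

    reasons = []
    sig = report.get("av_signature_date")
    if not isinstance(sig, date):
        reasons.append("anti-virus missing")
    elif today - sig > policy["max_signature_age"]:
        reasons.append("anti-virus signatures out of date")
    if report.get("firewall_enabled") is not True:
        reasons.append("client firewall disabled")
    patch = report.get("patch_level")
    if not isinstance(patch, tuple) or patch < policy["min_patch_level"]:
        reasons.append("patch level below policy")

    # Fixable gaps send the client to the remediation site, not the network.
    return ("REMEDIATE" if reasons else "ADMIT"), reasons

# Constructed sample reports (not real data).
TODAY = date(2004, 2, 25)
COMPLIANT = {"authenticated": True, "infection_free": True,
             "av_signature_date": date(2004, 2, 23),
             "firewall_enabled": True, "patch_level": (2004, 2)}
STALE = {"authenticated": True, "infection_free": True,
         "av_signature_date": date(2004, 1, 1),
         "patch_level": (2004, 2)}  # firewall field missing on purpose
UNAUTHENTICATED = dict(COMPLIANT, authenticated=False)

if __name__ == "__main__":
    for name, rpt in [("compliant", COMPLIANT), ("stale", STALE),
                      ("unauthenticated", UNAUTHENTICATED)]:
        print(name, evaluate(rpt, TODAY))
```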

The management focus of ECE leads us to wonder how HP may be able to leverage its recent acquisitions of Novadigm and Consera in this area. HP has thus far been something of a stealth player in security management per se – yet it is patiently assembling a framework that could make its presence substantial. Examples include acquisitions such as SelectAccess identity management and Talking Blocks for applications, and partnerships as diverse as security console developer ArcSight and federation start-up Ping Identity. Should it choose to strengthen its definition of security management, these alignments could enable HP to be competitive with security lines from IBM and Computer Associates.

ECE is the first real glimmer of hope that zero-day attacks and similar threats may finally be brought under control. It is also the initial effort in what will become a broader emphasis on assuring that all network points are secure and compliant. The fact that management is the focus of many of these initiatives says a great deal about what IT security will look like in coming months and years, as integration and uptake accelerate.