Claiming that the events of Sept. 11 are irrelevant to an IT
strategy, Gartner security analyst John Pescatore, who recently
grabbed the spotlight by blacklisting Microsoft's Internet Information
Server, said that the outcome of that tragic day was "simply
a validation of what we already know."
Hinting that many companies have long overlooked the importance
of security as a part of their strategies, Pescatore suggested
that corporate security specialists should seize the opportunity
that the heightened sensitivity presents to gain more leverage
in their organizations in their efforts to protect digital assets.
Citing a range of transgressions, from improperly configured
servers to ignorance of well-known security practices, Pescatore
said he has seen the enemy and "the enemy is us."
Noting that security is often an afterthought, Pescatore said, "Security
must come first" and lead the way, ahead of processes such as
development. Companies that
heed Pescatore's recommendation will need to undergo a cultural
shift before the discipline is universally accepted and deployed.
It was the second such cultural shift in the development cycle
that Gartner has recommended at this year's Symposium. The first
was presented earlier in the day by Gartner analyst David Smith
who said that for companies to successfully deploy Web services,
their developers will need to undergo a shift towards more of
a component re-use culture that includes developing software
as a service. Smith called the concept SODA, or Service Oriented
Development of Applications.
During the conference, Pescatore has been defending his widely
covered recommendation that companies dump Microsoft's Internet
Information Server. According to Pescatore, the recommendation
was not necessarily based on IIS deficiencies. Pointing a finger
at Internet server managers, he was quick to note that 75 percent
of exploited server vulnerabilities involved servers that were
either misconfigured or not patched in a timely manner.
While crediting Microsoft for making patches available before
strikes such as Code Red and Nimda occurred, Pescatore said
intruders wait for patches like that so that they know what
exploit to try next.
Attendees had mixed feelings about Pescatore's remarks. Some
referred to IIS customizations they had in place, such as Active
Server Pages (ASP), that could not easily be ported to an alternative.
The more security savvy attendees boasted of airtight security
procedures that resulted in immediately patched servers and
attacks that were repelled. Still, others were waiting to see
if Microsoft CEO Steve Ballmer, scheduled to speak later during
the conference, would respond to Pescatore's blacklisting.
Pescatore went on to define five priorities for any company
interested in building a security foundation that can enable
business. "The first priority is availability," said
Pescatore. "Availability means: Can you do what you need
to, when you want to?" The second and third priorities,
ranked equally in importance, are authentication and authorization.
"Authentication," said Pescatore, "is the 'who
are you' question, while authorization answers the question of
'what you're allowed to do.'"
Pescatore's equally ranked fourth and fifth priorities are
privacy and non-repudiation. "Can we protect your data,
and can you prove it?" according to Pescatore.
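The distinction Pescatore draws between the "who are you" and "what you're allowed to do" questions is where many access-control bugs live: a request that has passed authentication is treated as if it had also passed authorization. The following is an added example, not code from Gartner or from the talk, showing the two checks kept separate. The user store, salts, passwords, roles and permission table are all constructed for the example; authentication verifies a salted PBKDF2 password hash with a constant-time comparison, and authorization is decided only from the verified identity's role, never from anything the client supplied.

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user store for this example (hypothetical users, salts fixed so the
# example is reproducible; a real store would use random per-user salts).
_SALT_ALICE = b"\x00" * 16
_SALT_BOB = b"\x01" * 16
USERS = {
    "alice": {"salt": _SALT_ALICE,
              "hash": _hash_password("correct horse", _SALT_ALICE),
              "role": "admin"},
    "bob": {"salt": _SALT_BOB,
            "hash": _hash_password("battery staple", _SALT_BOB),
            "role": "analyst"},
}

# Constructed authorization policy: (action, resource) pairs each role may perform.
PERMISSIONS = {
    "admin": {("read", "reports"), ("write", "reports"), ("delete", "reports")},
    "analyst": {("read", "reports")},
}


def authenticate(username: str, password: str):
    """'Who are you?'  Returns the verified username, or None."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so that timing does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    # Constant-time comparison: no early exit on the first differing byte.
    return username if hmac.compare_digest(candidate, user["hash"]) else None


def authorize(username: str, action: str, resource: str) -> bool:
    """'What are you allowed to do?'  Decided from the verified identity's role."""
    user = USERS.get(username)
    return user is not None and (action, resource) in PERMISSIONS[user["role"]]


def handle_request(username: str, password: str, action: str, resource: str) -> str:
    """Both questions are asked, in order; passing the first does not answer the second."""
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"
    if not authorize(identity, action, resource):
        return "403 forbidden"
    return f"200 {identity} may {action} {resource}"


if __name__ == "__main__":
    print(handle_request("bob", "battery staple", "read", "reports"))    # 200 bob may read reports
    print(handle_request("bob", "battery staple", "delete", "reports"))  # 403 forbidden
    print(handle_request("bob", "wrong password", "read", "reports"))    # 401 unauthenticated
```

The third call is the case to watch for in real systems: bob is a legitimate, authenticated user, and the only thing standing between him and deleting the reports is the separate authorization check.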
In addition to the many current challenges confronting security
specialists, Pescatore expects the environment to get worse
before it gets better. "For example," he said, "Web
services are just the application guys poking another hole in
your firewall." Although relatively new, the Web services
sector is expected to explode with activity in the coming years.
All these challenges have security managers wishing for the
ever elusive--and mythic--"security dashboard" said
Pescatore. "Today, there are monitoring solutions that
allow us to retrieve data from various devices, but we still
can't manage them." Pescatore expects that to change, but
not in the immediate future.
In the meantime, Pescatore is recommending new security measures.
For companies with employees on laptops, he is strongly recommending
personal firewalls. He also suggested encrypting data that resides
in servers. "We're really good at encrypting data on the
move, such as email, but now we need to start thinking about
encrypting data at rest to prevent tampering."
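One caveat a practitioner would add to the data-at-rest recommendation: encryption on its own gives confidentiality, not tamper detection. With a stream cipher, flipping a bit of stored ciphertext flips the same bit of the decrypted plaintext, silently, so an integrity tag has to be stored alongside the ciphertext. The following is an added example, not code from the article or from Gartner; it builds a small encrypt-then-MAC scheme from the Python standard library only. The keystream is HMAC-SHA256 run in counter mode as a stand-in for a real cipher (an assumption made so the example needs no third-party package; in production use an authenticated mode such as AES-GCM from a vetted library), and the sample record `balance=100` is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key (HMAC as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter) for each 32-byte block.
    Stand-in for a real cipher so the example runs on the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(master_key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Confidentiality only: returns nonce || ciphertext. Nothing here detects modification."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(master_key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_only; happily decrypts whatever bytes it is handed."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def seal(master_key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    body = encrypt_only(master_key, plaintext, nonce)
    tag = hmac.new(_subkey(master_key, b"mac"), body, hashlib.sha256).digest()
    return body + tag


def verify(master_key: bytes, blob: bytes) -> bool:
    """True only if the stored bytes are exactly what seal() wrote under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag first; decrypt only a record that passed."""
    if not verify(master_key, blob):
        raise ValueError("integrity check failed: stored record was modified")
    return decrypt_only(master_key, blob[:-TAG_LEN])


def flip_bit(blob: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate an attacker (or disk corruption) changing one stored byte."""
    b = bytearray(blob)
    b[index] ^= mask
    return bytes(b)


if __name__ == "__main__":
    key = os.urandom(32)
    record = b"balance=100"  # constructed sample record
    where = NONCE_LEN + len(b"balance=")  # ciphertext byte holding the '1'
    # Encryption alone: one flipped ciphertext bit turns '1' (0x31) into '0' (0x30).
    raw = encrypt_only(key, record)
    print(decrypt_only(key, flip_bit(raw, where)))      # b'balance=000'
    # Encrypt-then-MAC: the same change is caught before anything is decrypted.
    sealed = seal(key, record)
    print(verify(key, flip_bit(sealed, where)))          # False
```

The tag covers the nonce as well as the ciphertext, and the MAC key is derived separately from the encryption key, so neither the stored nonce nor the ciphertext can be altered without the check failing; the comparison uses `hmac.compare_digest` so the verifier does not leak how many tag bytes matched.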