Security and Risk Management Strategies
In-Depth Research Overview




          VantagePoint 2008: Security Vital Signs
          Version: 1.0, Apr 10, 2008


          AUTHOR(S):
           Trent Henry
           (thenry@burtongroup.com)


          Additional Input:
           Eric Maiwald, Dan Blum, Pete Lindstrom, Bob Blakley, Randall Gamby

          TECHNOLOGY THREAD:

           VantagePoint

          Conclusion
           Information security is evolving in 2008 in response to disruptive changes. Economic
           uncertainty, intensely collaborative styles of work, virtualization, increased outsourcing, and
           ongoing compliance pressures require careful consideration and adaptation. The vital signs of
           the market are relatively strong, with continued focus on information-centric controls, healthy
           debate about balancing endpoint and network protections, and a drive toward improved
           enterprise/business risk management. Vital signs within protection programs require work,
           however. Useful metrics programs are rare, despite their importance to governance activity.
           Learning what to measure, and sharing the results, will be important to individual organizations
           and the security industry at large.




Publishing Information
Burton Group is a research and consulting firm specializing in network and applications infrastructure technologies.
Burton works to catalyze change and progress in the network computing industry through interaction with leading
vendors and users. Publication headquarters, marketing, and sales offices are located at:

Burton Group
7090 Union Park Center, Suite 200
Midvale, Utah USA 84047-4169
Phone: +1.801.566.2880
Fax: +1.801.566.3611
Toll free in the USA: 800.824.9924
Internet: info@burtongroup.com; www.burtongroup.com

Copyright 2007 Burton Group. ISSN 1048-4620. All rights reserved. All product, technology and service names are
trademarks or service marks of their respective owners.

Terms of Use: Burton customers can freely copy and print this document for their internal use. Customers can also
excerpt material from this document provided that they label the document as Proprietary and Confidential and add
the following notice in the document: Copyright © 2007 Burton Group. Used with the permission of the copyright
holder. Contains previously developed intellectual property and methodologies to which Burton Group retains
rights. For internal customer use only.

Requests from non-clients of Burton for permission to reprint or distribute should be addressed to the Client
Services Department at +1.801.304.8174.

Burton Group's Security and Risk Management Strategies service provides objective analysis of networking
technology, market trends, vendor strategies, and related products. The information in Burton Group's Security and
Risk Management Strategies service is gathered from reliable sources and is prepared by experienced analysts, but it
cannot be considered infallible. The opinions expressed are based on judgments made at the time, and are subject to
change. Burton offers no warranty, either expressed or implied, on the information in Burton Group's Security and
Risk Management Strategies service, and accepts no responsibility for errors resulting from its use.



If you do not have a license to Burton Group's Security and Risk Management Strategies service and are interested
in receiving information about becoming a subscriber, please contact Burton Group.
Table Of Contents
Synopsis.......................................................................................................................................................................... 4
Analysis...........................................................................................................................................................................5
  Security Mega Trends................................................................................................................................................. 5
     Market Dynamics.................................................................................................................................................... 6
        Economic Environment.......................................................................................................................................6
        Offshoring and Outsourcing................................................................................................................................7
        SaaS and Security as a Service........................................................................................................................... 7
        Quieter Threats: The Web as the Premiere Attack Platform...............................................................................7
        Risk Management............................................................................................................................................... 8
     Technology Dynamics............................................................................................................................................ 8
        Virtualization...................................................................................................................................................... 9
        Network-Centric Security................................................................................................................................. 10
        Applications Driving New Ways to Work........................................................................................................ 10
        Windows Server 2008: Let the Planning Begin................................................................................................11
        A Changing Information Landscape................................................................................................................. 11
  2007 in Review......................................................................................................................................................... 11
     Proactive Security................................................................................................................................................. 12
     De-Perimeterization.............................................................................................................................................. 12
     OS Security........................................................................................................................................................... 13
     Information-Centric Security................................................................................................................................ 13
     Compliance........................................................................................................................................................... 13
     Vendor Activities.................................................................................................................................................. 14
  Metrics for Evidence-Based Security....................................................................................................................... 15
     Quantifying Risk and Controls............................................................................................................................. 16
     What to Count for Security Management............................................................................................................. 17
     Objections to Metrics............................................................................................................................................ 17
     The Road Ahead....................................................................................................................................................18
  Evolving the Role of Network Controls................................................................................................................... 18
     Changing Drivers for Network Control................................................................................................................ 19
     Options for Implementation: Overlap and Confusion...........................................................................................19
     Measuring Vital Signs...........................................................................................................................................20
     Changing Network Controls: Broad Impact......................................................................................................... 20
  Data Security.............................................................................................................................................................20
     Technology Trends............................................................................................................................................... 22
     Evolution of Network, Application, and Data Security Controls......................................................................... 22
     Organizational Issues............................................................................................................................................ 23
  Governance, Risk Management, and Compliance.................................................................................................... 24
     The Real Goals and Value of G, R, and C............................................................................................................ 25
     Evolving the Role of Risk Management............................................................................................................... 26
     Appropriately Governing Compliance..................................................................................................................26
  Going Global.............................................................................................................................................................26
     Have Policy, Will Travel...................................................................................................................................... 27
     Worldwide Web of Compliance........................................................................................................................... 28
     Third-Party Access: Continuing Challenge.......................................................................................................... 28
  Final Word................................................................................................................................................................ 28
The Details.................................................................................................................................................................... 30
Conclusion.................................................................................................................................................................... 31
Related Research and Recommended Reading.............................................................................................................32
Author Bio ....................................................................................................................................................................33




BURTON GROUP 7090 Union Park Center Suite 200 Midvale · Utah 84047 · P 801.566.2880 · F 801.566.3611 · www.burtongroup.com
Synopsis
  The theme for this Security and Risk Management Strategies VantagePoint 2008 overview is security vital signs.
  This includes vital signs of the information security marketplace—common trends, vendor activities, challenges
  and opportunities, technology forces, and likely pain points—and vital signs within information protection
  programs. The latter include establishing strategic security metrics, collecting information used to support
  governance and compliance activities, and generally creating evidence that helps security teams and managers
  alike make good decisions.
  High-level megatrends in the security market landscape are dominated by economic considerations and
  outsourcing. With an economic downturn increasingly likely (and, possibly, underway), information security
  teams must be strategic in project selection and execution. They must also be attuned to the increased use of
  software as a service (SaaS), third-party providers, and other forms of outsourcing that distribute control and
  potentially undermine information protection. Although this is taking place in a quieter attack environment—in
  which malicious software and other exploits are targeted to individual organizations rather than via Internet-
  blasting worms—technical countermeasures are still essential. These must evolve in a changing work
  environment, where new styles of interaction see collaboration, Web 2.0, and information-sharing tools deployed
  extensively. In addition, increased virtualization and dynamic computing/network environments require a shift
  from coarse-grained network-centric controls to finer-grained application and data protection controls.
  Although security continues to be handled as an art, senior management and compliance requirements demand a
  more scientific approach. Enter strategic security metrics. In concert with the notion of “aligning IT with
  business,” the ability to speak concretely and numerically about information protection will make a security group
  much more appreciated in a business—and, as a result, more persuasive in its requests to senior staff. Taking a
  cue from health science, security metrics programs should measure the incidence and prevalence of transactions
  and failures and evaluate performance statistics to arrive at industry-wide comparables, such as “number of
  controls per transaction” or “cost of control per unit revenue.”
  Security as science will unfold in a market landscape that touts commingling of governance, risk management,
  and compliance (“GRC”) functions. Although all three tasks are essential and inform one another, no unified
  “GRC solution” exists. The function of governance is roundtrip management: pushing down senior-staff policies
  for implementation and receiving feedback up to validate execution and make course corrections as needed.
  Within a global, culturally diverse enterprise, governance—and its regulatory compliance counterpart—must be
  hierarchical. A meaningful market of tools is evolving to support these diverse functions, but it's still immature.




Analysis
  As measurements of human health, vital signs include blood pressure, temperature, pulse rate, and so forth. Each
  time we visit a doctor, our vital signs are measured and noted. They are essential indicators of our constitution and
  can be reliable signs of possible problems: failing health, the beginning of an illness, or a lingering injury. When
  applied to a broader population, vital signs show common health trends for a group: Are people generally taking
  care of themselves? Is society improving or declining in overall health? What are typical vital signs for different
  types of people? Do broader steps need to be taken in order to foster healthy lives?
  The field of information protection has vital signs as well—of the security marketplace and within enterprise
  protection programs. Burton Group's Security and Risk Management Strategies team examines both in this
  “VantagePoint 2008.”
  The first vital signs to be considered here are those of the information protection marketplace. These include the
  activities of vendors, innovation throughout the field, and general pursuits that are common to the enterprise
  clients we talked to in 2007 and will continue to survey into 2008 and beyond. The goal is to identify major trends
  and offer recommendations.
  Second are the vital signs within enterprise protection programs themselves. What should we be measuring? How
  should we be counting? What are the critical metrics that give us indications of health, and how do we relate one
  enterprise's vital signs to industry norms? Furthermore, how do we supply evidence for the notions of risk in our
  environment and subsequent protection decisions? The problem, of course, is that such vital signs are not well
  defined—certainly not in the way they are in the field of health. Our goal is to change that and to provide insight
  into strategic metrics that serve both individual enterprises and the industry at large. In short, we need to define
  and measure the pulse of protection.
  These dual notions of vital signs—across the market and within enterprise protection programs—have driven the
  Security and Risk Management Strategies team to adopt a number of organizing themes for the year. Although the
  year's field of research and VantagePoint observations will be broader than just these, the team is particularly
  focused on the following critical trends:
   • Metrics for evidence-based security: As mentioned in the previous paragraph, the question is what
     measurements and metrics are critical for enterprise security and the industry as a whole? What should we be
     counting to create proper evidence for evaluating security and communicating to senior management?

   • Network controls: As a security team thinks about some of the controls that provide vital protection within its
     organization, what is the role of the network? How are endpoints playing a role, where should host software
     act, and to what degree should controls be baked into the network infrastructure?

   • Protecting information at the source: With the move away from and beyond simple network controls, how is
     information protected at its source? To what extent has 2007's theme of information-centric security taken
     hold? How are enterprises and vendors pushing forward protection of critical data?

   • “GRC” (from a three-legged race to the three pillars of an organization): The Security and Risk
     Management Strategies team intends to examine organizational issues as well, not just technical ones. A key
     theme is to help an enterprise understand the processes of governance, risk management, and compliance. They
     need to be realistically juxtaposed to a heavily used market buzzword for now and the near future, “GRC.”

   • Going global (adapting to enterprise climate change): Enterprises are expanding as they conduct business
     globally, which is inciting a climate change (and not one related to temperature). Rather, security teams—and
     their risk and compliance management counterparts—must operate in a greater number of jurisdictions, a wider
     number of geographies, and in environments where they possibly have less control than in the past. This
     requires new security management models and new ways of handling technology.


Security Mega Trends
  Significant trends in 2008 span both the general market (and its economic environment) and technologies.


Market Dynamics
  Figure 1 shows an at-a-glance radar screen of significant trends for the security industry. Arrows pointing toward
  the center are active, approaching, and strengthening. Their distance from the center shows whether they are near-
  term or long-term issues. Outward-facing arrows indicate weakening trends: They represent issues that the
  Security and Risk Management Strategies team has observed in the past and whose impact is beginning to wane.
  (Versions of each of these graphics can also be found in slides accompanying the Security and Risk Management
  Strategies TeleBriefing “Security and Risk Management Strategies VantagePoint 2008: Security Vital Signs.”)




  Figure 1: Security Market and General Industry Trends


Economic Environment
  Anyone who picked up a newspaper or listened to the radio in the first part of 2008 knows that the “big R” is on
  everyone's mind: Recession. At the very least, mortgage investment crises and the credit crunch are likely to
  result in an economic slowdown. Investment banking firms such as Goldman Sachs made the first
  pronouncements in the early part of the year. Q1 job cuts and market indicators provided further evidence. The
  failure and bailout of Bear Stearns similarly points to a tenuous economic environment.
  The Security and Risk Management Strategies team has discussed this trend with Burton Group's Executive
  Advisory Program team. (It's worth noting that all Security and Risk Management Strategies clients have access
  to Executive Advisory Program content, which is available at www.burtongroup.com.) The Executive Advisory
  Program team helps give us and our clients a much deeper understanding of what information technology (IT)
  leaders, chief information officers (CIOs), and other executives are looking for and what they need to know in
  terms of trends and issues. Each month, the Executive Advisory Program team prepares a timely “Executive
  Brief.” They also provide high-level perspectives on important topics, such as the impact of virtualization, unified
  communications, security market dynamics, and what to do about “too much information.” The Executive
  Advisory Program team's economic assessment is that, amid turbulent times, CIOs must realize the continued
  strategic importance of IT. Rough times determine whether IT leadership simply serves as an operational hatchet
  carrier (executing staff and expenditure cuts) or as a business innovator.




  That said, typically a slowdown in the economy—and hence the environment for information protection and other
  IT—causes a big change in the way organizations approach projects. This will be a key theme for security teams
  in 2008. It's going to take considerably more time working with executives to justify the types of projects that
  need to push forward throughout the year. It's also likely that large, possibly multiyear or multiquarter strategic
  projects may get put on hold; executives are inclined to put the brakes on them unless staff can offer extremely
  good justification. Instead, tactical automation or smaller projects may be able to move forward. Favoring small
  over large projects may be at odds with other groups in the organization who can press projects to lower costs. A
  case in point is data center colleagues, whose strategic virtualization efforts are funded while security teams'
  projects languish. This is detailed in the Data Center Strategies overview “Let's Get Virtual: A Look at Today's
  Server Virtualization Architectures.” (Some security projects may be insulated, as well. For example, identity
  provisioning solutions that are funded due to a cost reduction in helpdesk resources will likely still push forward.
  See more on this in the Identity and Privacy Strategies Methodologies and Best Practices document “Building the
  Business Case for Identity Management Investment.”)
  Generally, however, security teams need to think heavily about what types of automation and information security
  tools they plan to deploy later in the year. Particularly in the face of possible staff reductions—and the need to
  stretch use of existing staff—some projects may need to be fast-tracked in order to avoid the personnel burnout
  sometimes seen during down years. It will also be necessary to put in place critical controls and automation that
  otherwise might get delayed. No regulator is inclined to say, “We understand it's an economically challenging
  time, so we'll reduce your audit burden.”


Offshoring and Outsourcing
  Security teams also have to be mindful that senior managers are very keen to reduce labor costs through
  outsourcing. The dynamic is a little different this year because of the status of the U.S. dollar compared
  to some other currencies. Even so, outsourcing does tend to be a knee-jerk response during a
  slowdown; managers think about how to tap possibly lower-cost providers for non-core competencies.
  A security team might not outsource its specific functions (e.g., monitoring and perimeter defense), but the staff
  will be on the hook to ensure that controls—whether they're technical, managerial, contractual, or so on—are
  properly executed. The implication is that a business loses direct control of certain resources and processes; the
  tradeoff is efficiencies or labor cost reductions that provide overall value. However, security and audit groups
  must ensure that harm doesn't befall an enterprise through failures caused by outsourcing. Therefore, ongoing
  assessment is an important part of the equation.


SaaS and Security as a Service
  Although many security groups haven't taken the plunge to seriously outsource protection functions, 2007 market
  activity saw vendors gearing up for this very thing. More of the same is likely to occur throughout 2008 and
  beyond. The first wave of this trend is adding protection within traditional software as a service (SaaS) vendor
  portfolios. Specifically, SaaS is a major industry trend, and it's prompted interest in (or, frankly, recognition of)
  the need to enhance the controls within those environments. Verizon's acquisition of Cybertrust and Google's
  acquisition of Postini (and GreenBorder Technologies) provide evidence of this. Interest in protecting the SaaS
  environment is obvious, particularly as enterprises think about increased adoption of such tools.


Quieter Threats: The Web as the Premiere Attack Platform




  Noisy worms and viruses are a thing of the past. That is, attacks are much less likely to occur with loud fanfare.
  Malicious software (malware) creation and penetration is not about “cracker reputation” anymore; it's about the
  money. Therefore, the threats seen by intelligence services come from well-funded, motivated adversaries, such
  as organized crime and even nation states themselves. This trend is not unique to 2008—it's something observed
  over the last several years. But clients have recently reported that the degree of subtlety and viciousness of
  targeted attacks is considerably greater than the trade press writes about or is even aware of (see “Financial
  Services Roundtable Promotes Information Sharing” at srmsblog.burtongroup.com/2008/03/financial-servi.html).
  From a technology standpoint, the reality is a need for behavioral detection rather than signature-based
  mechanisms. Even better is whitelisting known-good behavior. This position is eloquently advocated by Marcus
  Ranum in the “Enumerating Badness” section of his essay “The Six Dumbest Ideas in Computer Security.”
  In concert with custom attacks as a changing attack vector, the general user-system vulnerability is unlikely to be
  exploited by an e-mail-borne program. Instead, it's likely to be compromised via the Web. Once again,
  whitelisting and behavioral techniques are worthwhile investments to protect endpoints. But many enterprises are
  refactoring their web security environments; the problem has evolved well beyond acceptable-use enforcement.
  It's now critical to protect users when they browse external sites, given the deeply embedded and virulent attacks
  found on even commonly accessed webpages. This perspective is elucidated in the Security and Risk Management
  Strategies report “Web Filtering: Completing the Evolution from Acceptable-Use to Serious Malware Defense.”
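To make the contrast between "enumerating badness," behavioral detection, and allowlisting known-good behavior concrete, the following is an added example (not code from the report or from Burton Group). It runs three verdict functions over a handful of constructed process-start events: a signature check against a denylist of known-bad hashes, one behavioral rule (a browser spawning a process that writes to an autostart location), and an allowlist of known-good executable hashes. All hashes, image names, and events are made up for illustration; the point is that a repacked variant with a new hash slips past the signature check but not the other two, while the allowlist also blocks a legitimate but not-yet-approved updater, which is the maintenance cost of that approach.

```python
"""Added example: signature denylist vs. behavioral rule vs. allowlist.
All hashes and events below are constructed for illustration only."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class ProcessStart:
    image: str            # executable file name that started
    sha256: str           # hash of the executable on disk
    parent: str           # image name of the parent process
    writes_autostart: bool  # did it write to an autostart/persistence location?


def constructed_hash(label: str) -> str:
    """Stand-in for a real file hash; derived from a label so the example is deterministic."""
    return hashlib.sha256(label.encode("utf-8")).hexdigest()


# Signature approach: enumerate badness. Only the first dropper build is known.
KNOWN_BAD = {constructed_hash("dropper-build-1")}

# Allowlist approach: enumerate goodness. Only approved binaries may run.
KNOWN_GOOD = {
    constructed_hash("browser.exe"),
    constructed_hash("explorer.exe"),
    constructed_hash("notepad.exe"),
}

BROWSERS = {"browser.exe"}


def signature_verdict(ev: ProcessStart) -> str:
    """Block only if the hash matches a known-bad signature."""
    return "block" if ev.sha256 in KNOWN_BAD else "allow"


def behavior_verdict(ev: ProcessStart) -> str:
    """Block on suspicious behavior: something spawned by a browser that
    immediately sets up persistence. Independent of the binary's hash."""
    if ev.parent in BROWSERS and ev.writes_autostart:
        return "block"
    return "allow"


def allowlist_verdict(ev: ProcessStart) -> str:
    """Block anything that is not explicitly approved."""
    return "allow" if ev.sha256 in KNOWN_GOOD else "block"


# Constructed events: a benign editor, the known dropper, a repacked variant
# of the same dropper (new hash, same behavior), and an unapproved but
# legitimate updater launched by the browser that does not persist.
EVENTS = [
    ProcessStart("notepad.exe", constructed_hash("notepad.exe"), "explorer.exe", False),
    ProcessStart("invoice.exe", constructed_hash("dropper-build-1"), "browser.exe", True),
    ProcessStart("invoice.exe", constructed_hash("dropper-build-2"), "browser.exe", True),
    ProcessStart("updater.exe", constructed_hash("vendor-updater"), "browser.exe", False),
]


def evaluate(events):
    """Return (image, signature, behavior, allowlist) verdicts per event."""
    return [
        (ev.image, signature_verdict(ev), behavior_verdict(ev), allowlist_verdict(ev))
        for ev in events
    ]


def missed_by_signature(events):
    """Events the signature check allowed but both other approaches blocked:
    the variants that 'enumerating badness' cannot see."""
    return [
        ev.image
        for ev in events
        if signature_verdict(ev) == "allow"
        and behavior_verdict(ev) == "block"
        and allowlist_verdict(ev) == "block"
    ]


if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print("%-12s signature=%-5s behavior=%-5s allowlist=%s" % row)
    print("missed by signature only:", missed_by_signature(EVENTS))
```

Reading the table the block prints: the first dropper build is caught by all three approaches, the repacked build is caught by the behavioral rule and the allowlist but not by the signature, and the updater is allowed by signature and behavior but blocked by the allowlist until someone approves its hash. That last row is why allowlisting works best where the set of approved software is small and actively maintained.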
  Generally, Burton Group's advice for countering these threats—the increasing number of incoming web-
  based attacks and quiet, targeted attacks—is to get together with local law enforcement and federal law
  enforcement. Organizations like the FBI's InfraGard were formed for this purpose; it's important to communicate
  with them about what you're seeing and to understand what information they can provide to you. The problem is
  that the Security and Risk Management Strategies team has gotten some reports that U.S. federal government
  agencies aren't always sharing with enterprises in the ways that we would hope them to. For example, the
  Department of Homeland Security's Cyber Storm exercises in 2006 and 2008 had scant private-sector
  involvement (see “The National Cyber Exercise” at srmsblog.burtongroup.com/2008/02/the-national-cy.html).
  Despite this, it's still a recommendation to engage with authorities so that such groups understand how important
  this information (and the lines of escalation) is to the whole industry. Beyond an involvement with law
  enforcement, participating in third-party groups such as the Forum of Incident Response and Security Teams
  (www.first.org) can be worthwhile.


Risk Management
  Governing an enterprise should be characterized by roundtrip management: pushing policies down from executive
  ranks and pulling feedback up from the staff. An important element of roundtrip management is understanding the
  risks that an enterprise is taking and how such risks are being managed. This broader perspective of risk isn't
  limited to IT. In addition to security domains, it includes operational domains, financial domains, manufacturing
  domains, and many others brought to an organization-wide view. Burton Group has long referred to this as
  business risk management; the industry sometimes uses the term enterprise risk management.
  One of the motivations for enterprise risk management is the changing audit landscape, particularly with regard to
  the Sarbanes-Oxley Act (SOX). For many years, organizations have complained that auditors were descending
  with prefabricated checklists in order to assess SOX compliance. Auditors had little regard for the specific risk
  management choices made by management. The Public Company Accounting Oversight Board (PCAOB)
  recognized this as counter to the spirit of SOX and created Audit Standard 5 in response. “An Audit of Internal
  Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements” is a mouthful, but its
  desired effect is enterprise risk management. The audit community, vendor solutions, and organizational risk
  managers are all responding to the change.
  This topic is discussed more deeply in the “Governance, Risk Management, and Compliance” section of this
  VantagePoint overview.


Technology Dynamics

  Figure 2 shows the radar screen for significant technology trends in security.




  Figure 2: Security Technology Trends
  The discussion of technology trends aligns nicely with the Reference Architecture root template “Information
  Security Technology Model”:
   • Technical policy management, control, and feedback: Organizations struggle with complex, fragmented,
     and proprietary environments as vendors attempt to simplify through suites and to spin myths of “GRC.”

   • Systems and storage (including data center environments): Servers and the locations in which they reside
     are becoming increasingly virtualized and dynamic. In fact, the guiding theme for Strategies tracks at Catalyst
     Conference is building the dynamic data center.

   • Network (and perimeter layers): Many organizations are pushing the increased use of endpoint controls;
     security zones are becoming more logical than physical, and firewalls are retreating toward core data center
     assets. The double-headed arrow indicates that some enterprises seek to replace network controls with endpoint
     mechanisms, while others try to further increase network-based controls like admission health checks.

   • Applications: New ways to work—including rich application environments, mobility, and user-contributed
     content—are causing an explosion of collaboration.

   • Operating system: Virtualization is creating new zoning headaches, protection opportunities, and innovation
     (or disruption) in the security market. Windows Vista and Server 2008 are on their way and will have an impact
     on much of the IT landscape. Smarter, more powerful mobile devices in the hands of users cause demands to
     open more enterprise services while leaving questions of protection adequacy.

   • Information layers: Data is finding its way toward common repositories and content types: database
     management systems (DBMSs) and Extensible Markup Language (XML). More attention is being focused on
     key management technology and data governance processes.


Virtualization




  Examining lower levels of infrastructure—such as servers and storage, endpoints and hosts, and systems that are
  being aggregated in sites like the data center—one sees a tremendous interest in virtualization and dynamism.
  That is, computing capabilities are being spun up and spun down as needed. The set of servers operating at noon
  may be completely different from the set running at midnight, due to changing capacity requirements, power
  savings, and so forth. Or, given geographic load requirements, servers handling the bulk of transactions in North
  America might switch to Europe or Asia at other times of the day. Similarly, individual storage arrays may only
  come online when particular information is required.
  One of the resultant issues, of course, is that highly dynamic infrastructure is less predictable. One client
  observed, “How do I protect a compute resource that's a print server one moment and a general-ledger reporter the
  next?” (Of course, things haven't yet gotten this dramatic, but it illustrates the potential issue.) Unpredictability
  can lead to serious problems of protection. Risk assessment and mitigation are based on knowing the general
  characteristics of systems—and these may no longer be givens.
  Related concerns about protection within server and host virtualization are detailed in the Security and Risk
  Management Strategies overview “Attacking and Defending Virtual Environments.” Once again, these are new
  horizons for security teams, and because industry knowledge is limited, predictability and proper protection are,
  too. Clients will be grappling with questions about commingling servers with different risk levels on the same
  host—which the Security and Risk Management Strategies team recommends against—or how to enforce zone
  boundaries within the virtual system.
  However, the virtualization train has left the station and is in the data center where it is starting to have an
  increasingly disruptive effect on the IT security technology market. Network security tools now need to have
  components on virtual networks as well as physical ones, if they want to enable visibility of all host-to-host traffic
  and support internal data center zoning. VMware has launched a VMsafe security framework and partnering
  initiative, enabling partners to run “virtual software appliances” integrated with their platform. As hypervisor
  security improves, the virtual software appliance may emerge as a reasonable policy enforcement point for
  endpoint (client and server) security and a viable and more flexible zoning approach inside the data center.
  Security teams must be in conversation with data center and server management folks to understand the impact of
  virtualization. It's something that the Security and Risk Management Strategies team has been doing and will
  continue to do in 2008 and beyond.


Network-Centric Security
  Within the network layer, a seemingly contradictory (or arguably, complementary) set of trends is underway.
  First, enterprises are experiencing a simultaneous push toward and away from network-based controls. In an
  increasingly mobile world, endpoint controls are incredibly important for understanding the health of systems and
  whether users are treating information properly. A key theme of the Network and Telecom Strategies discussion at
  Catalyst Conference in 2008 is everything wireless. One response to pervasive wireless and mobile systems is
  stronger protection nearer to where information lives.
  At the same time, however, evidence shows security zones pulling to the core of enterprise networks, with a focus
  on protection within the data center environment via network mechanisms. Zoning within these large sites
  reiterates the importance of network-based controls. As one client stated, “No one is throwing away the enterprise
  firewall.” In many cases, organizations cannot deploy host controls to certain systems—for example, regulated
  medical devices. Such unchanging systems require protection baked into the network.


Applications Driving New Ways to Work




  Within the application layer, users are working in new ways—employing rich Internet applications and an
  explosion of collaboration tools, such as instant messaging, wikis, and—of course—Web 2.0 architectures, which
  bring much more user participation and collaboration in content creation. This isn't a 2008-exclusive trend; the
  Security and Risk Management Strategies service published an overview on the topic in 2007 entitled “Securing
  ‘Web 2.0' Technologies.” But adoption and uptake are steamrolling, which means that security teams must
  reconcile the need to share with the need to protect in this intense collaboration environment. A first step is to
  reach out to enterprise collaboration counterparts to understand initiatives underway and reconcile organizational
  policies.


Windows Server 2008: Let the Planning Begin
  On the operating system (OS) front, Windows Server 2008 is clearly coming and will have a significant impact.
  Deploying this new Microsoft offering will have security implications, although adoption by an enterprise will be
  driven more by data center personnel and server managers than security teams. In many cases, decisions will be
  made in 2008, but actual deployments won't happen until 2009 or later. Security teams need to understand
  architectural approaches to ensure the platform serves organizations well from an information protection
  standpoint. For example, the Read-Only Domain Controller feature of Active Directory provides exciting
  potential for improved integrity protection, providing it is deployed as part of a broader strategic architecture.
  Operationally, varying installation profiles might make good on Microsoft's promise that the OS will be “secure
  by default/in deployment.” For example, the “server core” installation option represents only a quarter of the code
  from a full installation—this should reduce the OS attack surface. However, the first half of 2008 is still too soon
  to understand the implications of Windows Server 2008 security. The devil will be in the details of
  experience—the weaknesses exposed over time and in real deployments. The Data Center Strategies report
  “Windows Server 2008: To Upgrade or Not to Upgrade?” elucidates decisions that are being considered by server
  management teams.


A Changing Information Landscape
  Finally, within information layers themselves, data management is evolving. Enterprises are making kings of
  DBMSs for ubiquitous storage of data and XML as a file format. A huge variety of content is consolidated inside
  databases, whether we realize it or not. This includes e-mail archives, content management repositories, identity
  stores, and filesystem metadata. At the same time, a prodigious upswing in XML formats is underway, which
  brings contextual information that can help guide protection decisions, but also brings richer content types whose
  interpreters can introduce vulnerability.
  On one hand, the rise of the DBMS is hopeful, because it's conducive to fewer moving parts and (hopefully)
  encourages consistent application of security policy across stored data locations. On the other hand, security
  groups must be keenly aware of the requirements to secure these complex resources. The Security and Risk
  Management Strategies report “Document Management Security: Not Receiving the Scrutiny It Should” points
  out that vendors often leave gaps in underlying storage layers; the same is sometimes true for DBMS products. It
  will be important for security groups to understand the underlying security model of databases and how to limit
  the rights and responsibilities of database administrators (DBA), apply encryption when needed, and so forth.


2007 in Review
  The Security and Risk Management Strategies team covered a number of key themes and trends in last year's
  VantagePoint overview, which also drove research throughout 2007. It's worth asking the question: What were
  those themes and how did they fare?
   • Proactive security approaches are essential to escape the ineffective, reactive loop and increase the
     effectiveness of information security practices.




   • De-perimeterization drives the need for distributed control points and requires careful consideration of the
     network's role in security.
   • OS security is generally improving, but new endpoint protection approaches are needed as users and
     applications remain vulnerable.

   • An information-centric security focus brings a different view to architecture and demands more sophisticated
     protection mechanisms.

   • Expect more bite and less bark from regulators as organizations reach for a more sustainable, automated
     approach to compliance.
  Each of the following sections describes how the trend unfolded throughout the year and whether the signal-to-
  noise ratio within the industry and Burton Group's coverage was strong, medium, or weak.


Proactive Security



  In the VantagePoint 2007 overview, a core Security and Risk Management Strategies theme was proactive
  security: addressing risks earlier in the IT lifecycle so as to prevent or deter problems in advance rather than
  getting caught flat-footed by incidents or having to conduct expensive remediation.
  The Security and Risk Management Strategies team saw a certain amount of improved proactivity in security
  technologies, including increased emphasis on behavioral blocking in anti-malware, database security, identity
  audit, and other areas. Some vendors and application development groups improved the security of their
  development practices. In addition, a more strategic approach to compliance and audit through judicious use of
  automation, tools, and process re-engineering is increasingly being taken.
  However, many tools and applications are still developed without good security practices, and many clients
  continue to operate their security programs in fairly reactive modes. Security vendors are still struggling to make
  the shift from signature-based malware detection on the client to providing behavioral protection and full
  spectrum defense (across multiple infrastructure layers) against the rising tide of stealthy, targeted, and criminally
  motivated attacks. This is an area where the industry needs to keep working, and it represents a medium signal-to-
  noise ratio.


De-Perimeterization



  De-perimeterization turned out to be a rather strong trend. By de-perimeterization, the Security and Risk
  Management Strategies team means the process through which an enterprise firewall becomes less effective as a
  single point of control due to a more mobile workforce, partnering, telecommuting, wireless access, and
  distributed applications. The implications of de-perimeterization are twofold: hard-crunchy-shell/soft-chewy-
  center security models are untenable, and controls must be driven more broadly throughout the
  infrastructure—not only within network control points, but into endpoints, repositories, and possibly content
  itself.




  It's clear that de-perimeterization continued to press forward in the industry. Clients generally recognize that
  security models based on a single perimeter underestimate insider threats and other dangerous attacks.
  Although—in the short term—the trend didn't lead to endpoints becoming vastly more secure, it did lead to
  increased investment in other network controls to try to shore up the effectiveness of security zones at distributed
  sites.


OS Security



  OS security turned out to be a weaker trend than expected in 2007. The Security and Risk Management Strategies
  team covered the emergence of Vista, and certainly, that's an important trend in the industry. But migration at the
  enterprise level has been fairly slow—more of an evolution than a major disruptive trend. The industry seems less
  focused on the inherent security in the OS (which we know to be problematic) and is paying more attention to
  augmenting OS protection, including through security response capabilities. At Catalyst Conference North
  America, the two standout discussions in the OS security track were “Death, Taxes, and Imperfect Software:
  Surviving the Inevitable” and “Raising Server Operating System Security to the Compliance Standard: A Case
  Study.” Interestingly, given the lighter treatment of client OS security and greater concern in the server security
  space, this year's emergence of Windows Server 2008 may strengthen the overall signal-to-noise ratio for OS
  security.


Information-Centric Security



  Information-centric security is becoming increasingly important to vendors and enterprises alike, and in 2007 it was
  certainly significant enough to warrant a medium signal-to-noise ratio. By information-centric, the Security and Risk
  Management Strategies team means the tendency for security mechanisms to get closer to the information itself
  and the need for security teams to look at the business uses and risks surrounding information—first by
  establishing clear policies and then by using tools and processes to enforce those policies. Continued focus on
  information use control and protection at many layers is an important trend—driving a growing market for
  content filtering, encryption, rights management, content management, and related tools. As a result, the theme is
  continued in the “Data Security” section of this VantagePoint overview.


Compliance



  Unsurprisingly, compliance continued—and continues—to be a tremendous driver for information protection. It
  was a very strong trend in 2007 as regulatory mandates expanded and as enterprises and vendors put more and
  more energy (and money) into compliance programs and tools. Emphases changed, however. SOX was less a
  focus, because many organizations had multiple audit years under their belts, while Payment Card Industry Data
  Security Standard (PCI DSS) deadlines had many enterprises scrambling to implement its rather prescriptive
  requirements. In addition, U.S. breach disclosure acts caused an ever-tighter linkage between organizational
  responses to compliance and information-centric security practices.


  This trend isn't going away. Therefore, it's addressed further in the “Governance, Risk Management, and
  Compliance” section of this VantagePoint overview.


Vendor Activities
  As part of assessing last year's trends, the Security and Risk Management Strategies team noted some key
  activities by vendors in each of the thematic areas:
  Network vendors:
   • Internet service providers (ISPs) are improving security, but they must confront the increasing numbers (and
     rising virulence) of botnets and infrastructure risk.

   • Many security gateways add value, but they also raise the specter of clogging networks.

   • As global footprints expand, and the technical sophistication of attacks increases, a growing role exists for
     network intelligence services and other managed security service providers (MSSPs).
  Application and platform vendors:
   • Platform vendors increased their efforts in security with mixed results. in particular offers better security than
     XP in managed environments where it can be deployed properly, but unmanaged environments (individuals,
     most small and medium-size businesses [SMBs], and some enterprises) will continue to fare poorly against
     attacks. Mac, Linux, and UNIX continue to have some attractive security properties but are not nearly as
     widely deployed as Windows.

   • Most users are not equipped with endpoints whose security is adequate for medium- and high-risk scenarios
     (e.g., those risks that could cause significant or business-ending catastrophic damages or loss of human life).
     Properly deployed, National Security Agency (NSA)-approved Linux (such as ) and UNIX variants (such as
     Trusted Solaris and Virtual Vault HP-UX) may be adequate for medium surety.

   • Application vendors are largely going about business as usual; the one exception is the DBMS market, in which
     providers are cognizant of their increasing role as the mother of all repositories (as mentioned in the “A
     Changing Information Landscape” section of this VantagePoint overview).
  Content security vendors:
   • Microsoft Windows Live OneCare and Forefront Client Security were fully operational in 2007. Although
     expected to turn up the heat on other anti-malware vendors, the solutions fared poorly in anti-malware tests and
     functional comparisons with other products.

   • Improved malware protection became the first in a phalanx of emerging Microsoft security tools, making it an
     important protection player beyond the platform.

   • Enterprise content management solutions took a central position in many organizations, and SharePoint
     stimulated a considerable part of the interest.

   • The market continued to seek an equilibrium point, striving to balance greater platform (and OS) security with
     add-on security vendor solutions.
  Security management vendors:
   • After acquisitions or mergers, companies consolidate relatively quickly, but their products can take three years
     or more to see realistic integration.

   • Identity management is seeing some standardization.




   • Technical security policy provisioning and event standards are still needed: Every solution uses a proprietary,
     siloed set of tools.
  Risk management (both technical and organizational) vendors:
   • Vulnerability management products continued to get smarter, adding significant features to further realize the
     goal of technical security policy management.

   • Major vendors produced nascent “compliance dashboards”—but the functionality tended to be very limited.


Metrics for Evidence-Based Security
  Figure 3 shows the radar screen for security metrics.




  Figure 3: Security Metrics Goals and Trends
  The goal of metrics is to drive a security program from an evidentiary standpoint. Practitioners can learn a lot by
  considering the state of security and the state of society today.
  Considerable work is being done in the field of behavioral economics, and a good starting point is the book
  Freakonomics: A Rogue Economist Explores the Hidden Side of Everything by Levitt and Dubner (2006). One
  might argue that it's pulpy stuff on the superficial side, but it also represents significant underlying academic
  work. Researchers are collecting data from utility curves, consumer preferences, and other evidence suggesting
  that the way humans behave is quasirational. That is, in game-theoretical scenarios, actors don't always select the
  optimal solution.
  Metrics in the security space offer an opportunity to look for optimal solutions, even in the face of control
  frameworks, personal preferences, and best practices (none of which is wholly objective). Without a more
  objective basis for discussion—such as the actual counting of critical elements of protection—security teams can
  debate the nature and types of controls until they're blue in the face. And often, in the end, they will not have a
  confident, rational understanding of their choices.
  Senior Analyst Pete Lindstrom relates participating in a roundtable in 2007 in which senior security folks were
  suggesting that they needed three to five years to implement their particular security programs after joining their
  companies. Pete wondered how, if the IT resources are the same and, presumably, an organization's risk tolerance
  levels are the same (or at least very similar), there could be so much variance as to require three to five years of
  work to get something called the “program” in place. A fundamental problem is that people define
  good security in different ways. At some point, the practice needs to provide more evidence to weed out programs
  that aren't necessarily strong and thereby obtain a better (more rational) sense for what is secure and what is not.


  What does this mean? The goal is to evolve from security being an art form and move toward it being much more
  scientific in order to ensure that evidence supports the claims security teams (and vendors) are making. In concert
  with the notion of aligning IT with business, the ability to speak concretely and numerically about information
  protection will make security groups much more appreciated in the business and, as a result, persuasive in their
  requests to senior staff.
  Another objective for metrics-based approaches is that of weeding out a typical but ineffective tactic:
  management by exception. Many organizations essentially assume that they have a secure environment until an
  incident occurs. So, the chant goes, “We're secure, secure, secure,” then, “Incident! Insecure!” In such a case, the
  assumption that the organization was secure in the first place wasn't well founded. But on the other hand, an
  isolated incident doesn't necessarily indicate an abject failure of protection, either. Exception is not the key;
  objective, ongoing measurement is.


Quantifying Risk and Controls
  But what should be measured? One example is shown in Figure 4.




  Figure 4: Naturally Occurring Events in E-Mail Can Provide Frequency Statistics That Serve a Metrics Program
  Until security teams understand the frequency of particular transactions occurring in their environments, they will
  be hard-pressed to measure forms of success—or failure—over time. Although this VantagePoint overview isn't
  advocating e-mail as the starting point for a metrics program, it does illustrate the point. Consider the total
  number of e-mail messages handled by an organization over the course of a year. These messages generally flow
  through a tree as shown in Figure 4. Some number of both legitimate and unwanted messages is controlled or
  uncontrolled. That is, they flow through an explicit programmed course, or they “slip through.” And even when
  controlled, some messages aren't handled correctly. By adding up numbers from various branches in the tree, an
  organization starts to establish raw numbers around “coverage” (those messages that followed a control path),
  “control effectiveness” (legitimate messages that were delivered and illegitimate ones denied), “residual risks”
  (messages that caused false positives or negatives), and so forth.




  One might ask the question, “Is this truly risk measurement?” And the answer is, “Not yet.” Such an approach
  may be predictive in the future, but neither individual enterprises nor the industry in total has gathered enough
  data for comparative purposes. But if we borrow from the fields of epidemiology and clinical healthcare, we'll see
  an approach to risk quantification that's similar to the above. For example, taking aspirin decreases a patient's
  chance of heart attack by X%. The reason doctors know the percentage is through prevalence and incidence
  data—historical data—that observes longer-term trends and is complemented with controlled studies to evaluate
  the difference with and without aspirin.
  The way security groups can measure control effectiveness, then, borrowing heavily from healthcare, is by
  looking at sensitivity and specificity data: true positives, true negatives, false positives, and false negatives. By
  establishing an objective measure for evaluating risk, all enterprises will be better off in the security space
  because they can demonstrate how relatively strong or weak programs have been. In time, the security industry
  should be able to state, “deploying such-and-such a filter will decrease illegitimate e-mail by X%.”
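As an added worked example (not code from the Burton Group overview), the following Python walks constructed message records down the Figure 4 tree and derives the figures named above: coverage, control effectiveness, sensitivity, specificity, and residual risk. The record fields (legitimate, controlled, delivered), the sample counts, and the convention that unwanted mail is the positive class are assumptions made for the illustration.

```python
"""Tallying an e-mail control tree into coverage, effectiveness, and
sensitivity/specificity figures.

Added illustration, not code from the Burton Group overview. The message
records are constructed; the field names and the "positive class = unwanted
mail" convention are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Message:
    legitimate: bool  # ground truth: was the message wanted?
    controlled: bool  # did it traverse an explicit control path (a filter)?
    delivered: bool   # final outcome: did it reach the mailbox?


def tally(messages: Iterable[Message]) -> Dict[str, int]:
    """Walk each message down the tree and count the leaf it lands in.

    Positive class = unwanted mail (what the control is meant to deny):
      TP: unwanted and denied      FN: unwanted but delivered (slipped through)
      TN: wanted and delivered     FP: wanted but denied (lost legitimate mail)
    Uncontrolled messages never met a control, so they are counted separately
    rather than folded into the confusion matrix.
    """
    c = {k: 0 for k in ("total", "controlled", "uncontrolled", "tp", "tn", "fp", "fn")}
    for m in messages:
        c["total"] += 1
        if not m.controlled:
            c["uncontrolled"] += 1
            continue
        c["controlled"] += 1
        if m.legitimate:
            c["tn" if m.delivered else "fp"] += 1
        else:
            c["fn" if m.delivered else "tp"] += 1
    return c


def _ratio(num: int, den: int) -> float:
    # An empty branch yields 0.0 instead of a ZeroDivisionError, e.g. a
    # reporting period in which no unwanted mail arrived at all.
    return num / den if den else 0.0


def metrics(c: Dict[str, int]) -> Dict[str, float]:
    """Derive the figures the text names from the leaf counts."""
    return {
        # share of all messages that followed a control path
        "coverage": _ratio(c["controlled"], c["total"]),
        # controlled messages handled correctly (wanted delivered, unwanted denied)
        "control_effectiveness": _ratio(c["tp"] + c["tn"], c["controlled"]),
        # sensitivity: fraction of unwanted mail the control actually caught
        "sensitivity": _ratio(c["tp"], c["tp"] + c["fn"]),
        # specificity: fraction of wanted mail the control correctly let through
        "specificity": _ratio(c["tn"], c["tn"] + c["fp"]),
        # residual risk as the text defines it: false positives and negatives
        "residual_risk": _ratio(c["fp"] + c["fn"], c["total"]),
    }


# Constructed sample: (legitimate, controlled, delivered) for ten messages.
SAMPLE: List[Message] = [Message(*t) for t in [
    (True, True, True), (True, True, True), (True, True, True), (True, True, True),  # TN x4
    (False, True, False), (False, True, False), (False, True, False),              # TP x3
    (True, True, False),   # FP: a wanted message was blocked
    (False, True, True),   # FN: an unwanted message was delivered
    (False, False, True),  # uncontrolled: never met a filter
]]


def report(messages: Iterable[Message] = SAMPLE) -> Dict[str, float]:
    """Print and return the metrics for a batch of messages."""
    m = metrics(tally(messages))
    for name, value in m.items():
        print(f"{name:>22}: {value:.2f}")
    return m


if __name__ == "__main__":
    report()
```

Run over the constructed sample, coverage is 0.90, control effectiveness 7/9, sensitivity 0.75, specificity 0.80 and residual risk 0.20. The uncontrolled branch is deliberately kept out of the confusion matrix: a message that never met a filter says nothing about the filter's accuracy, only about coverage, and mixing the two is a common way such figures get inflated.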


What to Count for Security Management
  Security programs need to be managed in the same way that departments—human resources, legal, finance, and
  so forth—are managed. That is, look at resource allocation (in terms of people, time, and money) throughout a
  security program in order to be as efficient and effective as possible. It's untenable to argue that security isn't
  striving for some combination of efficiency and effectiveness that provides a risk-optimal security program. (By
  the way, it's important to note that the phrase isn't necessarily risk minimal. Be mindful that some enterprises are
  just going to be a little more tolerant of risk than others, depending on the industry, the nature and type of
  organization, and senior management personalities.)
  Although risk is one of the key outputs that may differ from other departments' measurements, security team
  inputs are quite similar. These include:
   • Time: How many hours per day and months per year are various tasks and activities taking place?

   • Resources: What number and size of objects are under our control—user accounts, systems, applications, and
     so on?

   • People: How many people make use of the IT environment? How many IT support and administrative
     personnel serve this user population?

   • Financials: What is the aggregate salary and bonus paid to security practitioners? What are the consulting,
     hardware, software, maintenance, and other hard costs in the annual budget?

   • Usage: How many network flows, e-commerce transactions, user sessions, and so forth take place daily,
     monthly, and annually? How many controls are in place for this aggregate number of transactions?


Objections to Metrics
  Past Security and Risk Management Strategies team experience with security metrics suggests that plenty of
  people will howl in protest to their use. In keeping with a popular film of 2008, one might say, “there will be
  blood.” That is, any number of professionals will argue and dispute the methods, meaningfulness, and magnitude
  of every imaginable metric. They will come up with reasons why metrics are too complex; or, if not that, why
  metrics are too simplistic. Typical objections to the use of metrics refer to:
   • Difficulty in technical execution
   • Issues of scale
   • Deciding on a reference class
   • Connecting “all the dots”
   • Frequency of events


  But it's important to think of these security vital signs more as a starting point than an end game. In fact, these
  fledgling metrics-gathering exercises are intended to point out what is or isn't a vital sign. The more people
  worry about the scalability of, and the opportunity for, collecting metrics, the more likely we are to fail
  industry-wide in our initiatives. In short, the proposal to use an epidemiological model for security metrics is
  rooted in simply learning about our environments. Observe and measure until we can come to further conclusions
  and process the data to help us understand what's effective and what isn't. Obstacles abound, no doubt about it.
  Don't let them thwart your efforts.


The Road Ahead
  For 2008 and beyond, let's move security practice from an art into a science. An excellent role model is Bill
  James—described in Michael Lewis's book Moneyball: The Art of Winning an Unfair Game (2003)—whose use
  of statistics in baseball was visionary. Burton Group's desire is to pattern security on the way Bill James
  sought to change baseball from an art into much more of a science, and on the way Billy Beane applied that science
  with the Oakland Athletics at the turn of the century to make the team more effective.
  The desire is for security teams to evaluate protection programs based on overarching controls, not single
  incidents. It's a huge hurdle to overcome, admittedly. Generally, enterprises have no tolerance for any specific
  incident. Throughout 2008, Burton Group will work hard to elucidate a strategic metrics program. In addition,
  we'll be delivering top-ten strategic security metrics to help clients understand what needs to happen at the
  strategic level to objectively measure their environment. Finally, the goal is to establish key performance
  indicators for the various programs and products that security professionals put into place to make their programs
  more efficient and effective.


Evolving the Role of Network Controls
  Figure 5 shows the radar screen for trends in network controls.




  Figure 5: Trends and Issues in Network Access and Network Controls
  In order for a patient to have strong vital signs, underlying health must be in order. The same holds for
  enterprises. In order for an organization to have strong vital signs, it must focus on some fundamental policy and
  technology areas. One of these, of course, is network control.
  In the past, organizations commonly used network zoning and hard perimeters to try to control what's going on in
  their networks—surrounding vital resources with various protective mechanisms. But as business has changed,
  and because of the new dynamic nature of business, such hard perimeters and static zones really aren't the right
  tools to provide the necessary protection. Alone, they simply don't suffice.


  Many reasons account for this change. Employees travel widely, and their traffic originates from many different
  places. Enterprises may need dynamic ports to be open on firewalls, which typically must be accommodated by
  (slow) change control processes. Or, in an age of increased accountability and transparency to outsiders—such as
  our auditors—security teams may need to know more than that some traffic came from a particular IP address.
  Instead, they really want to know who was behind the generation of that traffic. As a result, identity is becoming
  much more important in network controls.
  2007 saw an upsurge in marketing around NAC—which may mean network access control, network admission
  control, or yet something else depending on who's using the term. 2008 might see a slight de-emphasis of the
  NAC message, but the technology continues to be important. However, one thing the Security and Risk
  Management Strategies team has been able to identify is that the NAC products peddled in the market don't provide
  a complete solution; in other words, they require a large supporting cast.
  Burton Group talks about supporting casts in terms of encryption, but in the case of NAC, the concept expands:
  Understanding who's connecting to a network requires knowledge of endpoint characteristics; applying policy to a
  connecting system requires knowledge of policy and the identity of the individuals using the host; and making
  changes on an endpoint so that it conforms with organizational mandates requires managed systems and a
  knowledge of enterprise assets.


Changing Drivers for Network Control
  Although guest access to networks has always been an important, albeit tactical, driver for improving network
  access, enterprise needs have expanded well beyond the requirement to grant a visitor Internet access in a
  conference room in order to make a presentation. Similarly, as malware propagation became an increasing
  network problem, security teams shifted focus from tactical problems—such as responding to the latest
  worm—toward a more strategic examination of overarching malware problems. The question became, “What
  responses and controls will remedy the systemic problem?” In a world of quieter, targeted attacks, this becomes
  all the more important.
  Moving beyond malware, organizations are motivated by increased needs for audit. They're questioning the
  appropriate network monitoring to help track access and prohibit access of unauthorized individuals to sensitive
  systems, be they financial or other critical business activities. Is it likely that future regulation will prescribe
  particular network controls—be they preventive or detective? Some are already in place. Organizations grappling
  with PCI DSS observe that certain types of network controls—firewalls and intrusion detection and prevention
  systems, for example—are already mandatory. Will we see additional regulations that require additional network
  controls or zone access restrictions? It's likely, and the Security and Risk Management Strategies team will
  continue to track this throughout the year.


Options for Implementation: Overlap and Confusion
  The options for implementing all types of network controls abound. Security teams have already deployed a
  panoply of devices: firewalls, router and switch blades, intrusion detection/prevention solutions, and early NAC
  products. In some cases, Security and Risk Management Strategies clients have deployed whole new architectures
  surrounding networks—to improve zoning, monitoring, or other protection goals. Organizations looking to
  enhance network protection face the problem of overlapping marketing claims and capabilities in all these various
  products.
  For example, many of the NAC products that came on the market in the last 18 months look very similar to
  intrusion detection or prevention systems. Moreover, endpoint health check functions have look-alikes in virtual
  private network (VPN) technologies. The value proposition for a stand-alone NAC solution may be in question.
  Or perhaps more accurately, the definition of NAC is at issue. NAC is really a feature of a total network security
  architecture in which a variety of controls work together to achieve drivers discussed in the previous section.




  The market is recognizing this. Burton Group is already beginning to see a shakeout of the NAC vendors as our
  customers try different approaches. This will be a key area of focus for research this year, as the Security and Risk
  Management Strategies team examines how enterprises are really using network controls and what's the most
  appropriate and successful implementation of these controls.


Measuring Vital Signs
  Network controls help to buttress and measure vital signs. The capabilities that many IT shops have in
  place—whether they are intrusion detection and prevention or even scanning capabilities associated with an
  admission control system—help to identify patch levels, unknown systems, volatility of network addresses, and
  more. All of these make for very interesting metrics, especially when tied to various incidents and the overall
  costs associated with responding to them. (However, it's important to remember the message in the “Metrics for
  Evidence-Based Security” section of this VantagePoint overview: Managing by exception is not a favorable tack.)
  The intersection of metrics and policy enforcement raises important questions. Is it really appropriate to enforce a
  policy that says “you must apply the following 13 patches” or “you must have anti-malware signature update 732”
  if a business function might be disrupted as a result? What is the balance between system quarantine, so an
  endpoint can be patched, and uninterrupted business functions associated with generating revenue for the
  customer? Which metric is more important, for example: the frequency that systems are able to successfully
  complete transactions, or the frequency that malware-infested hosts were prohibited from causing further harm?
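  As an added illustration (not code from the original overview), the following Python sketch turns the kind of
  scan data an admission-control system collects into the vital signs listed above, and encodes the quarantine-
  versus-business-continuity trade-off as an explicit decision rule. The scan records, the patch identifiers KB1 to
  KB3, and the business_critical tag are constructed for the example; the signature version 732 is the one used in
  the text.

```python
"""Vital-sign metrics from admission-control scan data (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

REQUIRED_PATCHES = {"KB1", "KB2", "KB3"}  # hypothetical patch identifiers
CRITICAL_PATCHES = {"KB1"}                # missing these counts as an infection risk
REQUIRED_SIGNATURE = 732                  # anti-malware signature version from the text


@dataclass
class ScanRecord:
    host: str
    ip: str
    in_asset_db: bool                # known in the enterprise asset inventory?
    patches: Set[str]                # patches the scanner found installed
    signature: int                   # anti-malware signature version reported
    business_critical: bool = False  # hypothetical tag: revenue-generating host


# Constructed sample: several scans of the same hosts over a few days.
SCANS: List[ScanRecord] = [
    ScanRecord("web01", "10.0.1.10", True, {"KB1", "KB2", "KB3"}, 732, True),
    ScanRecord("web01", "10.0.1.10", True, {"KB1", "KB2", "KB3"}, 732, True),
    ScanRecord("lap17", "10.0.5.22", True, {"KB1", "KB2"}, 731),
    ScanRecord("lap17", "10.0.5.87", True, {"KB1", "KB2"}, 731),
    ScanRecord("lap17", "10.0.5.140", True, {"KB1", "KB2", "KB3"}, 732),
    ScanRecord("pos03", "10.0.9.3", True, {"KB2", "KB3"}, 700, True),
    ScanRecord("rogue", "10.0.5.200", False, set(), 0),
]


def latest_by_host(scans: List[ScanRecord]) -> Dict[str, ScanRecord]:
    """Most recent record per host (records are in scan order)."""
    latest: Dict[str, ScanRecord] = {}
    for rec in scans:
        latest[rec.host] = rec
    return latest


def patch_compliance(scans: List[ScanRecord]) -> float:
    """Share of known hosts whose latest scan shows every required patch."""
    known = [r for r in latest_by_host(scans).values() if r.in_asset_db]
    compliant = sum(1 for r in known if REQUIRED_PATCHES <= r.patches)
    return compliant / len(known) if known else 1.0


def unknown_host_rate(scans: List[ScanRecord]) -> float:
    """Share of hosts seen on the network that the asset database does not know."""
    latest = list(latest_by_host(scans).values())
    return sum(1 for r in latest if not r.in_asset_db) / len(latest)


def address_volatility(scans: List[ScanRecord]) -> float:
    """Mean number of distinct addresses a host was seen at (1.0 = fully static)."""
    seen: Dict[str, Set[str]] = {}
    for rec in scans:
        seen.setdefault(rec.host, set()).add(rec.ip)
    return sum(len(ips) for ips in seen.values()) / len(seen)


def admission_decision(rec: ScanRecord) -> str:
    """Quarantine only where the risk is serious and the business can absorb the disruption."""
    if not rec.in_asset_db:
        return "quarantine"  # unmanaged host: no basis for trust
    if CRITICAL_PATCHES - rec.patches:
        # A revenue-generating host is allowed on but flagged for remediation
        # rather than taken off the network mid-transaction.
        return "allow-with-remediation" if rec.business_critical else "quarantine"
    if not REQUIRED_PATCHES <= rec.patches or rec.signature < REQUIRED_SIGNATURE:
        return "allow-with-remediation"
    return "allow"


def vital_signs(scans: List[ScanRecord]) -> dict:
    """The metrics side by side, including the two competing counts from the text."""
    decisions = {h: admission_decision(r) for h, r in latest_by_host(scans).items()}
    return {
        "patch_compliance": patch_compliance(scans),
        "unknown_host_rate": unknown_host_rate(scans),
        "address_volatility": address_volatility(scans),
        "decisions": decisions,
        "hosts_kept_working": sum(1 for d in decisions.values() if d != "quarantine"),
        "hosts_quarantined": sum(1 for d in decisions.values() if d == "quarantine"),
    }


if __name__ == "__main__":
    for key, value in vital_signs(SCANS).items():
        print(f"{key}: {value}")
```

  The decision rule makes the trade-off visible: a revenue-critical host missing a critical patch is let on with a
  remediation flag rather than quarantined, and the summary reports both how many hosts kept working and how
  many were kept off the network, which are the two competing metrics the paragraph asks about.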


Changing Network Controls: Broad Impact
  Whether expanded or contracted, a change to network-based controls has far-reaching implications. Such a
  change affects the network architecture, the underlying network infrastructure, and endpoint management
  systems. And the reverse is true, too: a change to network architecture will generally necessitate controls
  changes, and the ability to use a given part of the network for meaningful control may be called into question.
  That, of course, raises the question: What is the future of this network security architecture? Burton Group has
  developed several new Reference Architecture templates and technical positions to help answer that question,
  and the team will continue to probe it throughout 2008.


Data Security
  The radar screen for data security is shown in Figure 6.




  Figure 6: Trends and Issues in Data Security
  Media disclosures of breaches, the problem of information leakage, and customer record protection requirements
  have prompted a deep industry focus on data security. In fact, this topic has somewhat dominated the whole risk
  and compliance landscape. It's really important to look at what are the vital signs to measure in this area.
  At a high level, at least three significant issues need to be addressed (and, in some cases, are starting to be
  addressed):
   • Vendors moving from tactical sales to strategic solutions: No vendor is likely to walk away from a quick
     Band-Aid sale that salves a small pain point. But the requirements of data protection in 2008 and beyond will
     be much broader than can be covered by a loose hodgepodge of products. Certainly, clients recognize this, as
     they craft multiyear target architectures. Importantly, vendors are recognizing this as well. Acquisitions of data
     leakage protection vendors, encryption solutions, and messaging security tools bring disparate threads of
     protection into a more unified whole. At least, that's the potential. Reality is that product integration takes many
     years. More importantly, it's not clear that a given vendor's unified protection suite will be the answer to data
     security issues. However, vendors thinking more strategically is a positive sign and a trend that should
     continue.

   • Organizations grappling with information risk: Organizations are asking themselves, “How do we create
     and use information?” They are taking a deeper look at information classification, how to control what
     information leaves repositories, and where data is disseminated to distributed endpoints. These are important
     topics and ones that have often been overlooked from a strategic perspective. As to metrics, the remaining
     challenge is putting numbers to these topics. That is, what's data worth? How much revenue can such
     information generate, how much compliance exposure does such information create, and what would be the
     economic impact of a loss? Answering these questions is true information risk management, and the state of the
     art is still young.




   • Standard of due care rising: Data security, particularly the protection of customer information, has long
     been underinvested in. In effect, the market environment did not sufficiently punish organizations for
     information loss and breaches, and for some time the regulatory environment did not compensate. Recent and
     ongoing change is twofold. First, regulations in North America and beyond (such as India's likely enhancements
     to its Information Technology Act) are counteracting information loss externalities; that is, these regulations
     are putting a reputational, and sometimes a dollar, price tag on data loss. Second, as organizations broaden
     their global footprint, they understand that theft of proprietary intellectual property can be exceedingly harmful.
     Cisco's Christopher Burgess related horror stories at Catalyst Conference Europe last year and expanded upon
     them in his book Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic
     Espionage in the 21st Century (2008, co-authored by Richard Power). Entire corporate product lines can be
     stolen, duplicated, and brought to market in competition. Intellectual property and customer data are both
     valuable. Enterprises have raised the stakes on what they consider prudent data security.


Technology Trends
  Although a longer-term strategic view is unfolding, many technical choices are still tactical with a few notable
  exceptions. Network content filters are being deployed for data leakage protection. Recognizing the role of
  roaming users, focus is increasingly on content control at endpoints as well—including using virtualization
  mechanisms to limit endpoint handling of data in the first place. Also, Burton Group observes considerably more
  focus on encryption of endpoints and encryption of data in repositories. However, most of these initiatives are
  silos. To move to a strategic focus, organizations need to move toward deploying enterprise key management that
  can optimize how that encryption is controlled. Financial services clients are among the first to explore
  centralized key management. Vendors such as EMC/RSA and nCipher are going to market with solutions.
  Standards bodies such as the Organization for the Advancement of Structured Information Standards (OASIS)
  and Institute of Electrical and Electronics Engineers (IEEE) are starting to advocate non-proprietary technical
  approaches. And industry consortia—notably the Financial Services Roundtable (BITS)—are articulating critical
  requirements.
  Some other areas, particularly enterprise rights management (ERM), continue to be niche technologies. However,
  they do show promise. Vendors such as EMC, Oracle, and Microsoft have made investments to push forward
  ERM solutions and to join them with enterprise content management products. On the other hand, a technology
  like ERM must be cautiously evaluated and expectations kept in check. In the end, its information protection
  capabilities are limited by software surety, key-handling approaches, and—once again—siloed use.


Evolution of Network, Application, and Data Security Controls
  Data protection raises some architectural questions. Figure 7 examines the balance of network, application, and
  data control effectiveness. Last year, Principal Analyst Dan Blum was conjecturing the relative paths of various
  types of controls when he uncovered an interesting security evolution diagram in use by Microsoft and Boeing.
  Although no full agreement exists about the precise location and direction of the curves in the graphic, and
  refinements will no doubt be made as research progresses through 2008, the diagram serves to illustrate some
  important points.
  (Network controls, by the way, include such things as firewalls, VPNs, filtering at gateways, and so forth.
  Application controls include endpoint security, authentication, authorization, and such. Data controls include
  encryption, key management, information labeling/classification, rights management, and related technologies.)




  Figure 7: Conjecturing the Falling and Rising Importance of Different Classes of Controls (Derived from a
  Diagram by Dan Hitchcock, Microsoft)
  What Figure 7 suggests is that network controls dominate or are most important in many of today's environments,
  but they're going to decline in effectiveness due to the de-perimeterization and virtualization trends discussed
  earlier. An important caveat is that most organizations need to achieve a certain level of network control via
  zoning and related means, but maintaining a strong protection posture will require increased investment in
  technologies that may become more challenging to deploy in the era of de-perimeterization.
  As network control effectiveness declines, application and endpoint controls come to the fore. These include
  access control, encryption, identity management, and other technologies that can take up the slack from loosened
  network protections in more open environments. Application controls are also a response to compliance
  requirements whose interpretation includes better software development lifecycles, separation between developer
  and operational roles, and defined walls between development, testing, staging, and production environments.
  In addition, pervasive collaboration and compliance are forcing organizations to apply finer-grained controls over
  data, and some controls may be placed within the data itself. This suggests that technologies that tie security
  attributes to the data and monitor or track its use—starting with granular access controls and encryption, but
  perhaps including data self-protection technologies like rights management—may become much more crucial
  than they are today. This is a topic of research in 2008 that will inform both enterprise security architecture
  considerations and vendor solution emphases. The upcoming Security and Risk Management Strategies overview
  “Toward Nanosecurity: Inherent Protection for Endpoints, Applications, and Ever-Smaller Virtual Objects” will
  further explore these topics.


Organizational Issues
  Looking at the impact curves in Figure 7, it's clear that technology plays an important role in data protection. But
  that's not the full story. Organizational issues exist as well. One of the points mentioned in the “Security Mega
  Trends” section of this VantagePoint overview is the move toward intense collaborative environments within the
  enterprise. This creates a bit of a culture clash between collaboration advocates and those charged with
  protecting content. In fact, it can be illustrated by a metaphor used to describe information-centric security: a
  well. In last year's VantagePoint overview, for example, the Security and Risk Management Strategies team
  explained how protection is getting deeper, that is, protection around data is becoming layered, as it has been for
  years in network environments.




  The well is an apt metaphor for the conflict we face. Middle Eastern desert ethos is that well water can't be denied
  to man or beast. This is echoed—although overstated—in the philosophy of many collaboration advocates:
  Broader sharing of information brings new innovation and value to an organization and shouldn't be denied.
  Security professionals, in contrast, are well protectors. They tend to advocate limited sharing (and wouldn't be
  popular in a desert). But it's a reasonable stance to believe that a copy of the customer confidential database
  should not be on everyone's system.
  So one fundamental organizational issue is reconciling protecting the information “well,” access to it, and the
  level of collaboration that is prudent.
  In addition, it's important to realize that the stakeholders gathering around the well have been changing, or at
  least, their numbers have been expanding. For example, the Security and Risk Management Strategies team has a
  lot of conversations about electronic discovery, and how legal teams—whom we've never really had to deal with
  much in the past—are now intimately involved with the usage, disposition, and protection of information. One
  organization reports that, amazingly, legal teams say “No” even more often than security teams, so maybe we will
  be kindred spirits. But whatever the case, we need to reach out to legal teams and understand what their issues are
  in the same ways that we have traditionally had to do with audit teams. It's also critical to make sure that policies,
  in addition to controls, reflect legal requirements and a proper balance between protection and availability (the
  latter being incredibly important to e-discovery).
  For example, organizations are grappling with the tradeoffs between confidentiality and the use of encryption:
  Without proper key management, information can be lost, resulting in dire consequences in a court case.
  The upshot is that data protection depth and control are important. But security teams need to be thinking about
  moving beyond simply adding a layer of leakage prevention, endpoint filters, increased encryption, and so forth.
  Think about the wells themselves—the various repositories, the DBMSs, and so on—and what new stakeholders
  will be involved and what policies will result in proper governance of data.


Governance, Risk Management, and Compliance
  Last year, the Security and Risk Management Strategies team warned to watch out for the “attack of the lawyers,”
  and evidence has shown that was a valid warning. The effects of legislation like California Senate Bill 1386,
  SOX, and the credit card industry's PCI DSS have been significant on a variety of businesses. The role of lawyers
  in the life of security practitioners is not likely to decrease in 2008, with continuing and heightening e-discovery
  requirements and privacy stipulations.
  However, the conversation is broadening. The radar screen in Figure 8 highlights the forces acting on the market.
  In keeping with Newton's third law, that every action has an equal and opposite reaction, the market has been
  responding to the various forces acting on it.




  Figure 8: Trends in Governance, Risk Management, and Compliance
  What has happened is a rise in vulnerabilities and losses. Over the course of the last couple of years, investors
  and consumers have endured the TJX data breach, the collapse of Enron and WorldCom, and a variety of other
  high-profile failures. Not the least of these is the largest rogue-trading loss on record at the time: Société
  Générale, where a junior-level trader circumvented controls and created a risky, leveraged position far beyond
  what should have been allowed. The result was a loss of roughly $7 billion.
  In response to those high-profile failures and their impact on society, regulators increased pressure on businesses
  to comply with new legislation and rules to prevent recurrences. This increasing regulatory pressure led
  executives of organizations—whose lawyers advised them that they could not decline to implement such
  compliance mandates—to increase compliance budgets and have dedicated resources to comply with the new
  regulations.
  Of course, an increased budget is an irresistible attractor of vendor products and services. As a result, a variety of
  vendors have created offerings that they are increasingly labeling as “GRC.” Bob Blakley observes that vendors
  hope their prospects will perceive “GRC” to mean governance, risk management, and compliance. But it's likely
  the vendors themselves are thinking of the “giant rolls of cash” that will be spent on their tools.
  The designation “GRC” is mostly smoke and no fire. The tools that are labeled thus seldom do all three—they
  seldom automate governance and risk management and compliance. In many cases, tools don't do any single
  function particularly well. Of course, this is still the early days, and it's reasonable to expect tools to mature. But
  maturation is unlikely to converge the automation of all three disciplines into a single solution. Because of their
  nature, these activities are conducted by very different leaders in an organization.


The Real Goals and Value of G, R, and C
  It's key to note that the individual letters, the G and the R and the C—the governance, the risk management, and
  the compliance functions—are real activities and they're important. Governance is not a product. Governance is
  the process by which management controls an organization in order to create value in it. In order to govern well,
  senior management must have enough visibility into the organization and how the organization is implementing
  management mandates to observe the effect of its policies and adjust any that aren't having the desired effect.




  In Burton Group's view, governance is roundtrip management: the set of processes and tools that support
  management's creating a policy, observing the implementation of the policy, observing the effects, and correcting
  based on observation of the effects. A subdiscipline, information governance, is an important component.
  Information governance supports corporate governance by ensuring that the information handed to senior
  executives is available, timely, and accurate.
  Similarly, risk management is, of course, very real. It's the fundamental activity of business. Technical risk
  managers, including security people, tend to think that the goal of risk management is to limit losses, but that's
  really not the case. In a business context, the goal of risk management is the creation of value through the
  assumption of prudent risks and the avoidance of imprudent risks. Taking enough risk, while keeping harm at bay,
  is fundamental to profitable activity. In other words, risk management should be a value-creation prospect and
  viewed as an upside, not a downside, for business.
  Finally, compliance—the C—is also very real. Compliance primarily aims to limit the liability of a business by
  satisfying requirements of the law. But if one only does that, business will likely end up being very inefficient.
  The activity must be balanced with business-driving activities.


Evolving the Role of Risk Management
  In 2008, organizations should discuss the relationship between governance and risk management. Governing
  managers need to reform the risk management discipline by refocusing risk managers away from loss reduction
  and toward a better balance between loss reduction and value creation.
  In other words, risk managers should move from a strict focus on avoiding bad risks to a more balanced focus that
  includes identification of good risks. This allows a company to venture into areas that create value by
  acknowledging and manipulating risk, rather than being manipulated by it. The vital sign that the Security and
  Risk Management Strategies team will focus on during the year in this area is the true organizational risk
  management metric: change in net present value. That is, dollars. Simply, it measures whether risk management
  activities return value to a business.


Appropriately Governing Compliance
  In addition to changes in risk management, governance also has a task to accomplish in reforming compliance.
  Most current compliance tools and practices focus on things like checklists and periodic audits to ensure that
  enterprises carry out required activities rather than on whether or not carrying out such activities actually
  improves the performance of an organization and its avoidance of loss.
  The governance goal of compliance activities is to build organizational transparency. That is, when an enterprise
  activity or condition creates a risk that management ought to be aware of, a compliance program should identify
  that risk to senior management and give them an opportunity to take action to fix it. Arguably, this will raise red
  flags with legal teams. Lawyers may frown on a program that identifies risks, because it may identify liabilities as
  well. On the other hand, management can't eliminate a risk that it doesn't know about. Burton Group's focus in
  2008 is to encourage compliance activities—and a set of automated tools—that build real transparency. Instead of
  loss avoidance, measure how long it takes to correct meaningful variance, or provide feedback that enables
  management to effect policy changes.


Going Global




  Some organizations may not consider themselves global enterprises if their only campus is based in the United
  States. But looking more broadly across organizational structure and extending the definition to include suppliers,
  partners, researchers, and other organizations that support an enterprise, almost all organizations have “gone
  global.” Although myriad things are going on in global enterprises, the hottest security and risk management
  topics are: how internal controls are being distributed (often to local managers) to satisfy policy mandates; the
  multitude of regional regulations that are being created and must be observed for security compliance; and how to
  deal with the increasing number and variety of third parties needing access to internal resources.
  These high-level themes break down into a number of trends shown on the radar screen in Figure 9.




  Figure 9: Trends in Increasingly Global and Multi-Jurisdiction Enterprises
  An area of note on the radar screen is the dotted square on the right. For a global enterprise, the area of
  compliance has counterbalancing trends. While, for many, the first round of regulations are now becoming
  relatively well understood, other new regulations are showing up on the radar screen at most global enterprises.
  These may be local laws that must be handled in specific ways, international variations of a domestic law (SOX is
  a good example), or a regulation that must be extended across a border because of business relationships and
  contractual stipulations.
  This is causing global enterprises to struggle with compliance. They're trying to figure out whether they need to
  expand their current initiatives, refocus their initiatives, or even break them down into smaller tasks to tackle each
  regulation on a region-by-region basis.


Have Policy, Will Travel
  How can an organization manage and enforce policy across a global footprint? An emerging approach is to deploy
  policy and control in a hierarchical fashion. This manifests itself in several ways. First, enterprises generally
  realize that, although central bodies may create policies and control standards, regional execution and
  enforcement are necessary due to the size and the breadth of a typical global concern. A European conglomerate
  may stipulate that all business units must prevent unauthorized customer data exposure and, within the EU,
  further require controls pursuant to the EU Data Protection Directive (95/46/EC). But for an Indian business unit,
  adherence to local laws (such as the Information Technology Act) must dovetail with corporate mandates for data
  protection.
  Second, while the top-down channels are distributed, bottom-up reporting aggregates centrally in order to verify
  compliance and to ensure that the hierarchical framework itself is effective and efficient. This trend moves
  controls down to local levels, but it also requires supporting infrastructure to be relocated or logically secured so
  that realms or containers of security can be properly protected and isolated. In simple terms, monitoring—a key
  for organizational transparency—should be tamper resistant.




  Finally, local personnel are often best equipped to handle any issues around local regulations, any type of cultural
  differences in how personnel interact, and how compliance is controlled. In short, controls are being created at the
  top and delegated down into the areas that can best support them whether by region, line of business, or product.


Worldwide Web of Compliance
  In keeping with comments in the “Governance, Risk Management, and Compliance” section of this VantagePoint
  overview, external entities place local regulations on global enterprises, which impacts internal information and
  technology structures. For a large enterprise, this can cause a lot of concern and cost around determining which
  regulations affect what parts of the enterprise and how compliance can be achieved. Commonly, global
  enterprises hesitate to offer a full view of internal environments to just any regulatory body in just any
  jurisdiction. Of course, withholding that view risks raising the ire of authorities, even if an outside regulatory
  body doesn't strictly need such widespread access. It is necessary to understand the minimum amount of data that
  can be exposed to a given regulatory body and how to provide the separation that keeps regional data (and the
  regulations that govern it) only where it is needed.
  It's important to understand that today's compliance automation tools don't necessarily assume the realistic,
  complex model facing global organizations. That is, they don't accommodate the fact that multiple regulations in
  varying jurisdictions may derive from similar frameworks but have potentially different compliance requirements.
  Moreover, these tools rarely support separation among regulatory domains, which is needed to ensure that regional
  auditors examine only the limited part of the organization they absolutely need to. Therefore, there's considerable
  work ahead for compliance tools.
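  As an added illustration (not from the report, and not any vendor's tool), the following Python sketch models the hierarchy described in the "Have Policy, Will Travel" section and the domain separation called for above: controls are distributed top-down and inherited, compliance status is rolled up bottom-up to the center, and a regional regulator receives only its jurisdiction's slice. Unit names, control identifiers and results are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Unit:
    """One node in the policy hierarchy: the corporate center, a region, or a business unit."""
    name: str
    jurisdiction: str                              # regulatory domain the unit reports into
    controls: dict = field(default_factory=dict)   # control id -> mandate added at this level
    results: dict = field(default_factory=dict)    # control id -> True if this unit is compliant
    children: list = field(default_factory=list)

def walk(unit, inherited=None):
    """Top-down distribution: each unit inherits every ancestor's controls and may add
    local ones (e.g. a local law), but can never drop a corporate mandate."""
    effective = dict(inherited or {})
    effective.update(unit.controls)
    yield unit, effective
    for child in unit.children:
        yield from walk(child, effective)

def rollup(root):
    """Bottom-up reporting: {jurisdiction: {control id: {unit name: compliant?}}}.
    A control a unit has not reported on counts as non-compliant, never as unknown."""
    report = {}
    for unit, effective in walk(root):
        for cid in effective:
            by_unit = report.setdefault(unit.jurisdiction, {}).setdefault(cid, {})
            by_unit[unit.name] = unit.results.get(cid, False)
    return report

def regulator_view(root, jurisdiction):
    """Separation of regulatory domains: a regional auditor receives only the
    jurisdiction's slice of the report, never the whole enterprise."""
    return rollup(root).get(jurisdiction, {})

# Constructed sample hierarchy mirroring the conglomerate described in the text.
corporate = Unit("HQ", "corporate",
                 controls={"DATA-EXPOSURE": "prevent unauthorized customer data exposure"},
                 results={"DATA-EXPOSURE": True})
eu = Unit("EU region", "EU", controls={"EU-DPD": "controls per the EU Data Directive"},
          results={"DATA-EXPOSURE": True, "EU-DPD": True})
de_bu = Unit("German BU", "EU", results={"DATA-EXPOSURE": True, "EU-DPD": False})
in_bu = Unit("Indian BU", "IN", controls={"IT-ACT": "Information Technology Act"},
             results={"DATA-EXPOSURE": True, "IT-ACT": True})
eu.children.append(de_bu)
corporate.children += [eu, in_bu]

if __name__ == "__main__":
    print(regulator_view(corporate, "EU"))   # EU auditor: no Indian data
    print(rollup(corporate))                 # central view: every jurisdiction
```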


Third-Party Access: Continuing Challenge
  In the expanded enterprise, third parties often work in conjunction with—or in some cases, replace—a global
  enterprise's internal employees. It's not a new trend. Burton Group has discussed this challenge in its coverage of
  the virtual enterprise network (VEN) from 2003 and earlier. Although third parties may need access to the same
  information systems as employees, the fact is that employees are internal resources and are therefore bound by
  more company controls and use additional resources that will not be made available to outsiders. (But an
  enterprise must still be mindful of misplaced trust in insiders, who remain a pernicious threat.)
  What's new is the increased international diversity of third parties. Outsourcing and global expansion often
  imply offshoring. We conduct business with people who are unlike us. The result may be vast cultural
  differences: changing social norms and assumptions, philosophical differences about business practices, different
  treatment of personal information/privacy/secrecy, and dissimilar processes for litigation in local courts. All of
  this requires sensitive communication and finely crafted contract language to define terms and process. In
  addition, global enterprises are searching to determine what additional protection controls—particularly technical
  ones—are needed for allowing access to internal information.


Final Word
  The outlook for 2008 suggests considerable disruptive changes:
   •   Economic uncertainty
   •   Virtualized, dynamic resources
   •   Highly collaborative information sharing
   •   Increased interest in and deployment of service-oriented architectures
   •   Mobility that challenges network controls and zones
   •   Extensive governance challenges in enterprises that are increasingly globalizing and incorporating many
       different cultures



  Overall, marketplace security vital signs show increased attention to information protection. And it's not coming
  just from vendors. Regulators, enterprise risk managers, and even senior managers realize its importance.
  The bad news concerns vital signs within IT shops. The application of metrics, how we count things, and how we
  understand success within our enterprise security program are rather immature. These are elements that need
  thought leadership and steadfastness.
  In consideration of the key Security and Risk Management Strategies themes for 2008, some countervailing trends
  emerge. Some of these are moving toward more centralization in our environment and some toward
  decentralization.
  Playing to the theme of increased centralization are enterprise-wide (business) risk management; governance as
  executed through roundtrip management (bringing reporting up to senior executives as they push policies
  downward); the notion of key management and more centralization of encryption; and controls established as part
  of data center consolidation. These all help provide a central view and a better sense of what an organization is
  doing.
  At the same time, things are pushing away from the center in the realms of outsourcing, SaaS, and
  globalization—negotiating the waters of many different jurisdictions and spreading controls to local units.
  Burton Group's continued goal is to bring forward research and resources that foster dialogue and let us work
  together on improving the security vital signs into 2008 and beyond.




The Details
  Below is selected pertinent Security and Risk Management Strategies coverage for the year in review:
  Proactive theme:
   •   “VantagePoint 2007: Information Security Trends” (overview)
   •   “The Long Tail of Risk and the Dynamics of the Security Market” (overview)
   •   “The Changing Face of Vulnerability Management” (Market Landscape document)
   •   “Implementing Security Controls in Outsourced and Offshore Environments” (overview)
  De-perimeterization theme:
   • “Zones” (Reference Architecture technical position)
   • “Network Perimeters” (Reference Architecture technical position)
   • Network templates (via the Security and Risk Management Strategies template “Information Security
     Technology Model”)
   • “Architectural Alternatives for Enforcing Network Admission Requirements” (overview)
  Operating system (OS) security theme:
   • “Windows Vista Balances Security and Convenience: Your Mileage Will Vary” (overview)
   • “Attacking and Defending Virtual Environments” (overview)
  Information-centric security theme:
   • “Information Classification: The Most Important Security Thing You're (Still) Not Doing” (overview)
   • “Document Management Security: Not Receiving the Scrutiny It Should” (report)
  Compliance theme:
   •   “Governance, Risk, and Compliance” (overview)
   •   “Products for Managing Governance, Risk, and Compliance: Market Fluff or Relevant Stuff?”
   •   “Enterprise Security Control Standards: Which Ones and Where They Apply” (overview)
   •   “What and Why PCI?: Inside the Payment Card Industry Data Security Standard” (overview)




Conclusion
  Information security is evolving in 2008 in response to disruptive changes. Economic uncertainty, intensely
  collaborative styles of work, virtualization, increased outsourcing, and ongoing compliance pressures require
  careful consideration and adaptation. The vital signs of the market are relatively strong, with continued focus on
  information-centric controls, healthy debate about balancing endpoint and network protections, and a drive toward
  improved enterprise/business risk management. Vital signs within protection programs require work, however.
  Useful metrics programs are rare, despite their importance to governance activity. Learning what to measure, and
  sharing the results, will be important to individual organizations and the security industry at large.




Related Research and Recommended Reading
  Especially with regard to security metrics, the following are worthwhile reading:
  Books:
   •   Ian Ayres. Super Crunchers: Why Thinking-by-Numbers Is the New Way to Be Smart.
   •   Peter Bernstein. Against the Gods: The Remarkable Story of Risk.
   •   Jerry Harbour. The Basics of Performance Measurement.
   •   Andrew Jaquith. Security Metrics: Replacing Fear, Uncertainty, and Doubt.
  Papers and articles:
   • William Grove, Paul Meehl. “Comparative Efficiency of Informal (Subjective, Impressionistic) and Formal
     (Mechanical, Algorithmic) Prediction Procedures: The Clinical-Statistical Controversy.” American
     Psychological Association. 1996.
     http://www.psych.umn.edu/faculty/grove/086comparativeefficiencyofinformal.pdf.
   • Emma Skogstad. “Using Benchmarking Metrics to Uncover Best Practices.” ITManagementNews. 1 Jul 2003.
     http://www.itmanagementnews.com/itmanagementnews-54-20030701UsingBenchmarkingMetricstoUncoverBestPractices.html.
   • Pete Lindstrom. “Three techniques for measuring information systems risk.” SearchSecurity.com. 17 Feb 2005.
     http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1060169,00.html.




Author Bio
Trent Henry
Vice President and Research Director
Emphasis: Information Protection; Compliance and Control Standards; Content Security
Background: Trent Henry is the vice president and research director for Burton Group’s Security and Risk
Management Strategies service. He covers information protection, compliance and control standards, content
security, and cryptography. Prior to joining Burton Group, Trent worked in the PKI industry in security management,
technology research, and Internet server and protocol product development. He also held positions at Identrus,
Digital Signature Trust, Ameritech, and Apple Computers. With 15 years of experience, Trent is a respected speaker
and writer on information security, audit, and compliance topics. He has participated in security standards bodies
such as X9 and the Internet Engineering Task Force (IETF) and contributed to the first Common Criteria Protection
Profile slated to become an ANSI standard.



