Security shopping lists made for the New Year

Whereas 2001 will be remembered as a year marked by an exhausting string of virus attacks and cyberterrorism fears sparked by the events of Sept. 11, security experts predict that computer security in 2002 will shift away from perimeter defences in favour of internal access control and authentication management.

“Physical access, who you are, and [whether or not] you are allowed [specific privileges] is going to be among big technology questions that are going to be answered in 2002,” said Charles Kolodgy, Internet Security analyst at Framingham, Mass.-based International Data Corp.

“Smart cards, USB tokens, and biometrics will be some of the hot areas because companies, organizations, and others are beginning to realize they need to have a better handle on who’s coming and going,” Kolodgy said. “Passwords just don’t give you enough confidence in these things.”

End-users can also expect scrutiny directed at Web services applications. They may see improved safeguards to protect specific sets of database records – such as profiles or user accounts – while those records are in transit across systems to validate identification, security experts said.

“Anyone not thinking about Web services for back end integration will be behind the eight ball for 2002,” said Peter Lindstrom, director of security strategies at Hurwitz Group in Framingham, Mass. “Web services is about simplifying communication between systems. That’s where encrypting and signing the data becomes significant. It’s not just data. It’s content and context.”

Lindstrom pointed toward a handful of vendors looking to capitalize on brisk Web services security momentum in 2002, including Vordel Systems, Netegrity, Foreign Systems, and Zolera.

In fact, Lindstrom said he believes security software will return to the top of users’ ROI (return on investment) budget considerations as internal access issues such as lax user account passwords and ID management shift from nuisance to legitimate corporate threat. Lindstrom contends that the connection between workflow and self-service management on the one hand and authorization/authentication on the other was largely ignored in the past.

Vendors that provide an automated process to create, administer, and manage user accounts include Waveset Technologies, Business Layers, Access 360, Courion, Thor Technologies, and BMC Software.

“I think software will take the lead [over hardware solutions]. You name the security player, and they have a management framework coming down the pike. Management frameworks will mature over 2002 and get a sense on how we’re going to do enterprise security,” Lindstrom added.

Still, Kolodgy notes that end-users will find a strong push for beefed-up USB (Universal Serial Bus) tokens and SSL (Secure Sockets Layer) cryptographic acceleration products that require less cumbersome readers as an alternative to smart cards. In general, security hardware products remain attractive to customers because they are easy to use.

“You don’t want users to play too much. You want distributed firewalls and products that don’t need a lot of human interface. [With hardware], you don’t need to worry about support, upgrades, or patching. The software is still on [the] high end but appliances make it easy to fit in,” Kolodgy said.