Network security in 2002

By: John Pescatore
February 5, 2002
Provided by: Gartner

Although the terrorist attacks against the United States in September of 2001 changed the perception of security, other technology issues are more important factors in determining what security issues enterprises will have to worry about in 2002. Web services tools and technologies will expose an accelerating stream of discovered vulnerabilities in 2002 (0.7 probability).

From a security perspective, Web services represent another approach to tunneling applications through firewalls. The major transport mechanism will be SOAP over HTTP, putting more stress on the extremely vulnerable Web server implementations found in most enterprises. The use of Secure Sockets Layer (SSL) for transport security of Web services will drive application owners to lobby for SSL connections to be allowed through corporate firewalls, greatly increasing the likelihood of application-level attacks.

Recommendations: Until the second half of 2003, enterprises should terminate external Web services connections in a transaction zone outside the corporate firewall. Any connections that are allowed to connect directly to internal servers should be required to use SSL certificates at both ends, and XML encryption and digital signature services to protect sensitive information in Web services transactions. Enterprises should, in 2002, begin planning for implementing application-specific firewall functions, such as those offered by Sanctum, Ubizen, KaVaDo, CipherTrust, and others.

Managed security providers
At least six managed security service providers (MSSPs) will leave the market in 2002 (0.6 probability). In 2000, venture capitalists showered funding on MSSP startups. Gartner accurately predicted that the business model of the MSSPs would survive the first wave of consolidation. We expect that, in 2002, larger network service providers will enter the MSSP market and use selective acquisition as a growth strategy. Smaller, regional players that do not meet the criteria for survival will be acquired or disappear.

Recommendations: Gartner believes most enterprises will find that outsourcing repetitive firewall, intrusion detection and gateway antiviral monitoring functions will result in a higher level of security at an equal or lesser cost than doing so in-house. Enterprises evaluating MSSP offerings should include Gartner's selection criteria in all requests for proposal.

Attack target: Videoconferencing
At least one widespread Internet attack will target increased use of Internet-based videoconferencing and application collaboration capabilities deployed to reduce travel due to security and cost concerns (0.6 probability). Most security-conscious enterprises block unneeded or dangerous protocols and services (such as ActiveX controls) at the corporate firewall. Attempts to reduce travel costs before the terrorist attacks, and to avoid travel after the attacks, have resulted in increased demand for video- and Web conferencing and shared applications over the Internet. Many of these capabilities provide minimal security controls, and often require that additional ports and services be enabled at the firewall. Denial-of-service attacks will likely be the first to be launched, but 2002 will see additional attacks against specific vulnerabilities in commercial services.

Recommendations: Where possible, conferencing services should be terminated in a transaction zone and thin-client connections used from internal desktops. Enterprises should prototype any self-hosted conferencing capabilities and perform (or contract for) penetration testing. Enterprises using commercial services should require service providers to demonstrate successful security testing by an outside security firm.

Bottom Line
Political realities, new technologies, and changing priorities will cause 2002 to be a year of increased threat for Internet-exposed systems. Enterprises should start the year by ensuring that their Internet security foundation is solid, through security audits and application-level protection, and require each new IT project to have security built into the application.



Copyright © 1999-2002 [FootPath, Inc]. All rights reserved.
SecureGURU™ is a registered trade-mark of FootPath, Inc.