Security's disorderly mess

Jon Oltsik explains why a new computing security conundrum presents CIOs with a problem that's not given to an easy solution.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
About five years ago, you couldn't pick up a trade magazine or speak to an IT professional without tripping across the subject of consolidation. Whether you were talking server, storage or data center--or any other realm of IT, for that matter--it seemed as if consolidation was on everyone's lips. And why not? All of these functional technology categories had morphed into distributed operational nightmares. Before long, there was an urgent need to clean up the mess.

Take storage as an example. Every server in the data center had its own spinning disks that needed to be monitored, backed up and maintained. With more servers entering the mix, demand increased for extra human resources, software tools and redundant tape drives. And as always, the IT operations team was left to manage this headache.

A solution to this chaos evolved as shared storage subsystems gave way to storage area networks (SANs) that simplified storage management and merged tape drive requirements. The creation of a common infrastructure with shared services was a great idea. Before long, smart enterprises achieved similar results by consolidating other technologies as well.

With measurable benefits, you'd assume consolidation would have been embraced everywhere. Guess again. Despite progress on other fronts, the reality is that security remains a disorderly mess.

Any explanation begins with an understanding of the way IT pros think about the problem. Security professionals have always had a "best of breed" mind-set that valued the performance of individual applications over buying prebundled software suites. This results in good protection but also introduces box fatigue.

Imagine a security perimeter composed of a Cisco PIX firewall, McAfee antivirus software, Websense content filtering, a Blue Coat Systems proxy server and an Internet Security Systems intrusion detection system--along with the accompanying 5 different servers, associated costs and sundry operational challenges.

Since failure on any one of these boxes can halt network traffic, security systems often get purchased and configured in redundant pairs. The whole security ensemble is often accompanied by load-balancing switches from Cisco Systems, Nortel Networks and F5 Networks that divvy up the work across all of the security systems to ensure maximum performance.

See what I mean about complexity? One security professional summed up his frustration this way: "Our perimeter security is difficult to manage, expensive to run and impossible to troubleshoot!"

As if security costs and operations weren't bad enough, today's perimeter mess results in a few other big problems. Ironically, security complexity actually introduces security issues.

With so many boxes to manage, the chance that one of them is vulnerable or incorrectly configured rises dramatically, and with it the potential for security holes.

Finally, security complications restrict business flexibility. Firms want to open up their networks to customers, business partners and suppliers to increase revenue opportunities and productivity.

These kinds of business initiatives require customized security configurations, depending on the level of trust for each constituency. For example, the company's best customer communicating over a private link will be treated differently than a casual supplier accessing systems over the Internet.

I'd hate to be the security guy who has to tell the CEO that the company can't accommodate the new business initiative because of some security configuration issue. Security just can't be about boxes; it has to be regarded as a business service.

A new twist in security systems
Since security piece parts can't deliver the goods, it's time to glue them together into consolidated perimeter devices (CPDs). As the name implies, CPDs take all these security hardware and software goodies and place them on a single, easy-to-manage system. By eliminating boxes and networking equipment, CPDs are cheaper to buy and run. Advanced management knobs and dials also help make security more business-friendly.

Early CPDs are just starting to make a dent in the market. Crossbeam Systems partners with Check Point Software, ISS and Trend Micro, among others, to offer a line of multigigabit CPDs. Inkra Networks delivers a system that can virtualize security services across multiple network segments. Symantec takes a different tack by integrating both hardware and software, combining firewall, antivirus, intrusion detection and prevention, and antispam on a single box.

Additional vendors in this sector include Fortinet, Juniper Networks, SonicWall and WatchGuard, with many others on the horizon.

This is a market in its infancy, so vendors are bound to offer a lot of fancy talk and slick brochures, but future versions will be packed with real networking and security enhancements. Industry players will look to partner with or acquire others that can help them deliver more protection or better networking. Point tool vendors that don't make the right deals or sell themselves to the security big boys are in big, big trouble.

It's bad enough that perimeter security is expensive and difficult. But if it can't also keep up with new business demands, something has to give.

To be sure, calls for security consolidation will not go down well in some quarters. But while some security zealots may kick and scream about putting all their eggs in one basket, they should also heed the words of a wise technologist I know: "When technology enables the business, the CIO becomes a hero. When technology is a business bottleneck, the CIO becomes unemployed."

Truer words were never spoken.