What it takes to be "secure" is for some the source of much confusion. The short answer is: you can never be "secure," only "secure enough." The long answer involves a discussion about risk aversion, networked environments, business expectations, and a host of other factors that create an enterprise security profile.

But even that does not eliminate the confusion generally involved, particularly on the part of nonsecurity professionals. For example:

  • Internet-oriented senior executives may consider the firewall the only necessary security solution.
  • e-Business directors may highlight their secure communications using encryption.
  • Many legislators talk about the need for privacy. Certainly HIPAA and Gramm-Leach Bliley are of prime importance to the affected parties.

In each of these cases, impressions are either too narrow or too vague, with no real rigor applied to security management as a whole. This leads to challenges for the security professional in justifying budgets, clarifying security issues, and strengthening the security posture of an enterprise.

THE HURWITZ TAKE: There are four disciplines in security management that must be considered for an enterprise security group to be successful. These disciplines can be laid out on a crossed axis, with identity management at the top and configuration management at the bottom of the vertical axis; and threat management to the right and trust management to the left on the horizontal axis. Each of these disciplines is described below:

Identity management. The focus of identity management is on user provisioning — the creation, maintenance, and termination of user accounts and management of credentials in support of authentication and access control. Activities in the identity management space have parallels to the customer relationship management (CRM) world. The companies in this space include Entact, Access360, WaveSet, BMC, CA, Tivoli, and Courion.

Configuration management. Configuration management solutions ensure that systems and devices on the network are securely configured. They protect against vulnerabilities and weaknesses that can be exploited by perpetrators to gain unauthorized access to the system. Activities in this space often parallel, in fact sometimes conflict with, the network and systems management world. Representative companies include SolSoft, PentaSafe, BindView, Symantec, Checkpoint, and ISS.

Threat management. Threat management has come to the forefront of security management with the growth of the Internet. Threat management activities monitor networks to identify inappropriate activity and intrusion attempts. The foundation of threat management is intrusion detection. Representative companies in this space are ISS, Symantec, NFR Security, Recourse, e-Security, Tivoli, LanCope, and SilentRunner.

Trust management. Trust management provides security services geared toward managing online relationships. The primary tools used are encryption products like public key infrastructure, as well as more specialized solutions like digital rights management software and security appliances or gateways. Companies in this space include Entrust, RSA, Baltimore, VeriSign, SingleSignOn.Net, CipherTrust, and NTRU.

The core activities related to each of these four disciplines are the traditional "triple A" solutions: authentication, access control, and audit (AAA). AAA provides the inline solutions, such as biometrics, smartcards, web access control, and secure logging facilities, that manage user access to resources and log that activity. These are the foundation services of security.

It is important to note that multiple market segments exist within these four disciplines; some of the products compete with each other, others are complementary. The goal is to break down the concept of "security" in a way that is easy to understand yet provides more depth and clarity than the market at-large has today.

Peter Lindstrom is a Senior Analyst for Security Strategies with Hurwitz Group in Malvern, Penn (www.hurwitz.com). He can be reached at plindstrom@hurwitz.com.