Modernizing Authentication — What It Takes to Transform Secure Access
Hackers, e-legislation, the Internet, the convergence of network infrastructures, and the deployment of applications to IP networks are fundamentally changing how companies and service providers deploy applications, secure network infrastructure, and conduct e-commerce in both the wireless and wireline worlds. The Yankee Group has scoured the security industry to identify what are going to be the most prevalent trends for investment in network security for 2001. The trends include remote security, managed security service providers, secure content delivery technologies, enterprise security platforms, biometrics, and security of the next-generation networks. The Yankee Group identifies new markets, metamorphosis of existing markets, and the maturation and resurrection of legacy environments as components of this report.
Secure Predictions for 2001
- The Emergence of Security Service Switches
- $2 Billion Secure Content Delivery Market Takes Off
- Biometrics Goes Mainstream
- Managed Security Service Provider Market Surpasses $2.6 Billion
- Security Intelligence Services Blossom to Capture a $1 Billion Market
- New Security Market Emerges for Remote End-Point Security as Part of IP VPN
- Security Management Systems Emerge and Converge with Network Management Platforms
1. The Emergence of Security Service Switches
In 2001, the Yankee Group predicts that security service switches will emerge, as a new class of carrier-based network equipment, to deliver a range of value-added services to enterprise customers.Network equipment manufacturers have already begun offering multi-service switches for ATM, frame relay, and recently, IP VPNs to deliver services from the edge of the carrier's network over the next-generation optical core. In this install-once and provision-many centralized model, enhanced security services such as firewalls, intrusion detection, content inspection, authentication, and virus scanning will thrive.
These sets of advanced functions, if delivered in a carrier-based architecture with emphasis placed on reducing network elements and increasing operational efficiencies and reducing TCO, would be a boon to next-generation communication providers that are looking to increase their revenue and range of value-added services to be delivered either directly to customers or as part of their wholesale strategies. As a quick point of clarification-the Yankee Group is not suggesting that any one vendor supply all of the previously mentioned functionality through its in-house development efforts. Rather, we are recommending that they provide the carrier-grade hardware, provisioning, and management infrastructure, and partner with best-of-breed security vendors for individual security functionality.
There will be an additional challenge that vendors will need to address with regard to next-generation network architecture-the transition of IP-over-ATM, to IP-over-SONET, and eventually to IP-over-DWDM. Current security solutions all require IP to be manipulated at OSI Layer 3, which will cause problems of network latency for next-generation gigabit-based networks that will not be able to process all of the security policies at gigabit speeds. The Yankee Group is aware of several yet-to-be-made-public vendors that have their radar clearly set on these next-generation network challenges. We are sure to see venture capital pouring into these greenfield players over the next 12 months.
2. $2 Billion Secure Content Delivery Market Takes Off
The need to persistently control and secure digital content has created new opportunities for security and communications vendors, resulting in a market for secure content delivery technologies that the Yankee Group predicts will take off and surpass $200 million in 2001 and grow to over $2 billion by 2005.
Books, music, medical records, and intellectual property are all accessible over the Internet, enabling counterparties to share information securely and creating new business opportunities for e-commerce. Initially VPNs and secure socket layer (SSL) technologies have been proposed to secure content from creation to distribution. However, new vendors are creating solutions that are not network-centric security solutions but rather are aimed at securing the applications in what can be termed application VPNs (A-VPNs). The most prevalent technology is for creating secure e-mails, but this technology is expanding to securing Web pages, HTML documents, and Adobe documents, as well as intellectual property documents. This new technology, often referred to as digital rights management (DRM), is enabled by creating a security wrapper that surrounds the applications and allows for complex business rules on how the information can be accessed and who can access it, and that tracks how much and for how long the information has been used.
The Yankee Group predicts that content distribution network (CDN) providers will follow the example of Akamai, a CDN provider that is partnering with Reciprocal, a DRM vendor, in order to allow customers to capture value from content distributed over Akamai's network.
The Yankee Group believes that this technology will create new opportunities for vendors, such as video, music, and book publishers, analysis and research firms, and legacy information services firms, that will use these fundamental security technologies to create new value chains.
3. Biometrics Goes Mainstream
Biometrics is moving out of the labs and past government installations to become a mainstream technology for strong user authentication over IP networks, and the Yankee Group predicts it will become a widely deployed technology by late 2001 or early 2002. The technology is maturing and the prices are plunging (hardware is becoming deployed on keyboards and integrated into existing voice and image capture systems) at the same time that corporations are finding needs for high-confidence user authentication of which biometrics is capable.
Health care and banking are the two industries that are leading the way in biometrics applications, using a variety of fingerprint-, voice-, and face-recognition technologies to solve their strong authentication needs. The health care industry's drive to secure its systems has been mandated by the Health Insurance Portability and Accountability Act (HIPAA), which requires a bulletproof solution to ensuring patient's privacy over electronic media and the Internet.
Biometrics will not be part of a stand-alone solution, but rather will be incorporated as part of an overall strong authentication system that is part of a public key infrastructure (PKI) deployment. Biometrics will be the next highest level of user authentication; it will ride the coat tails of smart card (deals are regularly hitting the $3-$5 million size) and digital certificate technology, and will be layered on top of PKI.
The Yankee Group foresees several partnerships, mergers, and acquisitions occurring as the vendors of smart card technology (which have been the preferred medium of choice for storing keys and certificates as part of a PKI) leverage their relationships with customers who will start to demand biometrics as an option for securing access to the most sensitive of corporate resources and applications. This will all be facilitated by the emergence and convergence of standards for digital certificates, smart cards, and bio-authentication solutions being established by the industry associations for both smart cards (www.scia.org) and biometrics (www.biometrics.org). These associations are also educating and training users in the benefits and practical deployments of biometrics as both a security enhancement and a way of creating additional value-added services, which the Yankee Group sees propelling this industry into 2002.
4. Managed Security Service Provider Market Surpasses $2.6 Billion
The Yankee Group forecasts that the market for managed security services will exceed $2.6 billion by 2005. It is no longer the ISPs and carriers that will be the dominant providers of these services, but rather it is the new-age managed service providers looking to fuse the needs of e-commerce, Web hosting, IP VPNs, and managed security services that will lead this new market. This new breed of players and services will not just offer managed firewalls and intrusion-detection services, but also provide security services for roaming users, internal espionage prevention, e-insurance and e-risk management, advanced corporate inoculation services, denial of service (DOS), and security intelligence, and extend security policies and systems to the extranet partner's networks.
These demands for growth will result in the consolidation among the providers of pre-implementation, implementation, and ongoing monitoring of security systems. The 80-plus start-ups that were venture capital (VC)-fed in 2000 will be under pressure to extend their operations and sales channels to such lengths that they cannot resist the urge to merge or to be acquired at bargain-basement valuations. The VCs will not lose money but will still reap four to eight times their investments, which-although below the 10 to 30-times ROI of the dot-bomb era-is more than adequate.
Additionally, value-added resellers (VARs) and systems integrators (SIs) will buy out managed security service providers. They will purchase, rather than build, their own offerings, preferring to leverage the talent and solutions put in place by these providers while taking these solutions and leveraging them into their established base of existing customers. The critical point is that the VARs and SIs already have a close account control and should be able to effectively leverage these relationships with a product line extension, with managed security as the lead products.
Finally, the Yankee Group does see the continued development of network services wholesalers as a dominant trend in the managed security outsourcing market. The key participants in this market will be players such as Lucent, EDS, Siemens, Nortel, AT&T, and Cap Gemini, all of which will become aggregators of a range of services from routers, to Web hosting, to security. They will represent a one-stop shop for customers, providing a complete portfolio of best-of-breed products and services. These companies will thrive where others have failed because of their razor-sharp focus on the needs of and the relationships with their customers.
5. Security Intelligence Services Blossom to Capture a $1 Billion Market
Network security is a reactive process of identifying policies, procedures, vulnerabilities, and threats, and then designing and implementing systems and procedures to ensure a secure operating environment. This process is iterative and takes hours or days, and frequently months, to implement. The newly emerged security intelligence service providers are flipping this paradigm on its head and claim to make adaptive network security management a proactive process, allowing users to get out in front of the hackers that are trying to infiltrate IT systems.
Security intelligence vendors, such as i-Defense, Logikeep, Atomic Tangerine, Netsec, Security Focus, and Para-Protect, provide a critical service to IT managers by providing actionable information that can be used to strengthen a company's security posture. The vendors accomplish this by monitoring all security events globally. This is done either as a real-time monitoring of new hacks, viruses, or vulnerabilities that are popping up all over the globe, or by monitoring vendor, government, and private agency alerts as to new security holes and the recommended fixes that should be installed. To counter such threats, the vendors then securely disseminate this information to their clients with specific recommendations for action. This process is different from most approaches in that it actually provides an actionable plan in real time and does not require the company to acquire and train security staff to conduct all of the monitoring and interpretations of events as they occur. These services will truly allow companies to surf the edge of the security curve, and the Yankee Group expects that the majority of managed security providers will look to OEM or resell these services as part of their portfolios by the end of 2001.
6. New Security Market Emerges for Remote End-Point Security as Part of IP VPNs
A new security market for providing remote end-point security (REPS) will emerge in 2001, as managed service providers roll out services to protect the systems of remote workers when they use their computers to access the Internet. Corporations realize that when their users, while working remotely and surfing the Web, although they can connect securely to the corporate networks with IP VPN connections, may have already had their systems compromised.
When users are using a remote IP VPN connection to the office, the communication between the remote facility and the corporate office is secured via encryption and digital signature whenever the IPSEC protocol is used for IP VPNs. The problem does occur, and it was highlighted when Microsoft was penetrated in January 2001 by a hacker who was able to control resources and thereby gain entry through a remote user's connection. This is only made worse when workers are using a broadband DSL or cable connection that is connected to the Internet virtually all the time and thus is always vulnerable. These remote computers are easily hacked; they allow the intruder to gain access and turn a machine into a drone to either introduce crippling viruses or gain access to resources on the corporate network.
When a user is not connected to the corporate network and is surfing the Internet for work or personal endeavors, he or she is in essence connected to a public and therefore insecure network. Additionally, the security policies are different for the user when connected to the Internet as a corporate user than when connected for personal use. Some examples of unacceptable Internet behavior for business use that may be appropriate for home personal use are downloading games or music from a Napster-type user group, looking at religious material, online gambling, surfing sexually-explicit Web sites, and downloading free hacking software to break into a friend's system (of course, after you have been given permission to do so).
These service offerings will comprise products that incorporate firewalls, virus and content inspection, intrusion detection, and security assessment. The products will be installed on the remote machines, which would be the strongest security solution, but they do not scale well and will be the hardest for administrators to manage for thousands of remote users. Alternatively, a security assessment and IDS session could be originated from the corporate IP VPN termination equipment on initiation of the IP VPN session. This would take time and cause delay during the IP VPN session setup, but would provide heightened security and be the easiest to control. The Yankee Group predicts these services will run in the $20 to $25-per-month range per user (today e-mail virus services alone cost $5 per user per month) for a managed service on top of the $25 to $35 users pay for dial IP VPN services today, which represents an endless opportunity for managed security service providers.
7. Security Management Systems Emerge and Converge with Network Management Platforms
As of the end of 2000, security management platforms have come to the forefront for both the provisioning and hardening of network security services and products. Many of these systems can trace their roots to managed security consulting organizations that realized all the time and effort they had put into their systems to effectively manage a range of security products represented an investment of intellectual capital that could easily be commercialized and provided as a solution for managed security service providers. There are two types of security management systems.
The first is for managing the provisioning of security services throughout a carrier's or enterprise network. These systems are similar to the network management systems that exist today for the configuration of network devices and for security; this would include firewalls, IP VPN, virus scanning, and intrusion detection equipment. There is also a reporting function that would enable a service provider to show the customer what its service levels are for the actual service that has been deployed. Players in this space today are new entrants such as Ponte Communications and legacy vendors such as HP, Micromuse, and Concord. The Yankee Group anticipates that several of the existing network management vendors will look to roll out security management functionality or to acquire a start-up in order to round out their portfolio and to further strengthen their account control. This will be the preferred path for customers and especially for service providers, which are looking to spend less on hardware and increase their operational efficiencies overall.
The second type of security management platform is designed to take all of the information produced by both network equipment and security equipment, aggregating it, fusing it, providing an intelligent report of current security exposure, and finally recommending a course of action for a particular customer. These platforms have emerged from the realization that customers prefer best-of-breed solutions that do not produce information in a standardized format but still must be tied together and managed by security service providers and corporations over a geographically distributed network. The customers that do not require best-of-breed solutions and are more concerned with costs and functionality put additional strains on managed security service providers that must provide the preferred solution to their customers but may not have the expertise in managing the information provided by these low-end products. The products themselves may not have been developed well enough to provide actionable information in a natively usable format (manually analyzing log files does not scale) for service providers that require carrier-grade scalability. These advanced security management products will use smart polling to pull information from existing network and security products. They will also be augmented by agents that can be placed on critical host systems, and that can intelligently process host information as well as streamline the amount of information sent back to the security management systems. The emerging players in this field are currently Openservice, e-security, and RipTech.
The Yankee Group believes that traditional network management vendors such as HP, Open View, Tivoli, and Computer Associates will look to partner with some of these new players to help round out their offerings with the intention of eventually purchasing the best-of-breed products that will be established over the next 12 months.
Matthew Kovar, CFA, is Director, Security Solutions & Services (SSS), for the Yankee Group, Boston. He can be reached at firstname.lastname@example.org. SSS is a resource for executives charged with spearheading their company's success in securely supporting their dynamic e-commerce applications and initiatives.