Survey: IT Weakening Security Features to Improve Network Speed
A new survey of 478 security professionals and C-level executives reveals that IT security pros are responding to increased network traffic by turning off functionality in their security solutions.
Despite the increasing number of risks posed by a variety of recent data breaches and attacks, 90 percent of respondents admit that they make the security/throughput trade-off. It’s not that these IT professionals don’t understand the problem; they understand the growing impact of mobile devices, for example. Despite a majority (67 percent) admitting that security trumps performance in security solution evaluations, 81 percent say they turn off functionality because network performance was negatively affected.
Even when they adopt “next generational firewall” (NGFW) products, Crossbeam says security pros have to select which features to allow so they can meet network performance goals.
Respondents also show an overwhelming distrust of performance metrics in vendor data sheets: 58.1 percent said they flat-out didn’t trust published performance claims, and of this group, 99 percent agreed that the metrics were misleading.
In all, 63 percent said they had to purchase additional hardware to meet performance goals because the promised performance didn’t match reality. Mobile operators, managed security service providers, and telecommunications companies were most affected: three-quarters had to buy additional hardware. I’ll bet their bosses weren’t very happy about the impact to their IT budget.
Of all respondents, the most (35 percent) came were network security engineers and 23 percent were network security architects. Enterprises in finance and banking made up the largest group of respondents (26 percent), followed by the telecommunications industry (24 percent).
I asked Peter Doggart, director of product marketing at Crossbeam Systems (the survey’s sponsor), about the results. I wondered about the existence of industry-standard performance tests that IT can rely on, and if there aren’t any, if there is any momentum in that direction?
“There are no clear industry standards today that effectively address the complexity of security performance testing,” Doggart said. “There are so many scenarios that could affect performance -- varying packet sizes, different types of traffic, threat density in the test environment, and various security functionality turned on or off -- so it’s difficult to pick just one standard that will reasonably address all of the various permutations of a security deployment.
“There are options that can aid IT. For instance, hiring a third-party testing firm to help conduct tests or turning to an outside integrator to guide the process will provide good indicators of true performance. However, at end of the day, every business has unique requirements. It’s up to IT security professionals to take the time up front to educate themselves on the needs of their business and how real-world performance requirements may grow over the next 3-5 years, and then test these scenarios on the equipment they are considering before they buy it.”
If trust in metrics isn’t high, you’d think IT would do some strenuous testing before buying a product. Sadly, they don’t. According to the survey, only 57 percent perform any tests under real-world conditions, and only 50 percent of this group performs intrusion protection tests.
Doggart said he thought the reasons for such testing deficiencies were due to a lack of resources and skill. “Performance testing is not for the faint-hearted. It takes many years of experience and in-depth knowledge of IT security protocols to conduct this type of testing. In fact, some organizations hire engineers specifically for this purpose.”
He pointed out that “for many others, it’s simply too expensive to undertake. The result has been that proper security performance testing is shortchanged in the face of other business priorities. This is a primary reason why “good enough” security and unsubstantiated vendor performance claims have become the accepted norm.
Are security products inherently draining on network performance, or is there any hope on the horizon? Doggart said that although security products continue to improve in performance and effectiveness, the performance demands being placed on networks for all applications are also growing exponentially.
“At the same time, the number and sophistication of threats is increasing, putting more of a burden on security technology. Therefore, the problem will never be entirely eliminated. The way to address the ‘speed vs. security’ challenge is for IT security professionals to reset their expectations about what security products can deliver and become more educated about how they will perform on their networks.”
Doggart told me that one of the surprising findings in survey is just how few IT personnel at major corporations are thinking beyond the short term. “Just over half (51 percent) report that they only evaluate their performance needs less than a year to 24 months in advance. The best possible way to reduce costly mistakes, avoid the performance drain, and mitigate business risk is to make the upfront investment to truly understand your network requirements at least three to five years out. Establishing a strong, high-performance security posture simply can’t be rushed or overlooked.”
I asked Doggart for his general assessment of the survey results.
“The survey shows that most are in agreement about the need for stringent security, but it can easily get pushed down the priority list when it starts to affect the performance of the business. It’s clear from the findings that the trade-offs between security and performance are introducing unnecessary risk to the business.”
What’s his solution? “We recommend that anyone looking for security solutions for their high-performance networks seriously assess the performance needs of the business, and then rigorously test potential solutions to ensure that the technology stands up to real-world conditions.”
You can download the survey results at www.crossbeam.com/performance.
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 07/19/2011