Survey: IT Weakening Security Features to Improve Network Speed

A new survey of 478 security professionals and C-level executives reveals that IT security pros are responding to increased network traffic by turning off functionality in their security solutions.

Despite the increasing number of risks posed by a variety of recent data breaches and attacks, 90 percent of respondents admit that they make the security/throughput trade-off. It’s not that these IT professionals don’t understand the problem; they understand the growing impact of mobile devices, for example. Despite a majority (67 percent) admitting that security trumps performance in security solution evaluations, 81 percent say they turn off functionality because network performance was negatively affected.

Even when they adopt “next generational firewall” (NGFW) products, Crossbeam says security pros have to select which features to allow so they can meet network performance goals.

Respondents also show an overwhelming distrust of performance metrics in vendor data sheets: 58.1 percent said they flat-out didn’t trust published performance claims, and of this group, 99 percent agreed that the metrics were misleading.

In all, 63 percent said they had to purchase additional hardware to meet performance goals because the promised performance didn’t match reality. Mobile operators, managed security service providers, and telecommunications companies were most affected: three-quarters had to buy additional hardware. I’ll bet their bosses weren’t very happy about the impact to their IT budget.

Of all respondents, the most (35 percent) came were network security engineers and 23 percent were network security architects. Enterprises in finance and banking made up the largest group of respondents (26 percent), followed by the telecommunications industry (24 percent).

I asked Peter Doggart, director of product marketing at Crossbeam Systems (the survey’s sponsor), about the results. I wondered about the existence of industry-standard performance tests that IT can rely on, and if there aren’t any, if there is any momentum in that direction?

“There are no clear industry standards today that effectively address the complexity of security performance testing,” Doggart said. “There are so many scenarios that could affect performance -- varying packet sizes, different types of traffic, threat density in the test environment, and various security functionality turned on or off -- so it’s difficult to pick just one standard that will reasonably address all of the various permutations of a security deployment.

“There are options that can aid IT. For instance, hiring a third-party testing firm to help conduct tests or turning to an outside integrator to guide the process will provide good indicators of true performance. However, at end of the day, every business has unique requirements. It’s up to IT security professionals to take the time up front to educate themselves on the needs of their business and how real-world performance requirements may grow over the next 3-5 years, and then test these scenarios on the equipment they are considering before they buy it.”

If trust in metrics isn’t high, you’d think IT would do some strenuous testing before buying a product. Sadly, they don’t. According to the survey, only 57 percent perform any tests under real-world conditions, and only 50 percent of this group performs intrusion protection tests.

Doggart said he thought the reasons for such testing deficiencies were due to a lack of resources and skill. “Performance testing is not for the faint-hearted. It takes many years of experience and in-depth knowledge of IT security protocols to conduct this type of testing. In fact, some organizations hire engineers specifically for this purpose.”

He pointed out that “for many others, it’s simply too expensive to undertake. The result has been that proper security performance testing is shortchanged in the face of other business priorities. This is a primary reason why “good enough” security and unsubstantiated vendor performance claims have become the accepted norm.

Are security products inherently draining on network performance, or is there any hope on the horizon? Doggart said that although security products continue to improve in performance and effectiveness, the performance demands being placed on networks for all applications are also growing exponentially.

“At the same time, the number and sophistication of threats is increasing, putting more of a burden on security technology. Therefore, the problem will never be entirely eliminated. The way to address the ‘speed vs. security’ challenge is for IT security professionals to reset their expectations about what security products can deliver and become more educated about how they will perform on their networks.”

Doggart told me that one of the surprising findings in survey is just how few IT personnel at major corporations are thinking beyond the short term. “Just over half (51 percent) report that they only evaluate their performance needs less than a year to 24 months in advance. The best possible way to reduce costly mistakes, avoid the performance drain, and mitigate business risk is to make the upfront investment to truly understand your network requirements at least three to five years out. Establishing a strong, high-performance security posture simply can’t be rushed or overlooked.”

I asked Doggart for his general assessment of the survey results.

“The survey shows that most are in agreement about the need for stringent security, but it can easily get pushed down the priority list when it starts to affect the performance of the business. It’s clear from the findings that the trade-offs between security and performance are introducing unnecessary risk to the business.”

What’s his solution? “We recommend that anyone looking for security solutions for their high-performance networks seriously assess the performance needs of the business, and then rigorously test potential solutions to ensure that the technology stands up to real-world conditions.”

You can download the survey results at www.crossbeam.com/performance.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 07/19/2011 at 11:53 AM0 comments


Survey Provides Insight into Enterprise Cloud Plans

Cloud has caught on, according to a new survey, but most enterprises are taking it slow. A new report from Gatepoint Research and commissioned by ScienceLogic found that although 79 percent of 100 executives (most from large enterprises) responding to its survey are running some part of their production applications in the cloud, 64 percent of all respondents are running no more than a quarter of them with that technology.

When moving to the cloud, however, IT isn't comfortable turning over complete responsibility to the service provider. Two-thirds of respondents (66 percent) say they will turn the training their existing IT operations staff in cloud management, and 65 percent say they'll be using on-premises tools to monitor performance. Nearly as many (64 percent) say they will probably need new management tools; a third unsure what their needs will be.

Cloud technology does hold promise. Over half of the respondents expect that the technology will enable collaboration, and most expect the technology to help them reduce IT costs, remove silos, and lower the number of performance issues as they move to the cloud. However, for most, enterprises “are uncertain about the role of IT Operations as assets move to the cloud.”

I asked ScienceLogic’s CEO, Dave Link, what conclusions he drew from the survey.

“The survey data tell us that enterprises are clearly moving to cloud computing in significant numbers and support analyst predictions that there’s a great deal of growth yet to come in the cloud-computing market,” Link said. “Although IT operations will continue to change with new technologies, there’s no doubt that operations is every enterprise’s vital link to managing essential business infrastructure -- whatever form it takes.”

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 07/15/2011 at 11:53 AM0 comments


Where Is Tech Headed? Just Ask Kids Around the World

Looking for innovative directions and ideas for your software projects? Just ask kids. They’ll tell you that the future lies in better integration of digital experiences with the real world and “more intuitive, human-like interactions with devices, such as those provided by fluid interfaces or robots.”

From the crayons of 201 kids -- none older than 12 -- in Argentina, Australia, Chile, Colombia, Denmark, India, Mexico, The Netherlands, Panama, South Africa, Spain, the United Kingdom and the U.S. came a wealth of ideas as described in the study, Children’s Future Requests for Computers and the Internet. Conducted by Latitude, an international research consultancy “that helps clients create engaging content, software and technology that harness the possibilities of the Web,” the study examined our tech future imaginings and desires as seen through the eyes of kids, or as the study calls them, “digital natives.”

What opportunities for developers do they reveal? Perhaps it’s no surprise that the drawings demonstrated “that kids wanted their technology to be more interactive and human, better integrated with their physical lives, and empowering to users by assisting new knowledge or abilities.” The researchers looked for specific tech themes, and they found plenty -- shedding light on how your software can engage this new audience.

For example, say goodbye to the divide between digital and physical. Kids thought of computers that could “print” real food or let them touch objects they see on their screen. Forty percent conjured up a world where they were immersed in physical spaces (such as real or simulated travel) or devices that helped them with a physical activity. The survey calls this the Internet of Things, which is replacing the Internet of Information Delivery. There’s a greater interest in using the Web for self-improvement (to learn a new language, for example); almost a third thought of platforms for “creating games, Web sites, [and] action figures.” The “urge to create” was strong: design (landscaping, fashion) were popular.

The youngsters see a user interface that is more interactive -- one-fifth incorporated verbal-auditory controls (voice activation and control, for example); 15 percent wanted touchscreens. Robots and virtual companions showed up, too, and children in Africa, South Asia, and Latin America were more likely to think of their computers as friends or teachers.

Where a child lives has an influence in their outlook. For those in the U.S., Europe, and Australia (92 percent of the sample), the focus was on interactivity. For children in South Asia and Africa, the emphasis was an “a clear outcome ... or tangible benefit” (such as providing help with their homework). Yes, there were even kids that envisioned systems to help them clean their rooms.

“Kids are asking for computers to look, feel, sound, act – and interact – more like humans,” said Jessica Reinis, a senior research analyst at Latitude and the study’s leader. “In many cases, it’s not enough to have a machine that simply completes a task for them; kids today have a strong bent towards independent learning, creation and artistic endeavors, and they’re looking for technologies that can teach them and really engage them in new ways.”

A picture is worth a thousand words, so check out this collection of the kids' artwork.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 07/06/2011 at 11:53 AM0 comments


Data Protection: Survey Reveals Cracks in Readiness

What data protection issues and trends are the most important to enterprise IT pros? According to a new survey from Sepaton, a data protection provider, disaster recovery and regulatory compliance topped the list, a shift from “improve disaster recovery,” 2010’s top issue. “Data will be unrecoverable in the event of a disaster” and “Regulatory compliance issues (retention, restore, etc.)” were the top backup/data protection fears.

Given that a quarter of respondents are protecting 200 terabytes or more, and another 10 percent manage between 100 and 200 terabytes, it’s easy to understand why recovery is key. What’s more interesting to me is that though many releases I see these days give vague descriptions of the rate of data growth, the Sepaton survey actually quantifies that growth. Nine percent of respondents say data is growing more than 50 percent annually, and eight percent say growth is between 41 and 50 percent. Another third (36 percent) peg the figure at between 21 and 30 percent. That’s a lot of growth.

How are organizations protecting their data? Sixty percent use a mix of tape and disk-based backup technologies; 57 percent are using tape libraries at their main data centers; about 48 percent use disk-based backup with deduplication; onsite snapshots on NAS filers is popular at 44 percent of these enterprises. For remote/branch offices, physical tape is used at over half of surveyed enterprises; disk-based backup came in second, followed by replication, onsite snapshots, and cloud backup applications. When asked what technology they’d be using in a year, the trend was toward disk-based backup and using less physical tape.

I asked Joe Forgione, senior vice president product operations and business development at Sepaton about his reaction to these numbers -- for his take on tape and disk media in the enterprise and what trends he sees.

“Large enterprises are tiering their data protection based on the value of the data. The most valuable data in the data center is retained on disk and replicated to a remote site for a retention period of weeks to months for fast recovery from disk. At that point, the data may be expired or vaulted to tape utilizing existing consolidated tape infrastructure in one data center for deep archive (based on long-term retention requirements).

“The trend is to leverage/consolidate existing tape infrastructure in data centers for deep archive purposes but utilize disk for day to day data protection operations which ultimately reduces the need for more physical tape infrastructure. With the ability to dramatically reduce WAN bandwidth with deduplication technology, branch offices are now deploying automated disk based data protection locally for fast recovery of data onsite while replicating to the data center for DR and deep archive on tape.”

Larger data volumes take their toll on backup windows. Although just one in ten enterprises (11 percent) say they need no more than five hours, over a quarter (26 percent) say they need more than 24 hours to complete a full backup. It takes more than just time to complete a full backup -- it takes more hardware. Fifty percent of respondents said they added 1 to 3 new disk-based data protection systems in the last two years; 12 percent added 3 to 5 new systems.

Following “unrecoverable data” and “regulatory compliance” as top concerns comes “adopting/migrating to new technology will cause disruption” as a key concern, which should have vendors concerned. After all, providing higher service levels with any new product -- let along new technology -- can be cause for worry.

Nearly seven in 10 respondents concede that their enterprise “fell short on data protection.” Part of this is likely due to the “do more with less” mantra, which could explain why “insufficient budget” was reported by 32 percent of respondents as the primary reason for inadequate data protection; 21 percent say their team is understaffed. Nearly a third (32 percent) say their data protection doesn’t fall short. Lucky them.

There are clearly key issues that need IT’s attention. For example, only 43 percent of respondents said their disaster recovery testing “is frequent enough and reflects a realistic DR scenario.” That leaves 57 percent not fully prepared. Worse, 35 percent of remote or branch offices are unprotected.

The survey, conducted in April, focused on the 168 enterprise IT professionals in companies with a minimum of 1000 employees and 50 terabytes or more of data to protect in North America and Europe out of an original survey size of nearly 600 people.

You can read the full survey results here (short registration required).

-- James E. Powell
Editorial Director, ESJ

Posted on 06/29/2011 at 11:53 AM0 comments


IT Systems Failure Costs Quantified in New Survey

Sure, we all know that downtime harms meeting our service-level agreements, but how do you quantify downtime's costs? CA Technologies sponsored a survey of CIOs, IT directors and managers, COOs, and operations directors in North American and European enterprises to understand and measure the consequences of downtime.

According to CA’s Avoidable Cost of Downtime report, “Businesses collectively lose more than 127 million person-hours annually -- or an average of 545 person-hours per company -- in employee productivity due to IT downtime.” Put another way -- it’s the equivalent of 63,500 people sitting idle, unable to perform their job duties, for an entire year.

The retail industry took the biggest hit in terms of person-hours lost, followed by the public sector. Small businesses (those with 50-499 employees) far and away suffered the most, followed by large enterprises (over 1000 employees) and midsize firms (500-999 employees).

Not all downtime results in complete work stoppages; the respondents averaged 14 hours of downtime per year; during this time, employees were “only able to work at 63 percent of their usual productivity.” Employees suffer during recovery as well. “[O]rganizations lose an average of nine additional hours per year to the time it takes to recover data. During these times, employee productivity only climbs to 70%.” Public-sector employees are the least productive during IT outages (working at just 58 percent of capacity when systems are down and 67 percent of capacity during the recovery). Small companies were the least productive (employees work at 56 percent during downtime and 62 percent during recovery).

How well is IT prepared for such outages? Not very: over half of respondent firms (56 percent of North American enterprises and 30 percent of those in Europe) lack a “formal and comprehensive disaster recovery policy.” Fortunately, a fifth says they are developing such policy, but 13 percent have no plans to make such plans. (Let's hope you don’t work for one of them.)

Organizations take a hit to their reputation, say half of those surveyed; nearly a fifth (18 percent) categorize the impact as “very damaging.” More than four in 10 respondents say downtime harms staff morale, and over a third (35 percent) claim IT downtime can adversely impact customer loyalty.  In my many years in corporate IT, downtime equals long, long coffee breaks for business users; employees often don't go looking for alternative tasks they can complete in the meantime. They're poised waiting for the system to "come back up any second."

The survey found that “87 percent of businesses indicated that failure to recover data would be damaging to the business; 23 percent said this would be ‘disastrous.’” Imagine losing or improperly completing an order when a system crashes; now imagine the number of people that person will tell via Facebook or Twitter. To me, the 23 percent figure seems low.

“There are a variety of practical and affordable steps organizations can take to protect themselves against the adverse business impact of IT outages,” said Steve Fairbanks, vice president of product management, Data Management, CA Technologies, in a company release announcing the survey results. “Given that these outages are a fact of life -- and that some of the consequences of outages can be irreversible -- investments in improved business continuity are extremely worthwhile.”

The survey was conducted in November 2010 by independent research firm Coleman Parkes. Respondents were evenly split among small, midsize, and large enterprises. The survey was conducted among 200 enterprises in North America and 1,808 companies in EMEA (spread across the UK, France, Germany, Spain, Italy, Belgium, the Netherlands, Norway, Sweden, Finland, and Denmark).

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 06/02/2011 at 11:53 AM1 comments


Which Industry’s Employees Fall for Phishing E-mail Most Often?

Although cybercrime research reveals “widespread vulnerability to phishing in virtually all business sectors nationwide,” new research has identified five industries where employees are most likely to click on links in phishing e-mail messages. What’s even more chilling is how successful this thankfully benign attack was.

KnowBe4, an Internet security awareness training (ISAT) firm, released the results of its new cybercrime experiment that identifies “the nation's most Phish-prone industry sectors” -- that is, those where employees are most “susceptible” to its cybercrime ploy. The top five: travel, education, financial services, government services, and IT services. Yes, IT services.

KnowBe4 conducted the experiment by targeting small and midsize enterprises (SMEs) from Inc. 500 and Inc. 5000 lists. It used Inc.’s Web site to assemble the SME’s domain names and a “free data-gathering service to find publicly available e-mail addresses.”

According to the company, “Individuals who clicked the link were directed to a landing page that informed them they had just taken part in phishing research. The [e-mail messages] were successfully delivered to about 29,000 recipients at 3,037 businesses; and in nearly 500 of those companies, one or more employees clicked the link.” That’s nearly one in six employees at targeted companies.

In a release, KnowBe4 founder and CEO Stu Sjouwerman points out that "Any business that provides access to e-mail or access to its networks via the Internet is only as safe from cybercrime to the degree that its employees are trained to avoid phishing e-mails and other cyberheist schemes.” Sjourwerman is also an author whose latest book is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

KnowBe4 categorized the targeted companies into 25 industry sectors. The travel industry showed the most vulnerabilities; employees in 25 percent of travel companies responded to the phish-y message. Following closely behind: education (22.9 percent), financial services (22.7 percent), government services (21.2 percent), and a group that should know better: IT services (20.4 percent).

"Our cybercrime statistics should serve as a wake-up call to SMEs nationwide," noted Sjouwerman, in what I can best call an understatement. "Not only are these businesses at risk for financial loss through a cyberheist, but their susceptibility to phishing tactics could compromise sensitive customer data such as credit card, bank account and social security numbers."

Why are the percentages so high? Sjouwerman attributes it in part to a “false sense of security” -- that people assume antivirus software “and an in-house IT team provide sufficient data security.” Given that IT services made it into the Top Five list, there’s clearly a retraining opportunity here.

The cleverness of cybercriminals can still overcome the best intentions of employees. As Sjouwerman points out, “Many of the top Phish-prone industries are regulated and subject to compliance rules, so well-meaning employees can be tricked into clicking a link if they believe an e-mail was sent by a government or law enforcement agency, or by someone they know and trust.”

More details from the study, including percentages by all 25 industries, by state, and by domain suffix (among others) can be found at www.knowbe4.com/fail500/. No registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 05/31/2011 at 11:53 AM0 comments


Enterprise Cloud Use, Plans Revealed in New Survey

The CDW 2011 Cloud Computing Tracking Poll released this week asked 1200 IT professionals about their use of cloud computing, what’s driving its adoption (and what factors are impeding progress), the benefits expected and realized from the technology, and their cloud plans for the future.

At first glance, use of cloud is impressive: 84 percent of IT managers report that their enterprise uses at least one cloud application, yet only 38 percent acknowledge that “their organization has a written strategic plan for cloud adoption.”

The most popular cloud applications are utilitarian: Gmail (34 percent), Google Docs and MicrosoftLiveMeeting (29 percent each), and WebEx (28 percent). Gmail is most popular among small and midsize businesses and higher education institutions; Google Docs is most popular with K-12 and higher education.

These figures show the public side of cloud. However, when asked what cloud approaches their “organization is most likely to use,” 47 percent said it was a private cloud, with 19 percent choosing community cloud and 19 percent choosing a hybrid cloud. Only 7 percent chose the public cloud.

Adoption is largest among “large businesses” (at 37 percent) and higher education (at 34 percent). Although 29 percent of respondents in the federal government say they use cloud apps, only 23 percent of those in state and local governments do. Nearly a third (31 percent) report that their organizations are currently considering cloud technology, and 33 percent are in the planning stage; 8 percent say they are not considering using the technology.

Security is the top inhibitor to cloud adoption or expansion. Among non-cloud users, 45 percent are concerned about safety; the figure is 32 percent for cloud users. Of all users, cost concerns (40 percent) came in second. To protect themselves, organizations using cloud encrypt transmitted data (54 percent), manage access to cloud applications in house (50 percent), or require passwords be changed every quarter (44 percent).

When all respondents were asked about their top goals, they put “consolidate IT infrastructure” at the top of their list (42 percent), followed by “reduce IT energy/power consumption” (42 percent), “enable or improve ‘anywhere access’” (38 percent), and “reduce IT capital requirements” (37 percent). Cloud seems to help enterprises meet these goals -- and then some. Of the 320 respondents using cloud, 48 percent said cloud had helped them consolidate their IT infrastructure, 49 percent had reduced power, 49 percent achieved “anywhere access,” and 52 percent had reduced capital requirements.

Speaking of expenses, only 36 percent said cloud applications cost less than traditional applications. However, 84 percent of cloud users said annual costs were reduced by moving applications to the cloud; annual savings averaged 21 percent. In five years, cloud users expect that, with the growth of cloud use, they’ll save an average of 31 percent of their annual IT budget.

One-third (34 percent) of the 320 respondents who implement or maintain cloud computing predict that the IT budgets five years from now will allocate a third of their budget on cloud “resources and applications.” Of the remaining 880 respondents who (those not implementing or maintaining cloud projects), cloud spending is predicted to be just 28 percent in 2016.

The survey received 1200 responses from IT professionals in “small, medium and large businesses; Federal, state and local government agencies; health-care organizations; and K-12 and higher-education institutions” in the United States. You can download the full report here; registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 05/26/2011 at 11:53 AM0 comments


Cloud Computing Confounds Small Business Owners

Although large enterprises seem to “get” what cloud computing is and the benefits it offers, the message hasn’t reached small businesses yet. In this month’s SB Authority Market Sentiment Survey released yesterday, of about 1,800 respondents, only 29 percent admitted they knew or had ever heard of cloud computing.

Of these, only a quarter (26 percent) said they could describe what cloud computing actually is.

Likewise, their understanding of offsite storage (or storage in the cloud) is lacking. When asked, “Do you have data or critical information, software, or hardware in your physical office like a server, a tower, or a hard drive that may not be secure,” 78 percent answered “No.” However, when asked if all of their “critical computer hardware, software, and data” was stored and backed up offsite, only 29 percent answered “Yes.”

In a statement, Barry Sloane, president and CEO of Newtek Business Services’ The Small Business Authority brand (which conducted the survey), observed, “There is no doubt that business owners will embrace the cloud concept and over time gravitate towards its massive benefits. We surveyed over 1,800 independent business owners and discovered that the concept of cloud computing has begun to disseminate into the marketplace, due primarily to large advertising programs by entities like Microsoft, Cisco, and others. Business owners will need to understand what the cloud is and what it can do for their businesses in the areas of cost control, data security, data protection, accessibility, efficiency, and productivity to facilitate a smooth running technological platform for their business.”

About the data backup poll results, Mr. Sloane noted, “Server huggers beware. The cloud is approaching; the security blanket of the server in the closet onsite and having an assistant backup important business data and confidential client information needs to be behind us all. Our survey this month is quite telling about what independent business owners really need to know about the cloud and how misinformed they are about data safety and security.”

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 05/26/2011 at 11:53 AM2 comments