Strategy Session: Security Drives Everything

Massive data loss incidents (such as the one at T.J. Maxx) seem to suggest that not everyone is quite clear on the simple premise: Understanding your security needs is fundamental

Art Wittmann

May 11, 2007


It won't surprise you that, according to Forrester, improving security is at the top of most enterprise IT to-do lists. It's been that way for a while now and, given the regular flow of news stories about corporations losing sensitive information, and the feds likely to pass a national data-leak disclosure law (read Patrick Mueller's Legal Brief column), it's likely to stay that way. But the calculus of what constitutes a reasonable approach to security is anything but consistent from one enterprise to the next.

As an example, consider the deployment of Wi-Fi in the enterprise. In his analysis of NWC's annual NAC survey, senior technology editor Andy Dornan finds that ensuring the conformance of Wi-Fi-connected clients is way down the priority list for those who've already deployed NAC. That stands in stark contrast to those who are still in the planning stages; they rate Wi-Fi client compliance among their top four priorities.

Why this disconnect? It seems if you're concerned enough about security to already be implementing NAC, you're also probably concerned enough not to implement wireless. It's just too risky. Not surprisingly, early NAC implementers are likely to be security-minded government agencies and those who deal with them, financial institutions, and very large corporations that stand to be hit hard if they run afoul of Sarbanes-Oxley.

Meanwhile, the heavily regulated health-care sector shows less interest in NAC, but has fully embraced wireless. One senior IT architect at Kaiser Permanente made it clear why at a recent NWC NAC forum. He has thousands of network-attached devices that can't be updated for any reason--at least not without going through expensive and time-consuming FDA recertification. That makes NAC less attractive, which in turn affects the way Kaiser architects its networks.

Network architecture is but one place where the security calculus reigns supreme. As the Web 2.0 wave hits the enterprise, Ajax programming is all the rage--that is, until you consider security. Contributing technology editor Jordan Wiens brings that point home in his Rolling Review kickoff of Ajax vulnerability scanners. Will the enterprise trade-off be security for snazzy Web-based GUIs? It'll depend on your security posture. If you aren't consciously making that calculation, you can bet you're lacking on the security side.

While it would seem that most everyone should have gotten the point, incidents like the huge and sustained data loss at TJX (parent company of Marshall's and T.J. Maxx) indicate that it bears repeating: Understanding your security needs is fundamental to everything you do. It doesn't mean security trumps all other considerations--that sort of thinking stifles innovation and lets more level-headed competitors gain the upper hand. But with every IT decision, if you aren't asking yourself early on, "How does this affect my security posture?" you're asking for headaches, monumental embarrassment and worse later on.

Art Wittmann is editor in chief of Network Computing. Write to him at [email protected].
