Scanners: Deployed Or Deplored?
The more your network is exposed to the public through Web access, the more critical the need for an automated means of finding security flaws. Fortunately, vulnerability and malware scanners continue to become more sophisticated, even as they are being subsumed into the NAC juggernaut, which we discuss in "Network Infrastructure," page 69. We're not ready to declare vulnerability scanners dead as a standalone product category, however--in fact, we expect to see their use grow and their maturity level improve in 2007. There are some places NAC systems just can't go.
Code scanners, on the other hand, have been around forever, and we seem to go through love-hate relationships with them. As we mentioned, we'll review these next year. For now, let's leave it at this: If a code scanner finds even one vulnerability, it was useful. But it's critical to remember that these tools are but one part of the overall security architecture, and the bad guys are not slowing down their attempts to find new attack vectors.
One take on this situation that we found very interesting is Blue Lane Technologies' eponymous security appliance, a passive scanner that watches the network and buys time in the patching arms race.
Who Are You Again?
As any old-school network guy will tell you, it's a losing proposition to manage individual users. Of course, you'll always have that manager who insists that everyone on her team needs different rights, and normal growth and change within the enterprise make group-level management problematic as well. Fortunately, in 2007, IdM (identity management) vendors are shifting focus from the individual to the group, and we expect to see sound solutions emerge that will help all of us manage a sane balance.
Both old and new companies, including Novell and Applied Identity, are driving the IdM market, with CA, Microsoft, Oracle, and Sun Microsystems sucking up smaller companies in order to add to their portfolios.
Ideally, we'd like a standard IdM schema that extends into the hardware infrastructure, so that we can maintain a single identity store. The problem arises with network device and appliance vendors that insist on managing valid users in proprietary ways. As you contemplate purchases, ensure you know the architecture of your name stores, how they relate and how IDs relate across them. This will streamline adoption of meta-group management products.
