Security dominates 2008 IT agenda

This year could see the first serious VoIP exploit, among many other threats

Will 2008 see the first serious security exploit in corporate VoIP networks? Or will network security breakdowns cast a pall on the upcoming presidential elections and Olympic games? Will users' Web 2.0 forays open the malware floodgates?

Experts say security concerns will dominate the network landscape in 2008 whether we like it or not. But it won't be all gloom and doom. Faster wireless LANs are on the way, enterprise-class open-source applications are multiplying and Google Inc. is continuing to muscle its way into new markets -- raising the bar for competitors along the way.

Here are some of the highlights of what corporate IT teams can expect in the new year.

Malware of Olympic proportions

Two high-profile events -- the 2008 Olympics in China and the U.S. presidential elections -- will trigger a stream of exploits, security experts warn.

Olympics-related Web sites and networks are potential places to infect people, says Dan Hubbard, vice president of security research at Websense Inc. "The 2008 Olympics will be used as a lure for fraud, too. Massive amounts on an international scale," Hubbard says.

Also on tap for 2008 are Storm-like botnets with decentralized command-and-control structures that make them much tougher to shut down, says Craig Schmugar, researcher at McAfee Inc.

"Storm is a trend setter," Schmugar says of the infamous botnet that traces back to a network attack launched one year ago. "A lot of the spam we see is coming across Storm-compromised machines."

McAfee is also expecting a wave of malware parasitics, which look for specific files and embed themselves. To combat infection by parasitics, "you have to isolate the parasitic code within the host code," Schmugar notes. "If it overwrites the good code, you may never get it back."

VoIP not a target ... for now

One security threat that may not materialize in 2008 is exploits against VoIP systems.

It's not that the danger isn't real -- it is. VoIP is susceptible to the many exploits that networks in general are heir to, including denial-of-service attacks and buffer overflows. In addition, there are many voice-specific attacks and threats. For instance, two protocols widely used in VoIP -- H.323 and IAX -- have been shown to be vulnerable to sniffing during authentication, which can reveal passwords that can later be used to compromise a voice network. Implementations of SIP, an alternative VoIP protocol, can leave VoIP networks open to unauthorized transport of data.

Still, there have been few exploits so far and none that were widespread or crippling to businesses. "We are not hearing about attacks. We don't think they are happening," says Lawrence Orans, an analyst at Gartner Inc.

Part of the reason may be that the largest VoIP vendors use proprietary protocols, such as Cisco Systems Inc.'s Skinny, Nortel's Unistim and Avaya Inc.'s variant of H.323, Orans says. That makes them difficult to obtain and study for potential security cracks. "These systems are not readily available to the bad guys," he says.

The bad news is that some experts don't expect the lack of attention from attackers to last.

"VoIP is, in essence, a time bomb, poised for a massive exploit," says Paul Simmonds, a member of the management board of the Jericho Forum, a user group promoting new principles for secure networking.

Waiting for 11n

On the wireless front, the buzz is all about 802.11n. Corporations eager for the next generation of WLAN technology are so enthralled with the promise of 802.11n they're not waiting for the standard to be finalized to plan deployments. Some companies are seriously weighing the use of products based on the Draft 2 IEEE 802.11n standard, which promises data rates of 300Mbit/sec. and throughput of 150Mbit/sec. to 180Mbit/sec.

The contrast with conventional WLAN gear -- with a maximum data rate of 54Mbit/sec. and throughput of less than half that -- is so dramatic that at least some corporations are willing to pay a premium for 11n gear, and adopt a not-quite-standard technology on the assumption that any changes in the 11n standard can be dealt with via software updates.

Just as important as greater throughput is greater reliability and consistency in connectivity and performance, partly because of 11n's multiple antenna technology called multiple-input, multiple-output (MIMO). For the first time, 11n makes feasible the idea of relying on the WLAN as the primary means of network access.

Still, there are plenty of issues early adopters must surmount. The adoption of 11n will, in a few cases, force companies to beef up their edge switches to support Gigabit Ethernet. To get the full benefit of 11n capacity, they may have to upgrade existing power-over-Ethernet infrastructures to the new 802.3at standard, which barely entered the market at the close of 2007. In addition, WLAN management software from some vendors may be lagging behind the hardware rollouts, a troubling shortcoming at least in the short term.

Data center dilemmas

In the data center, the challenge for users who championed virtualization and green computing in 2007 is delivering the benefits they promised -- something industry watchers say will be no small feat.

As projects move beyond the planning phase in 2008 into broader deployment, data center managers will need to evaluate how they're going to manage and support the new technologies without overhauling their entire infrastructure.

"Virtualization and green computing will flip-flop for a while, because they represent challenges beyond what they are said to do," says Robert Whiteley, an analyst at Forrester Research Inc. "We will see a bit of a virtualization hangover at first because while a lot of people have embraced the technology and seen some success on x86 servers, virtualization forces IT to look differently at managing an environment. And the greening of IT, that is going to be a challenge because a lot of companies don't have a full grasp on what it is yet."

For starters, virtual server management technology will become more critical as data center managers for the first time "face islands of hypervisors within their IT shops," which will have to be managed as a cohesive whole to truly cash in on the benefits of the technology, says Forrester analyst James Staten.

"The market is going to see the need for a heterogeneous virtualization management platform that we haven't seen up until this point," Staten says.

On the green front, industry watchers say that working toward a more efficient computing environment isn't going to be easy for most data center managers because of technical, political and other reasons outside the control of IT.

"IT needs to start understanding more about data center facilities and find ways to design data centers to eat up less power," says Zeus Kerravala, an analyst at the Yankee Group Research Inc.

Forrester's Staten says in 2008 data center managers will be tasked with "energy auditing," which involves understanding the entire power path from the utility to the CPU. While vendors will paint such efforts as green computing, companies are more interested in cutting costs.

"Being green is not the main driver for trying to conserve power. It's a cost-driven measure for IT," Staten says.

Open-source acceptance

Another cost-driven trend is open-source adoption. Many believe users' uncertainty about open source will shrink so much that their questions around it will evaporate in 2008.

"For me, the big story of open source in the enterprise is that it's becoming a nonstory," says Barry Crist, CEO of Centeris, which makes software to integrate user authentication services between Windows, Linux, Unix and Mac. "There was so much hand-wringing, but what I am seeing at the corporate level is this has become uninteresting to them. They are comfortable with the mix between commercial and open source."

Meanwhile, developments with power management, virtualization, mobile devices and data centers will drive open source and Linux in 2008.

The Linux kernel is getting updates to address the power management issue, for example, including the Tickless Kernel Project, which gives the operating system the ability to go to sleep for several hundreds of milliseconds and wake up only when there is something it needs to do. Those sorts of features will likely open 2008 opportunities for Linux and open source within mobile and embedded devices, where power management is a requirement.

In addition, the Linux Standard Base, a certification program that ensures applications can be written once and run on many Linux distributions, is undergoing updates at the Linux Foundation.

"These trends are going to create more applications for Linux and start to create a fly-wheel effect where lots of applications beget more users which beget more applications," says Jim Zemlin, CEO of the Linux Foundation.

Web 2.0: Poised for corporate role

Still trying to earn corporate acceptance are Web 2.0 technologies such as blogs, RSS feeds and wikis, which will take on an increasingly important corporate role in 2008.

"If I look at the Web 2.0 space in the enterprise, I see a lot of experimentation right now, and a lot of frustration," says Forrester analyst Oliver Young. "Are enterprises ready to deliver on the value the businesses are asking for? Probably not yet. But I think in 2008 they're going to get much closer."

Wikis will probably have the biggest positive impact, says Paul Gillin, a writer and commentator on the tech industry and former executive editor of Network World sister publication Computerworld.

"If you have a large number of people who have to share information, e-mail is a horrible way to do that," Gillin says.

With a wiki, you can set up a blank page workspace, and leave it up to users to decide who is involved, what the tasks are and how the work will be organized, Young says. It's a lot more efficient than overflowing e-mail in-boxes with mass e-mails.

But Web 2.0 technologies such as wikis and RSS feeds also have their challenges.

"The challenges are getting people to use it," Gillin says. In addition, it can be hard to get funding for Web 2.0 projects, because some management teams aren't convinced the new tools deliver real business value, Young says.

Security is also a potential problem. "Web 2.0 can make it easier for employees to share data, and in doing so make it easier for employees to abuse data," Young says. "The best way companies are starting to approach this is through strong permissioning, compliance and archiving," as well as education to make sure employees know what constitutes acceptable sharing of data.

Life in the trenches

Amid the storm of new technologies and security challenges, IT staff will have to make do with budgets that aren't growing as much as they did in 2007.

Worldwide spending growth will be moderate, at 5.5% to 6% in 2008, down from 6.9% growth in 2007, IDC says.

Economic uncertainties will take a toll in the U.S., in particular, where IT spending growth is expected to drop from 6.6% this year to 3% to 4% in 2008, IDC reports.

On the hiring front, the most sought-after candidates will be the IT hybrids -- which can be loosely defined as professionals who have as much business acumen as technical know-how.

"Hybrid jobs require IT professionals to sit down at a business meeting and be able to predict and deliver the technology the business will need to meet its goals and go about implementing it," says David Foote, CEO and chief research officer at Foote Partners LLC. "The premise of IT-business hybrid roles started at the CIO level. In 2008, you will see it as far down as the $60,000 per year operations people."

This story, "Security dominates 2008 IT agenda" was originally published by Network World.

Copyright © 2008 IDG Communications, Inc.
