Anyone who says that there will be a new buying center created from the convergence of host security and network security has to put a nickel in the silly jar.

Tell users what is not allowed and be specific, and give examples.

A university student was criminally charged in this story for allegedly testing out the student access card system, and later emailing the personal information he found to the university and the students involved.  To his credit, the student didn’t go evil and sell the information.  The student was quoted as saying that he was doing this in the interests of students.

When the norms for acceptable use are vague or unclear, you get behavior proportionally straying form the center line in both directions.  Positive change is hindered, unacceptable behavior is winked at, and the really bad behavior can proceed under the cover of a wide gray line.  Being unclear lowers the trust in the IT security function.  On the other side, security going all medieval on what is well intended and non-dangerous behavior is also a problem.  Anomie is a $5 sociology word for the stress you feel when you don’t know what norms apply. 

Tell your users that freelance white hat penetration is not allowed, but only if you have a mechanism to report and react to suspected weaknesses.  Without the responsive element of the contract (and having it be more than lip service), it won’t work.  Instead of your enemy, make the tech-savvy users your neighborhood watch.

Be very specific across your acceptable use policy (AUP) about what is and isn’t good and bad, and challenge your company’s AUP if it is a placebo or has the weight of a set of encyclopedias.  Oh yeah – and don’t rely on policy alone.  Policy is the weakest lever, and you need technology and people with it to make security work.

During my advisory sessions with midsize CIOs today the topic of Web Security came up frequently.  Aside from the increased interest due to PCI requirements, web applications are the flavor-du-jour for attackers and companies are struggling with how to protect themselves.  Web applicatons are right now the weakest link, since Off the Shelf products have the backing of vulnerability management techniques such as vulnerability scanning and or the shielding of IPS.  But when it comes to your web applications your bad coding practice chickens are coming home to roost and are dropping SQL-injected eggs, and you are on your own. 

You have really only two choices – check your applications before deployment using a code scanner, or shield them post-deployment using a web application firewall.  I have a recent research note on the web application firewall products, which provides an overview of the major web application firewall vendors I have been tracking, as well as some explanations of some of the complex and confusing deployment and technical issues (including the 6 operating modes such as reverse proxy, out-of-band, etc.). 

“MSSPs provide an off-premise service for customer premise equipment (CPE),  whereas ITC is off-premise services for off-premise equipment”.  

This afternoon I spoke this with my colleague Kelly Kavanagh who is Gartner’s lead on MSSPs and security services.  Kelly said “That’s accurate — I would also add a third definition.  ITC requires bandwidth as an adjunct service, whereas remote service absent an adjunct fits the security as a service definition”.  He explains that you can’t buy ITC firewall without buying the network, because that’s were the firewall is. You can however buy anti-spam without buying network or anything else from that same vendor.

So our expanded definition is: MSSPs provide an off-premise service for CPE.  ITC is off-premise services for non-CPE.  If the ITC doesn’t come with the network, it is security-as-a-service.

The other piece of advice during the talk was that anyone looking for some quick investment cash should start a company advertising agentless-In-the-Cloud-virtualized-green-PCI-open-source-security-as-a-service.  I think I need to stop working on the Hype Cycle…

I have a new presentation I’m delivering on on Monday, “Network Security Best Practices for Midsize Enterprises”.  The rest of the time will be split between end user and vendor “one-on-ones”, and attending some of the board room sessions for companies I cover, being certain to bring along my virtual polygraph. 

The end-user one-on-ones at this event are very challenging and valuable.  Midsize companies don’t have a big IT staff, and many will have a very limited security budget/staff.  Their questions are challenging because they are usually not as narrow as the inquiries I get from enterprise clients, and the impact of their decisions can be high: they don’t have budget to spare.  The vendor one-one-ones are a good face-to-face opportunity to get an update from the companies I cover, but exclusively to how they service the midsize.

My colleague Adam Hils and I recently completed the first “MarketScope for Multifunction Firewalls for Small and Midsize Businesses”, so I am bringing some fresh research material and survey data to present.  

I’ll be blogging here from the event during the week.  If my travel plans through Chicago to Dallas survive a big mean guy named Ike.