The growing dependence of information technology in modern society has created new vulnerabilities. Breaches in information security can have grim consequences.
The spectrum of products and procedures aimed at providing information security is vast. One of the most common and useful technologies is encryption.
This report provides current information on encryption and other emerging technologies and trends driving the development of new information security products, applications, and markets.
Encryption provides a secure communication channel even when the underlying system and network infrastructure is not secure. This is important when data passes through shared systems or network segments where many people may have access to the information. In these situations, sensitive data and passwords should be encrypted in order to protect them from unintended disclosure or modification.
Many organisations have produced encryption products, which include software, services, servers, and consulting. The market segments vary from PC users, to financial institutions to military and government. Several approaches to encryption have been developed but there are substantial barriers to widespread deployment. For example, there are many different and incompatible encryption techniques available, and not all the software needed implements a common approach. Effective use of encryption requires vendors to agree on methods and standards. Two different cryptographic methods are being applied to computer security problems: private-key and public-key encryption.
The general public is concerned about access to private information. In many countries, there is already strong and public debate about both data security and secrecy. Many experts say that security concerns of the average home computer user are unfounded, although the public at large has not been very well informed to date. Improvements in security provided by public-key cryptography and other encryption systems are actually already providing much higher security than existed before, and public education will go a long way to addressing this issue.
Relatively weak encryption appears to have been used to protect files recovered from two computers believed to have belonged to Al-Qaeda operatives in Afghanistan. The files were found on a laptop and desktop computer bought by Wall Street Journal reporters from looters in Kabul a few days after it was captured by Northern Alliance forces on November 13. The files provide information about reconnaissance missions to Europe and the Middle East. A report in the UK’s Independent newspaper indicates that the encryption used to protect these files had been significantly weakened by US export restrictions that existed until last year. The files were reportedly stored using Microsoft’s Windows 2000 operating system and protected from unauthorised access using the Encrypting File System (EFS), which comes as standard on this platform. They were protected with a 40-bit Data Encryption Standard (DES), according to the Independent’s report.
This was the maximum strength encryption allowed for export by US law until March 2001. All systems are now sold with the standard 128-bit key encryption, exponentially stronger than 40-bit.
The computer-security market is rapidly coalescing around a few big players, including firewall leaders Check Point and NetScreen, and anti-virus company, Symantec. In this down economy, smaller companies that may have better technology, but less staying power are struggling to land clients. Often, it’s hard for them to attract big customers who need assurance that a supplier will be around to support its product.
Competition is strong among the big name vendors. Cisco Systems has gained ground on several key server rivals, such as Juniper Networks, during this tech spending downturn. Cisco has been a big player in firewalls, intrusion-detection systems (IDS), and virtual private networks (VPNs) that use encryption to secure remote connections to corporate computer systems.
A VPN is a means by which certain authorised individuals (such as remote employees) have secure access to an organisation’s intranet, by means of an extranet (a part of the internal network that is accessible via the Internet). VPN can be far less expensive than using actual private lines in a wide area network (WAN). VPNs can be strictly software, but most often they are hardware devices.
Customers would like to buy more than one security solution from a single company rather than piece together the products of several suppliers. Venture capitalists put $1.6 billion into 140 computer-security startups during 2000. That fell 38 percent to $990 million invested in 100 startups, during 2001. In 2002, some 60 startups received less than $500 million through the first three quarters.
In 2001, corporations spent on an average 3 per cent of their tech budgets on security. Many analysts are expecting this market to grow to $15 billion 2006 from what was $6 billion in 2001. Over the next 10 years, markets for firewalls and VPNs, both relatively mature products, should grow at rates above 10 per cent.
On the leading edge, in areas such as wireless security, competition is especially fierce. Startups that build security options for cell phones and wireless local area networks are competing with established players such as Check Point and General Dynamics for a market that is still more promise than a reality.
Faster growth is expected from advanced forms of protection, such as intrusion detection, and tools that protect specific applications on corporate networks and vulnerability-assessment software and services. An Intrusion Detection System (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. This trend should continue for the next few years as more companies add IDS to their existing security infrastructure and the technology becomes easier to use.
Vulnerability assessment involves engaging tech experts to check a corporate network’s security by probing and testing it. The market for this service was $500 million in 2002, with sales of automated diagnostic tools probably making up 10 per cent of the total. Annual vulnerability checks by humans can cost as much as $150 each. The same amount or less can buy multiple checks using automated systems.
Another growth area is protecting servers and desktop machines. Most companies, large and small, now use some form of perimeter firewall protection to protect their networks combined with antivirus software on mail servers and individual desktops. In fact, corporate antivirus software alone will be a $2.7 billion market by 2006, up from $1.2 billion in 2001.
From a security company’s viewpoint, antivirus protection is not enough. Desktop firewalls are mandatory for many companies, leading to big deals for suppliers such as San Francisco-area companies ZoneLabs and Sygate. Both these companies have gotten big venture financing in recent months—proof that investors believe the market is ripe for these products.
The wireless LAN (WLAN) industry is experiencing tremendous growth aided by lower pricing points and standardisation of the technology. Analysts believe that this growth will continue to accelerate, all the multi-billion dollar technology and telecommunications companies such as Microsoft, Intel, Dell, AT&T, and IBM, to name a few, enter the WLAN industry. These corporations bring their deep financial pockets and millions of consumers to the WLAN industry.