Network security services have long been the bread and butter for many security solution providers. Expect more of the same in 2010, as a few network security trends are poised to represent a significant revenue opportunity both for VARs specializing in network security and for solution providers who want to get into the network security services field.
The frequency of high-profile network security breaches in 2009 has renewed interest in network security services. In early 2009, an intrusion at payment processing firm Heartland Payment Systems Inc. exposed potentially millions of credit card numbers. Prior to that, the TJX Companies Inc. experienced a breach that has cost more than $250 million to date. The breach at Heartland exposed far more card numbers and will cost even more than the TJX breach.
These high-profile data breaches, caused by network intrusions, have highlighted a more urgent need for effective network security, and this in turn gives VARs, integrators and service providers a convincing argument when demonstrating the value of their network security services.
More specifically, the need to harden networks as they relate to three other key IT security issues -- securing healthcare data, ensuring PCI DSS compliance and managing virtual environments -- should represent top-level priorities and revenue opportunities for security solution providers in 2010. We'll discuss each one in more detail below.
Healthcare: Protecting private medical data
Network security services VARs, integrators and service providers with expertise in HIPAA will be presented with a broadened target market for their services in 2010.
HIPAA regulations requiring the protection of private data have been in place for several years, but the economic stimulus package passed in early 2009 added additional requirements. The Health Information Technology for Economic and Clinical Health (HITECH) Act calls for tighter security requirements, increased financial penalties for loss of private medical data and extended coverage of HIPAA regulations.
Prior to HITECH, HIPAA regulations applied directly only to covered entities such as hospitals, doctors' offices and health plans. Business associates of those covered entities -- any business, such as an accounting firm, that has access to individual medical records -- were bound only by the contractual terms between the covered entity and the associate. HITECH explicitly extends the regulations to those associates, meaning they are now subject to the same civil and criminal penalties for exposing data that previously applied only to directly covered entities.
This expanded group of companies now subject to HIPAA compliance mandates will need to enhance their network security and upgrade their internal procedures. VARs and solution providers with expertise in HIPAA and network security services will therefore be presented with additional opportunities to offer their services.
The move to electronic records is a major part of the effort to reduce medical costs. HITECH sets a goal of moving everyone in the United States to electronic medical records by 2014 and provides $19 billion over the next four years to facilitate the move. An earlier act reduces payments beginning in 2015 to Medicare providers not using electronic records, making it worthwhile for solution providers to take advantage of this opportunity as soon as possible.
Only the largest medical service providers will have the internal capability to implement electronic medical records, and few will have the in-house network security technology and know-how to securely manage all the new data. The result will likely be many new network security services opportunities for VARs and service providers with HIPAA expertise.
A good place to start in keeping up with the latest HIPAA/HITECH compliance efforts (and to hunt for business opportunities) is the HITECH-funded Office of the National Coordinator for Health Information Technology website. HITECH charges this organization with developing additional healthcare security standards. VARs, integrators and service providers should follow these developments closely to ensure that their clients remain up to date on current requirements.
PCI DSS opportunities
The limitations of the Payment Card Industry Data Security Standard (PCI DSS) were demonstrated in 2009 when credit card data was stolen from companies that had passed PCI assessments, such as Heartland and Hannaford Bros. Co. It is believed that the Heartland attack used SQL injection, a well-known attack method. It's also believed that the attackers tried out varying techniques against commonly used security products until they developed a method that was not detected.
As a result of the breaches, work to make PCI DSS more effective is ongoing. But until updated requirements and related guidance are released, solution providers can concentrate on working with their customers to tighten network security procedures, asking questions like:
- Are passwords changed frequently enough?
- Are employees writing passwords on note papers and sticking them to the front of their monitors?
- What is the policy on laptops?
- Are they taken from the building and do they contain unencrypted data?
- Can employees log in remotely, and if so, can they access critical data?
Additionally, access to critical data should be limited to employees who have a documented business need. Solution providers can help customers discover if access is restricted tightly enough or if additional employees have been permitted access. Customers also commonly need help documenting security policies and ensuring employees understand and follow them.
VARs and service providers must emphasize to their customers that passing the PCI DSS assessment only means the assessor found no problems at one point in time. Networks are constantly changing, so problems can easily be introduced that push the network out of compliance between assessments. Solution providers can respond by offering change management as a network security service to ensure vulnerabilities are not introduced as changes are made.
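To make the point-in-time limitation concrete, here is an added example (not code from the original article or from any vendor it mentions) of the kind of check a change management service can run between assessments: it compares a firewall ruleset captured at assessment time against the current ruleset and flags changes that widen exposure. The one-rule-per-line format and both sample rulesets are constructed for illustration and do not model any particular product.

```python
"""Configuration-drift check: baseline ruleset vs. current ruleset.

Added example, not from the original article. The rule format
('id action src dst port', one rule per line) and the two sample
rulesets are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR or "any"
    dst: str     # destination CIDR or "any"
    port: str    # destination port or "any"


# Constructed sample: ruleset as captured when the assessment was passed.
BASELINE_RULES = """
# id action src           dst          port
10 permit 10.1.0.0/16     10.2.0.5/32  443
20 permit 10.1.0.0/16     10.2.0.6/32  1433
30 deny   any             10.2.0.0/24  any
"""

# Constructed sample: ruleset as it looks some months later.
# Rule 20 now permits any source, rule 50 is a new any/any permit,
# and the catch-all deny (rule 30) has been removed.
CURRENT_RULES = """
10 permit 10.1.0.0/16     10.2.0.5/32  443
20 permit any             10.2.0.6/32  1433
40 permit 10.1.0.10/32    10.2.0.5/32  22
50 permit any             10.2.0.7/32  any
"""


def parse_ruleset(text: str) -> Dict[str, Rule]:
    """Parse rule lines into a dict keyed by rule id; blanks and '#' lines are skipped."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rid, action, src, dst, port = line.split()
        rules[rid] = Rule(action, src, dst, port)
    return rules


def widens_exposure(rule: Rule) -> bool:
    """Heuristic: a permit from any source or to any port deserves review."""
    return rule.action == "permit" and (rule.src == "any" or rule.port == "any")


def diff_rulesets(baseline: Dict[str, Rule], current: Dict[str, Rule]) -> Dict[str, List[str]]:
    """Return added/removed/changed rule ids plus the subset that needs review."""
    added = [rid for rid in current if rid not in baseline]
    removed = [rid for rid in baseline if rid not in current]
    changed = [rid for rid in current if rid in baseline and current[rid] != baseline[rid]]
    # New or modified permits that open things up, and any deny that disappeared.
    review = [rid for rid in added + changed if widens_exposure(current[rid])]
    review += [rid for rid in removed if baseline[rid].action == "deny"]
    return {"added": added, "removed": removed, "changed": changed, "review": review}


def drift_report() -> Dict[str, List[str]]:
    """Run the check over the constructed samples."""
    return diff_rulesets(parse_ruleset(BASELINE_RULES), parse_ruleset(CURRENT_RULES))


if __name__ == "__main__":
    for category, ids in drift_report().items():
        print(f"{category:8s}: {', '.join(ids) or '-'}")
```

Run as a script, the report lists rules 40 and 50 as added, 30 as removed, 20 as changed, and 50, 20 and 30 as needing review; rule 40 (a narrow permit) is reported but not flagged. A real service would pull the rulesets from the devices on a schedule and tie each flagged change to a change ticket, which is the documentation an assessor will ask for.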
Virtualization: The latest network security opportunity
Virtualization is quickly becoming a mainstream technology in companies in all vertical markets. Virtualization makes implementing and verifying security more complex and, therefore, more difficult. Virtual machines move from one piece of hardware to another as processing loads rise and fall. Applications and data that previously were confined to a specified server now move across the network, exposing critical data to an increased risk of a data breach.
It is not clear how many enterprise virtualization installations have modified security procedures to address this network security issue. Until relatively recently, security software specific to virtual environments has not been available. For VMware, the most widely used virtualization product, the situation is now changing.
Early in 2008, VMware Inc. announced VMsafe, a set of interfaces that VMware partners can use when developing security implementations that offer the ability to monitor operation of the virtualized environment at a more detailed level than previously possible.
Security products that include capabilities based on VMsafe are now entering the market. In November 2009, Trend Micro Inc. announced the availability of Deep Security 7, which uses VMsafe to protect VMware vSphere-based environments. IBM also recently announced a VMsafe-based product. With virtualization implementations on the rise and security an ongoing concern, opportunities to sell these products are increasing, so it's important to follow this market closely.
VARs and integrators supporting customers affected by HIPAA, PCI DSS and other compliance regulations will also need to follow developments in virtualization security since many of their clients will be moving to virtualized environments.
In general, the network security services issues for 2010 will continue to closely follow developments in all of these areas. Look for new opportunities, such as businesses now covered by HIPAA and businesses virtualizing their data centers. Stress the need to tighten and document procedures and to make sure they are followed.
About the author
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.