In-Depth

Five Security Chores for 2010

What kept security administrators awake nights this year, and where should they focus their attention next year?

by Geoff Webb

It's not surprising that security was at the forefront of enterprise IT discussions in 2009. With the economy taking a nose dive, companies scurried to reduce costs, often resulting in reduced resource allocation and fewer project kick-offs.

Hackers got smarter in 2009, and companies learned a painful lesson about the cost of complacency when it came to securing sensitive data. Despite some of the highly publicized attacks that occurred, 2009 did prove to be an interesting year: IT leaders challenged the status quo and began tackling larger issues.

As we reflect on the year, five trends I saw emerge come to mind.

1. Data breaches took the spotlight

With over 100 million credit card accounts compromised, Heartland Payment Systems, Inc.'s data breach will go down as the biggest of 2009 -- and as the largest breach ever involving payment data. Sadly, they weren't alone -- 2009 saw breach after breach announced, and the pain for the breached organizations grew more serious with each announcement. As data predator skills advanced, enterprises faced greater challenges in protecting their data, resulting in stricter regulations and policies involving the payment card industry (PCI). As a result of these breaches, PCI compliance standards faced tremendous scrutiny in 2009, and will likely continue to be under fire as we move into 2010.

2. Executives come under attack

With budgets cut regularly throughout 2009, metrics played a significant role this year. Everyone from the Sys Admin to the CEO was expected, at some level, to justify spending and clearly articulate the return on investment of all projects. This past year, IT focused on carefully calculating and preventing risks so that it could get the biggest bang for its budget buck. Although the recession is slowly coming to an end, correlating spending with returns will continue to be important next year.

3. PCI compliance debated

The data breaches that occurred in late 2008 and consumed much of 2009 led to a continuous debate regarding the validity of PCI compliance standards. Although Heartland Payment Systems, Inc. vowed that it met compliance standards, the debate heated up with experts across the board questioning whether PCI compliance standards were sufficient. It is now clearer than ever that PCI compliance is merely a baseline for security, and to be truly secure, companies must invest time and resources to fully understand how to protect their corporate data to ensure costly breaches don't impact their bottom line.

4. Virtualization causes headaches

Although no longer new, virtualization technology had security professionals reaching for aspirin in 2009. Questions about virtualization and security were ever-present throughout the year, but answers about how to best secure both virtual environments and the physical infrastructure that supports them were lacking. As IT organizations cautiously dipped their toes into the virtual pond, this very question is now gaining the attention it deserves. In the past, we may have witnessed several companies diving in head first, without much analysis, but that was not the case in 2009. Yes, people are testing the virtualization waters, but the good news is that they are asking questions, analyzing the situation, and evaluating the risk prior to getting involved.

5. Security meets SCAP

Although SCAP (Security Content Automation Protocol), a suite of open standards for such things as vulnerability enumeration, risk scoring, and information exchange, has been around for quite some time, 2009 saw significant interest in the approach of providing standard methods of identifying, quantifying and exchanging security information. Driven by the government's Federal Desktop Core Configuration standard (FDCC), SCAP has rapidly become the Fed's de facto integration standard for security, and it's clear that considerable interest has been growing in this approach outside of the Federal government, at the state level, and in highly regulated industries. Health Insurance Portability and Accountability Act (HIPAA) anyone?

The Challenges Ahead

As 2010 approaches, security will likely remain a top concern for IT organizations around the world, though the outlook for IT managers may be just as rocky as 2009. With new ways of conducting business in a tighter economy, security groups are more than likely to feel the effects firsthand.

That being said, five particular trends come to mind when looking to the future of this industry over the next year.

1. A growing need for greater visibility

More stakeholders than ever before are now asking security teams to provide far greater visibility into the true impact of organizational risk. There are more people within the business who now expect to see the results of the security team's efforts in a form that is easy to understand. This need for greater visibility is, therefore, driving a requirement for greater capabilities to measure business impact, risk, and exposure, and to present that information in an easy-to-consume form to operational teams, business managers, and the board of directors.

2. A renewed focus on database security

Large database management systems are the focus of renewed data security concerns. These databases often hold very large quantities of data, some of which is very sensitive, and yet require highly specialized database activity monitoring technologies to manage and audit access -- especially the activities of privileged users such as database administrators. Taking these kinds of technologies and integrating them with the other security tools in place will rise in importance in 2010.

3. More automation of security processes

Security organizations are always strapped for time and resources, and we are constantly looking for ways to ease that burden so we can focus on often-ignored tasks that could take security to the next level. IT process automation technology is still gaining traction in the market, though I fully expect to see more rapid adoption in 2010. By automating security processes, security groups will be much better equipped to achieve consistent policy compliance, deeper corporate data protection, and streamlined incident and event management.

4. Security and availability of critical data

We should expect security teams to continue focusing on the security of critical data and ensuring the availability of that data to support business operations. For example, protecting critical data such as customer information from being exposed by a breach has become the number-one priority for organizations and most certainly will not change. Government legislation, industry mandates, and corporate best practices all demand a data-centric and integrated security program. The real challenge for security teams in 2010 will be to determine the right way to take the existing investment in many security technologies and build defenses around very sensitive, and therefore highly valuable, data stores.

5. Centralization of security events and response

Centralizing information around security events and response is a trend that will continue simply because so many organizations have reached the level of maturity in their security processes that makes this centralization both possible and desirable. Centralizing security-event management provides organizations with the ability to deal with complex threats and detect and identify unmanaged changes. Such changes can weaken security controls or cause system outages that impact the business. With a single location where security events can be correlated and analyzed, security teams can spot attacks much sooner -- before significant damage is done.

A Final Word

Data security has become the defining goal of security and compliance teams. The visibility of breaches has reached the highest levels of the organization, and the desire to avoid costly and embarrassing data breaches has become something that everyone, from the CEO on down, now takes seriously. Attackers are increasingly sophisticated and the stakes are high, so the impact at every level of the organization is visible and growing.

Everything from awareness training to policies on mobile computing to greater scrutiny of user activity -- it's all driven by the need to keep sensitive data secure. Data is the lifeblood of global businesses, and organizations cannot afford costly breaches. Thus, for the foreseeable future, we will all have to adapt to a far more managed, policy-driven, and secure workplace.

Geoff Webb is a senior manager for product marketing at NetIQ and a regular contributor to the Security Webb blog (http://community.netiq.com/blogs/security_webb/). You can contact the author at geoff.webb@netiq.com.
