In-Depth
How Mobile Cloud Will Make Security Priority #1
A look at how security is evolving around three key information technology developments.
By Andrew Wild, Chief Security Officer, Qualys
Several themes that started to emerge in 2010 have solidified into areas of significant focus for business and IT strategic planning during 2011 -- including cloud computing and the use of mobile devices. As with many such evolutionary processes, issues such as security were something of an afterthought when these new ideas first came on the scene. However, security is taking a more important role in enabling technology: it doesn't matter how groundbreaking or bleeding-edge a new computing paradigm is; if it opens the door for malicious users to get into your corporate network, its value to your business is less than zero.
Let's look at how security is evolving around three key information technology developments, and how security is playing such an increasingly important role that we expect security to become less of an afterthought -- evolving to become a key part in business agility and the ability to rapidly adopt new technologies.
2012 Prediction #1: Cloud computing will take mobile device (in)security to a whole new level
The proliferation of mobile devices, primarily smartphones and tablets, across corporate America over the course of the past year has been nothing short of stunning, and for IT professionals, particularly security professionals, nothing short of a nightmare. New platforms, new devices, and new form factors will continue to mushroom across the world. According to Ovum principal analyst Pauline Trotter, "The business smartphone market will see significant growth over the next five years, with shipments rising from 26.8 million at the end of this year to 54 million in 2016, a CAGR of 12.4 percent." Thanks to the growing ubiquity of cloud services, they'll be connecting to the Internet anywhere and everywhere -- and then connecting to corporate networks, bringing with them who knows what.
Of course, there are many benefits to workforce mobility for the business -- reduced overheads, greater productivity, and a lower-stress working environment among them. In 2012, businesses must put a solid mobile device management and security strategy in place. Mobile devices that are out of sight should never be out of mind -- because cybercriminals have already figured out that's a pretty easy door to break through into the corporate network. Security that's tethered to a desktop or a server won't be of much help against users clicking on an infected Web link with a device that stores all their corporate login credentials.
Fortunately, cloud services are maturing to the point where security can be reliably deployed and implemented to protect both the devices and the networks they're connecting to. In 2012, we will see an upsurge in location- and device-independent security so that, no matter what the device is or where it is, up-to-date security will be in place 24x7. We can also expect manufacturers to realize the value of security to users, and to build security features into the devices themselves as a competitive advantage for their products.
2012 Prediction #2: The Outsourcing of Information Security
Today's threat landscape is so complex and sophisticated that for many businesses, it's simply not cost-effective to attempt to manage security using internal resources alone. Cloud-based security takes the heavy lifting and complexity burden off the business and moves it to an infinitely scalable platform.
A recent survey from the Ponemon Institute found that organizations not only lack a handle on important aspects of cloud security, but are well aware of it. More than half of respondents to the survey (52 percent) rated their organization's overall management of cloud server security as fair (27 percent) or poor (25 percent). Another 21 percent didn't have any comment on their ability to secure their cloud servers. Another 42 percent expressed concern that they wouldn't know if their organizations' applications or data were compromised by an open port on a server in a cloud.
Traditionally, information security has focused on providing solutions to security challenges -- the reactive mode, if you like. Perimeter security -- firewalls, IDS/IPS, and the like -- forms the core of the reactive model; over the past several years, this model has expanded to include various forms of endpoint security, DLP, mobile device management, SIEM, and more. Unfortunately, reactive strategies in the face of today's dynamic and determined threat landscape are no longer enough -- and human beings remain the weakest link in the security chain.
To move forward, we need to first step back and remind ourselves that the fundamental purpose of information security, risk management, and governance is to align the objectives of IT with those of the business, to protect the company's assets, and to create a culture of information accountability.
In 2012, organizations will be far more diligent in their selection of third-party resources, and proactive security measures will form a significant part of technology-solution RFPs. A number of organizations have developed detailed questionnaires to determine not only the technical security controls deployed as part of a vendor's solutions, but also the maturity of the vendor's information security program. Organizations undergoing PCI and other compliance audits must qualify the security of their third-party solutions as well as their in-house practices, so it's in their best interests to review a vendor's disaster recovery, business continuity, security incident response, policy and procedure development, software development life cycle, and information security awareness programs.
Look for data protection mandates to start providing guidelines on content for vendor security questionnaires.
2012 Prediction #3: The myth of the Advanced Persistent Threat (APT) will be exploded
"Full of sound and fury, signifying nothing." Shakespeare could have been describing the security vendors that jumped on the APT bandwagon. InfoSec went through a phase early in its evolution when some vendors believed scare tactics would drive revenues. Fortunately we got over that, but now we seem to have traveled back in time to the FUD era again.
This year, APTs have been blamed for almost every headline data breach that the affected businesses claim caught them by surprise. It is my fervent hope that in 2012 organizations will regain their collective sense and realize that APT prevention is simply the latest silver bullet solution vendors want them to buy into. The reality is that most attacks categorized as APTs -- including RSA, Sony, Epsilon, and CitiBank -- were caused by human failings -- individuals getting fooled by a clever phishing attack.
If your organization wants to protect itself against APTs in 2012, you must:
- Design and implement a serious user education program. Make it a requirement for all members of staff, and revisit it regularly.
- Deploy patches and upgrades in a more timely fashion than you've done in the past. Unprotected vulnerabilities are an open door for hackers. Find a vulnerability management system that will do the heavy lifting for you.
- Seriously consider outsourcing at least some elements of your security infrastructure. Local configuration drift will have less effect on your exposure to vulnerabilities if security configurations and proactive protection are managed through the cloud.
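The second point above, timely patching backed by a vulnerability management system, is the one that lends itself to a concrete check. The script below is an added example and not the author's or Qualys's code: it takes a constructed inventory of open findings across desktops, cloud servers and mobile devices, applies an assumed per-severity patch window (`SLA_DAYS`, hypothetical policy values), and reports which findings are past their window, worst first, plus a count per asset type. All asset names, finding identifiers and dates are constructed placeholders, not real CVEs or hosts.

```python
"""Patch-SLA triage over a constructed vulnerability inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed patch windows in days, by severity (hypothetical policy values,
# not from the article). Dict order doubles as severity ranking.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_type: str            # "desktop", "cloud-server" or "mobile"
    vuln_id: str               # placeholder identifier, not a real CVE
    severity: str              # key of SLA_DAYS
    first_seen: date           # date the scanner first reported it
    patched_on: Optional[date] = None


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA deadline. Zero if patched; negative if still within window."""
    if f.patched_on is not None:
        return 0
    deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
    return (today - deadline).days


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings past their window, ordered by severity then by how late they are."""
    rank = {sev: i for i, sev in enumerate(SLA_DAYS)}  # critical=0 ... low=3
    late = [f for f in findings if days_overdue(f, today) > 0]
    return sorted(late, key=lambda f: (rank[f.severity], -days_overdue(f, today)))


def summary_by_asset_type(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count overdue findings per asset type, so mobile and cloud hosts are not lost in the noise."""
    counts: Dict[str, int] = {}
    for f in overdue_findings(findings, today):
        counts[f.asset_type] = counts.get(f.asset_type, 0) + 1
    return counts


# Constructed sample inventory; every value here is made up for the example.
SAMPLE = [
    Finding("lt-0042", "desktop", "VULN-0001", "critical", date(2011, 11, 1)),
    Finding("web-prod-3", "cloud-server", "VULN-0002", "high", date(2011, 10, 1)),
    Finding("web-prod-3", "cloud-server", "VULN-0003", "critical", date(2011, 11, 20)),
    Finding("phone-ceo", "mobile", "VULN-0004", "high", date(2011, 9, 1),
            patched_on=date(2011, 9, 10)),
    Finding("phone-sales-7", "mobile", "VULN-0005", "medium", date(2011, 6, 1)),
    Finding("lt-0099", "desktop", "VULN-0006", "low", date(2011, 11, 25)),
]
TODAY = date(2011, 12, 1)  # constructed "as of" date for the report


if __name__ == "__main__":
    for f in overdue_findings(SAMPLE, TODAY):
        print(f"{f.severity:8} {f.asset:14} {f.vuln_id}  {days_overdue(f, TODAY):>3} days overdue")
    print("overdue by asset type:", summary_by_asset_type(SAMPLE, TODAY))
```

In practice the `SAMPLE` list would be replaced by an export from whatever scanner the organization uses; the useful part is the ordering rule, which surfaces an overdue critical on a cloud web server ahead of a much older medium on a phone while still keeping the phone in the per-type summary.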
In an ideal world, much of the above would become part of compliance requirements (especially the user education part), and APT will go the way of many other TLAs before it and never be heard of again.
We can all live in hope -- just remember that hope is not a security strategy.
Andrew Wild is chief security officer at Qualys, where he oversees the security, risk management and compliance of its enterprise and SaaS environments. Prior to joining Qualys, he managed a team of information security engineers responsible for the design, implementation and operation of security solutions for EMC's SaaS offerings, with heavy emphasis on cloud and virtualization technologies. Andrew has a master's degree in electrical engineering from George Washington University and a bachelor's degree in electrical engineering from the United States Military Academy. He is a veteran of the United States Army and served in Operations Desert Shield and Desert Storm. You can contact the author at [email protected]