In-Depth

Top Ten Security Trends for 2005

What's in store for information security

• By Mathew Schwartz
• 12/15/2004

What’s in store for information security in 2005? Expect a strong focus on application security, growth of such initiatives as the Liberty Alliance, allowing for easier cross-organization authentication and single sign-on, and maybe even new “lemon laws” to guard against the economic impact of poorly written software.

To divine top trends for 2005, Enterprise Systems turned to Cambridge, Mass.-based Forrester Research, as well as IT software and services giant Unisys Corp., based in Blue Bell, Penn.

Here are their top predictions for 2005:

1. Secure Coding Will Get More Attention

When it comes to application security, “the two most active areas of market attention in 2005 will be secure code—including vulnerability scanning—and secure Web services, with identity federation also gaining strength,” says Randy Heffner, a vice president at Forrester Research.

All the attention being paid to developing secure code is already a boon, since just having such discussions means developers are becoming “more attuned to the need to consider such issues.”

2. Identity Federation Use Will Increase

As Heffner notes, expect use of federated identity—allowing for shared authentication across enterprises and business partners, including widely distributed single sign-on—to grow. “Users will adopt federation as a key solution to the problem of increased threats within trusted networks,” says Patrick O’Kane, chief architect of Unisys’s identity and access management practice. In particular, an October 2004 survey from Unisys found 37 percent of enterprises expect to implement federated identity management in 2005.

Adoption should also increase following the pending release the OASIS Security Assertion Markup Language, version two (SAML 2), plus from continued Liberty Alliance momentum. That standards body has dominated federated identity management work, especially since Microsoft discontinued its Passport federation plan. “Microsoft and IBM had long refused to join Liberty, but customer pressure recently forced IBM to implement Liberty within Tivoli Access Manager and, more importantly, to join the Liberty Alliance,” notes Heffner.

Some large organizations have already implemented Liberty, including American Express, America Online, Ericsson, France Telecom, General Motors, Hewlett-Packard, Nokia, Orange, and SAP. “Liberty has delivered multiple versions of its standards, has been implemented in numerous products, and is now gaining strong market traction—including support from IBM,” says Heffner. (Although Microsoft dropped Passport, it’s still releasing parts of another federated identity specification, the Web Services Federation—or WS-Federation—which is a joint venture with IBM.)

3. Virtual Directories Will Drive Identity Projects

Identity management projects often choke when it comes to centralizing identity information stored on disparate systems. Enter virtual directory technologies, which more seamlessly integrate authentication and applications. “New virtual directory technologies are eliminating the need to physically move and integrate data,” reducing implementation time and costs, O’Kane. “I’m convinced that 2005 is the year in which enterprise users will fully understand those benefits and make virtual directories part of their security strategy.”

4. End-To-End Application Security Thinking Will Evolve

One trend-cum-recommendation from Heffner is companies “develop an explicit focus on unified application security architecture” if they haven’t already done so. That means focusing on end-to-end application security, including the people, processes, and procedures involved, as well as the technology, including access controls. Consider creating an “application security architect” role to help, he says.

5. Role-Based Access Controls Will Shake Out

One form of access control is role-based access control (RBAC), which grants privileges based on role, rather than unique identity. Such an approach can ease day-to-day identity administration. The problem, however, is defining the lowest useful common denominator for roles, then taking the time to implement them. “In a 40,000-person organization with multiple systems, for example, it could take up to 12 months to define roles,” says O’Kane. Still, he expects new technology to make RBAC easier, and to put the number of roles needed for an organization of that size at about 2,500. A recent Unisys survey found 32 percent of enterprises “were likely” to implement such technology in 2005.

6. Database Security Will Receive More Attention

Today, many organizations protect their networks but pay less attention to protecting the corporate crown jewels: databases. In 2005, “database security will continue to gain importance across the industry, especially for those storing private data, primarily driven by increased intrusions and growing regulatory requirements,” says Forrester senior analyst Noel Yuhanna.

To date, many institutions haven’t created a database-security plan. Expect that to change. Yuhanna also expects database vendors to offer better-integrated security to meet those needs, as well as continued growth of third-party add-ons.

7. Lemon Laws Will Be Pushed

Could operating system and Web browser-makers be liable for their code or liable for insecurities in databases leading to loss of sensitive information? “It’s likely that in 2005 we’ll see agitation for ‘lemon laws’ on security breaches involving application software. This will significantly alter the economic balance of power between the application software provider and the buyer,” says Sunil Misra, the chief security adviser for Unisys.

8. Business Partners Must Prove Their Network’s Security

A network is only as secure as its weakest link, and as interoperability with business partners increases (especially from Web Services growth), companies are eying their partners’ networks for security risks. What’s needed: “comprehensive policies agreed on with partners,” says Misra, plus such technological safeguards as proxy firewalls and federated identity management. “E-businesses using trusted networks must evolve quickly from ‘trust me’ to ‘prove it,’” he says.

9. Malware Effects Will Linger

Given the potential for ongoing, widespread damage from today’s viruses and worms, why doesn’t more malware target users’ information for damage or deletion? Possibly, it’s because attackers have an economic incentive for stealing information, not damaging it.

Even so, “possibly out of malice, but mostly for economic motives, some attackers will seek a lingering effect, versus a one-time catastrophe” from their malware, says Misra. “In 2005, we can expect the first worm or virus with a truly dangerous payload that alters or destroys information at the record level.”

10. Credit-Reporting Agencies Will Get Involved in Identity-Theft Prevention

One of the devastating results of identity theft is the ease attackers have applying purloined information to open false bank and brokerage accounts and obtain credit cards. Expect that to change, with reporting agencies implementing user-validation methods to stem losses from identity theft. This is an either-or scenario, says O’Kane. “If credit reporting agencies don’t become more involved [in] consumer education and other proactive steps, the government will step in and start to solve the problem for them.”

Related Articles:

Which Bugs Will Bite? Vulnerability Predictions for 2004
http://www.esj.com/security/article.aspx?EditorialsID=810

Report: Last Year Was Worst Ever for Viruses
http://www.esj.com/security/article.aspx?EditorialsID=811