Security: A CTO's Crystal Ball

From virtualization to cloud computing, what today's trends tell us about the focus of security professionals next year.

by Gregory Shapiro

As we look back at 2009 and look ahead to 2010, there's no denying that plenty of change is in the air for IT professionals and corporations of all sizes. The security market was shaken in 2009 as our economy hit a significant downturn that prompted businesses to look more closely at alternative IT solutions. Those efforts have already impacted business decisions that will be made in the next year.

Taking a look back at 2009, a key trend we noticed was the continued growth of spam and malware, thanks to an ever growing bot infestation. Gone are the days of wreaking havoc or destroying data on victim computers. This year we learned that spammers have taken an even more aggressive aim at profiting from sending spam and spreading the bot population.

Due to harsh economic conditions, consolidation of business, functionality, products, data centers, and servers were on the rise. This consolidation included replacing point products with complete solutions in order to reduce infrastructure, increase functionality, and ease management costs.

We also noticed an increased use of virtualization to reap the benefits of greener data centers, resulting in easier management, faster deployment, and more control over services. Enterprises continue to drive the requirement for virtualization, as it's nearly at the top of every key IT initiatives list. The demand for virtualization continued to grow throughout 2009, with the demand so high that for applications not slated for migration to a virtual environment, enterprises are demanding vendors provide formal justification for why this is the case.

Also noted in a recent study conducted by Osterman Research and previously reported by Enterprise Systems, in two years, 38 percent of corporations will be served by a SaaS solution and 49 percent of e-mail servers are expected to run as virtual servers (see

Enterprises that have reached the migration phase of virtualization, or even in the planning phase, will be at a significant advantage over those that have not thought about this shift and will have a much higher chance for success in deployment of an e-mail solution in a virtualized environment.

Over the course of 2009, there was a shift towards cloud computing alleviating the need for expensive infrastructure, maintenance, and refreshes due to relatively short life cycles. However, at least for most of the year, there were limits as to what could be trusted in the cloud. Use of public cloud services requires a rethink of security policies as data is no longer protected within the corporate perimeter. This has lead to data leakage such as the distribution of Twitter's confidential documents.

Finally, over the past year, mobile computing has become commonplace, creating the need provide service anywhere and to secure devices outside of the corporate network.

Looking Ahead

What's next? Having a good sense of what lies ahead in security trends can help IT managers and enterprises figure out where to put their investments and energy.

Going into 2010, I anticipate server consolidation will continue through the use of blended virtualization and cloud computing, utilizing private clouds seamlessly combined with local virtualized servers. The added security of private clouds and management tools will make the use of cloud or local compute power relatively transparent.

Thanks to an ever-growing mobile infrastructure and increased use of cloud-based services, ubiquitous access to systems management and monitoring of both on-site and cloud-based services will be necessary to enhance IT effectiveness.

In an effort to fight bots and avoid reputation hijacking, ISPs will increase their efforts in egress filtering by scanning traffic exiting their network for viruses as well as spam. Combined with outbound SMTP restrictions, this will help limit the damage done by bots running on zombied machines. Likewise, as anti-spam engines become more effective, IT reduces user concern and uncertainty by differentiating spam from ham. By removing the fear of false positives, the need for spam quarantines will diminish. Even today, most users ignore their quarantines after the first or second month.

Social network messaging and instant messaging will continue to displace electronic mail for person-to-person conversations, but not inside of the enterprise, especially for information sharing or group discussions. Business-to-business and business-to-consumer message encryption use will grow as businesses struggle to ensure regulatory compliance and privacy.

Finally, in 2010 there will be an increase in demand for complete solutions over point products to solve the problems associated with messaging (e.g., spam, virus, DLP, compliance, governance, policy). This is especially important as the industry faces the dwindling availability of all-knowing system administrators and as IT departments are downsized. This will create a demand for products that are easier to manage and easier to use.

Gregory Shapiro is vice president, engineering and chief technology officer at Sendmail where he has held prominent roles in the engineering, information technology, and business development departments. Prior to Sendmail, Shapiro began his professional career as a systems administrator for Worcester Polytechnic Institute (WPI) after graduating from WPI with a degree in Computer Science in 1992. Shapiro is a FreeBSD committer, has served as program committee member for BSDCon 2002, and program chairman for BSDCon 2003. You can read his blog posts at

Must Read Articles