In-Depth
Security Trends in 2010
Security will continue to be a hot-button issue this year. Here’s how to protect your business-critical information.
by Robert Grapes
Although many predict the economic recovery will be slow and long, initial signs of improvement have us all wondering what 2010 will look like for companies and people in IT. Already, the malaise and pessimism of 2009 is being replaced with a general sense of guarded optimism. Recent trade events are more upbeat, well attended and forward-looking than those same events the previous year. New M&A activity is providing companies with greater multiples than were possible just a year ago. Media articles are re-shifting focus to spotlight technology advances rather than merely providing a forecast of the companies producing them.
Although still not reaching the level prior to the downturn, 2010 is shaping up to be a more positive and promising year for budgets and IT employees. As such, security will remain a hot-button issue and an area of increased focus for all companies that need to protect their proprietary, business-critical information.
The Rise of Checkmark Security
As the pressure to put more services and information online increases, government agencies will be challenged to create and implement standardized regulations to help safeguard data. With various audit requirements already in place (such as FISMA, PCI DSS, HIPAA and SOX), 2010 will see an increased trend towards checkmark security – companies working hard to meet the specific demands and requirements of audit checklists in order to avoid costly fines.
Although it is difficult to complain about any increased security initiative, this particular trend could cause organizations to focus too much on meeting standard audit requirements, leading them to ignore other areas of security that could leave their organization vulnerable. Companies will still have to contend with limited budgets and resources, so it is imperative that they continue to implement security fundamentals while ensuring compliance requirements are met.
Securing a Virtualized World
The trend toward operating in a virtual environment will be led by business benefits and raise many new security and management challenges this year. If implementation tactics are not thought through and potential new exploits not considered, virtualization could become a technology lever that an attacker can easily abuse. Incidents such as thefts, replay attacks, and unauthorized access by the virtual machine (VM) administrators themselves will find their spot in the news.
To mitigate these incidents, organizations will need to thoroughly plan virtualization efforts and place significant emphasis on securing the infrastructure. Ultimately, advances in security technologies will afford the opportunity to automate many of the activities associated with deploying a virtual infrastructure and the applications that operate within it. Implementing the appropriate security controls in a virtual environment must account for the dynamic nature of virtual machines themselves while simultaneously overcompensating for the barrage of novel exploits that are sure to follow the new technology platform.
Increased Shift toward Cloud Computing
Cloud computing is reshaping our understanding of IT infrastructure. Elastic computing provides a compelling business model that helps drive the adoption for cloud-based application deployment. However, IT executives running and maintaining these systems in 2010 will quickly learn that this shift can eliminate all the fundamental infrastructure controls that have been in place within their own data centers.
As cloud computing capabilities, services, and offerings expand and become more robust, the popular platform will also become a favorite target for rouge attackers. Cloud providers and cloud-based applications will be tested with typical assaults that have consistently played out in the media, but they will also start to face more sophisticated attacks that threaten the data in use, opening the door for a serious breach.
More than ever, organizations will need to intensively monitor and manage access to critical information assets in all facets of the organization, employing proactive warning systems to circumvent critical incidents and limit exposure to credentials and vital information that lives in the cloud.
Managing Identity
Identity Management will continue to be a significant IT initiative in 2010, as the hard times of 2009 illuminated the need for tighter security controls over access to devices, systems, applications, and data. Many solutions exist to help end users maintain their identities and passwords across systems. To best protect proprietary information, companies need to identify and understand the different types of privileged accounts they employ so they can implement the best security solution(s) to meet their needs.
Identity solutions will move further towards application-centric identity from the suite providers while maintaining efforts for open, interoperable solutions. Similarly, role management will move towards providing a single authoritative source of role information across the network, rather than for each application.
Smartphone Advances
The surge in smartphone dependence has increased at an enormous rate. Heavily relied upon for many business and personal uses, it is only a matter of time before smartphones create weak points for business applications as they are targeted by attackers going after Java and Browser implementations. The rise of innovative and varied attacks is inevitable, as smartphones are just as likely to become a zombie device in a dedicated-denial-of-service (DDOS) attack or infused with a malicious code that siphons data or performs keylogging. This year we’ll likely see reports of the first examples of sophisticated phone-based attacks, and as a result of specific breaches, a precedent will be set for corporations placing tighter restrictions and controls on the type and usage of smartphones with corporate applications.
Although IT has been constrained over the past few years due to the economic environment, 2010 appears to be the turn at the bottom of the curve, with budgets slightly increasing rather than declining. However, IT groups will need to remain frugal and diligent in their 2010 spending and stick to the fundamentals when it comes to security and business operations. If companies can meet this challenge, we should expect 2011 to be a larger budget year than 2010. Then we can truly expand our efforts and reclaim some of the project initiatives we were pursuing before the downturn.
Robert Grapes is chief technologist at privileged account management solutions provider Cloakware. You can contact the author at robert.grapes@cloakware.com.