In-Depth
IT Security: 2012 in Review, Predictions for 2013
The top trends security administrators dealt with in 2012 and what's ahead in 2013.
By Reuven Harrison
As CTO of Tufin Technologies, a network security company, I've designed security products that were developed either in response to, or in anticipation of, major shifts in enterprise computing. One lesson I have learned over the years is that network security does not occur in a vacuum; it is inextricably linked to other developments in IT security and enterprise computing as a whole.
As a result, innovation in one area of IT may have unintended or unforeseen consequences. For example: in 2002, the Sarbanes-Oxley Act thrust much of the burden of compliance and on the IT security group. However, as one of the first IT-oriented regulations, it accelerated the rise of the CSO/CISO position, which elevated the function and importance of the IT security group, and ultimately changed the perception of IT security from an operational sinkhole to a business enabler.
Although those sorts of "ripple effects" make it difficult to anticipate the full impact of any particular trend, I'd like to share some observations on significant events that occurred this year and what I see as driving IT agendas in 2013.
Top 3 Trends of 2012
2012 Trend #1: Cyberwars became a reality
Both hackers and movie storylines have been telling us for years that the cyberspace is a dimension of vast potential, for both good and bad. This year, we have seen some serious cyberwars in the headlines and now we know it's for real. Perhaps the most significant indication that this reality turned a corner in 2012 was Stuxnet, widely reported in June 2012 to have destroyed 1,000 centrifuges that Iran was using to enrich uranium after taking over the computerized systems that operated the centrifuges. It opened people's eyes to the fact that a cyber event can actually result in physical damage. In October 2012, the U.S. government accused Iran of retaliating by launching distributed denial-of-service (DDoS) attacks against U.S. financial institutions.
These events have caused nations and organizations to reconsider their security strategies. They are increasing their investment to both defend themselves and improve their cyber-ammunition. Countries all over the world are dedicating significant government resources to protect their critical infrastructure, and the IT security industry is closely engaged, developing technologies specifically designed for cyberwarfare. As unfortunate as the reality of cyber war is, preparing for it will continue to be a wellspring of innovation.
2012 Trend #2: Next-generation firewalls were established as the industry standard
Because network firewalls are not able to differentiate various forms of modern Internet applications (mostly running over HTTP on port 80), their relevance was beginning to be called into question. However, next generation firewalls (NGFWs) provide the ability to set access policies based on users and applications, thereby reestablishing the firewall as a fundamental security device. While application-aware firewalls have been around for some time, Palo Alto Networks' investment in innovation and market education has resulted in widespread adoption of commercial grade NGFWs. By the end of 2012, most large enterprises will have adopted this technology to varying extents, or at least plan to.
This year, the strategic value of NGFWs was highlighted in Gartner's 2012 Firewall Magic Quadrant, and several firewall vendors including Check Point, and Cisco launched their own NGFWs. However, because many organizations have yet to fully utilize the application awareness component of NGFWs, it is hard to foresee their true impact. That said, there is no doubt that they have revitalized the firewall industry and will continue to do so as firewalls are used to their full capacity. NGFWs could potentially displace the need for other types of solutions, or accelerate the convergence of network security and application management across other fronts.
2012 Trend #3: PCI DSS was established as the primary regulatory standard for IT security
Eight years after it was first introduced, the Payment Card Industry Data Security Standard (PCI DSS) has gained the respect of security professionals. In contrast to other standards, which require companies meet a certain objective with no explanation or guidance on how to reach compliance, PCI DSS is prescriptive. It outlines specific IT security controls and processes about how to manage and secure credit card data. It strikes a good balance between technology, business processes and implementation practices and is maintained and updated regularly.
Although it is far from perfect, it does ensure that organizations subject to it adhere to a set of industry standard best practices. To its credit, the PCI Security Standards Council has established a thriving ecosystem that gives enterprises and auditors access to solutions and service providers that can be used to implement the standard. Although "compliant" and "secure" are still far from synonymous, PCI DSS has created more common ground between the two than any other external mandate to date.
What Should We Expect in 2013?
2013 Prediction #1: The primary role of IT will become service delivery
Corporate IT is becoming less focused on being an infrastructure provider (and maintainer) and more focused on service delivery. This is in great part because applications have, over time, become the lifeblood of the modern enterprise. How could a hospital function if doctors could not access patient records? How long could a brokerage last if its customers could not access its e-trading application? Just imagine if your company's payroll application crashed and you couldn't get paid! It is this kind of dependence on applications that departments to restructure their focus and processes around application delivery.
One obvious example of this is the rise of Web-based applications and cloud-based, "as-a-service" business models. Although cloud computing has changed how and what enterprises outsource, in 2013 we will see the ripple effect hit internal IT organizations. Enterprises will see new departments form such as application operations and application development. Change processes will need to span across departments including application development, IT operations, and network security. To become more agile and responsive, enterprises will need to improve communications between the various groups within IT and will likely rely on process automation and other technology-driven solutions to expedite this shift.
2013 Prediction #2: IPv6 rollout will accelerate
With the world quickly depleting what is left of the four billion IPv4 Internet addresses in existence, efforts to transition to IPv6 have increased. Moving to IPv6 is a gargantuan effort -- it requires massive infrastructure modifications, constant testing, and a level of industry-wide cooperation, coordination, and partnership that has never occurred before. The transition itself is a highly technical endeavor, but the vision behind IPv6 matches the effort it will require to get there.
Commonly referred to as an "Internet of things," IPv6 adoption (and the 340 billion IP addresses it brings) promises a world where every physical object is hooked up to the Internet and able to communicate with every other object. Running out of milk? No problem, your fridge will order it for you online.
Getting there is no easy task. The transition is still slower than expected but it is accelerating. In 2013, we will witness the formation of "IPv6 islands" within larger IPv4 networks. These pure IPv6 subnets will help the industry to mature. More vendors will support IPv6 and network engineers will gain knowledge about architecture, routing, and security. Human and financial resources will be dedicated to moving IPv6 forward. It will be a year of significant experimentation and learning. We are unlikely to see the "Internet of things" manifest itself in a dramatic way, but the infrastructure upgrades required to make that happen will evolve significantly.
2013 Prediction #3: Firewalls will become embedded into network infrastructure
The IT security market is booming. Canalys Research estimated the market at $22 billion in 2012, growing by 8.7 percent each year. As a result, many technology vendors want to expand into security. For network infrastructure providers, the firewall becomes an obvious point of entry. Although the enterprise firewall market became saturated long ago, new firewalls still keep popping up, as do unified threat management systems (UTMs), and as previously mentioned, all the incumbent firewall vendors have developed their own NGFWs.
In 2013, this trend will accelerate. We will see companies from various domains introduce their own firewall, each with enough appeal to support a certain degree of adoption. Enterprises will find themselves with an increased set of management challenges, as they will now have 4-5 firewall flavors rather than the 1-3 they have today. Organizations must streamline the unavoidable spike in complexity and leverage the expanded set of infrastructure offerings in order "future-proof" their networks in terms of cyber attacks, compliance, IPv6, and application delivery, for starters.
Innovations and progress made in upgrading infrastructure, architecture, and design -- the enterprise and Internet plumbing, so to speak -- will drive major shifts within and outside the realm of IT security. Security professionals who can correctly anticipate the impact of sweeping trends will find themselves better equipped to deal with changes to their job function or duties and will be in a much stronger position to proactively navigate their careers.
Reuven Harrison, co-founded Tufin Technologies in 2004 and served a vital role as CTO during the company's fast-paced growth as a worldwide provider of solutions that enable IT administrators to effectively audit, monitor, and optimize ever-growing firewall policies. Responsible for the innovation within Tufin's products, Reuven leads the company's products team, managing all product architecture while ensuring seamless integration with all leading firewall vendors. Reuven brings more than 20 years of software development experience, holding senior developer positions at Check Point Software, as well other key positions at Capsule Technologies and ECS. He received a Bachelors degree in Mathematics and Philosophy from Tel Aviv University. You can contact the author at reuven@tufin.com
or @reuvenharrison on Twitter.