Perspective: 10 things to know about info security in '07

As I write this column, it is a balmy 55 degrees here in the Boston area--hardly the type of weather that drives New Englanders to start planning for the new year.

Nevertheless, the holidays have come and gone and it is thus time to take a stab at forecasting what to expect in information security over the next 12 months.

1. More privacy legislation
Now that the midterm elections are behind us, the folks in Washington will take a break from spending our money and focus on protecting our money. Democrats like Sens. Chuck Schumer of New York and Dianne Feinstein of California love this issue anyway and it makes good press--who wouldn't be in favor of cyber-protection for their constituencies? Look for a lot of grandstanding early in the year followed by the passing of a new data privacy bill sometime in the fall.

2. Data governance
Total data capacity continues to grow around 50 percent annually, but few companies do a good job at classifying data, tracking its movement or monitoring/enforcing privacy policies. This is the most obvious reason why there are so many data breaches so often--no one has any idea of what is stored where. Rather than address this with tactical point tools, look for large organizations to get serious about data governance this year. This will drive lots of large professional services work and further industry consolidation as the EMCs, IBMs and Symantecs of the world scoop up specialists like Liquid Machines, Vericept and Reconnex.

By 2008, many security professionals will stop their incessant bad-mouthing of Microsoft.

3. IT risk management
As security becomes less tactical and gains a business/enterprise orientation, information security will morph into an evolving category called IT risk. More firms will create chief IT risk officer positions who manage system availability, performance management, disaster recovery, backup/restore, information security and IT's contribution to regulatory/industry compliance. Look for more adoption of IT governance models like ITIL/ITSM, CoBiT and NIST-800 series to dovetail from the IT risk management trend.

4. Secure software development
By the end of 2007, many enterprises will mandate that their independent software vendors and outsourcers have formal demonstrable processes for software development, similar to Microsoft's Security Development Lifecycle (SDL). Reactive software vendors will scramble to establish these processes while professional services organizations like Symantec (@Stake) that focus in this area will suddenly have more work than they could have ever imagined.

5. Encryption everywhere
PCI and new privacy regulation will act as the hammer, but there will be more and more encryption solutions coming from the industry. New databases have row level encryption baked in as do disk and tape drives from vendors like Seagate, IBM and Sun. Windows Vista BitLocker will also drive mass encryption deployment as it gains momentum throughout the year. By 2008, encrypting data won't be as big a deal. Alternatively, encryption key and policy management will become a huge issue overnight.

6. Network reconstruction
Network upgrades are ongoing, but the Y2K-like IPv6 upgrade process will take off in 2007 driving major network overhauls. Next-generation networking equipment will include security features like access controls, application-layer filtering and multilayered encryption in its design point. So expect vendors like Enterasys Networks, Extreme Networks, Hewlett-Packard and Juniper Networks to try to trump Cisco Systems by flexing more and more security muscle.

7. Security management
While growing, this is an extremely immature market as evidenced by the fact that a VC-backed start-up like ArcSight is still the market leader. The tables will turn in this year as Cisco, EMC, IBM, Novell and others look to leverage their recent acquisitions. Look for the big guys to bolster professional services in this area and add network behavior anomaly players like Mazu Networks and Q1 Labs to round out their portfolios. By the end of the decade, security management will slowly and quietly become a component of network operations.

8. Fire sales and failures
In 2007, VC-backed companies like ArcSight, Fortinet and Webroot Software have their backs to the wall. Each has done relatively well in the market, but these guys raised tons of money and there is not a profitable exit strategy in sight. For example, Webroot raised more than $100 million in funding and its main product has become a feature in Kaspersky Lab, McAfee and Zone desktop security. Yikes! With the competitive heat rising rapidly, look for a VC tag sale this year or Chapter 11 declarations next year.

9. Microsoft gains security respect
I know I'll take some heat for this one but by 2008, many security professionals will stop their incessant bad-mouthing of Microsoft. Why? Products like Forefront and Windows Vista will open a lot of eyes, but Microsoft will also provide a well-integrated security alternative, especially for small and midsize businesses. By 2008, Rodney Dangerfield will have to find a new information security home. I hear Redwood Shores is available.

10. Identity management plods along
This sector is also due for explosive growth. Government initiatives (think HSPD12), new device types and extranet applications are driving demand, while standards (SAML, 802.1x), smart new technologies like the Trusted Platform Module (TPM), and industry consolidation have reinvigorated suppliers. Slowly but surely, identity integration is getting easier, too. This means that projects can be streamlined with fewer dollars going to fat-cat system integrators like Accenture.

Many of these trends are net positives for the information security world. Despite this, we are likely to see some spectacular breaches in 2007 as well.

Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

More Perspectives

[Solaris_User]

We have laws they just ignore them.

With the recent claims that the feds do not need a warrant to read e-mail because its not "in our possession" Congress needs not write aditional data privacy laws to protect our data. Also primaraly they must protect it from themselves, IE government.

The 4th Amendment (not that they pay any attention to it but..) it states we are to be secure in our "persons, houses, papers, and effects" against "unreasonable searches and seizures".

Just as government needs a warrant to search your rented gym locker so must they have a warrant to search your Yahoo inbox folder.

We need to tell George Bush he does not have a right to search without a warrant and it doesn't matter what type of terrorist activity they are investigating. The reason never trumps your right to be secure in your effects. They need a warrant always EVERY single time.

If they want to write specific laws reinforcing that, its ok by me but I just wish they would respect the laws they have.. and stop trying to find "ways around" the constitution.. it means what it says.

[Penguinisto]

"Microsoft Gains Security Respect"?

Dunno - that part remains to be seen, and it assumes a lot of things:

1) ...that Vista will have few to no exploitable holes. Not likely given its size and complexity.

2) ...that MSFT is actually proactive on patching and stays as such.

3) ...that things like DRM and other user-directed restrictions don't force users to compromise their own security (via disabling, underground patches and the like) just to run their stuff (be it custom apps, media, what-have-you).

4) ...that #3 doesn't begin to happen at the corporate level, for the same reasons.

Kudos to them for actually doing something, but IMHO the things they do will have to be effective before they lose the security risk stigma that they have rightfully earned over the years.

/P

[wbenton]

Some heat is an UNDER Statement

>>>I know I'll take some heat for this one but by 2008, many security professionals will stop their incessant bad-mouthing of Microsoft.<<<

(* ROFLOL *)

Personally I wouldn't stake anybody's reputation on that... well... except Microsoft's... (* ROFLOL *)

They have TOO MUCH to do and TOO LITTLE time to do it in. 2008 is only a year away, but it's going to take them at least 5-10 years before they can clean up the title they've earned over the past 20 years.

Walt

[Ryo Hazuki]

Agree 100%

The reason you (and many others, I bet) wouldn't stake anybody's reputation on that except Microsoft's (hahaha, how amusing you are, ever considered a career in stand-up comedy?) is because you know you wouldn't give them that respect even if they deserved it.
Actually the "much" they had to do is done already (it's called "Microsoft Windows Vista") and with an OS share of more than 90%, browser share of more than 85% and office suits share of more than 75% they actually have plenty of time to do whatever needs to be done.
To short-minded biased people like you I even say it would take eternity to Microsoft to clean up the (in several ways unfair) title they've earned over the past 20 years, but you're forgetting that (fortunately) not everyone in this world has problems giving credit where it is due, even if that means giving credit and respect to Microsoft for their efforts and improvements in their products.

[the_integrator]

Microsoft and security respect

I'm not a Microsoft basher, I work with their products all there time and I have seen vast improvments, however whilst they insist on embedding their browser into the operating system, they can not been seen to be taking security as seriously as they should. This disasterous design flaw along with the addition of ActiveX ensures their browser is significanlty less secure than other browsers. As for Symantec's credentials, these have suffered a serious blow by their insistance on the user installing wscript in order to install and configure their products. The security industry really needs to get it's act together over stupid blunders like these.
Let's see some Ronseal security!

[Ryo Hazuki]

Browser and operating systems

The act of bundling a specific software with an OS can never be considered a design flaw or anything like that by itself.
As long as the software is well designed and programmed no disasterous security flaws exploits will happen for the simple reason the software was bundled with the OS.
MacOS comes with Safari and nobody seems worried with that, even with all the recent bugs found in Mac OS.
Regarding Symantec, I still trust my AV protection to them.

[Ryo Hazuki]

Microsoft Gains Security Respect

The question whether Microsoft will get security respect by 2008 is not a question if that respect will be deserved by Microsoft (IMHO it is already to some extent with products like Windows Vista, Internet Epxlorer 7 and Windows Defender), but if people in general (and that includes many short-minded, ignorant, biased people towards Microsoft) will give that respect where it is due, even (even) if that means giving respect to evil Microsoft (something I seriously doubt will ever happen, at least regarding some people).

[Ryo Hazuki]

Because...

...it's a very tuff job to open the eyes of Microsoft haters...