Perspective: If you thought 'Security '07' was hairy, just wait

While you're still recovering from New Year's partying, here's something to think about: what should we expect from the world of information security over the next 12 months? In no particular order, here's my top 10 list for 2008:

Phat desktop security
Antivirus is so 1990s, today's desktop security software must have additional safeguards for Network Access Control (NAC) and data protection. Phat desktop security has given rise to a bunch of acquisitions: McAfee bought SafeBoot, Symantec grabbed Vontu, and Trend Micro snapped up Provilla. Look for phat desktop security to put on additional pounds as desktop security and operations merge in 2008 as well. CA and Symantec/Altiris are already planning new announcements.

Public key encryption
This one will trickle in on the back of federal government initiatives, PKI-ready applications, and PKI-friendly Windows 2008. To ease PKI complexity, look for service provider offerings as well from firms like Chosen Security, RSA Security, and Verisign.

Federated identity
This, too, rides the Windows 2008 wave but I'm also hearing about service providers and large financial service vendors that have built "ready to federate" Web-based applications for their partners. Like PKI, federated identity has been overpromised in the past so don't expect it to garner major headlines. Nevertheless, federated identity will experience good growth under the radar all year. Aside from Microsoft, expect IBM, Oracle, and Sun to benefit as well.

"Best-of-breed" is another security trend that is growing passe.

Ubiquitous encryption
We will remember this as the year of the invasion of encryption algorithms. In 2008, firms will purchase new disk drives, processors, tape drives, file systems, and new databases that support native encryption. Good for data protection but security operations managers must be prepared.

Key management
This one will happen as a result of ubiquitous encryption. Lots of encryption means lots of encryption keys. If keys are lost or stolen, you either lose some data or a lot of data. Pretty soon users will demand strong centralized key management solutions. Key management leadership ought to be extremely interesting with competitors like Hewlett-Packard, IBM, nCipher, PGP Corporation, and RSA Security. Hopefully, we can agree upon some key management standards in 2008 as well.

Managed security services
Security is too complex to fool around with and there just aren't enough skilled people available. Managed services just make sense. This will be another market to watch because everyone wants a piece of the action. Look for major announcements from networking leaders (Cisco Systems, Juniper Networks), traditional system vendors (HP, IBM, Unisys), carriers (AT&T, Verizon), security players (Symantec), and systems integrators (CSC, EDS, Wipro).

Security product consolidation
"Best-of-breed" is another security trend that is growing passe. Users want consolidated administration, logging, and management, not a bunch of point tools. This, too, favors the big vendors. Smaller players will have to look for niche functionality and those opportunities to continue to grow rarer.

Information governance
There aren't many firms that know a lot about what information they have, how confidential it is, and where it is stored. This needs to change for security and business reasons. Look for lots of user and industry efforts to bridge this gap. Expect lots of hoopla over things like standard data models, meta data tagging, and information classification. Oh, and this is a market that is ripe for lots of professional services, too.

Stronger enforcement of the Payment Card Industry Data Security Standard (PCI DSS)
Is there anyone you know who has not had his or her credit card number breached? To avoid a "return to cash" movement, look for American Express, MasterCard, and Visa to start cracking the whip with tougher standards and greater fines for vendors large and small. Additionally, expect to see more credit cards equipped with onboard authentication technology and at least one data breach that makes TJX look like an amateur hack.

Log management architecture
Large firms are experiencing exponential growth in the amount of log data they collect, store, and analyze. This will prompt large organizations to move log management activities beyond security and build enterprise-wide log management architectures in 2008. Henceforth, log management services will be owned by IT departments who then charge-back internal groups for access to the log data. Great news for ArcSight, Log Logic, Log Rhythm, Q1 Labs, and the storage folks.

That's it, though I'm sure I've missed a half dozen others. Meanwhile, a belated Happy New Year.

Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

More Perspectives

[fred dunn]

These could have been 2007's predictions

The biggest change in the security landscape for 2008 will be the attack vectors.