Recent Enterprise Strategy Group data indicates that security spending should maintain its current pace in 2009. There will be spending increases in some vertical sectors, like the U.S. federal government, but overall, things should remain relatively flat.
As they say on Wall Street these days, "flat is the new up." Large organizations will continue to bolster network defenses and focus on protecting confidential and private data. Given the frightening security threat landscape, this is good news.
Unfortunately, there is a caveat here. Under constant pressure to "do more with less," some chief security officers I speak with are abandoning strategic security initiatives and replacing these projects with tactical Band-Aid solutions--the old check box mentality at work. Yes, these folks recognize that they will have to "rip and replace" point tools when the economy improves, but they are willing to face that future expense to "do something" in the short term.
Ay, ay, ay! One of the reasons why the state of information security is so bad is that it is built on a foundation of islands of point tools for protection against tactical threats. Managing these systems is an operational nightmare. What's more, most of these tools aren't integrated together, so getting a true picture of the security posture of the whole business is next to impossible, which may actually lead to additional security risks. Ironic, isn't it?
My suggestion is this: Buy tactically but think strategically. Users should look to work with vendors who can address short-term tactical needs and provide a road map to integrate these products into a more strategic enterprise security architecture over time. At the other end of the spectrum, vendors must clearly articulate this value to users and help them phase in products, determine success metrics, and provide a final strategic destination.
Perhaps this is a stretch, but I hope that users and vendors can strive for this type of harmony. Otherwise, I'm afraid both groups will suffer more than necessary.
There is a change brewing in information security and information management. In the early days, this discipline really came down to event detection. Security information management systems scanned a bunch of data looking for needle-in-the-haystack events that indicated trouble. All other data was considered "noise" and thrown away.
With the onset of regulatory compliance a few years ago, this model went through an initial change. The "noisy" data was now necessary information to demonstrate security controls for compliance audits. Still, event data and compliance data remained separate entities.
Now things are changing yet again. In today's dangerous security landscape, no data is considered "noise" anymore. Rather, security analysts now want access to terabytes of historical data for analysis. Furthermore, this underlying data has become more complex. Beyond just log files, security analytics now encompasses other data types like network flows, directories, physical access, and video surveillance. If there is reason to believe that Joe the IT administrator has been covertly accessing quarterly financial data, a subsequent security investigation will encompass everything and anything, including when Joe was in the building, when he logged onto the network, which systems he accessed, and what he did.
This type of investigation requirement changes the security technology model. It means collecting, normalizing, and storing a ton of data. It means sophisticated algorithms and processor-intensive query engines. It means the integration of physical and information security, including video surveillance. Sound like law enforcement or the NSA? Perhaps, but large organizations are already headed down this path.
From an industry perspective, security information management systems will need to be re-architected for this type of scale and power. Vendors like ArcSight, eIQ, Nitro Security, RSA, and SenSage have already anticipated this change--as have log management vendors like LogLogic and LogRhythm. This may also introduce the heavyweight security vendors like Comverse, Narus, and NICE into the enterprise space. In either case, I anticipate lots of activity in 2009 regardless of the current economic woes.
In spite of the global economic recession, information security will continue to be a dominant IT priority in 2009. Why? There are simply too many threats and vulnerabilities creating a perpetual increase in IT risk.
With that, here is my top-10 list (in no particular order) of technologies and trends to watch for in the new year:
1. The evolving definition of endpoint security: Some analysts have declared that antivirus software is dead. I disagree and submit that endpoint security is simply evolving as a function of the changing threat landscape. This is the primary reason why Sophos (a legacy antivirus company) bought Utimaco (a data security company) in 2008. Look for traditional antivirus, anti-spyware, and firewall software to merge with endpoint operations, data loss prevention, and full-disk encryption in 2009.
2. More emphasis on cybersecurity: This year began with the establishment of the Comprehensive National Cybersecurity Initiative (CNCI), an effort to strengthen government networks. While well-intended, CNCI has received minimal funding and support. In December, a Center for Strategic and International Studies report further described the sorry state of cybersecurity and called for drastic improvements. Look for President-elect Barack Obama to get behind this effort in a big way with funding, a real public/private partnership, and cooperative intelligence and law enforcement with a growing list of foreign nations.
3. Increasingly stringent privacy legislation: Privacy advocates like the American Civil Liberties Union and the Center for Democracy and Technology are hopeful that the change in administration will finally lead to more comprehensive national privacy legislation in 2009 and beyond. This momentum should persuade the Senate to finally push the Personal and Data Privacy Act of 2007 (S.495), which has been dormant since May. In the meantime, look for states like Michigan and Washington to follow the lead of Massachusetts and Nevada in mandating data encryption.
4. Security in the cloud: While "cloud" has turned into a vague industry security blanket term, I do believe that 2009 will be a strong year for managed security services. Many organizations simply don't have the capital budget dollars or security skills to take on the increasingly sophisticated bad guys themselves--good news for IBM and Symantec. Additionally, companies like Blue Coat, Cisco, and Trend Micro will supplement on-site security equipment with scalable reputation and update services in the cloud.
5. Virtualization security: As server and desktop virtualization continues to proliferate, we will need better security tools for things like role-based access control, virtual server identity management, virtual network security, and reporting/auditing. Citrix, Microsoft, and VMware will lead this effort with partnering support from others like IBM (Project Phantom), McAfee, and Q1 Labs.
6. Secure software development: In 2008, the majority of malicious code attacks targeted applications, not operating systems. This fact combined with growing focus on cybersecurity will force software companies to embrace secure software development efforts such as the Open Web Application Security Project (OWASP) or the SANS Software Security Institute. Ironically, Microsoft and its Pro Network partners like Security Innovation are best positioned to bring secure software development best practices to the masses.
7. Information-centric security: The recent Microsoft/RSA announcement is a sign of things to come. Organizations large and small need to be able to discover and classify sensitive information, apply security policies, and then enforce these policies throughout the network. This will continue to become a reality in 2009 as documents and file systems are integrated with data loss prevention and enterprise rights management systems. Look for further progress like the introduction of PKI in the mix along with discussions about metadata standards for data classification and security rules enforcement.
8. Ubiquitous encryption: Encryption technologies are more often becoming "baked in" rather than "bolted on." Tape drives now contain cryptographic processors, as do hard drives from Fujitsu, Hitachi, and Seagate. And Intel will ship a version of its vPro chip set in 2009 that also supports on-board encryption. In 2009, we will start to see multiple layers of encryption technologies running on top of each other. This is good for data confidentiality and integrity, but it will also highlight the need for enterprise-class encryption key management--another technology on the 2009 "watch list."
9. Entitlement management: Authentication gets you in the network door, while entitlement management governs what you can and can't do. Entitlement management is currently done on an application-by-application basis but this doesn't scale, is ripe for human error, and is nearly impossible to audit for compliance. Enter centralized entitlement management brought to you by Cisco, IBM/Tivoli, Rohati, and RSA Security. Look for lots of buzz as well as pilot projects by the summer. By the end of 2009, IT professionals should be intimately familiar with XACML (XML Access Control Markup Language).
10. Business process security: Securing all IT assets across the enterprise is a daunting task--too big for risk-averse business managers. Rather than rely on IT reports and security point tools alone, line-of-business executives will want more visibility and oversight into their exclusive domains with detailed and succinct portals, reports, and auditing systems. Ultimately, CEOs will support this effort as it forces individual business units to build security into their P&Ls. This trend favors big services vendors like Accenture, CSC, and HP with vertical industry tools, business process expertise, and executive relationships.
I'm generally an optimist, but I do have one additional, more gloomy prediction. Given the alarming state of disarray, look for some type of security breach in 2009 that exceeds the TJX incident.
On that cheerful note, happy holidays.
For a look back at security in 2008, check out Elinor Mills' year in review.
If you haven't heard about the current DNS vulnerability, here is a Reader's Digest-like summary. Security guru Dan Kaminsky found a vulnerability that could give the bad guys a relatively easy way to redirect Internet traffic. For example: You might think you are logging on to Bank of America's Web site. But instead, some hacker may have just exploited a domain name system vulnerability and is now in control of your identity.
Kaminsky deserves credit for finding this flaw and alerting the Internet community so it could fix the problem. This effort is well under way, but according to an article in yesterday's New York Times, Kaminsky believes that 41 percent of all DNS servers are still vulnerable, meaning that these systems have not yet been patched with the new software that closes this gaping security hole.
The danger here is that most of the world will shrug its collective shoulders, dismissing this as a technology problem. The truth is that this is the Internet equivalent of a bridge collapse on Interstate 35W in Minneapolis. This disaster demonstrated that a critical piece of infrastructure was badly in need of repair. Unfortunately, the same is true of DNS, a critical but rickety technology.
Clearly the folks who control most of the Internet infrastructure get this. Comcast and Verizon have already patched their DNS servers, while AT&T is in the process of doing so. Great, but what about all of the companies with a large Internet presence? This is where the Internet may be most vulnerable, folks. According to ESG Research, 48 percent of large organizations (i.e. 1,000 employees or more) experienced at least one DNS outage in the past 12 months. What's more, 42 percent of these companies consider patching and upgrading DNS a time-consuming operational process. Given these statistics, my guess is that a lot of enterprises believe that the DNS problem doesn't really impact them, that it is really an Internet infrastructure problem. This is a misguided and dangerous perspective.
DNS anchors all Internet communications, thus it should be considered critical infrastructure. It's time that enterprise organizations realized this and started treating it accordingly. Hopefully Kaminsky's discovery will act as a change agent to fix the problem. Otherwise, we could all be in trouble.