[Infowarrior] - Looking ahead at security trends for 2009

Richard Forno rforno at infowarrior.org
Tue Dec 23 21:10:39 UTC 2008 

Looking ahead at security trends for 2009
Posted by Jon Oltsik

http://news.cnet.com/8301-1009_3-10128133-83.html?part=rss&subj=news&tag=2547-1_3-0-20

In spite of the global economic recession, information security will  
continue to be a dominant IT priority in 2009. Why? There are simply  
too many threats and vulnerabilities creating a perpetual increase in  
IT risk.

With that, here is my top-10 list (in no particular order) of  
technologies and trends to watch for in the new year:

1. The evolving definition of endpoint security: Some analysts have  
declared that, antivirus software is dead. I disagree and submit that  
endpoint security is simply evolving as a function of the changing  
threat landscape. This is the primary reason why Sophos (a legacy  
antivirus company) bought Utimaco (a data security company) in 2008.  
Look for traditional antivirus, anti-spyware, and firewall software to  
merge with endpoint operations, data loss prevention, and full-disk  
encryption in 2009.

2. More emphasis on cybersecurity: This year began with the  
establishment of the Comprehensive National Cybersecurity Initiative  
(CNCI), an effort to strengthen government networks. While well- 
intended, CNCI has received minimal funding and support. In December,  
a Center for Strategic and International Studies report, further  
described the sorry state of cybersecurity and called for drastic  
improvements. Look for President-elect Barack Obama to get behind this  
effort in a big way with funding, a real public/private partnership,  
and cooperative intelligence and law enforcement with a growing list  
of foreign nations.

3. Increasingly stringent privacy legislation: Privacy advocates like  
the American Civil Liberties Union and the Center for Democracy and  
Technology are hopeful that the change in administration will finally  
lead to more comprehensive national privacy legislation in 2009 and  
beyond. This momentum should persuade the Senate to finally push the  
Personal and Data Privacy Act of 2007 (S.495), which has been dormant  
since May. In the meantime, look for states like Michigan and  
Washington to follow the lead of Massachusetts and Nevada in mandating  
data encryption.

4. Security in the cloud: While "cloud" has turned into a vague  
industry security blanket term, I do believe that 2009 will be a  
strong year for managed security services. Many organizations simply  
don't have the capital budget dollars or security skills to take on  
the increasingly sophisticated bad guys themselves--good news for IBM  
and Symantec. Additionally, companies like Blue Coat, Cisco, and Trend  
Micro will supplement on-site security equipment with scalable  
reputation and update services in the cloud.

5. Virtualization security: As server and desktop virtualization  
continues to proliferate, we will need better security tools for  
things like role-based access control, virtual server identity  
management, virtual network security, and reporting/auditing. Citrix,  
Microsoft, and VMware will lead this effort with partnering support  
from others like IBM (Project Phantom), McAfee, and Q1 Labs.

6. Secure software development: In 2008, the majority of malicious  
code attacks targeted applications, not operating systems. This fact  
combined with growing focus on cybersecurity will force software  
companies to embrace secure software development efforts such as the  
Open Web Application Security Project (OWASP) or the SANS Software  
Security Institute. Ironically, Microsoft and its Pro Network partners  
like Security Innovation are best positioned to bring secure software  
development best practices to the masses.

7. Information-centric security: The recent Microsoft/RSA announcement  
is a sign of things to come. Organizations large and small need to be  
able to discover and classify sensitive information, apply security  
policies, and then enforce these policies throughout the network. This  
will continue to become a reality in 2009 as documents and file  
systems are integrated with data loss prevention and enterprise rights  
management systems. Look for further progress like the introduction of  
PKI in the mix along with discussions about metadata standards for  
data classification and security rules enforcement.

8. Ubiquitous encryption: Encryption technologies are more often  
becoming "baked in" rather than "bolted on." Tape drives now contain  
cryptographic processors as do hard drives from Fujitsu, Hitachi, and  
Seagate. And Intel will ship a version of its vPro chip set in 2009  
that also supports on-board encryption. In 2009, we will start to see  
multiple layers of encryption technologies running on top of each  
other. Good for data confidentiality and integrity but this will also  
highlight the need for enterprise-class encryption key management-- 
another technology on the 2009 "watch list."

9. Entitlement management: Authentication gets you in the network  
door, while entitlement management governs what you can and can't do.  
Entitlement management is currently done on an application-by- 
application basis but this doesn't scale, is ripe for human error, and  
is nearly impossible to audit for compliance. Enter centralized  
entitlement management brought to you by Cisco, IBM/Tivoli, Rohati,  
and RSA Security. Look for lots of buzz as well as pilot projects by  
the summer. By the end of 2009, IT professionals should be intimately  
familiar with XACML (XML Access Control Markup Language).

10. Business process security: Securing all IT assets across the  
enterprise is a daunting task--too big for risk-averse business  
managers. Rather than rely on IT reports and security point tools  
alone, line-of-business executives will want more visibility and  
oversight into their exclusive domains with detailed and succinct  
portals, reports, and auditing systems. Ultimately, CEOs will support  
this effort as it forces individual business units to build security  
into their P&Ls. This trend favors big services vendors like  
Accenture, CSC, and HP with vertical industry tools, business process  
expertise, and executive relationships.

I'm generally an optimist, but I do have one additional, more gloomy  
prediction. Given the alarming state of disarray, look for some type  
of security breach in 2009 that exceeds the TJX incident.

On that cheerful note, happy holidays.

More information about the Infowarrior mailing list