Five Emerging Security Trends

In an era of globalization, traditional boundaries continue to disappear, melting before the relentless pace of 24/7 communications and trade. In this new global reality, "open for business" can mean pooling resources and sharing sensitive information among organizations. The line between participation and isolation can also mark the line between opportunity and risk.

Now more than ever, organizations rely upon business systems and automated policies to guard that line: to root out the threats, to safeguard intellectual property, to protect brand image and privacy. With the emergence of each new technology, the line can shift just a bit.

As enterprises rush to exploit the opportunities, determined insiders and outsiders may seek to exploit vulnerabilities. Consequently, the potential of emerging technologies marks a fundamental change in how organizations should approach accompanying security challenges.

To gain a perspective on the security challenges organizations will face in the next several years, the following questions should be considered: what fundamental technology trends are expected to impact organizations in the next two to five years? Which strategic drivers should serve as catalysts for change? And how can organizations position themselves to profit from the myriad opportunities while managing the risk that inevitably accompanies them?

In the next two to five years, emerging technological and social trends will have far-reaching implications for enterprise security. These include five trends: securing virtualized identities, alternative ways to deliver security, information security in a Web 2.0 world, Voice over Internet Protocol (VoIP), and the security of mobile devices. By focusing on these and other technologies as they emerge, organizations can quickly respond to security challenges.

Securing virtualized environments

For the past two decades, organizations have raced to keep up with changing technology requirements by substantially building out data centers. With operational centers already stretching the upper limits of power, space and staff resources, soaring capital costs and exponential growth in power costs are forcing organizations to examine ways to deliver a more energy-efficient infrastructure.

Unprecedented levels of scalability and responsiveness should also be in place to support the dramatic growth of shared applications, and the natural ebb and flow of service demands on resources. Based on a shared infrastructure in which large virtualized resource pools are linked to provide organizations with a simple, quick and device-agnostic path to services, cloud computing delivers the potential to radically change the economics of running a data center.

Through the ability to define and standardize collections of resources, cloud computing offers simplification on a grand scale, providing an opportunity to streamline and standardize the security approach and configurations throughout the organization. In turn, the simplification positively feeds upon itself -- since resources can be managed in a similar fashion, a larger number of virtual resources become manageable.

Alternative ways to deliver security

The economics of managing and operating complex, specialized IT security services are driving a focus on new forms of packaging and delivering security services. Two key factors influence this increased diversity.

First, an IT organization should decide how much control it wants to maintain. Is it comfortable with the idea of another company providing its security services or does it want to manage security itself?

Second, the complexity of an IT environment can heavily influence how an IT organization chooses to obtain security capabilities. Some companies have relatively simple, self-contained IT needs. On the other hand, some companies have highly dynamic environments that have the ability to quickly adapt their IT services to new business needs.

In addition to traditional software offerings, managed services and outsourcing arrangements, there are a few trends in the delivery of security capabilities:

Appliances. In the past, IT appliances meant "one host dedicated to one specialized function." Today's appliances are becoming platforms in their own right, evolving to a single deliverable that contains all of the operating system, middleware and applications preinstalled and preconfigured to perform multiple functions targeted to a single domain of operation. Appliances are also moving to increasingly modular physical form factors as well as virtual form factors.

Software-as-a-Service (SaaS). While managed services typically have dedicated infrastructure for each customer, SaaS platforms deliver "one-to-many" service in which a single platform provides a type of service to multiple customers simultaneously. These shared infrastructure systems can provide standardized services with little need for customization.

Cloud computing. Virtualized platforms and cloud computing environments support highly dynamic environments with elastic scalability needs. These dynamic environments can be used to create "cookie-cutter" definitions of resource pools to standardize application deployment and other IT services that can be deployed in massive numbers in very short times, leading to a "utility" approach to consuming security services.

Information security in a Web 2.0 world

Today, an ever-expanding volume of information continually and freely circulates across and beyond enterprises, governments and social networks, aided through the proliferation of open, collaborative environments, Web 2.0 mashup technologies and intelligent data streams. A boon to online communities, the information explosion has nevertheless created a nightmare for organizations with the proliferation of databases and a corresponding increase in data leakage that raises the potential for data breaches and the chance of inappropriate disclosure or use of intellectual capital.

Data breaches are already a boardroom issue, and organizations can expect a continued push to minimize their risks. As a result, there should be a new focus on privacy management tools with the capability to mask data, particularly in nonproduction environments such as application development, where protection of data continues to be less stringent. This focus can reinforce the need for cryptography, and the subsequent demand to simplify the complexity of key-based algorithms and the management of keys throughout their lifecycle.

There is expected to be more internal pressure to link trust in data with decision making. Collectively, security practices -- including data steward assignments, data monitoring, policy-based data classification and security requirements records -- should provide the metrics that calculate and reflect the security protections for a particular repository. These metrics can be used in formulating "trust indexes" that can guide decisions about the use of a data repository -- a repository with a high trust index association can be used for high-risk decisions; conversely, a repository with a low trust index association should be used only for low-risk activities.

These data protection capabilities provide a trustworthy foundation to use enterprise information assets for business optimization in a way that reflects the value of information and protects individuals' privacy.

Protecting the evolving network

The need to accommodate bandwidth-intensive applications such as VoIP, streaming video and online gaming has created a race within organizations to meet growing demands for speed and bandwidth. With speeds now reaching 10G and beyond, and traffic loads hitting unprecedented levels, service providers have less and less visibility and knowledge of the traffic going through their networks. As IT policies force more network encryption and virtualization creates new networks inside the server infrastructure, visibility is expected to become even more opaque.

As a consequence, network security should become more elusive, even as new types of attacks emerge. Virtualized environments create the possibility for guest hosts to launch network-based attacks against other hosts. Other attacks likely will target session initiation protocol (SIP) proxy servers, domain name system (DNS) servers and the upper layers of the open system interconnect (OSI) stack, including attacks on application-specific protocols and schema.

Combating these attacks likely will require more than traditional intrusion prevention systems (IPS) and firewall technologies. Addressing these evolving threat requirements should require a total defense-in-depth strategy based on a highly scalable, collaborating security platform with unified and coordinated network, server and end-point protection technologies.

Securing mobile devices

Of all the technologies available, the mobile device represents perhaps the greatest intersection between opportunity and risk. Diverse in design and use, and capable of delivering data, applications and services anytime, anywhere, the mobile device has the potential to change the way governments and enterprises conduct high-value, mission-critical transactions.

While mobile devices are becoming the prevalent channel for conducting business and primary means for authentication, mobile phones are increasingly subject to the same types of security attacks, but are even less mature at deflecting them.

Improvements are needed in two key areas: mobile platform security and telecommunications network protection. With mobile platforms becoming more open, the mobile application development environment, deployment processes and run-time environment should be authorized, secure and free of corruption. And as mobile phones are increasingly vulnerable to malware and other types of attacks, telecommunications service providers should augment their network security by monitoring their network traffic for security threats while maintaining optimal service levels.

In summary, these are five trends that will gain increasing prominence in the next two to five years. If organizations recognize and respond to these trends, they can turn risk into opportunity. After all, it's how risk is managed that determines how an organization thrives -- or fails -- in the ever-changing face of emerging technologies.

About the Author

Venkat Raghavan is Tivoli's Director of Security, Risk and Compliance in IBM Software Group.
