By Venkat Raghavan, Tivoli's Director of Security, Risk and Compliance, IBM Software Group
In an era of globalization, traditional boundaries continue to disappear, melting
before the relentless pace of 24/7 communications and trade. In this new global
reality, "open for business" can mean pooling resources and sharing
sensitive information among organizations. The line between participation and
isolation can also mark the line between opportunity and risk.
Now more than ever, organizations rely upon business systems and automated
policies to guard that line: to root out the threats, to safeguard intellectual
property, to protect brand image and privacy. With the emergence of each new
technology, the line can shift just a bit.
As enterprises rush to exploit the opportunities, determined insiders and outsiders
may seek to exploit vulnerabilities. Consequently, the potential of emerging
technologies marks a fundamental change in how organizations should approach
accompanying security challenges.
To gain a perspective on the security challenges organizations will face in
the next several years, the following questions should be considered: what fundamental
technology trends are expected to impact organizations in the next two to five
years? Which strategic drivers should serve as catalysts for change? And how
can organizations position themselves to profit from the myriad opportunities
while managing the risk that inevitably accompanies them?
In the next two to five years, emerging technological and social trends will
have far-reaching implications for enterprise security. These include five trends:
securing virtualized identities, alternative ways to deliver security, information
security in a Web 2.0 world, Voice over Internet Protocol (VoIP), and the security
of mobile devices. By focusing on these and other technologies as they emerge,
organizations can quickly respond to security challenges.
Securing virtualized environments
For the past two decades, organizations have raced to keep up with changing
technology requirements by substantially building out data centers. With operational
centers already stretching the upper limits of power, space and staff resources,
soaring capital costs and exponential growth in power costs are forcing organizations
to examine ways to deliver a more energy-efficient infrastructure.
Unprecedented levels of scalability and responsiveness should also be in place
to support the dramatic growth of shared applications, and the natural ebb and
flow of service demands on resources. Based on a shared infrastructure in which
large virtualized resource pools are linked to provide organizations with a
simple, quick and device-agnostic path to services, cloud computing delivers
the potential to radically change the economics of running a data center.
Through the ability to define and standardize collections of resources, cloud
computing offers simplification on a grand scale, providing an opportunity to
streamline and standardize the security approach and configurations throughout
the organization. In turn, the simplification positively feeds upon itself --
since resources can be managed in a similar fashion, a larger number of virtual
resources become manageable.
Alternative ways to deliver security
The economics of managing and operating complex, specialized IT security services
are driving a focus on new forms of packaging and delivering security services.
Two key factors influence this increased diversity.
First, an IT organization should decide how much control it wants to maintain.
Is it comfortable with the idea of another company providing its security services
or does it want to manage security itself?
Second, the complexity of an IT environment can heavily influence how an IT
organization chooses to obtain security capabilities. Some companies have relatively
simple, self-contained IT needs. On the other hand, some companies have highly
dynamic environments that have the ability to quickly adapt their IT services
to new business needs.
In addition to traditional software offerings, managed services and outsourcing
arrangements, there are a few trends in the delivery of security capabilities:
Appliances. In the past, IT appliances meant "one host dedicated
to one specialized function." Today's appliances are becoming platforms
in their own right, evolving to a single deliverable that contains all of the
operating system, middleware and applications preinstalled and preconfigured
to perform multiple functions targeted to a single domain of operation. Appliances
are also moving to increasingly modular physical form factors as well as virtual
Software-as-a-Service (SaaS). While managed services typically have
dedicated infrastructure for each customer, SaaS platforms deliver "one-to-many"
service in which a single platform provides a type of service to multiple customers
simultaneously. These shared infrastructure systems can provide standardized
services with little need for customization.
Cloud computing. Virtualized platforms and cloud computing environments
support highly dynamic environments with elastic scalability needs. These dynamic
environments can be used to create "cookie-cutter" definitions of
resource pools to standardize application deployment and other IT services that
can be deployed in massive numbers in very short times, leading to a "utility"
approach to consuming security services.
Information security in a Web 2.0 world
Today, an ever-expanding volume of information continually and freely circulates
across and beyond enterprises, governments and social networks, aided through
the proliferation of open, collaborative environments, Web 2.0 mashup technologies
and intelligent data streams. A boon to online communities, the information
explosion has nevertheless created a nightmare for organizations with the proliferation
of databases and a corresponding increase in data leakage that raises the potential
for data breaches and the chance of inappropriate disclosure or use of intellectual
Data breaches are already a boardroom issue, and organizations can expect a continued
push to minimize their risks. As a result, there should be a new focus on privacy
management tools with the capability to mask data, particularly in nonproduction
environments such as application development where protection of data continues
to be less stringent. This focus can reinforce the need for cryptography, and the
subsequent demand to simplify the complexity of key-based algorithms and the
management of keys throughout the lifecycle.
There is expected to be more internal pressure to link trust in data with decision
making. Collectively, security practices -- including data steward assignments,
data monitoring, policy-based data classification and security requirements
records -- should provide the metrics that calculate and reflect the security
protections for a particular repository. These metrics can be used in formulating
"trust indexes" that can guide decisions about the use of a data repository
-- a repository with a high trust index association can be used for high-risk
decisions; conversely, a repository with a low trust index association should
be used only for low-risk activities.
These data protection capabilities provide a trustworthy foundation to use
enterprise information assets for business optimization in a way that reflects
the value of information and protects individuals' privacy.
Protecting the evolving network
The need to accommodate bandwidth-intensive applications such as VoIP, streaming
video and online gaming has created a race within organizations to meet growing
demands for speed and bandwidth. With speeds now reaching 10G and beyond, and
traffic loads hitting unprecedented levels, service providers have less and
less visibility and knowledge of the traffic going through their networks. As
IT policies force more network encryption and virtualization creates new networks
inside the server infrastructure, visibility is expected to become even more
As a consequence, network security should become more elusive, even as new
types of attacks emerge. Virtualized environments create the possibility for
guest hosts to launch network-based attacks against other hosts. Other attacks
likely will target session initiation protocol (SIP) proxy servers, domain name
system (DNS) servers and the upper layers of the open system interconnect (OSI)
stack, including attacks on application-specific protocols and schema.
Combating these attacks likely will require more than traditional intrusion
prevention systems (IPS) and firewall technologies. Addressing these evolving
threat requirements should require a total defense-in-depth strategy based on
a highly scalable, collaborating security platform with unified and coordinated
network, server and end-point protection technologies.
Securing mobile devices
Of all the technologies available, the mobile device represents perhaps the
greatest intersection between opportunity and risk. Diverse in design and use,
and capable of delivering data, applications and services anytime, anywhere,
the mobile device has the potential to change the way governments and enterprises
conduct high-value, mission-critical transactions.
While mobile devices are becoming the prevalent channel for conducting business
and primary means for authentication, mobile phones are increasingly subject
to the same types of security attacks, but are even less mature at deflecting
Improvements are needed in two key areas: mobile platform security and telecommunications
network protection. With mobile platforms becoming more open, the mobile application
development environment, deployment processes and run-time environment should
be authorized, secure and free of corruption. And as mobile phones are increasingly
vulnerable to malware and other types of attacks, telecommunications service
providers should augment their network security by monitoring their network
traffic for security threats while maintaining optimal service levels.
In summary, these are five trends that will gain increasing prominence in the
next two to five years. If organizations recognize and respond to these trends,
they can turn risk into opportunity. After all, it's how risk is managed that
determines how an organization thrives -- or fails -- in the ever-changing face
of emerging technologies.
About the Author
Venkat Raghavan is Tivoli's Director of Security, Risk and Compliance in IBM Software Group.