Date: 18 Mar 2010
The potential of emerging technologies marks a fundamental change in how enterprises should approach accompanying security challenges
In an era marked by the relentless pace of communications, what fundamental technology trends are expected to impact organizations in the next two to five years? Which strategic drivers should serve as catalysts for change? And how can organizations profit from the myriad opportunities while managing the risk that accompanies them? In the next two to five years, emerging technological and social trends will have far-reaching implications for enterprise security. These include five trends: securing virtualized identities, alternative ways to deliver security, information security in a Web 2.0 world, Voice-over-Internet-Protocol (VoIP), and the security of mobile devices. By focusing on these and other technologies as they emerge, organizations can respond to security challenges.
The economics of managing and operating complex, specialized IT security services is driving the quest for new forms of packaging and delivering security services. There are two key factors that influence this increased diversity. First, an IT organization should decide how much control it wants to maintain. Second, the complexity of an IT environment can heavily influence how an IT organization chooses to obtain security capabilities.
In addition to traditional software, managed services and outsourcing arrangements, there are a few trends in the delivery of security capabilities:
Appliances: Appliances are becoming platforms in their own right, evolving to a single deliverable that contains all of the operating system, middleware and applications preinstalled and preconfigured to perform multiple functions targeted to a single domain of operation.
Software-as-a-service (SaaS): In SaaS, a single platform provides a type of service to multiple customers simultaneously. These shared systems provide standardized services with little need for customization.
Cloud computing: Virtualized platforms and cloud computing environments support highly dynamic environments with elastic scalability needs. These dynamic environments can be used to create ‘cookie-cutter’ definitions of resource pools to standardize application deployment and other IT services that can be deployed in massive numbers, leading to a ‘utility’ approach to consuming security services.
The information explosion of recent years, and the proliferation of databases that came with it, has created a nightmare for organizations. Data breaches are already a boardroom issue, and organizations can expect a continued push to minimize their risk. As a result, there should be a new focus on privacy management tools with the capability to mask data, particularly in non-production environments such as application development, where protection of data continues to be less stringent. This focus can reinforce the need for cryptography and the demand to simplify key-based algorithms and the management of keys throughout their lifecycle. There will also be more internal pressure to link trust in data with decision making. Collectively, security practices (including data steward assignments, data monitoring, policy-based data classification and security requirement records) should provide the metrics that calculate and reflect the security protections for a particular repository.
The need to accommodate bandwidth-intensive applications such as VoIP, streaming video and online gaming has created a race within organizations to meet the growing demands for speed and bandwidth. With speeds now reaching 10G and beyond, and traffic hitting unprecedented levels, service providers have less and less visibility into the traffic going through their networks. As IT policies force more network encryption and virtualization creates new server infrastructure, that visibility is expected to decrease further. Virtualized environments create the possibility of guest hosts launching network-based attacks against other hosts. Other attacks may target Session Initiation Protocol (SIP) proxy servers, Domain Name System (DNS) servers and the upper layers of the Open Systems Interconnection (OSI) stack, including attacks on application-specific protocols and schema.
Combating these attacks will require more than traditional intrusion prevention systems and firewall technologies. Addressing these evolving threats calls for a total defence-in-depth strategy based on a highly scalable, collaborating security platform with unified and coordinated network, server and end-point protection technologies.
Of all technologies, the mobile device represents perhaps the greatest intersection between opportunity and risk. It has the potential to change the way governments and enterprises conduct high-value, mission-critical transactions. But mobile devices are increasingly subject to the same types of security attacks, and are even less mature in tackling them.
Improvements are needed in two key areas: mobile platform security and telecommunications network protection. With mobile platforms becoming more open, the application development environment, deployment processes and run-time environment should be authorized, secure and free of corruption. And telecommunications service providers should augment their network security by monitoring their network traffic for security threats.
These are the trends that will gain traction in the next two to five years. If organizations recognize and respond to them, they can turn risk into opportunity. After all, it’s how risk is managed that determines how an organization thrives or fails.
The writer is country manager, Tivoli Software, IBM India/South Asia.