Disruptive Trends in Information Security

By Peter H. Gregory

Attacks and cybercrime are not the only things vying for information security professionals’ attention. Another issue is the parade of technical innovations that provide businesses with compelling opportunities for improved productivity and service levels. At the same time, these innovations — like many new technologies — are not fully “baked” at first and often don’t have all the security features that organizations need.

Some new technologies, such as virtualization, are more mature, but organizations (including their security teams) are still playing catch‐up in terms of knowing how to configure and operate them in a way that protects them from internal and external attacks.

Mobility trends

Everything was fine in corporate IT organizations until users started bringing their own personal computers, tablet computers, and smartphones to work and using them to get their jobs done. Security professionals need to address several issues pertaining to BYOD (bring your own device, or bring your own disaster, as many security professionals like to call it):

  • Endpoint security: When personally owned devices are used to conduct business, the organization may have a more difficult time employing its antimalware, patch management, and encryption enterprise tools. In addition, many mobile platforms lack mature enterprise management capabilities and antimalware.

  • Control of sensitive information: When personally owned endpoints (laptops, tablets, smartphones, or anything else that employees own that they use to conduct official business) are lost or stolen, the organization may have more limited means of remotely wiping data on these devices. And when an employee leaves, determining whether he or she really (and effectively) erased company data will be difficult.

Many mobile device management (MDM) tools are available for enterprises, but these tools are still maturing. Few if any offer truly comprehensive management and data protection capabilities across the variety of devices that employees are likely to use for business.

Virtualization

Virtualization is the practice of installing one or more instances of actively running operating systems on a single hardware server. The primary business driver for virtualization is the preservation of capital. The main technology drivers are more efficient use of server hardware and the capability to quickly move a running system from one hardware platform to another.

The master virtualization program is called a hypervisor, and the operating systems running on a hypervisor are called guests. In addition to general‐purpose operating systems such as Windows, Linux, and MacOS, virtualized network appliances can run as guests, including routers, firewalls, intrusion detection systems (IDS), and data loss prevention (DLP) systems. Hence, it’s now possible to build an entire infrastructure stack, including the network infrastructure, on a single hardware server.

This powerful capability is part of what keeps an information security professional up at night. The lack of “air gaps” between infrastructure components in a virtualized environment provides more opportunities for attackers to successfully infiltrate virtual systems.

Another concern of IT managers and security managers alike is virtualization sprawl, the uncontrolled implementation of new virtual servers without proper approval. In the physical world, management’s approval to purchase server hardware served as the control over the implementation of new servers; in a virtualized environment, a new server can be created with just a few clicks.

Cloud computing

The trend in cloud computing can be summed up as follows: Organizations tend to acquire new business applications hosted by other organizations, rather than hosting the applications themselves on purchased computer hardware. In other words, why buy new hardware, an operating system, database management system software, and application software when you can pay some other company to do all of that for less money?

The lists of pros and cons for cloud computing are long. The economic drivers swing heavily in favor of cloud computing, but many IT and security organizations are unprepared to manage the security of cloud apps as effectively as that of on‐premises apps.

The most important issues that security professionals face regarding cloud computing include the following:

  • Cloud sprawl: Because it is so easy to begin using a cloud‐based application, IT and security organizations often have little visibility into just how extensive an organization’s use of cloud services has become. The number of unapproved cloud services in use by your organization is probably worse than you think.

  • Data security: Knowing which controls a cloud services provider uses and their effectiveness can be difficult. In other words, the protection of information stored in the cloud can be difficult to verify.

  • Data control: An organization that isn’t aware of all the cloud apps it uses has lost control of its data. If you don’t know where your data is, how can you control it?

  • Legal issues: Security and privacy laws crisscross the world, making data jurisdiction and data sovereignty stickier issues than ever. For instance, how do you know whether it’s even legal to store certain data in certain locations (provided you even know the physical locations of data stored in the cloud)?

As scary as this all sounds, hope is on the horizon.

The Internet of Things

The Internet of Things (IoT) is the name given to the coming wave of Internet‐connected smart devices. Soon, nearly everything consumers purchase that uses electricity will have a CPU and be connected to the Internet, including our home appliances, our vehicles, our gadgets, and even us.

In the context of information security as it is known today, this proliferation of Internet‐connected devices will intensify the vulnerability management problem. With so many more devices with latent vulnerabilities, adversaries will have a new playground to explore.