Emerging Trends in Information Security


It's always fun to write about what might happen in the future: in a few years you can look back and see how wrong you were. So let's get the crystal ball out and peer into the misty depths...

Perimeter security is no longer - The workforce becomes mobile, business partnerships share resources and data, greater bandwidth leads to premises decentralisation and diffusion. In a nutshell, you can no longer surround your data infrastructure with a single perimeter and must enable multiple inroads to your core applications. There are a number of technologies which will provide a high level of protection - AV, IDS and IPS, VPN, etc - but the fact is you'll be punching holes in the network all day long. Look at firewall vendors loading new features into their products - they've seen the writing on the wall. The new thing...

Application security is where it's at - You can't stop them at the perimeter so make damn sure the crown jewels are well protected. No longer locking down ports on the firewall, the new kid on the block will be a code monkey hunkered down amid the app code wringing blood from SQL statements. Train those developers up in the principles of secure coding now.

Server OS hardening - Riding on the app security (or should that be the other way around?) come the beasties beneath. It's long been the practice to secure Net-facing servers but now it's necessary to strike a much more difficult balance between functionality and security on the internal boxes. If I can take a moment to buck a trend... kudos to M$ who have done a pretty good job with Windows 2003. All those tedious secure file and registry ACLs are in there by default, it's beyond 2000 and a wide world away from NT. Have other vendors moved forward lately?

Identity and Access Management - Bye-bye password. Hello token, tab, smartcard, biometrics. The trusty password is on its last legs - too easily guessed, broken or otherwise deduced. From now on you must wave your certificate, squish your thumb on the reader and type in your random number before entry is gained. Two- or even three-factor authentication will become de facto as it becomes more important to prove who you are. The technology is now there to combine physical and electronic access control into one system, restricting access to adult web sites and the executive water closet at the same time.

Improved malicious code - Ok, it's being "improved" all the time, otherwise there would be no new viruses and the AV vendors would all be out on the streets. In the continuing arms race malicious code writers will study the world of forensics in order to avoid detection of their pride and joy. Those pesky viruses will be hidden in hard disk bad blocks and injected into running code: very difficult to detect. If that wasn't bad enough, as we all become net-savvy and networked we'll start to spread malware to each other simply by the act of communication. Huh? Well, we'll rely on messaging apps and collaborative workspaces to interact, and these will be infected themselves or used to spread infection.

Business continuity/disaster recovery - Ever lost a server and found your backup was bad? Come to that, ever tried to restore your backup? Come to that, have you got plans for what to restore your backup on when the office has gone up in flames? Simple questions but so many never ask. Having a business continuity plan can be the difference between your business surviving or going down the pan. Hopefully more people will be ensuring they have the answers they need.

Security awareness - Getting better in the corporate world but not yet broken through to the home user. They rely on the code to protect them but they don't realise the code can become compromised with no outward sign. They're not aware of the dangers of adware, trojans or even misspelt domains. They don't understand why M$ releases updates - hey, my computer worked ok before so I don't need 'em now. Oh dear, the human element is missing and as every sci-fi fan knows, never trust a robot cop. Sadly this is one area I don't expect to change.

 

I think that's enough crystal ball gazing... the battery is running out and it's getting dark. I could add a lot more but the chances are I'd be way further off the mark. :-) As someone must've said, make only one prediction and your chances of being right are at least 50/50. If you have any comments find an email address somewhere around here and drop us a line.

 

For more on information security see Insight Consulting.

Written 18/07/05. Copyright northfell.com 2005