January 4, 2011

Recap on 2010 IT Security Predictions

Last year I made the following predictions for 2010. Even though 2010 was a tough year for many, and most CIOs and CISOs were looking to cut costs, security still got a good boost. It is warming up; what comes in 2011 and 2012 will be much bigger for security.

1. Virus / Malware will hit Mobile
Viruses and malware for mobile devices and smartphones will escalate as more apps are provided that let users do more in e-commerce, travel and financial apps. Given that many end users feel less vulnerable on their mobile devices, it could be a steep learning curve to convince them they need to take protections similar to those they take on their PCs. The people making the malware will promote these viruses and malware as free downloads of ringtones, games and utility apps. These apps will be to phones what spyware applications are to PCs. With GPS-enabled phones, it will be dangerous to get infected with these viruses.

[Realization – Yes. Many new viruses did come in, but the impact is still not that great, mostly because the compromises and losses are still unknown and they are not at mass scale. With the maturity of PC anti-virus, most phone vendors have implemented good processes to screen applications (screening, code signing etc.). It is not much of a threat until the user installs a FAKE application; with user education, the latter can still be resolved.]

2. Security as a Service
Security tokens, which have become software-driven in lieu of hardware, will move from a licence procurement model to subscription. This will be enabled by selling Security as a Service. It will hold for managed and hosted services where regulatory compliance is a need and the customer wishes to have a 3rd-party security provider. Overall, security as a service will cover better vulnerability management/reduction, application-level firewalls, strong authentication, robust encryption and closer attention to legal jurisdictions.

[Realization – Yes. This has also come into the mainstream. Google has released support for 2FA for Google Apps. Along with that, everything moving to the cloud needs strong authentication and strong privacy control. 2011 will be a much bigger year for Security as a Service. Still, strong authentication solutions are not giving the simple, easy, effortless user experience that suits users best. This is the GAP that needs to be filled. 2011 will be an interesting year to see SaaS mature, and enterprises using cloud services will certainly go for strong-authentication-based login.]

3. End To End Encryption
With mobile workers and the work-from-home mindset, remote access will become more crucial, and at the same time a lot of data will be generated at the user side and will be under threat of being stolen. Along with this, why should you trust the network, wired or wireless? End-to-end protection is going to get a big boost in 2010 to protect the data. For instance, insurance agents do business from their laptops, and there is no protection for the end customers' private information on those systems. Application-to-application, end-to-end protection will be the basic need for all e-business workflows, above and beyond an SSL certificate.

[Realization – Partly yes. Application-based end-to-end encryption is certainly a need, but an alternative solution, Out-Of-Band Authentication, is giving a better and stronger security solution compared to end-to-end encryption. E2E is a good technical solution, but backend system integration has been the show-stopper for it, whereas OOB is simpler to implement. Still, OOB will not be able to protect against an internal breach; end-to-end encryption or confidential data masking must be put in place. Companies like SafeNet are betting on end-to-end encryption with their HSM-based solution; it will be good to see how well it does.]

4. Tested and Certified Software Will Have the Edge
Currently a lot of software and hardware products do not have a security checklist they must pass. Now more push towards certification and compliance will come into action, making it a standard. Basel, PCI-DSS and HIPAA are there, but it will spread to many other sectors. Procurement will require more robust testing of software and firmware to ensure a significant reduction of many of the vulnerabilities we are dealing with today. Certification should become faster and cheaper for this to happen.

[Realization – Partly yes. There has been an increase in security awareness, and adoption increased. PCI-DSS and HIPAA certainly came out stronger in 2010. Basel III should also make a good impact in the coming years. Security awareness, and security not being taken as an afterthought, are needed more as fraudsters get smarter at tricking gullible users. Still, a lot more emphasis needs to go into security, privacy education and certification.]

5. Multi-factor Authentication becomes more popular
Even though Gartner states that 2FA is not enough (which all the security gurus have been screaming for a decade), 2010 will still be the year of wider adoption of two-factor authentication for end users. With federation of the many types of two-factor authentication around today, we will finally see strong authentication become the rule, NOT the exception. However, it will not be limited to 2FA (what you know and what you have); it will become multi-factor, with where you are, what you see and what you are also becoming identity criteria used to allow authentication and access. It will certainly be driven by software (not hardware) to make it widespread.

[Realization – Yes. Many companies and sectors are adopting multi-factor authentication, and many new companies providing it have come alive. OATH had 10-12 members last year but now has 30-plus members that are taking the public standard for OTP ahead in the market. Mobile-phone-based software tokens are going to be very popular tokens in the coming years. Unfortunately, hackers have become smarter at breaking one-time-password-based authentication; OOB authentication or PKI-based end-to-end encryption will be needed. Web SSO (with or without SSL-VPN) will also come into strong focus as each enterprise uses many applications that it wishes to webify and take to market. OTP, Web SSO, Federated Identity and Unified Single ID will become more common words in 2011. All of this will be needed for cloud infrastructure too.]

6. Voice biometric for Password Reset and Getting new services activated
Password management is one of the biggest and most expensive support activities. Filling in forms, faxing them and waiting for weeks to get your PIN will change through voice biometrics: forgot the PIN, call the support helpline, authenticate yourself and get the new PIN. The same will apply to new services where you need an activation code or PIN delivered out of band with authentication.

[Realization: Yes & No. This never got into action in 2010. A few banks did roll it out, and companies like PerSay got market attention for a short time. The clients for voice biometrics are looking at authentication for phone banking or customer support. It never really did well, nor will it pick up in 2011, mainly for two reasons. First: voice biometrics is cracked (there are ways this technology can be broken; I will not cover that in this post, but it is doable). Second: the business model is per call, so the billing grows exponentially as more users and more transactions come into play. It is good in that no software or hardware has to be issued to the end user, but cost versus security does not favour this form of security.]

7. Social Networking Threats on rise
As more and more businesses turn to social networking sites to extend their customer reach and build brand awareness, sensitive data becomes even more available and vulnerable. This past year, the Koobface worm spread like wildfire through several social networks including Facebook, MySpace, Friendster and Twitter. In October, a massive bot-based attack, Bredolab, affected three-quarters of a million Facebook users by sending fake password reset messages. No solution will come in 2010.

[Realization – No. I am just amazed to see that people are just not worried about their privacy and security. There have been so many applications (for Facebook, hi5, Orkut) that simply steal users' personal details. You click on Allow and your complete life is in somebody's hands. 2011 will be the same and people will still do the same thing. More threats and attacks will happen on / using social networking. It is like smoking, where we know it is not good but we still do it.]

8. Digital Signatures will go Mobile
Today we have two options for signing (to enforce non-repudiation): software signing (through your internet browser's secure storage of certificates) OR hardware signing (where a smart card OR USB key stores your certificate). Both are good but restrictive in nature. What you always carry with you is a phone. Your keypair will be carried inside your phone and you will use it for signing and verifying your transactions, documents and emails. It will be cost-effective and not restrictive compared to today's options.

[Realization – Yes. In fact I am proud to share: we, EZMCOM, are one of the first movers to come out with Mobile PKI as a Service, which will be enabled for all the banks and financial institutes in a country in ASEAN. It gives a higher risk appetite, legal binding, a simple, effortless user experience (unlike hardware PKI tokens) and global roaming. In fact the model is “pay per use”, making it very competitive in pricing too. 2011 will be a big year for this as it goes global.]

9. Email Protection with DLP (Data Leakage Protection)
Email is the most widely used communication tool for businesses today. Email signing, so that email holds its legal value, is becoming a need for businesses. Making your communication confidential will also become crucial. Solutions like PGP for desktop email encryption and signing exist, but they will not fly any more; it will be enterprise-level or ISP-level email protection. Currently we have anti-spam and anti-virus for our email, but that is not sufficient when it comes to internal breaches and legal conflicts. Email signing as well as DLP will come on strongly in 2010-11.

[Realization – Not really. Email archival and DLP did get good attention, and it was very much needed in 2010. Still, email signing / encryption is not coming into the mainstream yet. Why? Gmail does not want it, as they cannot show advertisements. BlackBerry offers it, but you need to pay a premium. Why would anyone give email security away? I will be happy if free email encryption (S/MIME) gets offered, especially by Gmail; it will be a great service to all.

On the other hand, for DLP, only the enterprise market is looking at DLP solutions. DLP is more to do with processes + people than technology. A simple way to bypass it is to carry a camera (which all phones have now) and take pictures of the documents on your screen. Controlling people in the world of the web is not possible; there are many simple or sophisticated ways to bypass security and steal the data.

What is needed in 2011 is collaboration tools like Yammer and closed-network + application monitoring tools. We need to have happy employees that work closely so they do not steal. If somehow a PC is compromised by external hacker(s), then application / network monitoring will be the right solution. In addition, if you have really private and confidential files and data, then go for PKI-certificate-based encryption tools (there are many good ones in the market now). 2011 might have this, but I am unsure on this one.]

10. Identity Management and Authentication and SSO will consolidate
Consolidation of PIN, token and certificate, along with web-based SAML-enabled single sign-on, is going to give efficiency, the best TCO and the least support, mainly for the private and public sectors. National ID cards will become crucial to enable many e-services, m-services and real services using one consolidated platform for identity management and authentication. Federated identity will become more popular in 2010.

[Realization – Not really. 2011 might be the year for it after the long recession.]

11. Rise of Scareware
While free anti-virus products are great for decreasing the growing amount of malware threats out there, users need to be cautious about rogue anti-malware products -- otherwise known as "scareware" -- that organized crime rings will use to take advantage of end users and disable their computers. Scareware reared its ugly head this year through fake advertisements (malvertising) for antivirus on The New York Times website.

[Realization – Yes. 2010 has seen much malware and scareware, especially as SMSes, emails and browser plugins. There is no stopping it in 2011; it will continue, and now a better and bigger enabler is social networking sites, where more scareware will be coming in. There is always NEWS, good or bad, real or fake. WikiLeaks is also a whistleblower for the good of the world. 2011 will have many more surprises, so let's wait for it.]

12. No Privacy
Google, Facebook, Twitter etc. will ensure you have no privacy at all. Your emails, blog, wall-to-wall comments and tweets will be used for social intelligence. Your location will be given away through your Nokia, iPhone or BlackBerry. Please be aware of the No Privacy World.

[Realization – Yes. 2010 started No Privacy and 2011 will be even more of a No Privacy year. Everyone will know where you are, what you are doing, whom you are with, what you are hearing, what you are texting / tweeting / facebooking. Your PC and your phone are the spies on you. This is a double-edged sword: it is good when it comes to shopping / getting deals / location-based services, but it is bad when everyone on Facebook / Google knows what you are hearing / doing.

Decide for yourself: are you a private person or a public person?]

It will be great to hear your comments. Do contact me at vikram @ ezmcom . com
