Trying to avoid the obvious and the already underway, here are my predictions for 2010.
1. Cloud security standards emerge. By the end of 2010, we’ll see a framework emerge for establishing a well defined set of technology, practices, and processes, organized into different levels of trust. Ultimately, adherence to these specifications will need be certified by third parties. The effort won’t be complete, but it will be underway. Look to the government as key industry (other than the vendors) driving this effort.
COROLLARY: The use of cloud will take off as adopting organizations by and large overcome their security concerns – or at least, understand them at a specific enough level to seek out providers that satisfy these concerns.
2. Federation will start to take off by the end of 2010. Use of federation will be fueled by SaaS and cloud computing and the need for single sign-on to bridge identity from the enterprise to those external environments. Where standards reign over kludges, SAML will be the leading mechanism. OpenID will continue to be just a lab toy for the "Identerati".
3. Managed Security Services expands far beyond “Managed”. Organizations are not only turning to managed security services, they are seeking more from their providers than merely assuming operational functions. Increasingly, they seek partners to help them with security strategy, benchmarking, making the business case, and integration. MSSPs that are in fact multifaceted solution providers will start to establish market dominance. Big winners will be IBM, VZB, Wipro, among others.
A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones.
The article has the catchy subtitle "$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected." It discusses how the insurgents are using the software to intercept the Drone's unencrypted video stream, "potentially providing them with information they need to evade or monitor U.S. military operations."
According to the article, the military has been aware that this type of attack was posssible for some time: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."
Let's hope that the Pentagon has learned what happens when you ass-u-me things...
I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .
I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting — both tactically (advice for improving IT operations) as well as philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).
Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding:
Business Technology (BT) architecture redefining how we define IT services
Cloud computing and virtualization redefining how we build IT services
Automation and ITIL redefining how we run IT services
But the big takeaway form me was automation. It’s the main ingredient in transforming information technology.
And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.
Sure, we see pockets of automaton in information security. I’ve seen: