Ian Yip is NetIQ's APAC business manager for identity, security and governance
This year has undoubtedly been the year of hacktivism, bring your own device (BYOD) and cloud computing.
Many organisations had already started to deal with the implications of cloud in 2011 and this year was a continuation of those efforts.
Hacktivism dominated the public stream of consciousness while BYOD rose to the fore within enterprise IT with most organisations struggling to handle both, not being prepared for the speed at which these factors took hold.
Hacktivism and the increased sophistication of threats have forced the IT security industry to up its game in devising and layering defences. IT security departments have never been under more pressure as breaches and incidents become more visible and frequent.
Cyber-attack motivations now have additional dimensions; in addition to attacks for monetary gain and disgruntled insiders, we now have to deal with misguided altruism and a raft of differing, often unrelated agendas.
BYOD and cloud have turned IT departments upside down and forced many to rethink their enterprise security strategies.
Together, BYOD and cloud heralded the arrival of the consumerisation of IT, essentially the democratisation of IT within organisations. Employees are no longer content with being dictated to.
As consumers, we now enjoy more useful, usable applications than ever before. We expect the same of our IT applications at work. The sentiment that work is where we go to use old technology is common and users are revolting.
If IT will not provide adequate tools for business efficiency, users can go around IT and procure their own tools with ease, credit card in hand. The fact that some of these users are C-level executives has forced IT departments to react instead of denying requests.
IT security, so often seen as a barrier which users try to get around, has had to evolve. Instead of always saying no, IT security has had to say yes more often. Constantly rejecting requests from the business because the risks they introduce are difficult to mitigate makes an IT security team’s job harder.
This year was the year IT security lost a great deal of control and had to play catch-up as a result. To evolve, IT security teams need to implement agile, focused, foundational security strategies and processes.
Next year needs to be the year enterprises execute on this approach to better deal with the ever-increasing speed of change.
The year ahead
Looking towards next year, many similar themes will continue to propagate. But how will they evolve? What else do we need to consider? Here’s a list of 10 things to be aware of:
Information and Identity will be central to IT, not just IT security. In a technological world where IT cedes a large amount of the control it once enjoyed, there is only one way to mitigate the risks a lack of control introduces. That is, organisations need to understand where all the critical information is, how it is accessed, who/what is accessing it and how to identify unusual behaviour. Doing so will make it easier for organisations to deal with external challenges.
IT security teams will actively seek to collect more data than they have in the past. Big data as a trend will be front of mind for IT departments in 2013. In the context of IT security, this means a more efficient way to store large volumes of data. Core to mitigating risks and understanding threats is having the data available and being able to access this in a scalable manner. In the past, scalability issues when accessing large amounts of data have meant organisations selectively turning collection mechanisms off, in some cases unwittingly blinding themselves to potential threats. Next year will be the year organisations start to understand how big data can help turn up the amount of information their systems collect and how IT security solutions such as Security Information and Event Management (SIEM) can process the increased volume of data in an efficient manner to allow operational teams to react to incidents in real-time. Essentially, this means organisations will be able to use big data technologies to store and access more data than they have in the past and have this be made available to manage IT security risks.
Security analytics will be critical. Turning data into useful information to gain insights has been a theme throughout 2012. Coverage of the recent US presidential election used data more prominently than any in the past to predict, analyse and visualise trends and results. In addition, the high profile nature of Nate Silver’s accurate statistical prediction of the election despite criticism leading up to the event has brought the value of data analysis into the mainstream. This will only exacerbate the fascination with analytics that organisations have had over the past two years. For example, some retailers have used it to better understand their consumer. In some cases, the power of analytics has bordered on the downright creepy. This is not ideal in the consumer world, but the opposite is true in IT security.
The ability to analyse data efficiently and accurately will become more critical as the capacity to store more data increases. This means that organisations must get better at filtering out noise, understanding behaviour and be able to draw sophisticated conclusions in real time so that they do not become front page news for all the wrong reasons.
Data scientists will become a core part of operational IT security teams. Organisations will increasingly recruit data scientists into their IT security teams to complement the technology solutions they put in place and to bolster their analytical capabilities. Security technologies will become better at identifying threats, but technology cannot always cover off the human element that people bring to the party. As threats become increasingly sophisticated and difficult to identify, the need for the trained, analytical human element on IT security teams will be crucial.
Enterprise cloud management will be one of the major concerns. As more organisations move towards a cloud-enabled, cloud-aware environment, the lack of understanding around managing the multiplying number of cloud technologies, service providers and vendors across technology layers (e.g. infrastructure, operating system, application) will continue to be an unsolved issue into 2014. The market, standards and technologies are nascent. It is unlikely that this will be completely and easily addressed by IT teams within most organisations, but 2013 is the year to lay the foundation for the future. The most important strategic focus here is to have an agile, scalable, secure foundation.
Social identities will become a key piece of the enterprise security puzzle. The UK government announced this year that they would be looking at how to leverage social identifiers of citizens for their systems. The state of Washington in the US allowed voters to register using Facebook. Retailers are looking at how they can personalise the experience for their customers with their social identities acting as primary identifiers. Devices that employees bring into the workplace are pre-loaded with social identities such as Facebook and Twitter, which presents an easy, accessible, seamless way for enterprise IT systems to tie identities to employees and their devices. Like it or not, social identities are becoming critical to businesses. IT security needs to have policies and technology in place to support this.
IT security teams will realise they have to deal with BYOD in a strategic manner. Too many organisations have tried to deal with BYOD by deploying Mobile Device Management (MDM) products. But they soon realise this is tactical and not a long term strategic approach that allows agility. Employees within organisations, having had MDM forced down their throats, have tended to revolt. Too often, MDM products become too restrictive and get in the way of business. It is more important to have a mobility strategy and manage mobile employees, not mobile devices. This means organisations need to focus on monitoring and enforcing access to information and being able to link everything back to identity. That is, the strategic, agile way to deal with mobile employees and the consumerisation of IT is through the use of Identity & Access Management combined with SIEM.
Security-as-a-Service (SECaaS) will be a real option for many new IT security projects. Despite public perception, SECaaS has existed primarily on the whiteboards within meeting rooms of enterprises in 2012. The concern when it comes to security in the cloud (both public and private) has been about the data, specifically where it is stored and who has access to it. Service providers are now aware of this barrier to entry and have started to address it. This means that there will be real options for organisations to use cloud vendors that can provide the visibility, accountability and the technology required. Organisations have become so comfortable with Software-as-a-Service (SaaS) models that SaaS is increasingly becoming the deployment option of choice for new projects. This will extend to IT security in 2013, although organisations will continue to be hesitant. That said, 2013 will see many SECaaS options move from whiteboards into production.
Organisations will demand deeper insights into user activities beyond logs and events. Most SIEM products simply collect logs and events. This means there are gaps in the data collected by most SIEM data collectors. Organisations will demand SIEM solutions be capable of going beyond what standard logs and event capture mechanisms provide, especially given the advent of maturing big data technologies. For example, standard operating system logs do not capture user activity and data manipulation (and access) at a level that is sufficient for making intelligent, contextual decisions based on analytics. Having the ability to capture additional data and provide deeper insights reduces blind spots. In addition, vectors such as identity and behaviour will become mandatory in deployed solutions as organisations struggle with advanced and evolving threats. The integration of SIEM with the Identity & Access Management infrastructure has never been more important.
Personal cloud will present itself as a major issue for IT security departments and can be a bigger threat to IT security than BYOD. The proliferation of mobile devices and the BYOD trend will result in the increased usage of non-enterprise approved applications. In addition, many of these applications store data on their own infrastructure and often in third party clouds that have no direct relationship with the user of the application. Controlling and securing enterprise data that has the potential to be stored within an employee’s personal cloud presents an even more challenging problem than BYOD, especially if access is not tied to Identity and properly controlled. The issue is really about allowing data outside of enterprise IT control. Once out, organisations have little chance of maintaining visibility and control over the movement of corporate data. Further to this, organisations that have a regulatory responsibility to report on data loss may not know it has happened due to a lack of visibility. In fact, organisations may be forced to report data losses on a daily basis because employees who have access to corporate data move it to their personal cloud; the data, having left the confines of enterprise IT and in a zone where the organisation does not have control, must officially be classified as being lost. Organisations must control access to critical data and ensure it does not leave the confines of the enterprise environment where visibility can be maintained. Some organisations can use the rise of personal cloud as an opportunity to provide employees with business tools with similar features that are just as user-friendly, but have enterprise security built-in.