Enterprise Strategy Group | Getting to the bigger truth.TM

Briefs: Security Predictions for 2010
Published on Friday, December 18th, 2009 at 2:22 pm
Categories: Briefs | Data Privacy and Security | Identity and Access Management | Security Management | Security and Privacy |
Authors: Jon Oltsik |
Information security events and vulnerabilities haunted large organizations in 2009. New security technologies should help security-conscious organizations, but 2010 will likely be a very difficult year. ESG expects a steady increase in the volume and sophistication of security threats as well as a major event next year that makes the 2007 TJX breach look tame by comparison. Expect a lot of government cybersecurity activity as well—especially if ESG’s dire prediction occurs.

Overview

While large organizations managed through a global recession in 2009, security investment and initiatives continued, demonstrating that information security has become a major business priority.  What will change in 2010?  Security technology will go through subtle transitions thanks to new user requirements on the demand side and product integration on the supply side.  That said, ESG believes that cybersecurity will capture the world’s attention in 2010 in unprecedented ways.

ESG anticipates the following cybersecurity technologies, events, and legislative activities next year:

  1. Ubiquitous encryption. Like last year, ESG believes that large organizations will continue to increase their use of encryption technologies.  Why?  Two reasons:  1) to proactively protect confidential data and 2) because encryption technologies will be “baked” into products while adding little to the price tag.  For example, technologies like disk drives, USB flash drives, tape drives, and operating systems are now readily available with encryption functionality.  In 2010 and beyond, it is likely that laptops, desktops, servers, and enterprise storage systems will also come with cryptographic processors as part of their standard configurations.  Ubiquitous encryption is a bit of a mixed blessing.  While data confidentiality and integrity may be enhanced, enterprises had better have a formal, documented encryption management plan, lest encryption operations—and data recovery—really become a challenge.
  2. Key management. Closely associated with ubiquitous encryption is key management: key generation, key rotation, key security, key backup, etc.  As the number of encryption keys used grows exponentially, centrally-managed, tightly-integrated key management services become a requirement.  Fortunately, there is good news on the horizon.  In 2010, we should see the first revision of the Key Management Interoperability Protocol (KMIP) effort coming out of OASIS.  KMIP is being led by a who’s who of industry leaders including Brocade, EMC/RSA, HP, IBM, NetApp, PGP, Seagate, and Thales Security.  The goal is interoperability between key management systems and encryption technologies and/or key management systems with each other.  Large organizations should pay attention to this effort and only purchase encryption and key management products from vendors committed to KMIP support.
  3. Security management 3.0. Old-style Security Information and Event Management (SIEM) systems don’t have the scale, openness, or analytical capability to keep up with the growing threat landscape.  Additionally, ESG sees a bifurcation in the market: in the past, SIEM was often simultaneously used for compliance management, security event/incident management, and log management.  In 2010 and beyond, these three IT/security disciplines will separate, but remain linked through a new security management architecture anchored by an “IT data warehouse” that collects, processes, and stores IT-based data (i.e., log data, flow data, SNMP events, IF-MAP, etc.).  Disparate analytics engines for security, compliance, IT operations, etc. will simply access this information from a common repository.  CIOs and CISOs should prepare an architectural plan for this transition.
  4. The merger of DLP and eRM. DLP (data loss prevention) excels at data discovery and classification while eRM (enterprise rights management) is best for granular policy enforcement.  In 2008 and 2009, these two technologies started to come together.  Microsoft formed a partnership with EMC/RSA to align its Rights Management Server with DLP while Symantec, McAfee, and others teamed their DLP with eRM leader Liquid Machines.  Expect more momentum in 2010.  It is likely that Liquid Machines, BitArmor (a DLP/eRM hybrid), and other startups will be acquired in 2010 as markets align and consolidate.  Look for Microsoft and others to also champion standard metadata tags for heterogeneous and distributed data classification and common data-centric policy enforcement.
  5. Identity management 3.0. There has been consistent identity management progress for years, but it occurred in the technology backwaters for the most part.  In 2010, the identity management discussion is likely to become far more pervasive.  VMware and Citrix will talk about trusted identities for virtual machines.  Financial services firms will aggressively offer customers authentication tokens to protect their identities and financial assets.  OpenID and similar technologies will gain consumer momentum.  The U.S. Congress will seriously contemplate a national identification card.  Why all these developments?  Identity management is out of control.  Users have too many user IDs and passwords, anonymous mobile technologies are multiplying like rabbits, and identity theft is rampant.  As a society, we must find a way to take advantage of technologies like PKI, the Eclipse Project Framework, and Liberty to do a better job of protecting identity and privacy.  In the past, this was the domain of the identity intelligentsia; in 2010 and beyond, expect pressure from John Q. Public as well.
  6. A wider and deeper threat landscape. Since the threat landscape grows exponentially each year, this is an easy prediction for 2010.  Nevertheless, 2010 will up the threat ante in several ways.  First, the wave of web-based attacks will continue to escalate as we see major web properties compromised regularly.  Second, we are likely to see increasing attacks on non-Windows platforms such as Mac, iPhone, Android, Blackberry, and Nokia devices as well as over IP phone systems.  Finally, ESG anticipates the return of killer worms (like Conficker) with an increase in frequency like we saw in 2004.  Most of these worms won’t carry a malicious payload; rather, they will be used for disruption and reconnaissance purposes.   Users must anticipate this threat escalation by arming endpoints with best-of-breed security technologies, moving to cloud-based threat management for scale and performance, and studying threat intelligence reports on a regular basis.
  7. The appointment of a White House Cybersecurity Coordinator. President Obama announced his intention to appoint a national cybersecurity coordinator in May 2009, but the position remains vacant as of this writing.  Many folks in Washington are not happy about this.  In August, the House Bipartisan Cybersecurity Caucus wrote a letter to the President recommending that he fill this job as soon as possible.  Ditto for Representative Yvette Clarke of New York, Senator Joseph Lieberman, and industry group TechAmerica.  The President has clearly been distracted by health care reform and the economy over the past few months and, with the holidays just around the corner, nothing is likely to happen in 2009.  Nevertheless, I expect that Congress will really turn up the heat in January.  The President should nominate someone by the end of February.
  8. A major cybersecurity incident. While the 2007 TJX breach is still the poster child for data theft, expect something much bigger in 2010.  It may be an attack on a bank, power grid, or telecommunications network.  It may occur in the United States, Western Europe, or Asia.  While it would be impossible to pinpoint what will happen, ESG has a feeling that something more menacing will occur.  Unfortunately, the world has to learn its lessons the hard way (again), just as it did with the terrorist attacks of September 11, 2001.  The aftermath of this attack will be ugly as politicians blame law enforcement, intelligence agencies, and one another for the incident.  If this event occurs in the United States, President Obama may become a major scapegoat, especially in light of his cybersecurity coordinator delays.  As for common citizens, we will ultimately be a bit more frightened, much more concerned, and a lot more demanding that something get done—fast.
  9. New U.S. cybersecurity legislation. This, too, is a fairly easy forecast given the number of active bills in the U.S. House and Senate.  Just this week, the House of Representatives cleared the Data Accountability and Trust Act (DATA), which could pave the way to national breach notification legislation, superseding today’s morass of individual state laws.  This past November, the House also passed H.R. 4061, calling for more investment in cybersecurity research.  The U.S. Senate is also active.  The Rockefeller-Snowe bill seeks to rationalize and structure federal cybersecurity efforts while Senator Joseph Lieberman has introduced a bill that clarifies the cybersecurity role of the Department of Homeland Security.  In 2010, it is likely that these 2009 efforts will bear fruit.  ESG anticipates a national data breach bill, increased cybersecurity funding, and a major overhaul of the Federal Information Security Management Act (FISMA) in 2010.  Once again, look for a lot more legislative activity in the event of a major cybersecurity event in 2010.
  10. Enhanced cybersecurity awareness and education. While Congress debated investment in cybersecurity training and education in 2009, there was little tangible evidence of change.  Cybersecurity skills remain scarce, and the October declaration of “National Cybersecurity Awareness Month” was nearly invisible outside the beltway.  Look for a major change in 2010.  Many cybersecurity bills include increased investment in cybersecurity education programs like the National Science Foundation’s (NSF) Scholarship for Service (SFS), the NSA’s Information Assurance Certification Program, or the joint NSF/NSA Cyber Corp.  In addition to higher education programs, expect the U.S. federal government to team up with the security industry to greatly increase public service programs on cybersecurity awareness.  ESG anticipates a highly visible public relations campaign, analogous to the “Just Say No (to drugs)” effort or the “Smokey the Bear” campaign to prevent forest fires, beginning in 2010.

The Bigger Truth

In summary, 2010 will bring incremental rather than radical changes in information security.  In the meantime, the cybersecurity landscape will be even more dangerous next year, culminating in a major event.  The good news is that this one event will greatly increase cybersecurity awareness and make preparedness a top priority.  The bad news is that many legislators and citizens will overreact to vulnerabilities, problems, and proposed solutions.  Public and private sector organizations around the world must rapidly increase their cybersecurity knowledge in order to better understand security incidents, increase preparation, anticipate emergency response, and institute the appropriate level of risk management assessment along with suitable security safeguards.
