In the latest roundtable hosted by SC Magazine, in association with Websense, Andrew Kellett asks security professionals to pinpoint the likely trends for 2013.
The big security themes for 2012 were mobile device and application protection, lack of cloud-based security, data loss prevention and the need for big data management. If you add advanced protection requirements and increasing compliance demands into the equation, most of these issues will continue to retain a strong influence over proceedings during 2013 and beyond.
However, what is changing is the way that security professionals believe we should be addressing these issues. There is an urgent requirement to look more closely at the latest attack trends and deal with advanced threats more effectively. At a time when all organisations are at risk from stealth attacks, the challenge is to know how effective existing protection strategies are, and to understand what is working and what should be replaced. Businesses need to get the security balance right: they need to be able to share information with trusted partners while still ensuring that regulatory compliance requirements are met.
Infrastructure and device management changes will have a significant influence on data protection requirements
Over time, the growing use of new-generation mobile devices is going to reduce the stranglehold on the business community of Wintel (Windows operating systems running on Intel processors). We may still be at the stage where the prestige of owning and using these shiny new toys outweighs their business value, but that position is already changing.
The business value of various tablets and smartphones is growing, and the device and data protection demands on security professionals will expand next year. The break-up is likely to be messy as common endpoint protection requirements start to fragment after years of monopoly-driven consistency.
For security managers, the considerations may include maintaining data controls elsewhere, and with that the potential to turn endpoint devices into virtual display screens with update capabilities. Using this approach, information can still be delivered on an anytime, anywhere basis, but the source data may be held and secured in a remote data centre controlled by the organisation or a cloud-based service provider.
Senior executives and middle managers will continue to favour their Macs, iPads and smartphones, but for the vast majority of business users, it is likely that organisations will want to standardise on a smaller number of devices and improve the controls over what systems, applications and data their users have access to. Security professionals recognise that the push for consumerisation within business environments will continue; the security challenge will be to add business value to service delivery channels through the delivery of secure access and security management services.
The impact of 4G is likely to be a game-changer for BYOD and business users
The combined Orange and T-Mobile approach to delivering the first 4G network facilities under the Everything Everywhere (EE) brand is seen as having the potential to build on current BYOD demands. At the higher end of the scale, it will offer greater opportunities for a single device to fulfil business and social demands. Senior and middle managers are likely to be comfortable with an EE always-online approach that gives them personal as well as corporate access away from the office without having to fire up a second machine.
The always-connected mentality suits a growing number of employees who want to stay connected at home, while commuting and outside working hours. They are happy checking business communications while watching TV using a single connected device. However, it is recognised that the ‘one device’ argument may only have a limited and short-term appeal.
It is already the case that the last thing that the majority of employees want to do when arriving home is check their work email. As the personal commitments of BYOD become clearer, employees are more likely to want to operate one device that is theirs and has nothing to do with work, and then use a single company-owned device for all commercial purposes. This preference for keeping personal and work devices separate in 2013 is likely to be driven by BYOD privacy intrusion concerns. These will include the employer's ability to track device locations, control installed software applications and remove private as well as business data.
For the business, a separation of ownership may reverse the trend of supporting an ever-widening range of mobile platforms. Keeping costs low will once again become the driving force. Purchasing decisions are likely to be based on what is the cheapest, easiest to support and most robust piece of kit that can be rolled out to as many users as possible. From a company cost-saving perspective, BYOD take-up is also likely to falter if the workforce demands payment for using and adding software licences to their machines.
Dissimilar organisations take a vastly different view of future security requirements
There may be vastly different security requirements across public and private sector organisations, but there is a common recognition that data protection requirements need to change. The impractical ‘classify everything’ approach has proved too difficult and, while not true for all sectors of business, the amount of sensitive data that will severely impact a company if disclosed is thought to be much smaller than many security managers have previously believed.
This is one area where the 80/20 rule does not necessarily apply. In many organisations, the percentage of data that falls into the most sensitive categories, and needs to have the highest levels of security built around it, can be as little as one per cent.
Similar distinctions can also be made in the identity management space when determining which users should have access to highly sensitive areas of the business and the strong authentication credentials needed to control that access.
In some highly regulated industries, all senior personnel need to be rated on the level of risk they present. Typical risk parameters may include: propensity to travel and areas visited; business role and access rights; and the nature of the business itself.
In some organisations, the carrot-and-stick approach to educating users is being tried. For example, if employees fail to respond to security reminders, their systems access may be curtailed or even removed. Operational problems have been encountered, but the general feeling from IT is that awareness quickly improves.
At the other end of the scale, the charity sector tends to have a completely different set of security management views. The senior people (board members) are volunteers, and in many cases are ‘allergic’ to technology. They print everything needed for meetings and are much more likely to leave confidential documents on a train than they are to leave mobile devices.
Therefore, the usage challenge is more about individual risk and accountability and the need for education on basic security matters.
Andrew Kellett is principal analyst, security at Ovum