Many of our clients have, by now, taken care of all the basic stuff for IT and online security: they've promoted strong passwords, implemented web access control, and many have even rolled out full disk encryption to laptops.
But as the wheel of innovation turns, what was once novel turns into the obvious and run of the mill. So what’s around the bend for mainstream on-line security? Biometrics, digital right management, cyber identities?
Accenture Tech Labs R&D is working on security solutions that may seem optional or even lavish for many organisations today, but that will likely become the "new normal" in the near future. These Labs initiatives and priorities are informed by our clients and market research. Here are the items that top the list:
Protecting against insider activity.
You hire personnel that you expect will do the right thing, ethically and commercially. Most organisations choose to nurture a culture of trust as they nudge and remind employees of certain compliance obligations (submitting expense reports, changing passwords etc).
On the other hand the IT security discipline also fiercely follows Ronald Reagan's catch phrase: “trust but verify”. When it comes to the human factor, the military, government agencies and financial services firms know the drill: a trusted insider can use legitimate network access, often in offices and on official time to exploit holes in policies or practices - or by using social engineering.
In the first part of 2010, according to Verizon, the proportion of incidents with an insider agent doubled to 48%. Now distinguishing someone who has gone astray that is not exhibiting any obvious “rule breaking” behaviour is non-trivial.
At the same time, you'd prefer not to wait and catch someone in the act. The grand challenge is to avoid casting an unwarranted suspicion on your employees as you spot those individuals that intentionally exceed or misuse authorised level of access.
Engineering security safeguards into your infrastructure.
As the digital footprint of a company expands (web sites, networked systems, business applications, etc.) so does the opportunity for an external "someone" to break in, lurk around, and walk away with the goods.
A networked machine left unguarded even for a couple of minutes on the open Internet will, in short order, get hacked and "owned". Pesky hackers have given way too advanced persistent threats. The good news is that with any intrusion there will likely be tell-tale traces. Files will be tampered with, audit trails modified, and system configuration settings trampled.
So the idea is to make it tough for the attacker not only to get in, but also to make it difficult to do so without getting noticed. That starts with basic cyber hygiene like regular software patches.
But the reality is that the average time before an intrusion is discovered is about 28 days. Patching software is usually done in bulk to fix a group of vulnerabilities (unless it’s a critical update). In either case "Patch Tuesdays" is not fun nor timely. So enter smarter intrusion "tolerance" techniques that are paving the way for IT architectures that can with-stand the brunt of an attack and survive.
The doctrine is to accept the idea that your systems will inevitably be attacked and put in place safe-guards that evade, disrupt and resist (anyone a fan of Star Trek?).
Staying current about cyber threats.
Why are we getting bombarded by malware? Recent studies suggest that anti-virus products are struggling to keep up. Symantec documented around 500,000 new malicious code signatures in the first quarter of 2010. The malicious code writer seems to be always two steps ahead of virus detection vendors.
What to do? Another philosophy is to look beyond known black-lists of nasty web sites and worrisome software downloads. So-called threat intelligence services collect "zero-day" indicators and warnings from: social networks, fraud and phishing schemes, malware distribution sites and the cyber underground.
The information is then used to inform policy enforcement points, network security and incident response teams. White-listing technology is also receiving added attention as a means to ensure each application is certified and accredited to be pristine (i.e. squeaky clean) prior to installation on a laptop, server or smart-phone.
Security in the "cloud".
The resources-sharing model of cloud computing will be the default moving forward. Not for all applications, but for a tidy few. Do you trust the network or database administrator that has yet to complete a minimum background check? Are you comfortable having your sensitive data intermingled with your competitors on the same server?
Cloud computing puts disciplined risk management in the spot-light. Mobility is also part and parcel of the cloud where smart-phones and web devices live in a constellation of connectivity. There are clearly smart-phone security holes to be plugged as un-vetted and un-trusted applications are downloaded on a choice of mobile operating systems.
Outsourced and managed security services.
We are already outsourcing HR, payroll and customer services. Why not outsource security? There are pros and cons. Forrester Research indicates that today's organisations face aggressive cost-cutting and efficiency pressures that are driving businesses to consider cloud sourcing solutions.
Why install security tools and appliances when you can get the same functionality delivered over the network? The SaaS (software-as-a-service) or hosted services market is growing at a 20% CAGR and stretches managed compliance, security event management, vulnerability scanning, incident management, log management, identity management, application firewalls, content filtering etc.
With an outsourced security model in full swing, there exists an exciting opportunity to create "situational awareness" hubs that make use of mounds of security data to generate forecasts and recommendations that can help avert subtle or emerging cyber threats.
Blog post by Walid Negm, Accenture Senior Director, Security Products & Offerings