Roger Grimes
Columnist

Five security trends for 2011 and beyond

Analysis
Jan 04, 2011 · 6 mins
Data and Information Security, Hacking, Security

System admins: Prepare for Web app domination, insecure mobile devices, universal single sign-on, and other headaches

You’ve likely seen plenty of articles lately detailing forthcoming IT security trends and defenses. I have a list of my own, but I bet it’s a bit different. It doesn’t include items such as cloud computing, virtualization, or mobile threats — been there, done that!

Rather, I’m going to share some thoughts on five other trends that will affect your security risks and change the way you design your defenses down the road: Web 2.0; the consumerization of IT; global SSO (single sign-on); advanced persistent threats; and the death of the DMZ. There’s a good chance you’ll face these challenges in the coming year.

Web 2.0: What isn’t Web will become Web

I was consulting for a customer a few weeks ago, and the company’s developers asked me to perform a security review of a new database application. I found the normal SDL (security design lifecycle) bugs, but I was more concerned that the team was using a traditional programming language for the code — with absolutely no Web interface. I brought up this point along with my normal review findings.

The programmers’ answer was that the Web wasn’t right for all applications, and performance-wise, their software outperformed Web apps by a factor of 3 to 1. I agreed with the latter point but strongly disagreed with the former. Yes, the Web isn’t the best choice for all applications in a world where we can design programs in a stand-alone box or without consideration for the rest of the infrastructure — but we can’t. The whole world is going Web 2.0. Nearly every app is going Web 2.0. What isn’t Webified today will be tomorrow.

The future consumer will expect to be able to access your app through a Web browser or as a Web service, no matter what type of computer they’re using — PC, smartphone, tablet, and so on. Separate interfaces and VPNs won’t cut the mustard. If your app isn’t easily available on the Web, it won’t be used or will eventually be phased out or recoded. The writing is on the wall. Programmers, take note.

I don’t mean that the app should simply be available on the Web — you can’t merely offer it as a Web-based app, especially if the app itself isn’t Web-based. That will work for the short and midterm, but not in the long run. Today’s traditional virtualization technologies, non-Web VPNs, and application gateways are short-term shims. In the future, for the app to survive, it must be Webified to its core. I may agree with you that the app is faster and performs better when not accessed using a Web interface, but it doesn’t matter.

Consumer devices gone wild

As I’ve discussed previously, IT security admins will have more personal devices and fewer computers under their control in the future. Smartphones and iPads are entering organizations more quickly than defenders devise protections. In many cases, admins will not have the opportunity to control the device.

I’m not simply referring to the fact that you might not be able to control minimum password length and complexity. You may not even know if users are using a password. Further, you won’t be able to control patching levels, installation of Trojans, and antimalware software or firewalls. You will be told that unmanaged devices can’t access the most critical and valuable information — but they will. You’ll be told that users will follow existing policy. They won’t. Welcome to our new reality: all the responsibility and none of the control.

Token protection

The Web and all the cloud iterations — private, public, b-to-b, hybrid, and more — will require that you bring single sign-on to everything computing, even though it has never functioned 100 percent reliably within a private network. Users will want full-range access through one logon name and password/logon token.

As such, you will be asked to make that happen, even between systems you don’t control. You’ll do this by using Web-based federation standards, cloud gateways, and claims-based identity metasystems. Instead of being worried about authentication protocols and password hashes, you’ll be protecting XML-based SAML (Security Assertion Markup Language) tokens. If you’re not sure what all this is, visit identityblog.com for intro material.

Hackers become squatters

In the past, the professional bad guys broke into a company, found the money, stole it, and made a quick getaway. Now they are in it for the long haul through advanced persistent threats.

The goal of these attacks is to steal all of a company’s intellectual property and secrets in perpetuity. The perpetrators want to swipe what makes your company valuable, for free, and use it themselves or hand it off to a competitor. They are likely to have all the master passwords and swarm the organization. If you catch them red-handed, they won’t do anything differently.

That’s because they don’t have to: They are working from countries in which you can’t prosecute them, and it’s nearly impossible to eradicate the claws they’ve sunk into your organization’s systems without significantly degrading your company’s operations. How I wish we only had to worry about the macro and boot viruses of yesteryear.

Death of the DMZ

The DMZ has always been porous. We’re just officially recognizing it now. The bad guys break in by compromising a legitimate user’s desktop, then start exploring from there. They take everything they want out on port 443, using AES encryption, so that you can’t see what they’re doing.

Instead of creating one or two porous boundaries, you need to create fine-grained security domain isolation. If workstations don’t need to talk to other workstations, don’t let them. Most servers don’t talk to every other server. Don’t let them. Most admins don’t need to connect to every server — so don’t let them.

To build your defense, diagram all the legitimate network traffic connections and block the rest, using access control lists, routers, firewalls, proxies, IPSec, and whatever else you can use. It should always be this way.
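One way to test a diagram of legitimate connections against observed traffic before enforcing it as default-deny rules. This is an added example, not part of the original column; the zone names, address ranges, ports and flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed zones (assumptions for illustration only).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app_servers": ipaddress.ip_network("10.20.1.0/24"),
    "db_servers": ipaddress.ip_network("10.20.2.0/24"),
    "admin_hosts": ipaddress.ip_network("10.30.0.0/28"),
}

# The "diagram": every legitimate (source zone, destination zone, proto, port).
# Workstation-to-workstation is absent on purpose, so it is blocked.
ALLOWED = {
    ("workstations", "app_servers", "tcp", 443),
    ("app_servers", "db_servers", "tcp", 5432),
    ("admin_hosts", "app_servers", "tcp", 22),
    ("admin_hosts", "db_servers", "tcp", 22),
}

def zone_of(ip):
    """Return the zone name containing ip, or None for unknown addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def is_allowed(src, dst, proto, port):
    """Default deny: a flow passes only if the diagram lists it explicitly."""
    return (zone_of(src), zone_of(dst), proto, port) in ALLOWED

def audit(flows):
    """Count observed flows the diagram would block, keyed by zone pair."""
    blocked = Counter()
    for src, dst, proto, port in flows:
        if not is_allowed(src, dst, proto, port):
            blocked[(zone_of(src), zone_of(dst), proto, port)] += 1
    return blocked

# Constructed flow records (src, dst, proto, port), not real traffic.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.1.15", "tcp", 443),   # workstation -> app: allowed
    ("10.10.4.7", "10.10.9.2", "tcp", 445),    # workstation -> workstation
    ("10.10.4.7", "10.20.2.8", "tcp", 5432),   # workstation -> db directly
    ("10.20.1.15", "10.20.2.8", "tcp", 5432),  # app -> db: allowed
    ("10.10.4.7", "10.10.9.3", "tcp", 445),    # workstation -> workstation
]
print(audit(SAMPLE_FLOWS))
```

Each blocked entry is either a legitimate connection missing from the diagram or traffic that should not exist, and both are worth resolving before the rules go live.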

What else does this mean for security defenders?

Learn more about Web attacks, risks, and Web-service protocols. Learn about WS-Federation, WS-Trust, SOAP, SAML, and claims-based authentication. I said it above, but it bears repeating.

In the computer world, especially the computer security world, you’re only as good as what you know or did in the past two years. This is the future. Update your learning or prepare to become the next Cobol programmer.

This story, “Five security trends for 2011 and beyond,” was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.