As one of the world's leading security vendors, VeriSign has been asked to discuss the top 10 most important security areas for 2010. So, ahead of my New Year's resolution, I decided to indulge (after a year working heads-down on a single product, it is a fun exercise to think of all the things that you have been missing out on). Although the list is far from complete, it is clear to me that there is no recession for the bad guys. In fact, it has probably never been a more interesting time to be in the security business.
Security Prediction #1:
Cloud Security (Securing the Next IT Infrastructure)
Call it cloudmania or software as a service (SaaS) hype: whether data, applications, or networks, the whole IT infrastructure is shifting to the cloud. With it, a large chunk of today's IT budgets will be redistributed to the next Google of the cloud. In 2010, SaaS security will be at the forefront as chief information officers ponder their increasing reliance on external business applications: "Is my data safe? Is my security policy enforced? Am I still compliant?" Federated identity and access management services across SaaS will start providing some answers, and strong authentication will bolster identity services. Cloud platforms such as Microsoft Corp.® Azure and Rackspace will lead the industry to redefine key and certificate management within cloud environments.
Security Prediction #2:
Website Security (the Growing Threat of Web Malware)
Security Prediction #3:
Virtualization Security (Protecting the Cloud Operating System)
Securing virtualized environments is an absolute necessity. After all, virtualization is to the cloud what the browser is to the Web. Some see the hypervisor as the ultimate rootkit. We see virtualization as an opportunity to improve security through end-to-end automation. Combined, virtualization and the shift to the cloud provide a unique opportunity to transform the way we do security today. Virtualization enables security automation. Automation will streamline security deployment and ongoing management, taking us to levels that we simply could not achieve before. As virtualized switches reduce networking cost and complexity, virtualized security appliances and virtualized component certification will reduce the difficulty of deploying secure environments. For now, many questions remain: How do I secure my virtual images? How do I ensure the integrity and confidentiality of the templates and images for my enterprise servers, my employee desktops, and mobile phones? How do I make sure that all the data that these edge-deployed images consume and produce are protected by keys to which no one else has access? As end-point deployment converges to an automated assembly of virtualized software components (operating system, applications, firewalls, anti-virus, intrusion prevention system, intrusion detection system, load balancer, policy servers, etc.), how do I make sure that these elements are authentic, patched, and selected according to my security policies? For many years, we have been securing code for ActiveX and Java applications. The next generation of trusted software may well be virtual images.
Security Prediction #4:
Mobile Security (From Mobile Phone to "Security Remote")
Thieves steal a laptop every 53 seconds, and authorities never recover approximately 97% of these devices, according to the FBI. Worse, thieves will steal one out of every 10 laptops within 12 months of purchase. With the explosion of smartphones around the world, the new mobile platforms are about to become a hacker's dream and a corporate IT nightmare. It is no coincidence that 2009 saw the first iPhone worm. In a world of untethered devices (laptops, netbooks, smartphones, tablets), personal and corporate data must be encrypted, remote mobile access must be strengthened, and mobile end-point security must be deployed. Over time, mobile devices and the alternate digital channel that they enable will turn into a "personal security remote control". Indeed, we all need the choice of stronger security that does not impact the convenience of our digital lives.
Security Prediction #5:
Social Networks Security (Bringing Trust to Social Communities)
There are clear and obvious dangers associated with social networking, including personal data theft, malware, and scams. The most prevalent threats often involve online predators or individuals who claim to be someone that they are not. A December 2009 study from Sophos Plc. showed that 41% to 46% of contacted users "blindly accepted" friend requests from fake Facebook users created by the security firm. As businesses increasingly start leveraging social media to interact with consumers, business authentication, reputation, and trust marks should have an important role to play in the social neighborhood. Because trust is essential to any form of business, in 2010, social applications and games may seek trusted third parties to identify, certify, and signal legitimate businesses that comply with industry best practices.
Security Prediction #6:
Safe Navigation & Search (Surfing with Peace of Mind)
On today's Internet, clicking on a hyperlink may end up being the riskiest decision for millions of Internet users. In a Web of phishing, drive-by malware and scams, what lies behind the link can indeed be deceiving. In 2010, Web navigation will need to get safer. Already, we are working with bit.ly to identify malicious shortened URLs. More global and impactful is the announcement to deploy DNSSEC across .com and .net in 2011. Because DNS is at the heart of Web navigation, the introduction of DNSSEC within the Internet infrastructure should have a profound effect on bolstering security across Web browsers, directories and search engines. Less obvious, DNSSEC could also change the way developers create secure APIs on the Web. DNS is a powerful directory protocol. Yet most Web platforms use REST APIs over HTTP/HTTPS, and not DNS. This is due in part to the extra security and trustworthiness provided by HTTPS compared with DNS, which is subject to man-in-the-middle (MITM) attacks. However, when it comes to scale and operational costs, large data lookup systems based on DNSSEC APIs could be more cost-effective than those based on HTTPS. As DNSSEC becomes ubiquitous across the Internet fabric, trust services, new directories and large dataset lookup systems based on DNSSEC could emerge. Someone just needs to invent the equivalent of JSON to encode key-value pairs over DNS. So could DNSSEC change the way Internet architects design open, secure Internet systems tomorrow? Certainly, it will be up to the developer community to decide, but 2010 may be the year when DNS becomes a viable alternative.
Security Prediction #7:
Network Security (Elastic DDoS Protection)
With Facebook and Twitter in the bad guys' crosshairs, the increasing threat of distributed denial of service (DDoS) has reached unprecedented notoriety. Across the world, DDoS attacks have risen to unprecedented levels. Looking forward, our increasing reliance on public networks to support commerce, mission-critical IT applications, and communication will continue to drive the need for DDoS protection. Because DDoS protection is a game of scale, DDoS monitoring and mitigation cloud services should play a pivotal role in keeping public and private networks safe in 2010.
Security Prediction #8:
Consumer Identity Trust (the Emergence of User-Centric Policies)
The evolution of the World Wide Web into a user-centric, real-time and distributed information system has never been so evident. In less than 15 years, our center of attention on the Web has already shifted from the highly centralized portals to the more distributed blogosphere, the more personal Facebook pages of our friends, and the more real-time Twitter streams of our specialized interests. Increasingly, the content and data that truly matter to each of us have become decentralized, personal and real-time. As the Web continues this inexorable mutation into a user-centric, distributed and real-time information system, the imperative for a new identity system becomes blatantly clear. The necessity for each of us to control and protect our content and data across multiple service providers eventually drives the emergence of an open identity order that goes beyond the artificial locks imposed by large user and social communities. If the data and content that matter to us are personal, distributed and real-time, surely these new identity services will need to ensure that they remain authentic, safe and private. In 2010, open identity systems will continue to garner momentum. Governments will begin deployment. Because interoperability cannot be achieved with technology alone, an open policy framework will emerge as a foundation for identity privacy, security and trust.
Security Prediction #9:
Securing the Smart Grid (Safe Clean Tech)
Saving energy and improving management of energy is high on today's political agenda. With millions of individual homes, apartment buildings, and offices, the network of things will likely be larger than the World Wide Web. Securing the smart energy grid cannot be an afterthought. The interconnection of consumer devices, meters, distribution and transmission infrastructure, and energy providers into an intelligent network may be not only one of a country's largest growth and innovation opportunities; it could also be its greatest liability. The network of things will have to be trusted from day one. This worthy endeavor will drive the deployment of next-generation cryptography, embedded certificates and trusted computing for smart grid elements. It is still early, but there is no alternative: the smart grid will have to be secure or it won't be.
Security Prediction #10:
Browser Security (Stopping the Man in the Browser)
Browser security seems to be as much an art as it is a science. As anti-virus companies and hackers keep on playing the cat-and-mouse game, new approaches for protecting users against malware are starting to emerge. Browser sandboxing is a promising area. Cloud-based AV provides another innovative approach. Most corporate users are already familiar with AV web proxies, which process web pages in real time and filter them based on signatures and blacklists. Real-time updates and shared threat intelligence are some of the key advantages of cloud-based malware detection. The approach has merit since signatures can take days to be written while malware can morph in hours. Browser and plug-in vulnerabilities will keep on driving desktop threats in 2010. The VeriSign iDefense team will keep on publishing zero-day exploits and vulnerabilities ahead of attackers. If last year's trends are any indication of what the next year will look like, they have their work cut out for them.