What's on your enterprise security budget for 2013? Some experts are keen to push suggestions your way, even though high summer seems a tad early for minds to turn to list-making.
A brain trust convened by the Information Security Media Group, featuring "security practitioners, regulators, academics, and thought-leaders," came up with an interesting inventory. I abbreviate for convenience:
- Mobile security
- Multifactor authentication
- Behavioral analytics
- Cloud technologies
Interesting, as I said, but primarily because it comes down to a no-brainer, followed by a series of fond wishes.
Tackling the easy one first: Yes, in the age of BYOD, any enterprise that isn't already developing a strategy to handle mobile security is taking a very big risk. As we've discussed repeatedly here, the velocity with which the mobile space is evolving, together with employees' increasing comfort with mixing work and play on their own devices, and the tsunami of mobile malware, creates a perfect security storm.
Each enterprise needs to find its own best approach to mobile security -- starting with principles and policies -- but it's certainly worth looking at cloud management models, which can swiftly deploy solutions for the latest devices.
Speaking of cloud computing, I should have thought technologies for cloud security would be higher on the list. Enterprises migrating key functions or confidential data to the cloud need to take cloud vulnerabilities seriously. It's too easy to fall back on the assumption that cloud security must at least be better than internal security, which is too easily breached in any case.
In the light of NIST's troubling evaluation of cloud risks, enterprises need to consider carefully the security provisions in service agreements, and examine vendors on the protocols and technologies they have in place. Beyond technology, cloud customers should make sure they understand what data breach notification procedures are in place and what happens to data on termination of contract.
Understand, though, that diligence cannot eliminate cloud security risks.
One reason for this is that trusted identities in cyberspace remain a pipe-dream; which brings us to authentication and behavioral analytics. Even multi-factor authentication -- e.g., something you know (a password), plus something you have (a token) -- is evidently not risk-free.
While behavioral analytics may provide the solution to trusted identities, it's an infant science. The idea, put simply, is that users are identified by how they interact with devices: the speed, pressure, and acceleration, for example, with which they execute a series of keystrokes.
This is an area of ongoing research. With due respect to vendors in the field, good luck to any enterprise that plans to bet the bank on it in 2013. It's easy to imagine conditions under which a valid user will be denied access to accounts (fatigue, injury, or variations produced by switching between devices).
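To make the false-rejection problem concrete, here is an added illustration (not code from the column or from any vendor it alludes to) of the simplest form of keystroke dynamics: a user is enrolled from a few typings of a fixed passphrase, a profile of per-position inter-key latencies is built, and a new typing is accepted when its mean absolute z-score against that profile falls under a threshold. All timings are constructed, not measured; the 3.0 threshold and the 2%-of-mean floor on the standard deviation are assumptions. The example goes one step beyond the column: it also shows a tempo-invariant variant (each sample divided by its own mean latency), which rescues the uniformly slower "fatigued" genuine user while still rejecting the impostor, but does nothing for a user whose rhythm, not just tempo, has changed.

```python
"""Toy keystroke-dynamics verifier (constructed example, not production code)."""
from statistics import mean, pstdev

# Constructed enrollment data: for each of five typings of an 8-character
# passphrase, the seven inter-key latencies in milliseconds. Assumed values.
ENROLLMENT = [
    [110, 95, 130, 120, 100, 140, 115],
    [105, 100, 125, 118, 98, 138, 112],
    [115, 92, 135, 122, 104, 145, 118],
    [108, 97, 128, 119, 101, 141, 114],
    [112, 94, 132, 121, 99, 139, 116],
]

# Constructed probe samples.
GENUINE = [110, 96, 130, 120, 100, 140, 116]     # same user, normal day
FATIGUED = [x * 1.5 for x in GENUINE]           # same rhythm, 50% slower overall
IMPOSTOR = [90, 140, 100, 95, 150, 110, 130]    # different rhythm entirely

THRESHOLD = 3.0   # assumed acceptance threshold on the mean |z| score
SD_FLOOR = 0.02   # assumed floor: std dev never below 2% of the position mean


def normalize(sample):
    """Express each latency relative to the sample's own mean (tempo-invariant)."""
    m = mean(sample)
    return [x / m for x in sample]


def build_profile(sessions, tempo_invariant=False):
    """Per-position (mean, std dev) across the enrollment sessions."""
    if tempo_invariant:
        sessions = [normalize(s) for s in sessions]
    profile = []
    for column in zip(*sessions):
        m = mean(column)
        # Flooring the std dev prevents a near-constant position from
        # dominating the score with an enormous z value.
        sd = max(pstdev(column), SD_FLOOR * m)
        profile.append((m, sd))
    return profile


def distance(profile, sample, tempo_invariant=False):
    """Mean absolute z-score of a probe against the profile."""
    if tempo_invariant:
        sample = normalize(sample)
    return mean(abs(x - m) / sd for (m, sd), x in zip(profile, sample))


def verify(profile, sample, tempo_invariant=False, threshold=THRESHOLD):
    """Accept the probe when its distance is within the threshold."""
    return distance(profile, sample, tempo_invariant) <= threshold


def demo():
    """Run all three probes in both modes; returns {mode: {probe: accepted}}."""
    probes = (("genuine", GENUINE), ("fatigued", FATIGUED), ("impostor", IMPOSTOR))
    results = {}
    for mode in (False, True):
        profile = build_profile(ENROLLMENT, tempo_invariant=mode)
        results[mode] = {name: verify(profile, s, tempo_invariant=mode)
                         for name, s in probes}
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        label = "tempo-invariant" if mode else "raw latencies  "
        print(label, outcome)
```

With raw latencies the fatigued user is rejected alongside the impostor, which is exactly the failure mode the column warns about; the tempo-invariant profile accepts that user because the relative rhythm is unchanged. A user switching to a different keyboard or typing one-handed after an injury changes the rhythm itself, and neither variant helps there, so any deployment needs a fallback factor and a re-enrollment path.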
Truthfully, despite the urgent attention demanded by the mobile revolution, enterprise security is in the same place it was last year, and the year before. Until it's possible to confirm the identities of users with consistent certainty, look out for the bumps in the road.
— Kim Davis, Community Editor, Internet Evolution