The glum economy has put increased pressure on CISOs to cut costs while maintaining the same security defenses. Tightening budgets, coupled with increased compliance demands, could have security professionals looking for answers next week at the 2009 RSA Conference.
"Security budgets are generally not being cut; we are finding that they are staying flat in many cases," said Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research. "Given the increased threats and pressures on security, a flat budget with increased threats equals a cut budget."
Antonopoulos and two other industry analysts took part in a teleconference hosted by RSA Wednesday to discuss the top security trends that could resonate at the conference. Thousands of security professionals are expected to attend the conference, April 20-24, in San Francisco.
RSA Conference: A look back
RSA Conference 2007 special news coverage: The future of cryptography was discussed, Oracle CEO Larry Ellison went missing and Microsoft's Bill Gates talked about authentication and access management strategies at the 2007 RSA Conference.
RSA Conference 2006 special news coverage: Cisco Systems Inc. unveiled its self-defending network strategy, Microsoft's Bill Gates unveiled the company's security vision and FBI director Robert Mueller asked for more cooperation at the 2006 RSA Conference.
Virtualization security, which has seen increased interest in recent years, could get even more attention at this year's conference. The technology promises significant cost savings, according to early adopters, but its increased use with sensitive data has some security pros wondering how companies can maintain the same levels of security in a virtual environment. Antonopoulos said he expects a significant increase in security vendors touting products designed to protect virtual environments and secure data in the cloud.
"Virtualization is a great example of how technologies come along and disrupt the equilibrium that has been reached over the years," Antonopoulos said. "Virtualization is a great technology; it's only pointing out the flaws and mistaken assumptions we've made in our security paradigms and so we need to reevaluate those models."
Other firms are turning to Software as a Service (SaaS) to cut costs, including shifting some security programs onto managed security services. The analysts said many companies will take a look at cloud-based security services to cut costs.
The Cloud Security Alliance plans to start the dialogue on the issue of virtualization security and securing data in the cloud, officially launching at the event. The fledgling organization plans to release a whitepaper outlining 15 areas that need attention. Jim Reavis, cofounder of the organization, said it would try to provide a big-picture perspective of solid governance, risk management and technology mitigation around cloud computing.
"This is going to provide some solid information, but also define a lot more work that we all need to work together on," Reavis said.
Charles Kolodgy, research director for IDC's security products service, said he expects some companies to pay more attention to encryption technologies and products that address application security. While many firms have encryption of data in motion under control, others are looking for efficient ways to encrypt data at rest, Kolodgy said. Encryption has gained momentum over the last several years. Seagate has produced enterprise-class encrypted hard drives, and the company has been pushing to get encryption into the data center. More recently, Samsung developed self-encrypting solid state drives that automatically encrypt data saved to the drive.
"There's a lot of interest in data at rest encryption and it ranges all the way from a person's laptop and mobile devices up to large storage arrays and tapes," Kolodgy said. "Encryption is sometimes hard to grasp … but I think the real key is just understanding that it's required, why it's required and where people need to do it and how they're going about meeting these needs in different ways because there is no one single answer."
Meanwhile, attackers targeting Web application vulnerabilities to break into company systems have put the spotlight on application security scanning technologies to mitigate the threat posed by major flaws such as SQL injection errors, he said.
"The issue of having strong security at the application level is critical," Kolodgy said. "The real key is getting into making software secure before it gets deployed or being able to fix it quickly as it goes live."
Chenxi Wang, principal analyst at Forrester Research Inc., said a Forrester survey conducted last November suggests that companies are cutting back on secure software development. Instead, they're turning to compliance-driven technologies such as application scanning and Web application firewalls to bolster defenses. Still, an increasing number of firms are deploying consumer-based technologies such as Web-based applications, which are frequently targeted by attackers.
"Today they're not investing as much in an end-to-end application security program," Wang said. "We're encouraging companies thinking about opening up their company boundaries to include collaboration oriented consumer technologies to think about their application security measures and their investment commitment level."
RSA Conference 2009
Vendors that address application security issues are beginning to gain more attention. One vendor that addresses application security is a finalist in the Most Innovative Company at RSA Conference 2009 contest. SafeMashups Inc. has produced a standard SSL protocol to secure bundled Web applications, allowing them to authenticate each other securely when mashed together. Another firm, Mykonos Software, plans to launch at RSA. A spokesperson for the company said its software tools help developers build Web applications more securely. The new product addresses AJAX vulnerabilities at the code level.