This year was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009.
More and more states passed breach-notification laws and several enhanced or extended existing legislation. Software-as-a-Service (SaaS) and virtualization really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA.
Of particular note was Massachusetts' data breach law 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is to date the most comprehensive law of its kind, setting a new standard for what breach-notification laws should look like; it covers both paper and electronic records, it mandates appropriate security awareness training as well as security and risk assessments and, most importantly, requires companies to make changes to their security programs in accordance with the findings of those risk assessments.
Similarly, California enhanced the well-known CA-1386 to include not just traditional financial information, but also health care and health insurance data as well.
With new mandates popping up all the time, it's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation on both the state and federal levels, and stronger enforcement of existing regulations. Fines and other penalties for violations of PCI DSS and HIPAA will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.
Two other major trends that will continue into 2009 are increased use of virtualization, particularly on the outsourcing side, and an increased focus on the security of Web-based applications. IT shops are always looking for ways to reduce costs and leverage the full value of their existing hardware investments. In 2008, many enterprises finally reached a comfort level with server virtualization in production environments. This trend will continue in 2009 until managers find creative ways of handling this technology dynamic, since there will be a corresponding drop in security as the traditional controls -- such as VLANs and firewalls -- prove less effective. For this reason, during the transition to a virtualized environment, security managers should pay particular attention to systems that contain critical data like corporate financials or source code.
Many IT organizations will avoid the hardware problem completely by going to third-party service providers, whether they be traditional SaaS providers like Salesforce.com and Qualys Inc., or fully Internet-based virtual servers, such as Amazon.com's AWS and Microsoft's Azure. Outsourcing to that extent, however, means losing significant control over data, and while this isn't a good idea from a security perspective, the business ease and financial savings will continue to increase the usage of these services. Proactive security managers should work with their companies' legal staff to ensure appropriate contract terms are in place to protect corporate data and provide for acceptable service level agreements.
Cloud computing and SaaS are also a huge potential source of compliance problems, particularly with regards to PCI DSS. Security managers must pay even more attention to how, where and when data flows into, through and out of their companies. This can be incredibly challenging from a technical perspective, though DLP tools can help to a certain extent. As a result, it's important for security managers to cultivate strong relationships with the data owners to understand not only the current state of the data flow, but also to be involved early in the process if things start to change.
Continuing into 2009, the focus on securing Web-based applications will continue to grow. Although this has been an issue for a small subset of businesses for a number of years, PCI DSS and its mandate to secure Web application data has driven many businesses to focus on the problem. Given the complexity of existing infrastructures and the speed at which researchers are creating new website exploits, this will clearly be an ongoing project. In 2009, even more companies will clamor for secure Web applications, especially given recent reports from a variety of organizations such as the Web Application Security Consortium (WASC), IBM-ISS and MITRE Corp., showing estimates that upwards of 87% of websites are vulnerable to attack.
While compliance is a huge initial driver for the Web application security effort, as more and more customers become savvy to security issues (issues that are now getting coverage in the New York Times and Wall Street Journal) they are pushing vendors to become more secure as well.
In general, many of the trends that drove security in 2008 -- cloud computing, SaaS, compliance issues -- will continue to gain momentum throughout the new year. So fasten your seatbelts, and get ready for the ride.
About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in January 2009