More Censorship, Data Breaches and Devices: Security Predictions for 2011
This past year has been a doozy in the security world. Here's what to expect in 2011.
Thu, December 16, 2010
Network World — This past year has been a doozy in the security world. We kicked off the year by discovering operation Aurora, saw the first national-industrial sabotage attack with Stuxnet and are closing the year with Wikileaks about to become a constitutional crisis between the First amendment and a 1917 espionage law. Reality has well and truly become weirder than fiction.
Let me dive in and make some predictions for security in 2011:
Device explosion: Continuing from 2010, consumer devices flood corporate networks with security professionals trying to come to grips with all the new risks introduced. The good old days of only worrying about Windows are truly gone. Tablets, smartphones and other devices will push the ratio of devices/people well past 1-to-1. Desktop virtualization will expand a lot beyond just laptops and thin clients if we want to secure data on mobile devices.
Internet censorship and control: The "free" Internet is annoying too many governments and corporations. In 2011, the U.S. government will try much harder to impose controls, censorship, prior restraint and eavesdropping on the Internet. Expect to see unconstitutional laws passed and then challenged. Freedom of speech is far less popular in practice than it is in the abstract and it will be up to a small minority to vigorously resist pressure to abandon principles of free speech, net neutrality and content neutrality.
Breach notification: Gradually and with little noise, breach notification has become the highest impact regulation. Forget fines - just buying credit monitoring and sending letters to the 500,000 people whose identities you lost can cost tens of millions of dollars and wipe out your business. Breach notification cost scales with the size of the database you lose, yet your security budget and controls do not. Your only hope might be to buy insurance. Expect more businesses to disclose massive losses and then face massive notification costs.
Cloud computing privacy: In 2011, cloud computing (IaaS, PaaS or SaaS) adoption becomes big enough that you have the first legal skirmishes over the "expectation of privacy" in such environments. The feds will try to grab data without warrants. Hopefully, the service providers will push back. Either way, the legal parameters around ownership, privacy and lawful search & seizure will become better defined through legal precedent. Let's hope the new parameters don't make cloud unusable for anything other than Farmville.
Identity: Identity management, federated identity and identity-based controls continue to rise in importance, eclipsing location-based security. Mobile users and systems demand this new paradigm and the market is gradually responding. Cloud computing will only make the need for robust identity even more obvious and pressing.