May 29 2007
By Jim Reavis
The people who own corporate information security programs have spent the last few years playing a game of regulatory catch-up, while for the most part spinning their wheels when it comes to implementing new and actually useful concepts to mitigate evolving threats and to justify their own existence. Meanwhile, exploiting information security vulnerabilities for financial gain has never been easier and is now big business, with sophisticated tools, mature distribution channels, stable malware pricing and even some slick marketing. The gap between good and evil is as wide as I can recall in my years in the business, and if it turns out that the recent attacks on Estonia were coordinated in part by the Russian government, well, it ain’t getting prettier. Yet, with all the bad news, you do hear a lot of good ideas being bandied about for changing the way we protect information assets. OK, I am also hearing a few bad ideas, but at this point I think change for change’s sake isn’t necessarily the worst thing to do. Here, in no particular order, is my list of Ten Ascendant Trends for the Next Chapter of Information Security:
Whitelisting – Remember Internet2, the next generation of the Internet that was going to be free of all of the vile limitations of the version Al Gore invented? Well, it turns out the universities and other elites are still working on it, and when it finally hits prime time you will be able to have 64 simultaneous YouTube videos streaming to your PC. Whatever becomes of the Internet, it will always have all of the good, bad and ugly that comprises humanity. However, corporations today have reached the breaking point where they are beginning to put significant time into whitelisting: configuring their business to work only with the parts of the Net they already trust, in essence cutting the Internet down to the servers, applications, processes and protocols they know and will tolerate. Default deny is the easy part; the hard part is keeping the list current, since every new vendor, update server or partner integration is a change to it, and an allowlist nobody maintains gets bypassed or switched off. This is not easy, and maybe it will ultimately fail, but we are going to give it a try, so expect to see more whitelisting built into security policies and the products that support them. Several security companies in stealth or startup mode have whitelisting as a core feature.
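What "cutting the Internet down to what you will tolerate" looks like in practice is a default-deny policy applied to every outbound connection. The following is an added example, not code from the post or from any product it mentions: it checks a constructed connection log against an allowlist of (process, destination, port, protocol) entries and reports what would have been blocked. The log line format, the allowlist entries and the hostnames are all assumptions made for the example.

```python
"""Default-deny egress allowlist over a connection log. Added example, not from the post.
Assumed (hypothetical) log line format:
  <timestamp> user=<name> proc=<binary> dst=<host or ip> port=<n> proto=<tcp|udp>
An allowlist entry names a process (or "*"), a destination (exact host, ".suffix" or CIDR),
a port and a protocol; anything not covered by an entry is denied."""
import ipaddress
import re

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
                    r"dst=(?P<dst>\S+) port=(?P<port>\d+) proto=(?P<proto>tcp|udp)$")

# Constructed allowlist: the servers, protocols and processes the business will tolerate.
ALLOWLIST = [
    ("outlook.exe", ".mail.example.com", 443, "tcp"),   # mail client to its own servers only
    ("crm-agent", "crm.vendor.example", 443, "tcp"),    # hosted CRM, TLS only
    ("*", "10.0.0.0/8", 445, "tcp"),                    # internal file shares, any process
    ("*", "10.0.53.0/24", 53, "udp"),                   # corporate resolvers only
]

def _dst_matches(rule_dst, dst):
    """Match a destination against a CIDR, a ".suffix" (subdomain or bare domain) or an exact host."""
    try:
        net = ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:
        net = None                                  # rule is a name, not a network
    if net is not None:
        try:
            return ipaddress.ip_address(dst) in net
        except ValueError:
            return False                            # a network rule never matches a hostname
    if rule_dst.startswith("."):
        return dst.endswith(rule_dst) or dst == rule_dst[1:]
    return dst == rule_dst

def is_allowed(proc, dst, port, proto, allowlist=ALLOWLIST):
    """Default deny: permitted only if some entry matches process, destination, port and protocol."""
    for r_proc, r_dst, r_port, r_proto in allowlist:
        if r_proc in ("*", proc) and r_port == port and r_proto == proto \
                and _dst_matches(r_dst, dst):
            return True
    return False

def audit_log(lines, allowlist=ALLOWLIST):
    """Return the parsed records the allowlist would have blocked, in log order."""
    denied = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                # unparseable lines deserve their own alert
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        if not is_allowed(rec["proc"], rec["dst"], rec["port"], rec["proto"], allowlist):
            denied.append(rec)
    return denied

# Constructed sample traffic, not captured data.
SAMPLE_LOG = [
    "2007-05-29T09:01:00 user=alice proc=outlook.exe dst=smtp.mail.example.com port=443 proto=tcp",
    "2007-05-29T09:02:10 user=alice proc=outlook.exe dst=mail.example.com port=443 proto=tcp",
    "2007-05-29T09:03:00 user=bob proc=crm-agent dst=crm.vendor.example port=443 proto=tcp",
    "2007-05-29T09:04:00 user=bob proc=crm-agent dst=crm.vendor.example port=80 proto=tcp",
    "2007-05-29T09:05:00 user=carol proc=explorer.exe dst=10.20.30.40 port=445 proto=tcp",
    "2007-05-29T09:06:00 user=carol proc=svchost.exe dst=192.0.2.9 port=53 proto=udp",
    "2007-05-29T09:07:00 user=dave proc=unknown.exe dst=evil.example.net port=6667 proto=tcp",
]

if __name__ == "__main__":
    for rec in audit_log(SAMPLE_LOG):
        print("DENY", rec["user"], rec["proc"], rec["dst"], rec["port"], rec["proto"])
```

Running it flags three of the seven records: the CRM agent falling back to plain HTTP, a resolver that is not one of the corporate ones, and the unknown binary on IRC. Note the deliberate asymmetry in the matcher: a CIDR entry never matches a hostname, so a rule written for an address range cannot be satisfied by a name that happens to resolve into it at the time of the check.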
Metrics based on Derivatives – I have seen many a pleasant security event devolve into a shouting match where corporate security bean counters scream, “HOW MUCH MONEY DID I SAVE MY COMPANY BY HIRING THAT LAST CONSULTANT TO DO A PEN TEST OF OUR NEW CRM SYSTEM, ROUNDED TO THE NEAREST PENNY PLEASE?” I actually think there are a few people in the industry who have literally gone insane trying to quantify their existence, and too many of them have my phone number. While many will still look for the Security Metrics Holy Grail, the winners measure what they can and look for the meaning in how it moves over time. A derivatives model that provides an indirect but consistent approach to quantifying security is what will ultimately provide value. In economics, a consumer confidence index is a long way from a hard number on factory output, quality defects, etc., but it has real meaning and moves markets. We have a lot of public data about security that can be measured in this way and provide meaningful guidance to the bean counters. I know some smart people working on this; look for some interesting announcements this fall, or drop me a line if you can’t wait.
Self Classifying Data – Understanding where our information is, its sensitivity and who needs to use it are all fundamental to protecting it. But how do you do that at petabyte scale? One strategy being employed is to create security zones, with data automatically labeled with the appropriate sensitivity (Secret, Confidential, Internal, etc.) depending upon which zone it resides in. It is much simpler to design and implement controls en masse based on a zone than to obsess about each data element. The label is only as trustworthy as the controls that keep data inside its zone, though, so the zone boundaries (copies to removable media, exports to shares in a lower zone) deserve the same attention as the data itself.
Security Software as a Service, Outsourcing – If we are going to be entrusting our data to more and more application service providers (ASPs) outside our organizational boundaries, why not outsource the security assurance of said assets? The more headlines we see about data breaches caused by a breakdown in internal corporate controls, the more likely this becomes. Given the right contracts and SLAs, why not have EDS, Wipro or CSC sign your CISO’s paycheck?
Standards inside Regulations – We have to move in this direction, don’t we? Businesses are being crushed by too many regulations that each require their own checklists and audits while essentially trying to accomplish the same thing. Regulators can define the sanctions and other consequences, but should be able to point to established standards to define the level of due care required. This will be a boon for organizations that standardize once and comply many times over. Notably, Japan has mandated ISO 27001 for government IT service providers.
Certification – The explosion in the number of CISSPs and CISAs gets derided by many, but it raises the bar of security awareness if nothing else, and gives us another objective number to measure. We are going in the direction of certifying much of the industry: SANS is certifying developers, there is the above-noted adoption of ISO certification by Japan, and there are WebTrust, SysTrust, CMM Level 5, etc. I think we can expect to see the software itself certified to a security standard (a more agile Common Criteria).
XACML – The web front-end application is often the soft, chewy center of the internal or supply-chain network that lets insiders access information inappropriately. While still lightly used, the eXtensible Access Control Markup Language (XACML), an OASIS standard whose 2.0 version was ratified in 2005, has great promise as a way for CIOs to provide granular application security without wholesale recoding: the authorization rules live in a policy evaluated by a decision point, the application only asks whether this subject may perform this action on this resource, and the granularity comes from whatever attributes of the user, the record and the request the policy chooses to test.
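To make the "policy outside the code" idea concrete, here is an added example, not from the post and not a conforming XACML implementation: a small Python evaluator for a subset of XACML 2.0 (one Policy, the deny-overrides and first-applicable combining algorithms, Target matches and Conditions built from string-equal and string-one-and-only) applied to a constructed policy for a CRM application. The policy, the requests and every attribute name except the standard action-id are assumptions made for the example; only the XACML namespace, function and algorithm identifiers are the real ones.

```python
"""Tiny XACML 2.0 subset evaluator: an added example, not from the post and not a conforming
PDP. Handles one Policy, deny-overrides / first-applicable combining, Target matches and
Conditions using string-equal and string-one-and-only, and Subject/Resource/Action designators."""
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
XS = "http://www.w3.org/2001/XMLSchema#string"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CATEGORY = {"SubjectAttributeDesignator": "subject", "ResourceAttributeDesignator": "resource",
            "ActionAttributeDesignator": "action"}

# Constructed policy (attribute names other than action-id are hypothetical): staff may read a
# CRM record owned by their own department; contractors may never export one.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="crm-records"
        RuleCombiningAlgId="{ALG}deny-overrides"><Target/>
  <Rule RuleId="same-department-may-read" Effect="Permit">
    <Target><Actions><Action><ActionMatch MatchId="{F}string-equal">
      <AttributeValue DataType="{XS}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
    </ActionMatch></Action></Actions></Target>
    <Condition><Apply FunctionId="{F}string-equal">
      <Apply FunctionId="{F}string-one-and-only">
        <SubjectAttributeDesignator AttributeId="department" DataType="{XS}"/></Apply>
      <Apply FunctionId="{F}string-one-and-only">
        <ResourceAttributeDesignator AttributeId="owning-department" DataType="{XS}"/></Apply>
    </Apply></Condition></Rule>
  <Rule RuleId="contractors-never-export" Effect="Deny"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{F}string-equal">
      <AttributeValue DataType="{XS}">contractor</AttributeValue>
      <SubjectAttributeDesignator AttributeId="role" DataType="{XS}"/>
    </SubjectMatch></Subject></Subjects>
    <Actions><Action><ActionMatch MatchId="{F}string-equal">
      <AttributeValue DataType="{XS}">export</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
</Policy>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]            # strip the XML namespace
def find(el, name):
    return next((c for c in el if local(c) == name), None)

def evaluate(el, req):
    """Designators yield a bag (list) from the request, AttributeValue a scalar, Apply a result."""
    kind = local(el)
    if kind == "AttributeValue":
        return el.text
    if kind in CATEGORY:
        return list(req.get(CATEGORY[kind], {}).get(el.get("AttributeId"), []))
    if kind == "Apply":
        fn, args = el.get("FunctionId"), [evaluate(c, req) for c in el]
        if fn == F + "string-one-and-only":
            if len(args[0]) != 1:                 # missing or multi-valued attribute
                raise ValueError("Indeterminate: bag of size %d" % len(args[0]))
            return args[0][0]
        if fn == F + "string-equal":
            return args[0] == args[1]
    raise ValueError("unsupported element or function: %s" % kind)

def target_matches(target, req):
    """Sections (Subjects/Resources/Actions) AND together; entries inside a section OR."""
    if target is None:
        return True
    return all(any(all(m.get("MatchId") == F + "string-equal"
                       and evaluate(m[0], req) in evaluate(m[1], req) for m in entry)
                   for entry in section) for section in target)

def decide(policy_xml, req):
    """Policy decision point: Permit, Deny, NotApplicable or Indeterminate."""
    policy = ET.fromstring(policy_xml.strip())
    if not target_matches(find(policy, "Target"), req):
        return "NotApplicable"
    results = []
    for rule in (c for c in policy if local(c) == "Rule"):
        try:
            cond = find(rule, "Condition")
            if target_matches(find(rule, "Target"), req) and (
                    cond is None or evaluate(cond[0], req) is True):
                results.append(rule.get("Effect"))
        except ValueError:                        # this rule could not be evaluated
            results.append("Indeterminate")
        if results and policy.get("RuleCombiningAlgId") == ALG + "first-applicable":
            break
    for outcome in ("Deny", "Indeterminate", "Permit"):   # deny-overrides ordering
        if outcome in results:
            return outcome
    return "NotApplicable"

def pep_allows(policy_xml, req):
    """Enforcement point: anything but an explicit Permit fails closed."""
    return decide(policy_xml, req) == "Permit"

def request(dept, role, owner, action):
    return {"subject": {"department": [dept], "role": [role]},
            "resource": {"owning-department": [owner]},
            "action": {ACTION_ID: [action]}}
```

The point for the application developer is the last two functions: the web front end calls `pep_allows` and never sees a rule. Changing who may export a record is an edit to the policy document, not a code change. Two details matter for security: a request with no department attribute produces Indeterminate rather than a silent Permit, and the enforcement point treats NotApplicable and Indeterminate exactly like Deny.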
Monitoring of Users & Activities – By and large, corporate users are subject to limited monitoring beyond what standard log files contain. A URL filter may be blocking access to nasty websites and logging the offender, but overall it is quite rare for a corporation to audit file access, keystrokes, USB storage, etc. This is becoming more and more important as organizations face too much liability and plausible deniability becomes less plausible. We need to understand who is doing what and, most importantly, the context of why they did it. A keylogger on every machine is a long way off, but we will see a lot more monitoring, put there on purpose by IT.
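The zone-based labeling from the self-classifying data item and the activity monitoring described here fit together naturally, so one added example, not from the post, serves both: a path prefix decides a file's sensitivity label, and a monitor uses that label to flag a user who reads sensitive-zone data and then writes to removable media shortly afterwards, reporting the surrounding context (what was read, when the USB device was mounted, whether it was after hours) rather than a bare event. The zone map, the audit log format, the event names and the 15-minute window are all assumptions made for the example.

```python
"""Zone-derived labels feeding a user-activity monitor. Added example, not from the post.
The zone map, the log format "<ISO timestamp> <user> <event> <argument>" with events
file_read, file_write and usb_mount, and the 15-minute window are all assumptions."""
from datetime import datetime, timedelta

# A zone labels everything under it; the longest matching prefix wins. No per-file tagging.
ZONES = [("/srv/legal/", "Secret"), ("/srv/finance/", "Confidential"), ("/srv/", "Internal")]
SENSITIVE = {"Secret", "Confidential"}
REMOVABLE = "/media/"              # mount point prefix for USB storage (assumed)
WINDOW = timedelta(minutes=15)

def classify(path):
    """Return the label of the most specific zone containing path, or Public if none does."""
    hits = [(len(prefix), label) for prefix, label in ZONES if path.startswith(prefix)]
    return max(hits)[1] if hits else "Public"

def parse(line):
    ts, user, event, arg = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, event, arg

def detect(lines):
    """Flag a write to removable media that follows, within WINDOW, the same user reading
    sensitive-zone data. The alert carries the context an investigator needs, not a bare event."""
    reads, mounts, alerts = {}, {}, []
    for ts, user, event, arg in sorted(parse(l) for l in lines):
        if event == "usb_mount":
            mounts[user] = ts
        elif event == "file_read" and classify(arg) in SENSITIVE:
            reads.setdefault(user, []).append((ts, arg, classify(arg)))
        elif event == "file_write" and arg.startswith(REMOVABLE):
            recent = [(p, lbl) for t, p, lbl in reads.get(user, []) if ts - t <= WINDOW]
            if recent:
                alerts.append({"user": user, "at": ts.isoformat(), "wrote": arg,
                               "after_reading": recent,
                               "usb_mounted_at": mounts[user].isoformat() if user in mounts else None,
                               "after_hours": not 8 <= ts.hour < 18})
    return alerts

# Constructed audit trail, not real data.
SAMPLE_LOG = [
    "2007-05-29T09:10:00 alice file_read /srv/finance/q2-forecast.xls",
    "2007-05-29T09:12:00 alice file_write /srv/finance/q2-forecast-v2.xls",
    "2007-05-29T19:40:00 bob usb_mount /media/usb0",
    "2007-05-29T19:41:30 bob file_read /srv/legal/merger-term-sheet.doc",
    "2007-05-29T19:43:00 bob file_write /media/usb0/terms.doc",
    "2007-05-29T10:00:00 carol file_read /srv/public/holidays.txt",
    "2007-05-29T10:01:00 carol file_write /media/usb1/holidays.txt",
    "2007-05-29T11:00:00 dave file_read /srv/finance/budget.xls",
    "2007-05-29T13:00:00 dave file_write /media/usb2/notes.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only bob trips the rule: alice writes back into the same zone, carol copies Internal data, and dave's removable write is two hours after his sensitive read. The alert for bob says what he read, that the device was mounted ninety seconds earlier, and that it happened after hours, which is the "context of why" the paragraph asks for and what a reviewer will want before calling anyone.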
Federal Rules of Civil Procedure (FRCP) – The United States often seems to be driven by the pendulum swings of litigation. Last December (the amendments took effect December 1, 2006), major changes were made to the rules governing federal civil courts, dealing extensively with electronic information and the related discovery process. This is going to have a major impact on corporations, as those who have mastered the FRCP will have an advantage in minimizing the fishing expeditions of opposing counsel and maximizing their own. The infosec department of the future? A bunch of lawyers with the odd firewall administrator thrown in for old times’ sake.
Enterprise Risk Management – It all comes down to understanding risk. One thing I noticed after Hurricane Katrina is that the Business Continuity and Disaster Recovery topics came up in increasing numbers at the information security conferences I attended, with Katrina referenced repeatedly. There are a lot of problems that can endanger an organization’s reputation and viability, and hackers are but one, so we should be taking a comprehensive approach to risk-based decision making. A CISO with career growth aspirations should be looking at becoming the organization’s Chief Risk Officer. If your company doesn’t have one, you should be evangelizing about the need for one.
Posted by Jim.Reavis on Tuesday, May 29th, 2007, at 2:45 pm, and filed under Articles, Future Forecast.
Kip Boyle | 30-May-07 at 9:45 am | Permalink
Some questions/comments:
1. How do you know that “corporations today have reached that breaking point where they are beginning to put significant time into whitelisting”? How pervasive is this practice? Which services (e.g., email, http) are leading this trend?
2. How can data be self classifying? It’s a neat idea, but I don’t see how to do it.
3. Outsourcing the CISO is an interesting idea. However, the more information intensive your organization’s core competencies the less appealing this idea seems to me. Would you ever outsource the CIO if your business was very information driven?
4. “The web front end application” reminds me of the hole on the side of a jelly doughnut: There’s nothing stopping an attacker from either stealing or poisoning the inside.
5. What is a CRO? What risks are too far afield for the CRO to take on? Credit risk? Vendor/supplier risks? Investment risk? Operational risk? Will a CRO be in defensive mode all the time, or is there a way to perform enabling services for the enterprise?
-Kip
Frank K | 25-Jun-07 at 11:12 am | Permalink
On Kip’s questions, #2 I think he means do it yourself, not make the data classify itself. Classify the data yourself as it is introduced to your enterprise. Don’t wait until it piles up and then hire a consultant to come in and do it for you when you have a mess. Take a shot at categorizing them within the policies and standards you’ve built. You won’t end up with such a huge mess in the end.
#3 Companies are begging for outsourced security. They are tired of all the auditors running around with new projects for SOX, PCI, HIPAA, ITAR, FISMA, etc… They want to utilize best practices based on common sense, and common sense usually rears its head when there are hard dollars attached to it. In large IT outsourcing deals, huge companies don’t outsource the CIO function, but I bet most of them more closely resemble lawyers than heavy IT types. That’s because they have to manage the contracts and SLAs and play interface with the business, not worry about whether the network or applications are up and coded correctly. In almost every Fortune 500 account I am touching these days, the whole discussion of Sec ITO is on the table and some of them are signing up… more to come.
As Jim has stated time and time again, Security is not just for Security People any longer. It has grown too large and its tentacles reach everywhere. Strong governance and delegation with accountability is what is going to solve the business problems and build in security from the onset.