Consultants at SystemExperts recently released their version of security management trends for 2006. (You can read last year’s version of this report here.)
A rundown of their list of key trends, drawn from their analysis of corporate security projects, follows:
Security Used as a Marketing Tool
Security is increasingly being used as a marketing and competitive tool. After an assessment, organizations seek to document the scope of the project, the methodology, and a statement about their security that they can share with prospective clients, auditors, and regulators. Some go even further and issue press releases to assert a competitive edge.
In an interview, Jonathan Gossels, president of SystemExperts, said this trend is "a measure of how mainstream security has become. It's not a hidden topic, it's something that is discussed in the board room." Security, once a defensive function, has become a strategic center for innovative executives, he added.
Identity Management and Access Control
Identity and Access Management has become increasingly important to all organizations, particularly those that have regulatory compliance requirements. Sarbanes-Oxley has led many larger organizations to deploy identity and access management systems for accountability and control over their financial systems, and to use these systems to automate workflow processes and centralize management and reporting. Three issues to watch out for when deploying such access management systems:
• Underestimating the time and effort it takes to integrate these systems with the underlying applications and identity systems.
• Assuming these systems are secure. They must be carefully configured to be secure.
• Overestimating the ability of these packaged systems to solve all access control problems. The packages tend to handle web applications well and are good for managing groups. But there is still a long way to go before these systems can manage access to proprietary applications and system resources.
More Frequent and Standardized Security Assessments
The motivation for security reviews and assessments is changing and, consequently, the nature of security assessments is changing. Today, many organizations are interested in demonstrating due diligence in the security realm, and they are embracing ongoing periodic independent assessments and audits that are standards-based (often ISO, COBIT, and the OWASP Top 10) and cover likely problems. In particular, ISO 17799 (now ISO 27002) is gaining significant traction.
Traditional Web Development Fails to Protect Sensitive Data
Web applications continue to be the fastest growing exploit area. Many of these applications are fundamentally flawed in both their design and their implementation. Sensitive information is often accessible during web application testing, even prior to logging in as an authenticated user. Once logged in, applications make invalid assumptions about a user that allow inappropriately high levels of access, including back-end databases. While regulators push for stronger authentication in certain industries, such rules can’t overcome flawed application design or an insecure implementation.
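The two failures described above, data reachable before any login and a logged-in user reaching another user's records because the application trusts a client-supplied identifier, are both missing authorization checks. The following is an added example, not code from the SystemExperts report, showing a handler with both flaws beside a hardened version. The account store, session table and the (status, body) return convention are constructed for illustration and stand in for a real web framework.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    id: int
    owner: str        # username that owns the record
    balance: int
    ssn_last4: str    # sensitive field that must never leak across users


# Constructed sample data for the example (not real records).
ACCOUNTS = {
    101: Account(101, "alice", 5000, "1234"),
    102: Account(102, "bob", 120, "9876"),
}

# Constructed session table: opaque session token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def current_user(token: Optional[str]) -> Optional[str]:
    """Map a session token to a user, or None if the caller is not logged in."""
    return SESSIONS.get(token) if token else None


def _render(acct: Account) -> dict:
    return {"id": acct.id, "owner": acct.owner,
            "balance": acct.balance, "ssn_last4": acct.ssn_last4}


def get_account_vulnerable(token: Optional[str], account_id: int):
    """Vulnerable handler (kept flawed on purpose to show the problem).

    It never checks that a session exists, so the record is readable before
    login, and it trusts the client-supplied id, so a logged-in user can walk
    the id space and read everyone else's accounts (an insecure direct object
    reference)."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, _render(acct)


def get_account_hardened(token: Optional[str], account_id: int):
    """Hardened handler: authenticate first, then authorize the specific
    object against the authenticated identity, denying by default."""
    user = current_user(token)
    if user is None:
        return 401, None                 # nothing is served before login
    acct = ACCOUNTS.get(account_id)
    # "Not found" and "not yours" get the same answer, so a logged-in
    # attacker cannot learn which ids exist by probing for 403 vs 404.
    if acct is None or acct.owner != user:
        return 404, None
    return 200, _render(acct)


if __name__ == "__main__":
    # Anonymous caller and a cross-user read both succeed against the
    # vulnerable handler and are refused by the hardened one.
    print("anon, vulnerable:", get_account_vulnerable(None, 101))
    print("bob->alice, vulnerable:", get_account_vulnerable("tok-bob", 101))
    print("anon, hardened:", get_account_hardened(None, 101))
    print("bob->alice, hardened:", get_account_hardened("tok-bob", 101))
    print("alice->alice, hardened:", get_account_hardened("tok-alice", 101))
```

The point of the hardened version is that the ownership check is made against the identity the server established from the session, never against anything the client sent; a stronger login mechanism, of the kind the regulators mentioned above are pushing for, changes nothing here if that comparison is missing.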
Rising Use of Outsourced Services Equals More Rigorous Security Controls
It is commonplace to see functions such as payroll, human resources, and accounting handled by external firms. Service providers have more recently moved into hosting and managing e-mail, websites and even corporate IT infrastructures. This model, while cost effective, requires more stringent legal, process, and technical controls to ensure that the service provider does not exploit the powerful access it is given. Prudent organizations are evaluating the security risks associated with outsourcing and are designing process controls and implementing technology configurations that provide transparent administration and audit records.
Securing Service Oriented Architecture: A Long Term Challenge
Service Oriented Architecture (SOA) offers the promise of reduced development cost and faster time to market, primarily through code reuse, characterized by service virtualization, service reuse, and service brokering. But security is the critical topic lost in discussions of its promise – and securing an SOA environment is challenging. Big issues that need to be resolved include data confidentiality when data is communicated between services and stored within a service; trustworthiness of services; how different levels of services are segregated; how services authenticate one another; and whether it is important to track various services’ changes to transactions as they flow through a system that has no defined beginning or end.
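One of the open questions listed above, how services authenticate one another, has a concrete shape that the following added example illustrates; it is not code from the SystemExperts report. Each message a service sends carries a signed envelope naming sender and recipient, a timestamp and a nonce, and the receiving service checks the tag, the addressee, the freshness and replay before trusting the payload. The service names, the shared keys and the envelope layout are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example: a symmetric key per service, as a key registry
# or secrets manager would hand out (never in source code in practice).
SERVICE_KEYS = {
    "orders": b"orders-service-key-0123456789abcdef",
    "billing": b"billing-service-key-fedcba9876543210",
}


def _canonical(envelope: dict) -> bytes:
    # Canonical JSON so sender and verifier MAC exactly the same bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_message(sender, recipient, payload, key, now=None, nonce=None):
    """Build a signed envelope. `now` and `nonce` are overridable for tests."""
    envelope = {
        "from": sender,
        "to": recipient,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(8),
        "payload": payload,
    }
    body = _canonical(envelope)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class ServiceVerifier:
    """Receiving side: authenticates the sender, checks the envelope is for
    this service, is fresh, and has not been seen before."""

    def __init__(self, name, keys, max_skew=300):
        self.name = name
        self.keys = keys
        self.max_skew = max_skew       # seconds of clock drift tolerated
        self.seen_nonces = set()       # replay cache (bounded by max_skew in practice)

    def verify(self, msg, now=None):
        """Return the envelope if authentic, addressed to us and fresh; else None."""
        now = time.time() if now is None else now
        body = msg.get("body", "").encode()
        try:
            env = json.loads(body)
        except ValueError:
            return None
        if not isinstance(env, dict):
            return None
        key = self.keys.get(env.get("from"))
        if key is None:
            return None                          # unknown or untrusted service
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return None                          # tampered or wrong key
        if env.get("to") != self.name:
            return None                          # signed for some other service
        if abs(now - env.get("ts", 0)) > self.max_skew:
            return None                          # stale
        nonce = env.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return None                          # replayed
        self.seen_nonces.add(nonce)
        return env


if __name__ == "__main__":
    msg = sign_message("orders", "billing", {"invoice": 42, "amount": 1999},
                       SERVICE_KEYS["orders"])
    billing = ServiceVerifier("billing", SERVICE_KEYS)
    print("first delivery:", billing.verify(msg) is not None)   # True
    print("replayed copy:", billing.verify(msg) is not None)    # False
```

Two caveats a practitioner would want stated: an HMAC proves origin and integrity, not confidentiality, so the transport still needs TLS (or the payload its own encryption) to address the data-in-transit concern above; and because the sender's key is shared with every verifier that must check it, any such verifier could also forge the sender's messages. Per-pair keys, or asymmetric signatures and mutually authenticated TLS, are the usual answer once more than a couple of services are involved.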
Trends Carried Over From 2005
These include: regulatory compliance, the commoditization of security tasks, the evolution towards standards-based assessments, and the need to manage complexity. Also still with us in 2006 were the Federal Financial Institutions Examination Council’s requirement for two-factor authentication, and the need to establish secure connections with business partners.
-- Michael Goldberg

Very interesting information. Thanks to the author.