Again, it's the time for the annual “doom and gloom” security outlook for the coming year. Understandable, when after a busy season of attacks it seems likely that next year will only bring worse. It is certain there will be vicious attacks that steal data, cause disruption, and garner headline coverage in 2014 – but the outlook isn't all bad. If you take a look at a few of the current technology trends, there are bright spots that demonstrate how to better prepare for security in 2014.
Encryption goes mainstream
Next year will be the year that encryption really goes mainstream. Encryption technology has existed for hundreds of years, but 2013 saw its use blossom. Encryption advancements and greater use were spurred by things like cloud adoption, revelations about the National Security Administration (NSA), and well publicized data breaches. Search providers started the trend by using SSL for searches – and now they, along with email providers and applications, are all moving to use SSL. Why? It's a simple way to protect data from those who might be trying to see or steal that data.
This increased use of encryption may make users and organizations feel safer or better protected, but what about the effect on the network and applications? The data has to be encrypted and decrypted at the endpoints, and then has to traverse gateways and proxies. If an organization has policies for inspection and logging, traffic needs to be inspected to enforce those policies or monitored for improper data leakage. An organization must also inspect encrypted traffic to make sure it isn't carrying hidden attacks. This broader use of SSL encryption makes testing key in ensuring high application performance. Testing also validates your networks against malicious attacks, as hackers may try to take advantage of the increased use of encryption.
Going beyond the username and password
2014 will be the year we see more pervasive use access control going beyond just the username and password. These have been around forever (although, not as long as encryption and ciphers), and it is clear they are showing signs of fatigue and vulnerability. Humans always have trouble creating usable (read: memorable) yet secure passwords. With the number of passwords they must manage, password hygiene continues to deteriorate. Rainbow tables for cracking passwords, the use of the same password across many sites and applications, and weak encryption for stolen passwords is driving the need for additional authentication factors.
Today, two-factor authentication is being used for some applications – requiring an additional input that only the user knows, or employing a “token” of some kind. But unlike hardware tokens which are not integrated into our every day lives and are easy to misplace, the smartphone is ubiquitous and a great way to provide two-factor authentication. The authentication can be an automated text message or phone call, or even an application or a virtual token that resides on the device.
Using smartphones for two-factor authentication, however, can have side effects. Attackers may shift more energy to mobile malware or attacking mobile devices. Up until now, attacking mobile devices may have been harder than attacking a personal computer, but that is changing.
Taking BYOD to the next level
In 2014, bring-your-own-device (BYOD) will push organizations to adopt a major IT policy shift. Mobile devices have been rolling into the enterprises for years, fueled by the consumerization of IT – the latest devices show up at home first, then to the office. To ease this shift, some organizations have deployed mobile device management (MDM), some have deployed overlay technologies to do encryption and data protection, and some have deployed web security in the cloud to protect users and devices from the internet. Some have just said “no.”
Many organizations have started developing policies on what devices will have access, what they can access, and what kind of network connection they can establish. Organizations must embrace some level of BYOD in 2014, and for most it will mean allowing a diverse set of devices onto the network. The good business reasons for this include shifting the device cost to users, allowing access to business critical applications to get work done more productively, and improving employee morale and retention. But the BYOD shift puts two challenges on an organization: defining a BYOD policy for some level of control, and making sure that applications can be delivered reliably over both wired and wireless networks.
If the three trends are not enough to keep you busy in 2014, rest assured that attackers will continue to develop clever malware techniques that target the increasing use of new IT technologies (new devices, cloud, social media, web applications). Information security just works that way, whether you call it a game of cat-and-mouse or measure-countermeasure.