Phishing, pharming, spear phishing...a completely new lexicon of crime and a completely new set of challenges. Addressing these challenges is one of the big opportunities for the "Next Big Thing" in information assurance. While none of the products we looked at this month would fit the category of Killer App, these protective tools sitting in the background may protect the users of that much anticipated application. Why? Simply because the trend in applications is mobility, the cloud and universal access. When we look at apps in the various mobile device app stores, we see that most cost pennies compared to their full PC siblings. An executive of a security software company once told me that the app stores are legalized malware distribution.
Take all of these pieces and you have the real Wild West environment that we have accused the internet of being for years. In that environment we need some really solid protection. And since it's all on us - there is no sheriff on the internet - we need good tools.
What really surprised us as we looked at these products and talked to their developers, though, is that a significant percentage either originated internationally or were based outside of the United States. One or two of the developers with whom we spoke told us that they viewed the U.S. as their next market. However, even though most large-scale fraud likely originates outside our borders, U.S. organizations - many part of the critical infrastructure - are heavy targets. So what is the hold-up?
We couldn't get good answers to that so allow us to speculate. We in the United States, compared to other parts of the world, are not big on regulation. We have resisted every new regulatory requirement on the basis of cost, complexity, restriction and a host of other real and perceived reasons. In our experience, though, a lot of it comes down to not wanting to spend the money to do information security correctly. The result is that we pass the regulatory tests - what we refer to as the "check-in-the-box" syndrome - but we don't actually secure the enterprise. That would cost too much.
It is no accident that a large percentage of companies that are breached are PCI compliant, yet vulnerable nonetheless. Compliance does not equal security. So what can we do to protect ourselves, keep the costs manageable and make compliance and security amount to the same thing? The emerging products that we looked at this month certainly are not silver bullets - there is no such animal - but they can really put a dent in your organization's vulnerability to attacks over the primary vector for breaches: internet browsing. We predict that as these developers bring their products online in the U.S., they will be successful.
The five products we examine this month address authentication, training, anti-phishing and other anti-fraud functions - all from the perspective of the internet. Many of these are what we would consider hybrid applications. They have a part at the customer site (or on the computers of the customer's customers) and the heavy lifting is done in the cloud. This is an intelligent extension of the client-server model with a few twists. In these hybrid approaches, the work done in the cloud is largely computational. This is not just splitting the application between a client and a server. It is offloading the compute tasks to heavier resources back at the developer site.
This also has some solid security implications. Much of the most sensitive data lives in a secure environment at the developer, where access can be controlled. Also, the customer can be comfortable that the data that lives offsite is well backed up, reducing the risk of loss. Of course there are downsides, such as the potential of a breach at the developer site.
However, all of that aside, these are very interesting solutions to tough problems and they might well be a starting point for improving the security of one of the most difficult areas in any organization: internet activity by the organization's users.