Play Offense On Security In 2013: Gartner

Threats to enterprise data intrinsically evolve faster than defense mechanisms, said three Gartner analysts Monday during a security presentation at the research firm's Symposium/ITxpo in Orlando, Fla. The result, they argued, is that businesses must adapt by dropping reactive measures in favor of offensive-minded, proactive methods.

Research VP Greg Young began the presentation by saying enterprises can protect sensitive content by focusing on three main areas: infrastructure protection, or "keeping the bad guys out"; identity and access management, or "letting the good guys in"; and business continuity, compliance, and risk management, which he characterized as the policies that "keep the wheels on."

Young's portion of the talk focused on the first area, infrastructure, and also provided context for the later segments. Changes in technology, he asserted, necessitate changes in security--and not just because advances mean that attackers have gained access to more sophisticated methods. Emerging trends around software-defined networking (SDN), virtualization, and cloud computing, for instance, have rapidly changed infrastructure such that threats can hide "where we're not looking."

[ IT leaders will preside over a transformation marked by a focus on growth rather than cost. See Gartner: CIOs Begin 3-Year Shift In Responsibilities. ]

The difficulty, he said, stems from monitoring and security intelligence--that is, to spotting not only the blacklisted and whitelisted elements but also the "graylisted ones." These nebulous spots might be hints of a significant attack but can also be--in, say, the case of an authorized user attempting out-of-policy network access--false alarms. He mentioned the limitations of signatures and other traditional approaches in detecting new threats, arguing that security data must be collected outside "a single point of inspection." Young said reputation-based and user identity-oriented tools can "help make better sense" of what is going on in the network.

Mobility further complicates the equation, Young remarked, noting that within the next few years, 70% of mobile professionals are expected to conduct all their work on mobile smart devices. "This is inevitable," he stated, adding that BYOD is going to remain an enterprise fixture "whether you like it or not." Most risks, though, involve lost devices, not targeted attacks. Mobile device management (MDM) tools and similar controls, Young said, are consequently of the utmost importance.

Strategic infrastructure planning, he concluded, doesn't involve security that tries to take on all threats. Rather, it demands a carefully considered user-access policy to which security mechanisms can be aligned.

Gartner VP Earl Perkins focused on identity and access management. He began by citing the "Nexus of Forces," a theme introduced in a keynote earlier in the day that asserted four agents--social networks, cloud computing, mobility, and big data--are converging to shape the future of IT.

On the social networking front, he remarked that customer identities are playing an increasingly large role in the retail space, and suggested that enterprises could likewise harness this trend to improve user access management. Calling the process the "socialization of identity," he said most enterprises already build identity management programs to define entitlements and permissions. Perkins said that "maybe identities can come from somewhere else," elaborating that if these social media profiles can be encased in "an enterprise-class shell," they may become a step in enterprise security mechanisms.

Perkins spoke somewhat speculatively on this topic, referring to outcomes that might be a decade away and qualifying that they "depend on social media environments, construction, and infrastructure." Even so, the human capital management arena has already started to integrate social media for more effective user management.

The contentious matter of business access to social media content was not addressed, but possible advantages became clearer when Perkins discussed another nexus force, data. He mentioned the retail powers that Google has gained by mining user identities linked to searches, and predicted that by 2015, 80% of successful identity and access implementations will not only drive processes but also deliver intelligence. He called this trend "identity indexing" and stated that, in terms of security, "you only have control because you have the intelligence to know what you control."

As for clouds, Perkins stated that they simply involve "an end point consuming some service somewhere ... [through] an identity." This results in multiple access points, which he linked to the nexus force of mobility, and requires that user authentication keep pace. He said that identity-and-access-management-as-a-service (IDAAS) would account for 40% of cloud service sales, though, due to a high volume of small and midsize business buyers, not 40% of revenue, by 2015.

Closing with a direct look at mobility, Perkins said that user verification has grown to include not only passwords or access cards but also biometrics, and that phone-based authentication has allowed businesses to consider using one device for all three methods.

Gartner VP Paul Proctor presided over the final segment, which not only addressed risk management but also looped back to some of the policy decisions Young had outlined earlier.

He argued that risk management must be driven by processes, not a team of smart "security heroes." "Processes are cool [because they are] measurable, repeatable, and survivable," he said.

Proctor explained that these processes should not attempt to protect against everything. Such control is impossible, he stated, countering that an increased focus on employee training could mitigate the majority of problems. He echoed Young's assertion that BYOD is here to stay and said that behavioral changes are part of the solution. "The trend is becoming security as a social science," he stated.

Bringing up another behavioral shift, he argued that businesses must stop simply tallying security incidents, as the metric has no contextual value, and should instead focus on identifying protection levels appropriate to their needs. Part of this, he suggested, is based on the business's industry. Manufacturing companies possess intellectual property but relatively little personal data, he said, so they might be able to "get away with a little less protection." A bank, however, requires more protection because it is more likely to be targeted by attackers.

Nevertheless, decision makers must also consider the complexity of an organization's activities. Proctor said that a one-doctor office will need security for regulatory reasons, but that it cannot be lumped into the same category as a large hospital. "The point is," he said, "as you get more complicated, as you have more customers and more types of activities, more regulatory scrutiny and more risk--you're going to have to spend more money."

He sympathized that security officers sometimes struggle to make the case for such expenditures to the corporate powers-that-be. The key, he said, is to avoid abstract tech talk and to link needs to the profit concerns that non-IT decision makers are more likely to understand.

Proctor said this task is easier said than done, and declared that credible reports must outline causal links between a security problem and a business outcome. He suggested that the risk of outdated application patches might be self-evident to IT professionals but countered that managers typically don't understand why this issue necessitates action and expense.

An optimal approach might connect poor patching to faults in critical systems, such a slowdown in the supply chain. "That's a leading indicator that execs can understand," Proctor said.