3 Key IT Trends That Will Drive Information Security Evolution

Information security is defined by emerging IT trends. I group the history of information security focus into three eras, with each era building on the previous era's contributions.

  • Physical Access Era (pre-1975): IT was air-gapped in most cases during this era. If you had physical access to an IT asset, then you were trusted with full access to all information.

  • Security Controls Era (1975 to 2000): In 1976, IBM released RACF to provide resource access controls for different users or groups of users. As IT networking grew, security controls for networks (e.g., firewalls) were implemented. The Internet, and specifically e-commerce, brought additional security controls including federated identity, single sign-on (SSO), encryption and many others. Hacker attacks and viruses resulted in the creation of additional security controls for anti-virus, spam-ware, intrusion detection, etc. Security was a reactive model where IT responded to expected near-term or already experienced threats.
  • Security Risk Era (2000 to present): The new millennium ushered in more complex threats, but also a more strategic approach to security: risk assessment. Whether forced by Sarbanes-Oxley or scared by Digital Pearl Harbor, IT management began a more proactive approach to security. Risk assessments focused on the adversarial perspective (threats an adversary can exploit) and general defensive information security measures.

As in these past eras, information security evolution will continue to be defined by the IT trends prevalent at the time. Current emerging IT trends, specifically cloud computing and the Semantic Web, will impact information security in the future. Meanwhile, adversaries are implementing even more complex and multifaceted attacks that leverage their knowledge of the organization, its users and information. As a result, the information security evolution in the next 10 to 20 years will focus on three key areas: Infrastructure-Enhanced Security, Enhanced Threat Modeling and Semantic Security.

Infrastructure-Enhanced Security

Security will become more engrained in all levels of IT infrastructure and architecture, such as security enhancements in Internet Protocol version 6 (IPv6). IT infrastructure will promote more comprehensive security solutions, from cutting-edge security enhancements created for cloud computing to hackers that leverage cloud to enhance attacks, while the decrease in the cost of disk storage will increase audit log retention and management. Cloud computing will likely reduce encryption and decryption times, promoting further adoption of these security controls, while likely demanding and promoting enhanced key strategies. Cloud computing is already having an impact on key strength assessment. Cloud computing will also promote cutting-edge, near-real-time analytics that mine vast amounts of security data to identify complex threats and detect intentional and unintentional information access and abuse for both internal and external users. Security will become more engrained in IT infrastructure, and advances in IT infrastructure will evolve information security.

Enhanced Threat Modeling

Current information security threat models primarily focus on simple threats, such as defending against traffic on specific ports, virus detection, etc. However, adversaries are targeting organizations with complex attacks that appear completely legitimate but have devastating effects. For example, spear-phishing has an activation rate of nearly 20 to 30 percent, based on a December 2010 estimate. Current security controls might detect spear-phishing days after the final attack. To protect against these complex attacks, information security threat modeling will need to evolve. Cloud computing analytics developed for social network analysis will provide capabilities to analyze large amounts of data about users, network traffic and other interests to detect seemingly safe activities that match larger threats.

Semantic Security

Like IT, humans network to exchange information. However, information security works at a syntactic level, while humans work at a semantic level. Commonly implemented security controls can detect individual words or terms and can block entire traffic for certain ports or addresses. These security controls currently do not work at the semantic level. I may accept and trust news from a friend that "the Dow dropped 500 points today." However, I would not trust the same friend with the statement that "today's 500 point Dow drop proves the financial collapse of the United States will initiate Armageddon."

There is a difference in the semantics of these two statements, even though the core transmission is that the Dow dropped 500 points. Advances in semantic technology in conjunction with cloud computing will promote security controls that simulate human cognition and can block and/or report untrusted communications in near real-time over Internet-scale data. The Semantic Security evolution will address the adoption of semantic technologies and include software agents that act on behalf of end users. Some security systems and researchers already advertise ontology models and automated reasoning, and others will follow.

A colleague reminds me that users are to security what location is to real estate: the most important aspect of security is users, users, users, whether employees, partners, customers, adversaries or automated bots acting on behalf of one or more of these. These future information security enhancements will help IT organizations continue to focus on users and user interactions to ensure the availability, integrity and confidentiality of the organization's information.