Looking ahead for 2010
We launched this blog a year ago today, as an adjunct to our SecurityArchitecture.com website. It took us a few months to hit our stride, but in the past few months we’ve become not only more consistent in getting our observations and opinions posted, but also identified some key security and privacy topics to keep track of, and established a few recurring themes as well. Most of these were not just timely during 2009, but are likely to continue to be areas of interest in the coming year and beyond, so if you return to this space during 2010 here are some of the things you’re likely to see.
- Continued attention and increasing pressure on the U.S. government to commit more resources to cybersecurity and, possibly, consolidation of information security oversight and budgetary authority within the executive branch.
- More emphasis on securing data at rest, in transit, and in use, with relatively less emphasis on system and network security as environment boundaries become less and less well defined due to increased levels of information exchange, inter-organization integration and cooperation, and use of hosted services like cloud computing.
- Movement in the direction of proactive security, instead of the reactive posture that dominates security programs in both private and public sector organizations today. With any luck this will manifest itself in less security-by-compliance and more testing and validation that implemented security measures are effective.
- Without diminishing the importance of guarding against insider threats, a resurgence in intrusion detection and prevention, in conjunction with efforts to achieve greater situational awareness to combat increasingly sophisticated and persistent threat sources.
- A steady stream of breaches and other incidents to highlight the importance of backing up appropriate security and privacy policies with the means to enforce them.
- Creative approaches and new solutions proposed to address trust among connected entities, including areas such as claims-based identity management, federated identity approaches, stronger identification, authentication, and authorization assertion models, and means to negotiate, establish, maintain, and revoke trust among different entities with widely varying trust requirements in terms of regulations, standards, and risk tolerances.