It's Time to 'Take Security Out of the Closet'
"They have to take security out of the closet," says Jonathan Penn, VP and senior analyst at Forrester. "[Vendors] don't just need more security; they need to be more transparent."
In an exclusive interview, Penn discusses:
- The hottest emerging technologies;
- Why service providers need to market their security better;
- The greatest security vulnerabilities and how to address them.
Penn advises tech industry vendor strategy professionals, predicting and quantifying growth and disruption in the technology industry. He provides advice and support about IT security technologies, services, and requirements to vendors and service providers, helping to shape their overall strategies and market positioning, as well as their product, services, sales, and partnering plans. Penn also researches enterprise security strategies and implementations, with a particular emphasis on data protection, online consumer security, and identity management.
Over the past 10 years, Penn has written and spoken extensively on security in many business and IT venues, focusing on trends, innovations, and challenges in security solutions and practices. He has been widely quoted in publications like CSO Magazine, Information Security Magazine, the Financial Times, The Economist, and The New York Times, and has appeared on CNBC and National Public Radio.
TOM FIELD: What are some of the emerging technologies that we need to be paying attention to in the second half of 2010?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about emerging technologies with Jonathan Penn, Vice President and Senior Analyst at Forrester Research.
Jonathan thanks so much for joining me today.
JONATHAN PENN: My pleasure.
FIELD: Just to get us started, why don't you tell us a little bit about your current research?
PENN: Sure. Well, I look at the security market quite broadly, and my focus is really on the disruptive trends that are transforming the market. So, new vendors, new technologies, changes in market needs -- of course also what the hackers and criminals are up to, as well, have an important impact there. So, some of the things I am looking at now: cloud security, cybersecurity and critical infrastructure protection, which is up on the ladder of new spending and attention as well. Some of the things in consumer security and some of the needs there that are being addressed by some emerging players in that market.
FIELD: When you look at all of these different marketplaces, what would you say are the hottest emerging technologies?
PENN: There is actually a lot of innovation happening in security. It continues to be quite a vibrant area of investment and start-up activity. Some of the areas I see: Network security is an area of continuing innovation. Right now the focus has been on getting deeper inside and doing more analysis on the network activity. We have seen security information event management, but that is really moving towards deeper inspection of the network activity. Companies like NetWitness, Packet Motion, Solera and others are giving much better understanding not only from a forensic perspective, but also real-time analysis of what is going on in your network, and that is very useful as well from a cybersecurity perspective.
On identity management, federation, which is really merging the identities that are being managed in your enterprise with SaaS environments -- that is really what is driving federation there: to most seamlessly link the enterprise and SaaS from an identity perspective.
Application security and vulnerability management, as well, is another area; this is really the front line of attacks. Fraud is a big area as well for banks, but also retail, insurance. We are seeing a lot of activity and innovation there like profiling and device reputation, as well as deeper transaction analysis.
There is a lot happening in data security. DLP adoption continues to grow (that is Data Leak Prevention technology), but there are also things happening in database security, data masking and database monitoring. Tokenization is a big issue. Basically trying to make the information that is such a prime target for identity thieves that much more meaningless by turning it into something that isn't directly useable by them.
And finally Web 2.0, there is a lot happening here as employees are adopting social networking and other tools that are out there on the internet that they are using consumer-wise, and they are bringing those into the enterprise.
FIELD: You talked about cloud computing a few minutes ago, and we know that's the big buzz in the marketplace. Everybody -- the vendors, the practitioners -- they are all talking about it, and some of the talk gets confusing. What would you say are some of the myths and realities about cloud computing as we know it today?
PENN: I think one thing is perspective. Now security is certainly a big concern. Security though, when you look at any new technology, be it cloud computing, we see it with Web 2.0, we see it with mobility, we see it with collaboration in general, security has always been the issue that people bring up.
The fact is that we always get over that at some point, right? The industry rises to the occasion, or people get more comfortable with the technologies. So I think of putting it in the perspective: Yes, we have concerns today, but obviously cloud computing is being adopted at a fairly brisk pace at this point anyway.
Yes, there are concerns to think about. A lot of what I see also is that the security concerns, actually there are data security concerns especially, but a lot of the concerns are really about compliance and ultimately really about stability that even when the cloud providers start to embed more and more security technologies into their offerings and make them more functional from that perspective, it is still very difficult for an adopting company to really have the assurance that the controls are in place and functioning properly, right?
That visibility into what is happening in that environment is still too much of a black box, and things like SAS 70 and ISO 27001 audits are completely inadequate for this kind of environment. We really move to different kinds of solutions and certifications as well as a way of opening up the operational side of the cloud environment, in a limited way, to customers so they can see what is going on. That is really one of the big issues: the trust level isn't there, and there is no way to do any kind of verification.
One thing that I am noticing is that I am hearing more concerns coming from cloud providers themselves about them being targets of attacks. The fact that cloud providers' data centers have multiple customers running in them, running high-profile applications and sharing services makes them a fatter target. This is pushing the providers to put more security in place, because it makes sense. It's just like robbing a bank is more lucrative than snatching a purse. The potential payoff from a potential attack on a cloud provider is bigger than attacking just one business.
FIELD: Well given that, how is your confidence in the security with the cloud providers?
PENN: Certainly there is a mix. Right now we are still at very early days in the market, and there are a lot of kind of bolt-on solutions that people are kind of looking to. Really, what I think ultimately has to happen, and we are starting to see this a bit from the big players like especially Amazon, is that the cloud providers not only have to improve their security practices, but they have to make these improvements more visible to the market.
They have to take security out of the closet, so to speak, and this is very analogous to what was happening in the banking sector about eight or nine years ago, when phishing attacks were happening. They were just saying 'Trust us, trust us, trust us,' but they weren't really explaining what they were doing to protect people.
And so to address these concerns, the cloud provider not only needs more security, but they also need more transparency about their processes, about their techniques in place, operational schedules and so forth.
FIELD: You talked about mobility, and certainly we are seeing a lot of mobile technology in banking, and we are going beyond talking about just mobile banking to talking to P2P payments. What are some of the mobile technologies that you are seeing that you are most excited about now?
PENN: Well, I think there is a lot of pressure on organizations to embrace mobility at a more rapid pace. Before, it was just about BlackBerrys and email, but we see with the iPhone and Android and iPads that these mobile devices are really -- they have full-range browsers, and there is a demand to get access to all corporate applications, not just email. So there is a need now to support them that the market is embracing when it comes to these devices, the need for VPN and authentication and more data security on the device as well.
Also, with these browsers and more web surfing that is going on, the mobile platform becomes a viable target for malware. We really haven't seen this before but those infections are coming through the browser from legitimate websites that have been compromised, and so the mobile phone is going to become more and more of a target of attack and a vector for attack into the enterprise.
FIELD: We've talked about a lot here Jon. We've talked about mobility, about cloud computing, about social networking, with all of these emerging technologies, and I think you have just touched upon this with your point about malware. Where do you see the greatest security vulnerabilities?
PENN: That's true; there are two places that people should be looking at. One is your applications and websites that the crooks and malware writers are trying to compromise your legitimate sites, and you need to monitor that.
The other is on the client side, when other sites have been compromised, that your client is vulnerable to attack, your employees' desktops. So looking at the browsers and the plug-ins and really shoring up what is happening there, and we are seeing the market move toward or really starting to embrace now the very rich client security set of services.
It is not just antivirus and anti-spyware, but host intrusion detection and personal firewalls and, of course, the data encryption and encryption side of things, so that the clients are becoming really much richer in the mechanisms that they use to protect the enterprise.
FIELD: One last question for you. We have just completed the first half of 2010. As we head toward 2011, what trends in threats would you recommend that business and security leaders keep their eyes on?
PENN: Well, I think one thing that is pretty different and an area to watch is really in terms of this scope and nature of responsibilities around data protection. We are really seeing privacy in the U.S. really start to take off, and this is not about the confidentiality of information and especially not about personally identifiable information (PII) and breaches.
But if you look at some of the regulatory actions and consumer uproar, the FCC just had a settlement with Facebook, and there are these Google missteps and things like that, this is not about personally identifiable information that is controlled under regulations. This is about personal information more broadly and it's not about breaches but about misuse.
This is really clarifying the difference between security and privacy that often is misunderstood by CISOs -- that it is not just about safeguarding the information against breaches, but it's about what is collected, how it is used, and this is getting a lot more regulatory scrutiny and also scrutiny by consumers.
Another is just on that notion of consumerization I have talked about several times now. There is a significant shifting balance between business users and IT. The businesses can go around IT, whether it is Web 2.0 and social networking on the application side, whether it's around mobile and personal PCs from the device side, or whether it's about cloud on the infrastructure side, less and less businesses really need IT.
IT security's typical MO has been to protect the business by impeding, right? You can't do this and you can't do that. That is not a sustainable approach, and they have to really be more responsive to business needs and work with them early on to collaborate and help them understand what the risks are. And security has to understand more about the business needs and be more adaptive to those.
I think one other area that actually I see a lot of activity is managed security services. We talked a lot about outsourcing and the cost effectiveness and removing a lot of the operational overhead, and there are certainly pressures, staffing pressure and things like that on the security group.
But what I see is that people are getting more alarmed for reasons of better security by the managed service providers. They are providing certain skills, and we have competency like many organizations either don't have or don't want to retain because that's just not strategic to them, and they provide things like 24x7 global coverage. And so the move and acceptance and embracing of managed security is becoming much more widespread and gaining momentum because it is better security, and it's not just for cost reasons.
So we shift a big shift there in terms of kind of the operational skills of security and the shift -- really what it allows is it allows security teams to really focus on more strategic issues, so that they are not burdened by responding to every security event that is going off in any particular product and managing an overload of data and dealing with a lot of technology integration and customization. They can push more and more of this onto a provider, who can then offer all the skills around this and offload a lot of the operational overhead.
FIELD: Jonathan, very good; I appreciate your time and your insights today.
PENN: My pleasure. It's been good speaking with you.
FIELD: We have been talking with Jonathan Penn of Forrester Research, and the topic has been emerging technologies. For Information Security Media Group, I'm Tom Field. Thank you very much.