Looking ahead at security trends for 2009

The recession might slow innovation and business in many sectors, but information security will continue to be a dominant priority for tech companies in 2009.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
Jon Oltsik
4 min read

In spite of the global economic recession, information security will continue to be a dominant IT priority in 2009. Why? There are simply too many threats and vulnerabilities creating a perpetual increase in IT risk.

With that, here is my top-10 list (in no particular order) of technologies and trends to watch for in the new year:

1. The evolving definition of endpoint security: Some analysts have declared that, antivirus software is dead. I disagree and submit that endpoint security is simply evolving as a function of the changing threat landscape. This is the primary reason why Sophos (a legacy antivirus company) bought Utimaco (a data security company) in 2008. Look for traditional antivirus, anti-spyware, and firewall software to merge with endpoint operations, data loss prevention, and full-disk encryption in 2009.

2. More emphasis on cybersecurity: This year began with the establishment of the Comprehensive National Cybersecurity Initiative (CNCI), an effort to strengthen government networks. While well-intended, CNCI has received minimal funding and support. In December, a Center for Strategic and International Studies report, further described the sorry state of cybersecurity and called for drastic improvements. Look for President-elect Barack Obama to get behind this effort in a big way with funding, a real public/private partnership, and cooperative intelligence and law enforcement with a growing list of foreign nations.

3. Increasingly stringent privacy legislation: Privacy advocates like the American Civil Liberties Union and the Center for Democracy and Technology are hopeful that the change in administration will finally lead to more comprehensive national privacy legislation in 2009 and beyond. This momentum should persuade the Senate to finally push the Personal and Data Privacy Act of 2007 (S.495), which has been dormant since May. In the meantime, look for states like Michigan and Washington to follow the lead of Massachusetts and Nevada in mandating data encryption.

4. Security in the cloud: While "cloud" has turned into a vague industry security blanket term, I do believe that 2009 will be a strong year for managed security services. Many organizations simply don't have the capital budget dollars or security skills to take on the increasingly sophisticated bad guys themselves--good news for IBM and Symantec. Additionally, companies like Blue Coat, Cisco, and Trend Micro will supplement on-site security equipment with scalable reputation and update services in the cloud.

5. Virtualization security: As server and desktop virtualization continues to proliferate, we will need better security tools for things like role-based access control, virtual server identity management, virtual network security, and reporting/auditing. Citrix, Microsoft, and VMware will lead this effort with partnering support from others like IBM (Project Phantom), McAfee, and Q1 Labs.

6. Secure software development: In 2008, the majority of malicious code attacks targeted applications, not operating systems. This fact combined with growing focus on cybersecurity will force software companies to embrace secure software development efforts such as the Open Web Application Security Project (OWASP) or the SANS Software Security Institute. Ironically, Microsoft and its Pro Network partners like Security Innovation are best positioned to bring secure software development best practices to the masses.

7. Information-centric security: The recent Microsoft/RSA announcement is a sign of things to come. Organizations large and small need to be able to discover and classify sensitive information, apply security policies, and then enforce these policies throughout the network. This will continue to become a reality in 2009 as documents and file systems are integrated with data loss prevention and enterprise rights management systems. Look for further progress like the introduction of PKI in the mix along with discussions about metadata standards for data classification and security rules enforcement.

8. Ubiquitous encryption: Encryption technologies are more often becoming "baked in" rather than "bolted on." Tape drives now contain cryptographic processors as do hard drives from Fujitsu, Hitachi, and Seagate. And Intel will ship a version of its vPro chip set in 2009 that also supports on-board encryption. In 2009, we will start to see multiple layers of encryption technologies running on top of each other. Good for data confidentiality and integrity but this will also highlight the need for enterprise-class encryption key management--another technology on the 2009 "watch list."

9. Entitlement management: Authentication gets you in the network door, while entitlement management governs what you can and can't do. Entitlement management is currently done on an application-by-application basis but this doesn't scale, is ripe for human error, and is nearly impossible to audit for compliance. Enter centralized entitlement management brought to you by Cisco, IBM/Tivoli, Rohati, and RSA Security. Look for lots of buzz as well as pilot projects by the summer. By the end of 2009, IT professionals should be intimately familiar with XACML (XML Access Control Markup Language).

10. Business process security: Securing all IT assets across the enterprise is a daunting task--too big for risk-averse business managers. Rather than rely on IT reports and security point tools alone, line-of-business executives will want more visibility and oversight into their exclusive domains with detailed and succinct portals, reports, and auditing systems. Ultimately, CEOs will support this effort as it forces individual business units to build security into their P&Ls. This trend favors big services vendors like Accenture, CSC, and HP with vertical industry tools, business process expertise, and executive relationships.

I'm generally an optimist, but I do have one additional, more gloomy prediction. Given the alarming state of disarray, look for some type of security breach in 2009 that exceeds the TJX incident.

On that cheerful note, happy holidays.

For a look back at security in 2008, check out Elinor Mills' year in review.