Historians will label 2011 as the year when our IT security infrastructure failed us. The RSA and Sony breaches, attacks by Anonymous and LulzSec, even WikiLeaks drove home to the broad marketplace that when it comes to data security, cyber attackers can take down systems and steal data at will.
The worst thing is, we all saw it coming. We’re trapped in a reverse “Groundhog Day” scenario where things keep repeating but get worse instead of better. It brings to mind Winston Churchill’s adage, “Those that fail to learn from history are doomed to repeat it.”
I’m also reminded of the Maginot Line, France’s answer to World War I trench warfare that German tanks blitzed past on their way through Belgium in World War II. With both the Maginot Line and software-based IT security over the past several years, the establishment continued pouring resources into better, more expensive solutions for fighting the last war, instead of preparing for the next one. The difference, of course, is that the French abandoned the Maginot Line after it failed.
We’ve been fighting a new war with old weapons for a while now and our enemies – cybercriminals and Advanced Persistent Threats (APTs) – are breezing past our defenses and occupying our systems. We need a new strategy. We know what works – device-based security that ensures only known devices and users access networks and data. Protecting identity-authenticating encryption keys in hardware keeps the bad guys out.
Then as now, the problem isn’t technology, it’s the will to mobilize. Many vendors care more about quarterly profits and selling their entrenched (pun definitely intended) products than about collaborating on new approaches to address a common mortal threat.
Eventually, the IT security industry will drop its myopic refusal to consider proven hardware-based security practices from other industries, such as telecommunications and cable. When was the last time you heard about cloned cell phones or stolen cable accounts?
Despite all the bad news this year, I’m still hopeful for 2012. Here are some of my thoughts on what we can expect in the coming year:
1. We will see a cyber attack of significant scope and size on a major public utility or power grid.
2. The actual “physicality” (size, type, etc.) of the mobile device will no longer define the device’s functionality. In other words, whether you have a tablet, smartphone or laptop, the lines between device categories will blur.
3. Along the same lines, the BYOD phenomenon will continue to flourish and will put tremendous pressure on the software security model.
4. Other government agencies will follow the lead of NSA and DoD in touting and deploying hardware-based security.
5. Major technology players will jump in with Intel (DeepSafe) and Microsoft (Windows 8) in embracing embedded security solutions and best practices.
6. Apple’s IT security model will gain more recognition as a model worth emulating. Surprised? Most people are so absorbed with Apple’s aesthetics and user interfaces that they miss how Apple has created a perfect example of identity-centric security for enterprise networks. As one of the biggest suppliers of consumer IT devices, Apple wants people to access networks securely. So they allow only known users and devices, limit each user to five devices, require every device to run whitelisted applications on an approved OS, and require DRM for content. Managing one endpoint on their device-centered security model costs a tenth of what many enterprises pay for ineffective network-based security systems. I’d love to see more organizations copy that.
Anyway, let’s hope in 2012 we see large-scale implementation of lessons learned from history’s mistakes and today’s good examples. We’re at a tipping point; it’s our choice now how history will label us.