This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.
Ray Wagner
Managing Vice President
Secure Business Enablement
Top Security Trends and Takeaways for 2012
Gartner at a Glance
• 775 Analysts
• 11,500 Client Organizations
• 290,000 Client Interactions
• Vertical Coverage in Nine Industries
• 5,500 Benchmarks
• 10,000 Media Inquiries
• World's Largest Community of CIOs
• 55 Conferences
• 75% of Global 500
• 1,500 Consulting Engagements
• Clients in 85 Countries
• 70% of Fortune 1000
• 470 Consultants
Top Security Trends - 2011
• The Threat Environment
• Consumerization/Mobility
• The Cloud
• Social Networking and Collaboration
• DLP
• IAM Evolution
• Enterprise Security Intelligence
• Regulations and Compliance
• Metrics and Key Performance & Risk Indicators
• Security Program Maturity
• Communicating with the Business
Top IT-Related Risks - 2012
• Legal and regulatory compliance
• Lack of effective, mature governance/standards for IT systems and infrastructure
• Not having a flexible organizational structure to support new drivers and constraints
• Vendor risk management: third-party connections, service providers, supply chain
• Poor understanding of what data and systems are business critical
• Poor project management
• Lack of skilled workforce
• Poor reporting and lack of metrics to demonstrate value
• Lack of proper security "culture"
• Poor threat and vulnerability management/targeted attack prevention
• Consumerization of IT
• Cloud security
• Lack of mature BCM/DR program
• Lack of mature Identity & Access Management program
• Lack of mature backup/recovery management
Top Security Trends - 2012: Network Security/Security Markets
[Figure: Why Security Markets Remain Dynamic. A cycle in which Moore's-law gains, threats and environment changes drive new products and technologies, which in turn drive replacement and upgrade of versions.]

[Figure: Increased Depth in Two Dimensions. Horizontally, traffic from the Internet passes through layered perimeter controls (FW1, IPS1, ADC, WAF, FW2, FW3) into a Web Zone (VM: Web, VM: ftp), an Application Zone (VM: app1, VM: app2) and a Database Zone (VM: db1, VM: db2). Vertically, controls are mapped to the stack: Link/Transport (FW, IPS), Application (WAF), Host/OS (HIPS, VA/M) and Data (DAM, DLP).]
Top Security Trends - 2012: Data Security
[Figure: A Basic Model for Enterprise Data Security. Policy inputs (Business Strategy, Governance, Compliance, IT Strategy, Risk Tolerance, Fraud) drive Data Security Policy; that policy drives Data Security Processes and Functional Roles; the processes are ensured by SIEM and DAP and supported by Content-Aware DLP, Encryption, Tokenization and Masking.]
Top Security Trends - 2012: Security Monitoring
Focus on Minimizing Vulnerabilities and Better Monitoring

Strategic Planning Assumption: Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.

Reasons why the SPA will be true:
• Every environment has critical vulnerabilities that are not mitigated for a long period of time.
• Application vulnerabilities are easy to find and hard to fix.
• The number of employee-owned devices is growing.
• In hindsight, the log record almost always contains signals that a targeted attack is in progress.
• SIEM vendors are beginning to expand profiling and anomaly detection capabilities.

Reasons why the SPA will be false:
• Some targeted attacks exploit previously undisclosed vulnerabilities.
• The signals of a targeted attack within the log record are typically overlooked because the exception condition had not been defined ahead of the attack.

Better Monitoring and Detection Are Essential
After a breach, an external attack may look like internal activity, whether the attack source is external or internal. Early detection is essential. Signatures are less effective; pattern recognition is more important.
Monitor:
• User activity
• Data access
• Application activity
Top Security Trends - 2012: Consumerization/Mobility
Strategic Planning Assumption
By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.
Analysis supporting the SPA:
• "Bring your own device to work" schemes are pervasive and accelerating.
• The majority of IT-enabled users already carry tablets whenever possible.
• The shipment numbers and forecasts are indicative.
Analyzing the alternative view:
• Pressure in favor of compliance reviews and mobile data breaches will backfire against personal devices.
• The costs and complexities of MDM will favor reinstitution of company-owned devices.
• Competitive differentiation will introduce too much chaos – diversity will cancel productivity and user satisfaction.
[Figure: Mobile Technologies Affect Mobile Policies. A spectrum of policy stances from Trust the Platform, Trust the Settings, Trust the App and Trust the Filesystem to Trust Nothing and, at the far end, Trust the Cloud, each matched to the technologies that implement it: Mobile Device Management (OEM or ISV), Mobile VPN, Mobile Device Management (ISV), Dual-Mode User Interface, Secure Web Gateway, Trusted/Curated App Store, Self-Contained Secure App, Runtime Security Wrapper, Container File System, Virtual Machine, Server Portal and Web Portal.]
Top Security Trends - 2012: Identity and Access Management
The IAM Market Evolution to Cloud Computing
Strategic Planning Assumption: By the end of 2014, IDaaS will account for 25% of all new IAM sales, compared with less than 5% in 2012.
Reasons why the SPA will be true:
• The maturity of cloud-based options for IAM access, administration and intelligence will grow to internal IAM deployment levels, but will cost less to deploy and maintain.
• Cloud-based IAM solutions will grow in availability and flexibility, allowing more-granular deployment options and more control by the enterprise regarding how much to buy.
Reasons why the SPA may be false:
• The large installed base of legacy IAM software supporting legacy-architected applications will make enterprises reticent to pay for IDaaS.
• Traditional IAM suite and product vendors will incorporate service-oriented functionality into existing products, and offer price-competitive options to be competitive with cloud-based options.
[Figure: The Socialization of Identity 2012-2022. Compares, for 2012 and 2022, the relationship of identity to the enterprise for the workforce, business partners, retail customers and the enterprise social network, and which identity provider each relies on.]
Top Security Trends - 2012: Cloud Security
Security Responsibility by Cloud Model
• Software as a Service: the vendor provides security (they control it).
• Platform as a Service: vendor and customer share security responsibility.
• Infrastructure as a Service: you provide security (you control it).
If a vendor controls your destiny, then you do not.

Three Styles of Securing Public/Private Cloud
Security "pressure" rises from Low to Medium to High as trust of the cloud falls.
Private Cloud:
• Low: security built into the VM is used; accept vendor security claims.
• Medium: third-party security running on the VM is used; certification/accreditation of the system.
• High: security is performed outside the VM; security product certification.
Public Cloud:
• Low: security built into the cloud is used; SAS 70 is sufficient.
• Medium: third-party security running in the cloud is used; custom/industry security assessment.
• High: security is performed outside the cloud; no trust of the cloud.
Top Security Trends - 2012: Business Continuity and Disaster Recovery
[Figure: BCM Evolution: From Disaster Recovery to Business Resilience. A timeline from 1990 to 2012: Disaster Recovery (RTO = three days, limited scenarios); Y2K and BPR contingency planning (RTO < 24 hours); Business Recovery for critical work processes; Internet and BPR (RTO/RPO ~ 0 hrs); new scenarios after Sept. 11 (crisis management, crisis communications, emergency notification), regional events (Hurricane Katrina, earthquakes, volcanic ash, tsunamis, cyclones, hurricanes), public/private partnerships and operational risk; pandemic planning and the global financial crisis; IT modernization (high availability 24/7, insourcing, cloud computing, virtualization, SaaS, cloud outages, social media); and, by 2011-2012, Business Resilience tied to enterprise risk management, risk profile, business alignment, globalization and supply chain risk.]
[Figure: ITScore BCM: Discipline Mean Scores (N = 90 end users cumulative, n = 12 January quarter). Bar chart comparing Jan-12 and cumulative mean scores, on a scale from 2.00 to 5.00, for BCM Overall Score, Architecture guidelines and framework, Awareness, Training & Exercising, Budgeting & Investments, Governance, Program organization, Processes and controls, and Program scope. All plotted means fall between 2.22 and 3.00.]
Top Security Trends - 2012: Privacy
Privacy in 2012
• From data-centric to people-centric
• From "what?" to "why?"
• New laws in the U.S. and in Europe
• Cloud storage is controversial
• Breaches and losses heighten public awareness
• Mobile means tracking
• Social can be creepy
• Re-identification
• Your steps are harder to protect than your data
• Cross-border privacy management
• Increased government inspection
• Evolving expectations, technologies, capabilities and best practices
• Growing amounts of data
Top Security Trends - 2012: Information Governance and IT Security
What is Information Governance? Why Should IT Security Care?
• Information governance is…
  - A commitment to extract business value from information
  - An accountability framework
• The scope includes…
  - Specification of decision rights
  - Change management to ensure information life cycle management
  - Processes, roles, standards and metrics
• Information governance is NOT…
  - a technology project
  - about "control"

[Figure: Information sits at the intersection of the business units (domain expertise) and the IT organization (technology, applications).]
While information is a business asset, without IT nobody could use it, so this needs to be a team effort.

Top Challenges to Convergence of Security and Information Governance
1. Security is not part of the enterprise's strategic vision.
2. Data classification is not tied back to business value.
3. Business stakeholders don't understand the data.
4. Security has a lack of influence in IG decision making.
5. There is no high-level view of the impact of fines, sanctions and litigation.
6. People want open access: it's mine, why can't I do with it what I want?
7. Senior business leaders don't have it in their consciousness.
8. Security doesn't have access to the right stakeholders.
9. It's hard to educate stakeholders.
10. No one outside of security sees the value of securing data.
Top Security Trends - 2012: Security Program Maturity
Kickin' it old school:
• Threat-based
• Tool focused
• Tactical
• Reactive
• Project oriented
• Ignored by business
• Take ownership of risk

The new paradigm:
• Risk-based
• Process focused
• Strategic
• Proactive
• Programmatic
• Engaged with business
• Educate about risk

New Goals of Information Security
The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner: security moves from cost center to value add.
[Figure: Information Security Program Maturity Timeline, 2012. Relative program maturity plotted against five levels (1 Initial, 2 Developing, 3 Defined, 4 Managed, 5 Optimizing), with the characteristic activities at each stage: (Re-)Establish Security Team, Review Status Quo, Conclude Catch-Up Projects, Develop New Policy Set, Design Architecture, Initiate Strategic Program, Process Formalization, Track Technology and Business Change, Continuous Process Improvement. The distribution of surveyed programs across the levels is shown as 52%, 43%, 4% and 2%. Source: Gartner (April 2012).]
Service Levels MUST Drive Security Activities

Strategic Planning Assumption: By 2016, security leaders that do not clearly define SLAs for security services will find their funding and influence diminished.

Business stakeholders will continue to demand better support for business goals and objectives:
• In order to justify budgets, security leaders will need to provide clear priority based on business criticality.
• The only appropriate way for security to defend value and delivery abilities will be to link activities to business goals.
• Without negotiated SLAs, security will continue to shoot in the dark and be unable to enforce accountability for risk decisions on system/data owners.

Security will continue to report raw metrics that are not tied to their activities:
• Security will continue to attempt to bamboozle business leaders with a mixture of jargon and overwhelming raw data.
• The economy will get better so quickly that business stakeholders will throw money at security just to get them to go away.
• Risk education and awareness will lag, and business leaders will still not understand the impact on business goals of poor risk management.
Your Action Plan
CIOs, CROs and CISOs should:
In the short term (when you get back to your desk):
- Educate your IT delivery and executive stakeholders on cloud computing risks and the need to address them when planning and procuring cloud services.
- Assess the maturity of the major elements of your risk and security program and decompose gaps into projects.
In the medium term (within six months):
- Map key risk indicators to business key performance indicators and use this to engage the business in risk discussions.
- Establish processes for estimating the life cycle and effectiveness/efficiency of security controls.
In the long term (12 months and beyond):
- Develop a long-term strategy for continuous improvement.
- Develop and deliver an executive reporting scheme that addresses the needs of a business audience.
- Track program maturity metrics to continuously measure progress.
Related Gartner Research
• Securing and Managing Public and Private Cloud Computing (G00206019)
• Eight Practical Tips to Link Risk and Security to Corporate Performance (G00173779)
• Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message (G00210798)
• ITScore for Identity and Access Management (G00201672)
For more information, stop by Gartner Solution Central or e-mail us at [email protected].
Events for Security & Risk Professionals
Experience live analyst expertise plus much more at a Gartner event. Visit gartner.com/events

Gartner Identity & Access Management Summit
• December 3 – 5, Las Vegas, NV

Gartner Security & Risk Management Summit
• June 11 – 14, National Harbor, MD
• June 11 – 12, Tokyo, Japan
• July 16 – 17, Sydney, Australia
• September 19 – 20, London, U.K.

Gartner Symposium/ITxpo: The world's most important gathering of CIOs and senior IT executives
• Hundreds of analyst-led sessions, workshops, how-to clinics and more
• Role-based tracks designed to address your key priorities and challenges
• Immediately actionable take-aways: a clear action plan for the next three, six and 12 months
• Mastermind Interview Keynotes with industry leaders
• ITxpo exhibit floor with hundreds of top solution providers and exciting startups
Dates:
• August 28 – 30, Cape Town, Africa
• October 3 – 5, Tokyo, Japan
• October 10 – 12, Goa, India
• October 21 – 25, Orlando, FL
• October 29 – 31, São Paulo, Brazil
• November 5 – 8, Barcelona, Spain
• November 12 – 15, Gold Coast, Australia

Simple steps for increasing the value of today's webinar experience
• Visit gartner.com/webinars
  – Today's presentation will be available in 24 hours.
  – Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues.
• Contact your Gartner account executive with any additional questions or comments, or for a complimentary copy of today's presentation.