Security Trends


Page 1: Security Trends

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.

Ray Wagner
Managing Vice President
Secure Business Enablement

Top Security Trends and Takeaways for 2012

#GARTNER

Page 2: Security Trends

Gartner at a Glance

• 775 Analysts
• 11,500 Client Organizations
• 290,000 Client Interactions
• Vertical Coverage in Nine Industries
• 5,500 Benchmarks
• 10,000 Media Inquiries
• World's Largest Community of CIOs
• 55 Conferences
• 75% of Global 500
• 1,500 Consulting Engagements
• Clients in 85 Countries
• 70% of Fortune 1000
• 470 Consultants

Page 3: Security Trends

Top Security Trends and Takeaways for 2012

Page 4: Security Trends

Top Security Trends - 2011

• The Threat Environment
• Consumerization/Mobility
• The Cloud
• Social Networking and Collaboration
• DLP
• IAM Evolution
• Enterprise Security Intelligence
• Regulations and Compliance
• Metrics and Key Performance & Risk Indicators
• Security Program Maturity
• Communicating with the Business

Page 5: Security Trends

Top IT Related Risks - 2012

• Legal and regulatory compliance
• Lack of effective, mature governance/standards for IT systems and infrastructure
• Not having a flexible organizational structure to support new drivers and constraints
• Vendor risk management – third-party connections, service providers, supply chain
• Poor understanding of what data and systems are business critical
• Poor project management
• Lack of skilled workforce
• Poor reporting and lack of metrics to demonstrate value
• Lack of proper security "culture"
• Poor threat and vulnerability management/targeted attack prevention
• Consumerization of IT
• Cloud Security
• Lack of mature BCM/DR program
• Lack of mature Identity & Access Management program
• Lack of mature backup/recovery management

Page 6: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets

Page 7: Security Trends

Why Security Markets Remain Dynamic

Diagram labels: Moore's gains; Threats; Environment changes; New products; New technologies, versions; Replacement and upgrade.

Page 8: Security Trends

Increased Depth in Two Dimensions

Diagram labels, by network zone: Web Zone, Application Zone, Database Zone; FW1, FW2, FW3, IPS1, ADC, WAF; VM: Web, VM: ftp, VM: app1, VM: app2, VM: db1, VM: db2. By layer: Link/Internet/Transport/Application (FW, IPS, WAF); Host/OS (HIPS, VA/M); Data (DAM, DLP).

Page 9: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security

Page 10: Security Trends

A Basic Model for Enterprise Data Security

Diagram labels: Process Data Security; Functional Roles; Policy Data Security; Drives; Ensured by: SIEM, DAP; Fraud, Business Strategy, Governance, Compliance, IT Strategy, Risk Tolerance; Supported by: Content Aware DLP, Encryption, Tokenization, Masking.

Page 11: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring

Page 12: Security Trends

Focus on Minimizing Vulnerabilities and Better Monitoring

Strategic Planning Assumption: Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.

Reasons why SPA will be true:

• Every environment has critical vulnerabilities that are not mitigated for a long period of time
• Application vulnerabilities are easy to find and hard to fix
• The growing number of employee-owned devices
• In hindsight, the log record almost always contains signals that a targeted attack is in progress
• SIEM vendors are beginning to expand profiling and anomaly detection capabilities

Reasons why SPA will be false:

• Some targeted attacks exploit previously undisclosed vulnerabilities
• The signals of a targeted attack within the log record are typically overlooked because the exception condition had not been defined ahead of the attack

Page 13: Security Trends

Better Monitoring and Detection Are Essential

After a breach, an external attack may look like internal activity (attack source: external or internal).

• Early detection is essential.
• Signatures are less effective.
• Pattern recognition is more important.

Monitor:

• User activity
• Data access
• Application activity

Page 14: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility

Page 15: Security Trends

Strategic Planning Assumption

By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.

Analysis supporting the SPA:

• "Bring your own device to work" schemes are pervasive and accelerating.
• The majority of IT-enabled users already carry tablets whenever possible.
• The shipment numbers and forecasts are indicative.

Analyzing the alternative view:

• Pressure in favor of compliance reviews and mobile data breaches will backfire against personal devices.
• The costs and complexities of MDM will favor reinstitution of company-owned devices.
• Competitive differentiation will introduce too much chaos – diversity will cancel productivity and user satisfaction.

Page 16: Security Trends

Mobile Technologies Affect Mobile Policies

Diagram: trust levels (Trust The Platform, Trust The Settings, Trust The App, Trust The Filesystem, Trust Nothing, Trust The Cloud) mapped against the technologies Mobile Device Mgmt (OEM or ISV), Mobile VPN, Mobile Device Mgmt (ISV), Dual-mode User Interface, Secure Web Gateway, Trusted/Curated App Store, Self-contained Secure App Runtime, Security Wrapper, Container File System, Virtual Machine, Server Portal and Web Portal.

Page 17: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management

Page 18: Security Trends

The IAM Market Evolution to Cloud Computing

Strategic Planning Assumption: By the end of 2014, IDaaS will account for 25% of all new IAM sales, compared with less than 5% in 2012.

Reasons why SPA will be true:

• The maturity of cloud-based options for IAM access, administration and intelligence will grow to internal IAM deployment levels, but will cost less to deploy and maintain.
• Cloud-based IAM solutions will grow in availability and flexibility, allowing more-granular deployment options and more control by the enterprise regarding how much to buy.

Reasons why SPA may be false:

• The large installed base of legacy IAM software supporting legacy-architected applications will make enterprises reticent to pay for IDaaS.
• Traditional IAM suite and product vendors will incorporate service-oriented functionality into existing products, and offer price-competitive options to compete with cloud-based options.

Page 19: Security Trends

The Socialization of Identity 2012-2022

Diagram labels: 2012 versus 2022; Enterprise, Social Network, Business Partners, Workforce, Retail Customers; Identity provider; axis: relationship of identity to the enterprise.

Page 20: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management
• Cloud Security

Page 21: Security Trends

Security Responsibility by Cloud Model

Software as a Service
• Vendor provides security

Infrastructure as a Service
• You provide security

Platform as a Service
• Vendor and customer share security responsibility

Axis: You Control It to They Control It

If a vendor controls your destiny, then you do not.

Page 22: Security Trends

Three Styles of Securing Public/Private Cloud

Axes: security "pressure" (Low, Medium, High) versus trust of the cloud.

Private Cloud
• Low: Security built into VM is used; accept vendor security claims
• Medium: Third-party security running on VM is used; certification/accreditation of system
• High: Security is performed outside the VM; security product certification

Public Cloud
• Low: Security built into cloud is used; SAS 70 sufficient
• Medium: Third-party security running in cloud is used; custom/industry security assessment
• High: Security is performed outside the cloud; no trust of the cloud

Page 23: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management
• Cloud Security
• Business Continuity and Disaster Recovery

Page 24: Security Trends

BCM Evolution: From Disaster Recovery to Business Resilience

Timeline figure, 1990 to 2012 (marks at 1990, 1995, 1999, 2000, 2002, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012). Labels: Disaster Recovery, RTO = three days, scenarios limited; Y2K and BPR contingency planning, RTO = <24 hours; Business recovery for critical work processes; Internet and BPR, RTO/RPO ~ 0 hrs; New scenarios; Aftermath of Sept. 11, crisis management; Regional events; Public/private partnerships; Operational risk; Hurricane Katrina; Crisis communications, emergency notification; High availability 24/7; Insourcing; Pandemic planning; Global financial crisis; IT modernization; Cloud computing, virtualization, SaaS; Enterprise risk management, risk profile; Business alignment; Business resilience, globalization; Supply chain risk; Regional events: earthquakes, volcanic ash, tsunamis, cyclones, hurricanes; Social media; Cloud outages.

Page 25: Security Trends

ITScore BCM: Discipline Mean Scores (N = 90 end users cumulative, n = 12 January quarter)

Bar chart (scale 2.00 to 5.00; two series: Jan-12 and Cumulative) of mean scores for: BCM Overall Score; Architecture guidelines and framework; Awareness, Training & Exercising; Budgeting & Investments; Governance; Program organization; Processes and controls; Program scope. Plotted values range from 2.22 to 3.00.

Page 26: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management
• Cloud Security
• Business Continuity and Disaster Recovery
• Privacy

Page 27: Security Trends

Privacy in 2012

• From data- to people-centric
• From "what?" to "why?"
• New laws in the U.S. and in Europe
• Cloud storage is controversial
• Breaches and losses heighten public awareness
• Mobile means tracking
• Social can be creepy
• Re-identification
• Your steps are harder to protect than your data
• Cross-border privacy management
• Increased government inspection
• Evolving expectations
• Evolving technologies
• Evolving capabilities
• Evolving best practices
• Growing amounts of data

Page 28: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management
• Cloud Security
• Business Continuity and Disaster Recovery
• Privacy
• Information Governance and IT Security

Page 29: Security Trends

What is Information Governance? Why Should IT Security Care?

• Information governance is…
  - A commitment to extract business value from information
  - An accountability framework
• The scope includes…
  - Specification of decision rights
  - Change management to ensure information life cycle management
  - Processes, roles, standards and metrics
• Information governance is NOT…
  - a technology project
  - about "control"

Diagram labels: Business units; Technology; Information; IT Organization; Domain expertise; Applications.

While information is a business asset, without IT nobody could use it, so this needs to be a team effort.

Page 30: Security Trends

Top Challenges to Convergence of Security and Information Governance

1. Security is not part of the enterprise's strategic vision.
2. Data classification is not tied back to business value.
3. Business stakeholders don't understand the data.
4. Security has a lack of influence in IG decision making.
5. There is no high-level view of the impact of fines, sanctions and litigation.
6. People want open access — it's mine, why can't I do with it what I want?
7. Senior business leaders don't have it in their consciousness.
8. Security doesn't have access to the right stakeholders.
9. It's hard to educate stakeholders.
10. No one outside of security sees the value of securing data.

Page 31: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management
• Cloud Security
• Business Continuity and Disaster Recovery
• Privacy
• Information Governance and IT Security
• Security Program Maturity

Page 32: Security Trends

New Goals of Information Security

Kickin' it old school
• Threat-based
• Tool focused
• Tactical
• Reactive
• Project oriented
• Ignored by business
• Take ownership of risk

The new paradigm
• Risk-based
• Process focused
• Strategic
• Proactive
• Programmatic
• Engaged with business
• Educate about risk

Cost Center → Value Add

The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner.

Page 33: Security Trends

Security Program Maturity: Information Security Program Maturity Timeline, 2012

Chart: relative program maturity plotted against level of program maturity (1 Initial, 2 Developing, 3 Defined, 4 Managed, 5 Optimizing). Stage labels: Develop New Policy Set; Initiate Strategic Program; Process Formalization; Track Technology and Business Change; Continuous Process Improvement; Review Status Quo; Design Architecture; Conclude Catch-Up Projects; (Re-)Establish Security Team. Percentage labels: 52%, 43%, 4%, 2%.

Source: Gartner (April 2012)

Page 34: Security Trends

Service Levels MUST Drive Security Activities

Business stakeholders will continue to demand better support for business goals and objectives:

• In order to justify budgets, security leaders will need to provide clear priority based on business criticality.
• The only appropriate way for security to defend value and delivery abilities will be to link activities to business goals.
• Without negotiated SLAs, security will continue to shoot in the dark and be unable to enforce accountability for risk decisions on system/data owners.

Security will continue to report raw metrics that are not tied to their activities:

• Security will continue to attempt to bamboozle business leaders with a mixture of jargon and overwhelming raw data.
• The economy will get better so quickly that business stakeholders will throw money at security just to get them to go away.
• Risk education and awareness will lag, and business leaders will still not understand the impact on business goals of poor risk management.

By 2016, security leaders that do not clearly define SLAs for security services will find their funding and influence diminished.

Page 35: Security Trends

Top Security Trends - 2012

• Network Security/Security Markets
• Data Security
• Security Monitoring
• Consumerization/Mobility
• Identity and Access Management
• Cloud Security
• Business Continuity and Disaster Recovery
• Privacy
• Information Governance and IT Security
• Security Program Maturity

Page 36: Security Trends

Your Action Plan

CIOs, CROs, and CISOs should:

In the short term (when you get back to your desk)
- Educate your IT delivery and executive stakeholders on cloud computing risks and the need to address them when planning and procuring cloud services.
- Assess the maturity of the major elements of your risk and security program and decompose gaps into projects.

In the medium term (within six months)
- Map key risk indicators into business key performance indicators and use this to engage the business in risk discussions.
- Establish processes for estimating the life cycle and effectiveness/efficiency of security controls.

In the long term (12 months and beyond)
- Develop a long-term strategy for continuous improvement.
- Develop and deliver an executive reporting scheme that addresses the needs of a business audience.
- Track program maturity metrics to continuously measure progress.

Page 37: Security Trends

Related Gartner Research

• Securing and Managing Public and Private Cloud Computing (G00206019)
• Eight Practical Tips to Link Risk and Security to Corporate Performance (G00173779)
• Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message (G00210798)
• ITScore for Identity and Access Management (G00201672)

For more information, stop by Gartner Solution Central or e-mail us at [email protected].

Page 38: Security Trends

Events for Security & Risk Professionals

Experience live analyst expertise plus much more at a Gartner event. Visit gartner.com/events

Gartner Identity & Access Management Summit
• December 3 – 5, Las Vegas, NV

Gartner Security & Risk Management Summit
• June 11 – 14, National Harbor, MD
• June 11 – 12, Tokyo, Japan
• July 16 – 17, Sydney, Australia
• September 19 – 20, London, U.K.

Page 39: Security Trends

Gartner Symposium/ITxpo: The world's most important gathering of CIOs and senior IT executives

• Hundreds of analyst-led sessions, workshops, how-to clinics and more
• Role-based tracks designed to address your key priorities and challenges
• Immediately actionable take-aways—a clear action plan for the next three, six and 12 months
• Mastermind Interview Keynotes with industry leaders
• ITxpo exhibit floor with hundreds of top solution providers and exciting startups

Dates and locations:
• August 28 – 30, Cape Town, Africa
• October 3 – 5, Tokyo, Japan
• October 10 – 12, Goa, India
• October 21 – 25, Orlando, FL
• October 29 – 31, São Paulo, Brazil
• November 5 – 8, Barcelona, Spain
• November 12 – 15, Gold Coast, Australia

Visit gartner.com/events

Page 40: Security Trends

Simple steps for increasing the value of today's webinar experience

• Visit gartner.com/webinars
  – Today's presentation will be available in 24 hours
  – Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues
• Contact your Gartner account executive with any additional questions, comments or for a complimentary copy of today's presentation