2013 was the year of Edward Snowden and the NSA spying revelations. We also faced a deluge of data breaches with an increasingly large amount of information compromised. The emerging trends that appeared on the radar in 2012 such as Cloud, Mobility, Social and Big Data became key challenges for organisations in 2013. These will continue to be important in 2014, but what will they evolve into? What other things do we need to consider?
Here are 10 trends to watch:
1. The Internet of Things (IoT) will be 2014’s big data
The best quote I came across in 2013 about big data was: “Big data is like teenage sex; everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it.” 2014 will be the year of IoT hot air and I don’t mean that as a reference to the Nest thermostat. There will be an increased number of potential security threat vectors as a result of more things being plugged in, but until this becomes the norm, we’re neglecting the more plausible ways organisational security can be breached. But because articles with “IoT” in the headline will attract more eyeballs, we will not be able to escape the term.
2. Privacy will become a major concern in the mainstream
The data monitored by the US government includes our personal information, a vast majority of which is sensitive. We already knew one could be placed on the US Department of Homeland Security’s watch list if deemed to be making public statements “not in the best interests of national security”. But we now know we can commit “thought crime” (another reference to Orwell’s 1984) on supposedly private channels.
Also, due to the number of data breaches in 2013, we are more susceptible to identity fraud. Factor in the inability to control how our information flows after we disclose it to an initial party and we have quite a number of privacy issues to deal with. New or amended privacy legislation comes into effect in some countries in 2014 (e.g. Australia) and this will raise the profile of privacy further.
3. Security departments will shift their focus from incident identification to incident reaction and management
The focus when dealing with threats up to this point has been on the identification of them. Vendors spend large sums of money expounding the wonders of their tool’s collection and analytical abilities. It has become a game of “my feature is better than your feature” and “my analytics are better than your analytics”. Ultimately, it is pointless identifying a threat when there is no path forward to manage the incident, deploy the appropriate responses and counter the threat through remediation.
4. There will be an increased focus on privileged users
Edward Snowden gained access to the infamous NSA documents through his administrative rights to systems in addition to accounts he possibly garnered through social engineering of colleagues. Those with privileged access can potentially do a lot of damage. This is not a new concept nor concern, but the Snowden incident puts privileged users back in the spotlight in 2014.
5. The number of authentication alternatives to passwords will increase noticeably and be driven by the consumer market
Although we have come to accept passwords as a necessary evil, they are inherently insecure. Consumers want to be identified using more secure, usable means and consumer-focused companies are taking note. Apple’s release of the Touch ID sensor on the iPhone 5S was the highest profile example of this in 2013. There are variants from other consumer technology companies relying on everything from our heartbeats to facial recognition scheduled for release in 2014.
6. We are at the dawn of an encryption renaissance
Snowden’s NSA documents and the realisation that data residing in the cloud is readily accessible by the US government will force organisations to re-examine where their critical data resides and encrypt as much of it as they can. Even this is not a complete solution as one of Snowden’s leaked documents showed that much of the weaker encryption methods are easily bypassed by the US government. Organisations must use stronger forms of encryption to reduce the chances of their data being decrypted.
7. Data security, resilience, availability and recovery; the next step in the consumerisation of IT
As consumers, we know to back up critical data. But we do not ensure we have multiple backup sources and can recover from failure or loss of data. We are also notoriously bad at ensuring data is secure and cannot be stolen. This will change for one reason: digital currency, more specifically, Bitcoin. With its price, popularity and profile at an all-time high, consumers will begin to take more care of personal data. The Bitcoins that one possesses reside within a digital wallet on disk. If you lose that data, you lose your Bitcoins forever.
8. The deluge and size of data breaches in 2013 will tip the scales in favour of spear phishing
Due to the large number of data breaches, criminals now know more about us than they ever have. The best phishing emails are the ones that contain personal information and are targeted at the recipient, commonly referred to as spear phishing. These emails are difficult to identify at the best of times as they use real information and thus have a higher rate of success. The more secrets a phishing email documents about us, the more likely it is to succeed. The only way around this is to assume a default state of distrust when dealing with emails.
9. There will be a noticeable increase in the number of Managed Service Providers (MSP) expanding into the Identity-as-a-Service (IDaaS) market
Identity became a core part of IT and business in 2013. MSPs that previously would not have entertained the thought of bringing an IDaaS offering to market are now seeing the demand and scrambling to meet it.
10. Organisations will get serious about their own on-premise private cloud
Trust in public cloud providers has decreased significantly, largely due to the impact of the NSA spying revelations. For organisations to enjoy the cost and productivity benefits a cloud infrastructure brings while maintaining full control over critical and sensitive data, they must deploy a private cloud. While many were merely exploring private cloud in 2013, the Snowden incident has become the compelling reason to act.
Ian Yip is the product and business manager for Identity and Security Management across the Asia Pacific region at NetIQ Australia. NetIQ, a business unit of the Attachmate Group, provides identity, access, security and compliance management solutions.