Uncertain Future Adds to Security Concerns

As we enter 2009, enterprise IT managers will have even more work to do to keep a strong focus on securing data in the year ahead. The recession and the move to cloud computing, two seemingly separate issues, will both present challenges in the coming year, says one security expert.

Insider threats will increase as employees, disgruntled at being laid off, may attempt to strike back, Phil Dunkelberger, CEO of encryption vendor PGP Security, told InternetNews.com. Also, governments and enterprises will come under constant attack from cybercriminals who want to get to their data, and the number of data breaches will increase.

“Data is a currency, and, in tough economic times, there is always more fraud, and more people will steal data,” Dunkelberger said.

Meanwhile, the move to cloud computing will create more compliance and security headaches, while governments ramp up compliance enforcement. For all these reasons, enterprises will have to secure their data better. “Data is the heart of a business, and all compliance and risk revolves around data,” Dunkelberger said.

The focus will change from securing devices, such as servers and disks, to securing data, because the increasingly mobile workforce nullifies security perimeters. “Stuff on your laptop that’s encrypted with whole disk encryption is open when you go work on a wireless network in a café,” Dunkelberger said.

Dunkelberger suggested corporations implement training programs so employees understand they should focus on securing data, not just the physical devices. However, in tough economic times, training is one of the first areas to be cut.

It’s what’s inside that counts

The insider threat, always present, will get worse as the massive layoffs due to the recession begin to take effect. In November alone, 224,079 people were laid off, according to the Bureau of Labor Statistics, while Rafe Needleman’s scorecard on CNET shows that high-tech companies laid off about 112,500, based only on those companies that provided actual numbers.

“Fully half the threats over the past 10 years came from insiders,” Dunkelberger said. “IT staff will not be able to oversee them adequately as they are forced to do more with less, and people are cutting out training budgets for security, and these things will put more emphasis on the insider threat than ever before.”

Internal breaches, either on their own or in combination with external attacks, were cited as the reason for more than half the cases where confidential data was lost, a survey sponsored by database security solutions vendor Application Security found.

The security concerns of enterprises will be exacerbated by their increasing use of the cloud, Dunkelberger said. Research firm IDC has predicted that enterprise adoption of the cloud will accelerate in 2009.

As this happens, businesses will lay themselves open to more security headaches, Dunkelberger said. Not only will the cloud offer rich pickings for spammers, but questions of compliance and security will arise.

“Some of your data might be in a cloud in the U.S., some in Europe, some in Asia,” Dunkelberger said. “Think about all the different laws, compliance issues and security issues you’ll have to deal with on the worldwide Internet. If your e-mails are encrypted and stored in the cloud, how will you do key management? That’s going to be a real problem in the cloud.”

In cryptography, key management refers to generating, exchanging, storing, safeguarding, using, vetting and replacing the cryptographic keys that provide access to encrypted files or data.

Compliance laws vary between nations, and coping with them on the cloud will become more difficult as governments will begin passing and enforcing more compliance and breach notification laws worldwide, Dunkelberger said.

Europe, for example, does not have breach notification laws, he added. That will complicate things for U.S. companies that store data or do business in Europe as they have to deal with two sets of requirements.


Online attacks will go up

As these legal issues enmesh corporations, they will have to face increasing attacks from cybercriminals. Security vendor McAfee has warned that next year could be a very good year for online crime if the economic situation deteriorates.

“The local, state and federal governments, which are the largest depositories of data, will be under constant attack,” Dunkelberger said. “Viruses aren’t about infecting your computer any more, they are about trying to steal data.”

The security solutions of the future will take a multi-faceted approach, combining access control with network and data access security and user access security. This will all be done automatically through policies, encryption and other defense measures such as data leak protection, Dunkelberger said.

“You want to find the problem, remediate it and make sure the policy is enforced automatically, all done seamlessly so your end users won’t have to deal with the problem,” Dunkelberger said.

Other points Dunkelberger made were that government monitoring worldwide will increase and that the incoming administration will revamp our security laws to take into account civil liberties and privacy.

“There’s going to be this unhealthy tension between business and privacy on the one hand and governments looking for more data on people to combat terrorism on the other,” he said. There is no telling how this will play out.

The incoming Obama administration will emphasize cyber security for national security and businesses, but will look at the levels of security businesses and individuals need from a constitutional standpoint, Dunkelberger said.

“Every indication we’ve had is that they’re very concerned about what happened in the past eight years of people going in without judicial approval and raiding people’s e-mail and listening to their voice communications.”

Update corrects comments by Dunkelberger.
