In this article, security expert Carol Woodbury discusses technologies in the security world that are hot and some that are not so hot.
I'm sincerely hoping this article doesn't just appeal to my fellow security geeks. In other words, even if you couldn't care less about security or perhaps even loathe the role that security plays in your day-to-day life, I hope that you can appreciate the technology described in this article.
This article is based on what I see happening (or not happening) in our (SkyView Partners) clients' organizations as well as what's appearing in (or disappeared from) the security-related press. Others may have opinions about what's hot and what's not, especially if they happen to work on a particular technology. I'm not trying to promote a technology or play favorites. My definition of "hot" is that the technology is either being implemented or considered by the majority of our clients and/or is receiving significant press in the security world. In other words, this is my experience as to what's going on in the security world today.
Here's what's steaming!
One of the hottest technologies in the security world today is encryption. I didn't say new technology; I said hot technology. How can a technology that's admittedly only interesting to true security geeks be so hot? One word: compliance. The widespread use of encryption is due to the fact that regulations such as the Payment Card Industry's Data Security Standards (PCI DSS) require that data in motion as well as data at rest (that is, information in a database) be encrypted. Couple that with state breach-notification laws that allow organizations to skip notifying individuals that their data was lost or stolen if the data was encrypted, and you have a technology that is hot.
One would think there could be few advances in the area of encryption since it's such a mature technology, but that's not the case. Most encryption vendors are now touting the use of tokens as a means of further protecting data at rest (in addition to encrypting it). When using tokens, the data is encrypted and stored on a separate server typically known as a vault; the application is handed back a token, a stand-in value with no mathematical relationship to the original data. Using tokens allows you to work with the transaction associated with the use of a credit card without having to work with either the cleartext or encrypted version of the credit card number. As an added benefit, if an application needs this association but doesn't need the cleartext credit card number, using tokens may allow the system to be removed from the scope of PCI compliance. Tokens aren't right for every situation where data at rest is encrypted, but they're worth investigating.
Another area of encryption to watch for is the requirement from laws or regulations like the PCI DSS to use encryption algorithms that have been certified as meeting specific standards, such as the NIST encryption standards. While they're not yet required, it is widely believed that the PCI consortium will require the use of certified encryption algorithms at some point. This will eliminate encryption implementations where developers have "rolled their own" solution and where less than optimal (i.e., weak) key management processes/implementations are in place.
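To make the vault idea concrete, here is an added example (my own illustration, not code from the author or from any vendor product) of the two halves of a tokenization setup: a vault that keeps the only copy of each card number, encrypted with AES-256-GCM from Go's standard library rather than a home-grown algorithm, and an application that stores nothing but a random token and the last four digits. The `Vault`, `RecordSale` and `Transaction` names, the `tok_` prefix and the test card number are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Vault stands in for the separate tokenization server ("vault") that holds
// the only copy of each card number, encrypted with AES-256-GCM.
type Vault struct {
	aead  cipher.AEAD
	mu    sync.Mutex
	store map[string][]byte // token -> nonce || ciphertext of the PAN
}

// NewVault wraps a 32-byte key. In production the key comes from a key
// manager, never from application code.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string][]byte)}, nil
}

// Tokenize encrypts the PAN under a fresh nonce and hands back a random token.
// The token is not derived from the PAN, so nothing outside the vault can
// recover the card number from it.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("PAN must be digits only")
		}
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, []byte(pan), nil) // nonce is prefixed
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	v.mu.Lock()
	v.store[token] = sealed
	v.mu.Unlock()
	return token, nil
}

// Detokenize is the only path back to cleartext; it is what the vault's
// access controls and audit trail have to guard.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	sealed, ok := v.store[token]
	v.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// Transaction is all the ordinary application keeps: the token plus the last
// four digits for display, never the PAN itself.
type Transaction struct {
	Token  string
	Last4  string
	Amount int64 // cents
}

// RecordSale is the application-side flow: the PAN goes to the vault once and
// only the token is retained.
func RecordSale(v *Vault, pan string, amount int64) (Transaction, error) {
	token, err := v.Tokenize(pan)
	if err != nil {
		return Transaction{}, err
	}
	return Transaction{Token: token, Last4: pan[len(pan)-4:], Amount: amount}, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a key manager in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	tx, err := RecordSale(vault, "4111111111111111", 1999) // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("application stores: %+v\n", tx)
	pan, _ := vault.Detokenize(tx.Token)
	fmt.Println("vault can recover:", pan)
}
```

The point to notice is what each side holds: the application's `Transaction` can be backed up, reported on and joined against without ever touching the card number, and the only way back to cleartext is a call into the vault, which is exactly where access control and logging get concentrated.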
Data Loss Prevention (DLP)
Another area of hot security technology is data loss prevention (DLP). Data loss prevention in the IT world (versus physical measures designed to help deter theft) is a rules-based technology that prevents data from leaving your network or computer systems. Compared with event-management software, which notifies you after an event has occurred, the focus of this technology is prevention of the event. It does so by inspecting the data as it travels through the network or while it is sitting in a database file, recognizing when it matches one of the rules you've defined for that type of data, and preventing the action that's about to be taken. For example, you could prevent files containing private data from being FTPed to an external Web site or from being copied to a USB drive. Or you could stop emails containing confidential corporate information (such as pricing or vendor lists) from being sent to an external email address.
While the emphasis of this technology is prevention, you can also implement it in log-only mode. Or, if you intend to implement the technology in prevention mode, you can start out in log-only mode and send warning messages to the users to warn them of their "infraction."
DLP can be annoying to end-users who are prevented from doing tasks that are part of their job, but many organizations are either considering or have already implemented a DLP solution—at least in log-only mode. The key to a successful DLP implementation is finding the balance between being too intrusive (that is, preventing too much movement of data) and not intrusive enough.
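Here is an added example (my own illustration, not code from the author or from any DLP product) of the rules-based inspection just described, with the two modes side by side: the same policy either blocks an outbound email, FTP upload or USB copy, or only logs it and warns the user. The rule names, the `corp.example.com` and `partner.example.net` destinations and the sample messages are all constructed for the example; the card-number rule pairs a pattern with a Luhn check so that an order number that merely looks like a card number does not trip it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mode selects whether a matching rule blocks the action or only logs it.
type Mode int

const (
	LogOnly Mode = iota // record the event and warn the user, but let the data go
	Prevent             // stop the action before the data leaves
)

// Rule pairs a pattern with an optional verifier that trims false positives.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
	Verify  func(match string) bool
}

// Event is one attempt to move data: an outbound email, an FTP upload, a USB copy.
type Event struct {
	Channel     string // "email", "ftp", "usb"
	Destination string // recipient domain, remote host, or device name
	Content     string
}

// Verdict records which rules fired and what the agent did about it.
type Verdict struct {
	Matched []string
	Blocked bool
	Warned  bool
}

type Policy struct {
	Mode     Mode
	Rules    []Rule
	Internal []string // destinations that stay inside the network
}

// luhnValid separates real card numbers from other 13-19 digit strings.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ExamplePolicy holds two constructed rules: payment card numbers and
// documents marked confidential (pricing, vendor lists).
func ExamplePolicy(mode Mode) Policy {
	strip := strings.NewReplacer(" ", "", "-", "")
	return Policy{
		Mode:     mode,
		Internal: []string{"corp.example.com", "fileserver01"},
		Rules: []Rule{
			{Name: "card-number",
				Pattern: regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`),
				Verify:  func(m string) bool { return luhnValid(strip.Replace(m)) }},
			{Name: "confidential-doc",
				Pattern: regexp.MustCompile(`(?i)\b(confidential|price list|vendor list)\b`)},
		},
	}
}

// Inspect applies the rules to data leaving the network and reports what the
// agent would do in the configured mode.
func (p Policy) Inspect(e Event) Verdict {
	var v Verdict
	for _, in := range p.Internal {
		if e.Destination == in {
			return v // data stays inside the network: nothing to prevent
		}
	}
	for _, r := range p.Rules {
		for _, m := range r.Pattern.FindAllString(e.Content, -1) {
			if r.Verify == nil || r.Verify(m) {
				v.Matched = append(v.Matched, r.Name)
				break
			}
		}
	}
	if len(v.Matched) > 0 {
		v.Blocked = p.Mode == Prevent
		v.Warned = p.Mode == LogOnly
	}
	return v
}

func main() {
	events := []Event{ // constructed sample events
		{"email", "partner.example.net", "Attached is our confidential price list for Q3"},
		{"usb", "removable-drive", "Customer card 4111 1111 1111 1111 exp 12/29"},
		{"ftp", "files.example.net", "Order 1234567890123456 shipped"}, // 16 digits, fails Luhn
		{"email", "corp.example.com", "Internal copy of the vendor list"},
	}
	for _, mode := range []Mode{Prevent, LogOnly} {
		p := ExamplePolicy(mode)
		for _, e := range events {
			fmt.Printf("mode=%d %-5s -> %-19s %+v\n", mode, e.Channel, e.Destination, p.Inspect(e))
		}
	}
}
```

Running it in `LogOnly` first, as the article suggests, shows you which rules fire and how often before anyone is actually stopped; the third sample event is the kind of false positive that tuning step is meant to surface.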
Security Information and Event Management (SIEM)
The implementation and use of SIEM technology is another technology that is driven by compliance. SIEM started out as a log aggregator used primarily to gather all log or audit information within an organization and consolidate it in one place. This allowed all log information to be backed up and protected from modification. While not an issue on IBM i, the integrity of log files (the audit journal, in IBM i terms) comes into question on other systems if additional measures aren't taken to protect the logs. While the protection of log information was the initial reason for log collection, it was quickly realized that having all information in one place allowed for the correlation of the logs. This holds great benefits when investigating an incident as well as analyzing activity to detect incidents. In addition, depending on the implementation, events can be sent to the centralized log server in real time, providing the potential for real-time event notification.
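The correlation benefit is easiest to see with an example, so here is an added one (my own illustration, not code from the author or from any SIEM product). It assumes the collector has already normalized every source into a simple `key=value` line format (a construction for this example, not any product's format) and then looks for a pattern no single system could see on its own: one user ID failing to sign on to several different systems within a few minutes. The host names, user IDs and log lines are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LogonEvent is the normalized form every source is mapped to once it
// reaches the central log server.
type LogonEvent struct {
	Time   time.Time
	Host   string
	User   string
	Failed bool
}

// ParseLine reads the constructed key=value format this example assumes the
// collector emits, e.g. "ts=2024-03-01T09:00:01Z host=linux01 user=alice result=fail".
func ParseLine(line string) (LogonEvent, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return LogonEvent{}, fmt.Errorf("malformed field %q", f)
		}
		kv[parts[0]] = parts[1]
	}
	ts, err := time.Parse(time.RFC3339, kv["ts"])
	if err != nil {
		return LogonEvent{}, err
	}
	return LogonEvent{Time: ts, Host: kv["host"], User: kv["user"], Failed: kv["result"] == "fail"}, nil
}

// Alert is one correlated finding across systems.
type Alert struct {
	User  string
	Hosts []string
	Start time.Time
	End   time.Time
}

// Correlate raises one alert per user whose sign-on failures span at least
// minHosts distinct systems inside any interval of length window. Each host
// on its own sees a single failure, which is why only the consolidated view
// can detect this.
func Correlate(events []LogonEvent, window time.Duration, minHosts int) []Alert {
	byUser := map[string][]LogonEvent{}
	for _, e := range events {
		if e.Failed {
			byUser[e.User] = append(byUser[e.User], e)
		}
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs {
			hosts := map[string]bool{}
			end := i
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				hosts[evs[j].Host] = true
				end = j
			}
			if len(hosts) >= minHosts {
				names := make([]string, 0, len(hosts))
				for h := range hosts {
					names = append(names, h)
				}
				sort.Strings(names)
				alerts = append(alerts, Alert{User: u, Hosts: names, Start: evs[i].Time, End: evs[end].Time})
				break // one alert per user is enough for this example
			}
		}
	}
	return alerts
}

// sampleLogs are constructed lines from three systems as the SIEM would hold them.
var sampleLogs = []string{
	"ts=2024-03-01T09:00:01Z host=linux01 user=alice result=fail",
	"ts=2024-03-01T09:00:40Z host=linux01 user=bob result=fail",
	"ts=2024-03-01T09:01:12Z host=winfs01 user=alice result=fail",
	"ts=2024-03-01T09:01:50Z host=linux01 user=bob result=fail",
	"ts=2024-03-01T09:02:30Z host=ibmi01 user=alice result=fail",
	"ts=2024-03-01T09:02:45Z host=linux01 user=bob result=ok",
	"ts=2024-03-01T09:03:10Z host=ibmi01 user=carol result=fail",
	"ts=2024-03-01T09:45:00Z host=winfs01 user=carol result=fail",
}

// AlertsFor parses the lines and runs the rule: 3 distinct hosts within 10 minutes.
func AlertsFor(lines []string) ([]Alert, error) {
	var events []LogonEvent
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Correlate(events, 10*time.Minute, 3), nil
}

func main() {
	alerts, err := AlertsFor(sampleLogs)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT user=%s hosts=%v from %s to %s\n", a.User, a.Hosts, a.Start.Format(time.RFC3339), a.End.Format(time.RFC3339))
	}
}
```

Only `alice` produces an alert: `bob` fails three times on one host (a local lockout policy handles that), and `carol`'s two failures are 42 minutes apart. With events streamed to the central server in real time, the same rule can fire as the third failure arrives rather than during a later investigation.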
Content Classification and Email Retention
Another technology that's hot is the analysis and retention of email. Why is this a security technology? Because the retention policy is based on the classification of the data. In addition, appropriate use of the data as well as the use of email are typically two issues documented in an organization's security policy. Content classification and email retention is another technology being driven by compliance requirements as well as legal requirements to produce documentation when demanded by the courts. Products based on this technology archive and catalog the electronic data (including email, chat logs, and all other forms of electronic communication) that is discoverable and, therefore, admissible in court. After the defined retention period, the data is destroyed according to the requirements defined by the classification of the data.
Not So Hot
And these, well, they're a bit "chilly."
Digital Certificates for User Authentication
The use of digital certificates for user authentication is a technology that has definitely "cooled off" from the height of its popularity. That's not to say that digital certificates aren't widely used; they are. Every time you connect using an encrypted session (such as through a VPN or HTTPS), you are using a digital certificate. What's cooled is their use for authenticating individuals. When they and the technology they enable (public-private key encryption) were first introduced, it was thought that every man, woman, and child was going to be issued at least one digital certificate, and we were going to use them for authentication to every application known to man. (Perhaps a bit of an overstatement, but you get my point.)
While there are some applications that have utilized digital certificates for user authentication (that is, using digital certificates to prove users are who they say they are), the adoption rate for digital certificates as a means of user authentication is significantly less than originally anticipated. Why? The overhead of maintaining large numbers (over 100) of digital certificates has proven to be non-trivial. Certificates have to be issued to new employees, renewed when they expire, and revoked when they leave or lose the device in which they've been stored. Operating systems and applications have to be re-written to accept a digital certificate instead of or in addition to a user ID and password. These changes have been slow in coming, and this has also led to the slow adoption rate. The bottom line is that the cost to the organization of implementing and maintaining digital certificates for all employees as a means of user authentication has outweighed the benefits.
Another technology where cost has outweighed the benefits for many organizations is the use of biometrics for user authentication. This very cool technology is, unfortunately, not practical for most organizations. While I think that every organization would like to use biometrics for authentication (who wouldn't want to use the technology that great movie scenes are made of? Think Tom Cruise in Mission: Impossible), many can't afford the additional cost. Biometrics requires hardware. For example, say an organization wants to have users authenticate to the network using their fingerprints. This requires a fingerprint reader, the cost of which is at least a few dollars to tens of dollars per instance of implementation, depending on the model. In many cases, to get a reliable reader, you need to spend more than a few dollars. Multiply the cost of the reader times the number of employees, add in the cost of debugging and replacing hardware, and don't forget the programming changes required to authenticate to the network via a fingerprint rather than a user ID and password. While by no means a huge programming effort, it does require that programmers be allocated to the project. All told, many organizations make a business decision and don't feel the benefits justify the additional costs. However, if the cost of reliable hardware becomes more affordable, watch for this technology to heat up.
Put on Hold: Single Sign-On
Single sign-on is an interesting technology. It was hot a few years ago but has definitely cooled. But unlike an organizational roll-out of digital certificates or biometrics, I see single sign-on projects more being put on hold than cancelled. Organizations have had to put many projects on hold as they implement compliance requirements, but I still hear about and get questions from organizations interested in single sign-on. When organizations get caught up with their compliance requirements, this technology may heat back up.
Hot or Not?
I hope you've enjoyed this discussion of "what's hot" and "what's not" in the field of security technology.