London: It’s that time of year again when the IT security industry looks back at how the year has developed and predicts what is in store next. Jeff Hudson, CEO of Venafi, the leading provider of enterprise key and certificate management (EKCM) solutions, suggests that 2013 should be the year when you take control of your IT systems amid the explosion of BYOD and cloud computing.
1. Flame and Stuxnet-style malware attacks will continue
“Many pundits, leading media outlets and even some security experts are reporting that enterprises needn't be overly concerned about Flame and Stuxnet-style malware attacks, citing the fact that they were executed by well-funded espionage intelligence groups whose target was hostile nation states and not businesses,” said Jeff Hudson. “However, our view is that companies should be concerned, as unfortunately the tools and techniques for executing these types of attacks are now in the hands of common criminals and rogue entities. In the coming year, these types of attacks are likely to increase especially against enterprise organisations, and are likely to result in significant and costly public breaches and unplanned outages. Therefore, companies should protect themselves against the likes of Flame and Stuxnet-style malware attacks.”
2. The 4G explosion must be managed sensibly
Many would argue that with BYOD and cloud computing, the IT department has less control than ever over how and from where employees access their data. The notion of “perimeter-based security” is gone, and information must be protected wherever it is accessed. This will be exacerbated by the explosion of 4G in the UK, which for the first time gives users a near-desktop experience on their mobile devices thanks to higher connection speeds. More users accessing data from portable devices over less secure networks also means many more security certificates for IT professionals to manage. This could be a huge headache for companies that have no idea how many certificates and encryption keys they have, where they are, or who is responsible for managing them. Hudson advises: “Organisations must mitigate risk and have control over who has access to sensitive information, which means managing trust instruments for all users across the entire network - including mobile devices. If not applied, then 4G could spell disaster for many companies, instead of it being truly liberating for many staff out in the field.”
3. ICO will impose its first cloud computing data protection fine
In September of this year (http://bit.ly/UNwRqQ) the ICO issued specific guidelines relating to cloud computing – advocating that companies going into the cloud need to have total control, auditability and use encryption with robust key management. The data protection regulator says that businesses will need to comply with the law and has published a guide, which seeks to act as a source of best practice for those organisations considering and/or using a cloud-computing environment.
Based on the ICO's previous track record, Venafi believes these guidelines are a polite precursor to the imposition of financial penalties against organisations that fail to protect their cloud-based data.
The confidentiality section of the ICO's cloud computing guidelines asks three pertinent questions: “Are all communications in transit encrypted?”, “Is it appropriate to encrypt your data at rest?” and “What key management is in place?” Venafi advises IT security professionals within UK organisations that, in order to answer these questions and meet the required level of governance, they will need to define and implement a robust key management process with sound access and audit controls.
Venafi also warns that the guidelines – a fairly sparse 21-page document – leave key management, which is an integral part of corporate IT security and governance, as a potentially grey area.
Companies looking for optimum advice on good key management governance in this regard can visit www.venafi.com/best-practices/.
4. Cybercriminals to go after highest-value targets – trust instruments at risk
The use of Public Key Infrastructure (PKI), digital certificates and SSH encryption keys is ingrained within the modern enterprise. These security instruments are critical for securing data in transit, protecting ecommerce and providing system and user authentication. Yet a series of security events that have taken place over the past couple of years have exposed that third-party trust providers are high-value targets for the hacker community. Certificate authority compromises are no longer hypothetical, and are likely on the rise. Venafi warns that organisations should have business continuity plans in place in case of compromise – to quickly and easily switch from one trust-instrument provider to another.
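As an added example, not Venafi's product or code and not part of the original article, the following Go program shows the kind of certificate inventory the 4G section above says many companies lack, and the question the CA-compromise advice turns on: which of my certificates chain to which provider? It parses every certificate in a PEM bundle, counts certificates per issuing CA, and flags those expiring soon or issued by a CA the organisation has decided to distrust, which is the starting point for switching to another trust-instrument provider. The CA names, hostnames, 30-day window and the certificates themselves are constructed test data generated inside the program, not real keys or real issuers.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Entry is one row of the certificate inventory.
type Entry struct {
	Subject, Issuer string
	NotAfter        time.Time
	SelfSigned      bool
}

// InventoryPEM parses every CERTIFICATE block in pemData (one file or a
// concatenation of many) into inventory entries; other PEM types are skipped.
func InventoryPEM(pemData []byte) ([]Entry, error) {
	var out []Entry
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			return out, nil
		}
		pemData = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(out)+1, err)
		}
		out = append(out, Entry{
			Subject:    cert.Subject.CommonName,
			Issuer:     cert.Issuer.CommonName,
			NotAfter:   cert.NotAfter,
			SelfSigned: bytes.Equal(cert.RawSubject, cert.RawIssuer),
		})
	}
}

// Findings counts certificates per issuing CA and flags the ones needing action:
// expiring within window, or issued by a CA the organisation no longer trusts.
func Findings(entries []Entry, now time.Time, window time.Duration, distrusted map[string]bool) (map[string]int, []string) {
	byIssuer := map[string]int{}
	var flagged []string
	for _, e := range entries {
		byIssuer[e.Issuer]++
		if distrusted[e.Issuer] {
			flagged = append(flagged, fmt.Sprintf("%s: issued by distrusted CA %q, reissue from another provider", e.Subject, e.Issuer))
		}
		if e.NotAfter.Before(now.Add(window)) {
			flagged = append(flagged, fmt.Sprintf("%s: expires %s", e.Subject, e.NotAfter.Format("2006-01-02")))
		}
	}
	return byIssuer, flagged
}

// newCA builds a self-signed CA (constructed test data, not a real CA).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issuePEM signs a server certificate for cn with the given CA and returns it as PEM.
func issuePEM(cn string, notAfter time.Time, ca *x509.Certificate, caKey *ecdsa.PrivateKey) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is a constructed PEM bundle: two CAs and one server cert from each.
func SampleBundle() []byte {
	now := time.Now()
	good, goodKey := newCA("Example Root CA")
	old, oldKey := newCA("Old Vendor CA")
	var b bytes.Buffer
	for _, c := range []*x509.Certificate{good, old} {
		pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	b.Write(issuePEM("www.example.test", now.Add(10*24*time.Hour), good, goodKey)) // expires in 10 days
	b.Write(issuePEM("api.example.test", now.Add(365*24*time.Hour), old, oldKey))  // healthy, but its CA is distrusted
	return b.Bytes()
}

func main() {
	entries, err := InventoryPEM(SampleBundle())
	if err != nil {
		panic(err)
	}
	byIssuer, flagged := Findings(entries, time.Now(), 30*24*time.Hour, map[string]bool{"Old Vendor CA": true})
	fmt.Println("certificates per issuer:", byIssuer)
	for _, f := range flagged {
		fmt.Println("ACTION:", f)
	}
}
```

On a real estate the bundle would be assembled from discovery (web server configs, load balancers, keystores, SSH host directories) rather than generated in code; matching on the issuer's common name is enough for a first pass, but a production inventory should key on the full issuer distinguished name or the authority key identifier, since common names are not unique across providers.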
In most cases hackers compromise systems to steal data. Intellectual property, financial data and personal data can all be taken and used for financial gain, to expose secrets, and to harm reputations. Most security effort goes into keeping attackers away from the data; but if the bad guys are already on the inside, how can the data be protected? The best answer is to encrypt the data, whether it is at rest or in motion.