De-perimeterization of security: Security can’t just stop at the perimeter--there are growing concerns about insiders, more sophisticated attacks that penetrate through the outer walls, and recognition that it’s too late to keep the bad stuff out because it’s already inside (according to Gartner, for example, 75 percent of enterprises will have been infected with malware by the end of 2008). This is not to say that the perimeter is going away--it isn't, but it will become the first line of defense rather than the last one.
Insider threat: The DBA at Certegy who stole 8.5 million credit card and bank account records became the poster child for what a malicious insider can do in 2007, and this is still sinking in. In 2008 companies will start taking the insider threat more seriously, not only against blockbuster crimes like the Certegy incident, but also against the much more numerous smaller infractions that cause a lot of financial damage with less fanfare.
Security gets intimate with the application: Security as an afterthought was OK for perimeter defense, but more sophisticated attacks and a great attack surfaces in applications mean that security tools need to get closer to the applications they protect. They need to understand specific vulnerabilities, hardening issues and exploits.
Security permeates through the organization structure: Just as security architecture is being absorbed throughout enterprise-wide systems, the variety of expertise required to manage security at different levels is going to drive organizational change. While this will take different forms in different organizations, there’s no doubt that the degree of specialization needed in various areas of security is increasing, so more cross-functional positions will be created.
Regulations go from "rough and toothless" to "tough and ruthless" (courtesy of Kentucky Fried Movie): With PCI DSS maturing and the credit card companies beginning to impose hefty fines on non-compliant merchants and processors, and with SOX getting into its second, deeper iteration of compliance processes and tools, compliance is being taken more seriously not just on the façade, but is being leveraged to enhance business processes and security as enterprises realize that it’s not just about not being caught. The exception is HIPAA, which is likely to get an enforcement boost only after the US elections as health reforms--currently a high ticket agenda item for many candidates--start becoming policy.
Security as a managed service: Managed Security Providers will increase the coverage they give to customers and their business will grow. Why? Because it’s a cost effective way to get security, and because not all organizations will have expertise in-house to deal with the variety of threats and issues.
Effect of virtualization/grid computing: Coupled with the managed service trend, this could prove a trend that would change the security landscape significantly. With servers and processors becoming increasingly powerful, architectures will change to allow for several applications to run on virtual machines on the same hardware server. This turns network traffic into host traffic, and will render many network-based tools useless in such environments. Backed by a green agenda of power consumption savings as well as reduced costs, this is too compelling for it not to start happening.
Slavik Markovich is the CTO of Sentrigo.