Virtualisation, the cloud will challenge security in 2009

2008 was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009.

Software-as-a-Service (SaaS) and virtualisation really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA.

It's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation and stronger enforcement of existing regulations. Penalties for violations of regulations will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.

Two other major trends that will continue into 2009 are increased use of virtualisation, particularly on the outsourcing side, and an increased focus on the security of Web-based applications. IT shops are always looking for ways to reduce costs and leverage the full value of their existing hardware investments. In 2008, many enterprises finally reached a comfort level with server virtualisation in production environments. This trend will continue in 2009 until managers find creative ways of handling this technology dynamic, since there will be a corresponding drop in security as the traditional controls -- such as VLANs and firewalls -- prove less effective. For this reason, during the transition to a virtualised environment, security managers should pay particular attention to systems that contain critical data like corporate financials or source code.

Many IT organisations will avoid the hardware problem completely by going to third-party service providers, whether they be traditional SaaS providers like Salesforce.com and Qualys, or fully Internet-based virtual servers, such as Amazon.com's AWS and Microsoft's Azure. Outsourcing to that extent, however, means losing significant control over data, and while this isn't a good idea from a security perspective, the business ease and financial savings will continue to increase the usage of these services. Proactive security managers should work with their companies' legal staff to ensure appropriate contract terms are in place to protect corporate data and provide for acceptable service level agreements.

Cloud computing and SaaS are also a huge potential source of compliance problems, particularly with regards to PCI DSS. Security managers must pay even more attention to how, where and when data flows into, through and out of their companies. This can be incredibly challenging from a technical perspective, though DLP tools can help to a certain extent. As a result, it's important for security managers to cultivate strong relationships with the data owners to understand not only the current state of the data flow, but also to be involved early in the process if things start to change.

Continuing into 2009, the focus on securing Web-based applications will continue to grow. Although this has been an issue for a small subset of businesses for a number of years, PCI DSS and its mandate to secure Web application data has driven many businesses to focus on the problem. Given the complexity of existing infrastructures and the speed at which researchers are creating new website exploits, this will clearly be an ongoing project. In 2009, even more companies will clamor for secure Web applications, especially given recent reports from a variety of organisations such as the Web Application Security Consortium (WASC), IBM-ISS and MITRE, showing estimates that upwards of 87% of websites are vulnerable to attack.

While compliance is a huge initial driver for the Web application security effort, as more and more customers become savvy to security issues (issues that are now getting coverage in the New York Times and Wall Street Journal) they are pushing vendors to become more secure as well.

In general, many of the trends that drove security in 2008 -- cloud computing, SaaS, compliance issues -- will continue to gain momentum throughout the new year. So fasten your seatbelts, and get ready for the ride.