Security threats: cloud, mobility and convergence
Three serious issues are likely to affect the security of data in 2011: mobile device security, the security of data in the cloud, and the global convergence of data security and privacy regulation.
The proliferation of sophisticated mobile devices such as smartphones and tablets will have a substantial effect on application and data security. Organisations will struggle to accommodate the growing number and variety of these devices while maintaining traditional data and application security practices.
Recently there has been a dramatic surge in sophisticated mobile devices being used as access points to online services and enterprise networks. These devices have also gained more storage capacity and broader support for web technologies, and a growing variety of applications use them as a gateway to enterprise systems, including CRM, ERP and document management. Missing mobile devices will therefore become as big a pain point as lost or stolen laptops.
There is another concern: as mobile devices become mainstream, online service providers must adapt their offerings to these platforms, often creating a separate version of each application to match the capabilities of each device. In this process it is not uncommon to see older vulnerabilities resurface. Publicised cases have shown the mobile-facing versions of otherwise well-protected online applications displaying common vulnerabilities. Mistakes are made around identification and authentication: application programmers trust attributes of the data stream (such as a user-agent string or a device identifier sent by the client) that an attacker can forge without possessing the particular mobile device. The applications therefore become more vulnerable.
Furthermore, applications that validate sensitive transactions with a one-time password (OTP) delivered by SMS to a phone number supplied by the user are at risk. If the user accesses the application from a smart mobile device, and that device is infected by a Trojan, the Trojan can read the OTP delivered by SMS on the same device, so the second factor no longer arrives over an independent channel.
We therefore expect exponential growth in mobile device-related incidents. Organisations need to start planning to secure these devices and their interaction with enterprise networks, while application providers need to exercise care in serving them, including vulnerability mitigation, re-evaluation of trust and the incorporation of new authentication and authorisation channels.
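The identification mistake described above, as an added example that is not part of the original article and is not Imperva code: a server that recognises a "known phone" by the User-Agent string and an X-Device-Id header can be satisfied by any HTTP client that sends the same two strings, while a server that only trusts a token it issued and MAC-protected itself cannot. The header names, the constructed server key, the registered device table and the token format are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed server-side secret for the example; a real deployment loads it
# from configuration or a key store, never from source.
SERVER_KEY = b"constructed-example-key-do-not-use-in-production"

# Constructed table of device identifiers that the mobile app registered.
REGISTERED_DEVICES = {"device-1234": "alice"}


def vulnerable_identify(headers: Dict[str, str]) -> Optional[str]:
    """Vulnerable: identity is derived from attributes the client chooses.

    Both the User-Agent string and the X-Device-Id header are plain request
    data; an attacker with no access to the phone can send identical values.
    """
    if "AcmeMobile/1.0" in headers.get("User-Agent", ""):
        return REGISTERED_DEVICES.get(headers.get("X-Device-Id", ""))
    return None


def issue_token(user: str, device_id: str, ttl: int = 3600,
                now: Optional[int] = None) -> str:
    """Issue a bearer token after a real login: user|device|expiry|HMAC tag."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{device_id}|{now + ttl}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def hardened_identify(headers: Dict[str, str],
                      now: Optional[int] = None) -> Optional[str]:
    """Hardened: identity comes only from a token the server itself issued.

    The HMAC tag binds user, device and expiry together, so none of them can
    be altered by the client, and a request that carries no valid token is
    anonymous regardless of what User-Agent or X-Device-Id claims.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    parts = auth[len("Bearer "):].split("|")
    if len(parts) != 4:
        return None
    user, device_id, exp, tag = parts
    payload = f"{user}|{device_id}|{exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    now = int(time.time()) if now is None else now
    if int(exp) < now:  # exp is covered by the MAC, so int() cannot be fed garbage
        return None
    # Defence in depth: the device claimed in the request must be the device
    # the token was issued to.
    if headers.get("X-Device-Id") != device_id:
        return None
    return user


def run_demo(now: int = 1_000_000) -> Dict[str, Optional[str]]:
    """Run a forged request and a genuine one through both checks."""
    forged = {"User-Agent": "AcmeMobile/1.0", "X-Device-Id": "device-1234"}
    token = issue_token("alice", "device-1234", now=now)
    genuine = {"Authorization": "Bearer " + token, "X-Device-Id": "device-1234"}
    return {
        "vulnerable_forged": vulnerable_identify(forged),   # "alice": forgery succeeds
        "hardened_forged": hardened_identify(forged, now),  # None: forgery rejected
        "hardened_genuine": hardened_identify(genuine, now),  # "alice"
    }


if __name__ == "__main__":
    print(run_demo())
```

The point is not the token format but where trust originates: anything the client can type into a request is evidence of nothing, so the only attributes worth acting on are ones the server itself minted and can verify.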
Imperva predicts more cloud data security applications early in 2011, responding to private and public clouds that are either self-serviced or managed as a service. This trend is a late response to the migration of applications and data stores to cloud technologies and to the industrialisation of hacking, which has dragged many smaller online businesses into the threat zone.
The extensive increase in cloud technology use brings a different set of data and application security challenges. Cloud applications (SFDC.com, Gmail, MS BPOS, SuccessFactors) challenge their operators to maintain a bulletproof partition between the data sets of different customers, while customers are challenged to protect their data from the prying eyes of service administrators.
Private clouds (clustered servers running virtual machines) create a challenge because the same application or database server may run on a different physical server at different points in time, making it harder to monitor the communication path to the application. Public clouds (hosting providers) challenge their operators to maintain partitions between the applications and data sets of different users, and to manage application and data security for a multitude of different applications.
Self-service clouds (platform as a service or infrastructure as a service, such as Amazon EC2 or MS Azure) challenge their users with a new virtual platform and with the need to protect data from cloud administrators. Issues common to all forms of cloud include:
- Maintaining bulletproof partitions between datasets of different customers
- Providing different levels of data security to applications sharing the same logical or physical platforms
- Protecting customer data from the prying eyes of cloud administrators
- Providing solutions that operate over a specialised infrastructure (VM, Amazon AMI)
- Managing application and data security for a large number of applications inside the cloud
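The first of these issues, keeping one customer's data partitioned from another's on a shared platform, as an added example that is not part of the original article and is not Imperva code. The commonest way the partition fails in a multi-tenant application is a lookup keyed only on a record's global identifier, so that a tenant who guesses another tenant's identifier reads or overwrites their row. The in-memory SQLite table, the two sample tenants and their rows are constructed for the example; the fix shown is to bind every data-access call to the tenant of the authenticated session so the tenant predicate cannot be left off an individual query.

```python
import sqlite3
from typing import List, Optional


def build_store() -> sqlite3.Connection:
    """Constructed in-memory store standing in for a shared multi-tenant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "  id INTEGER PRIMARY KEY,"
        "  tenant_id TEXT NOT NULL,"
        "  body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (id, tenant_id, body) VALUES (?, ?, ?)",
        [(1, "tenant-a", "tenant-a contract"), (2, "tenant-b", "tenant-b payroll")],
    )
    conn.commit()
    return conn


def get_record_unscoped(conn: sqlite3.Connection, record_id: int) -> Optional[str]:
    """Vulnerable: the row is selected by its global id alone.

    Whoever calls this with id 2 gets tenant-b's payroll, whichever tenant
    they actually are; the partition between customers exists only on paper.
    """
    row = conn.execute("SELECT body FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


class TenantStore:
    """Hardened: all access goes through an object bound to one tenant.

    tenant_id is taken from the authenticated session when the object is
    created, never from the request, and every SQL statement carries it, so a
    foreign record id simply does not match anything.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def get(self, record_id: int) -> Optional[str]:
        row = self.conn.execute(
            "SELECT body FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self.tenant_id),
        ).fetchone()
        return row[0] if row else None

    def list_ids(self) -> List[int]:
        rows = self.conn.execute(
            "SELECT id FROM records WHERE tenant_id = ? ORDER BY id", (self.tenant_id,)
        )
        return [r[0] for r in rows]

    def update(self, record_id: int, body: str) -> bool:
        """Return True only if a row belonging to this tenant was changed."""
        cur = self.conn.execute(
            "UPDATE records SET body = ? WHERE id = ? AND tenant_id = ?",
            (body, record_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount == 1


def run_demo() -> dict:
    """Tenant A tries to read and overwrite tenant B's record both ways."""
    conn = build_store()
    tenant_a = TenantStore(conn, "tenant-a")
    return {
        "unscoped_cross_tenant_read": get_record_unscoped(conn, 2),  # "tenant-b payroll"
        "scoped_cross_tenant_read": tenant_a.get(2),                # None
        "scoped_cross_tenant_write": tenant_a.update(2, "tampered"),  # False
        "tenant_b_after": TenantStore(conn, "tenant-b").get(2),     # unchanged
    }


if __name__ == "__main__":
    print(run_demo())
```

The same discipline applies at the storage layer when the platform supports it (a per-tenant schema, database or row-level policy), but the application-side wrapper is the part that is under the customer's own control on a shared cloud platform.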
Lately we have become aware of attempts by security and cloud providers to address application and data security in the cloud. Traditional application security vendors are starting to deliver their solutions on virtual platforms (VMware, Amazon), while new vendors are creating cloud-based delivery models for application security solutions.
We expect good technical solutions for application security in the cloud in 2011, although data security solutions (protecting data stores in the cloud) will lag behind. Manageability at scale, and different levels of security for applications that share the same platform, will remain major challenges, while data security solutions will continue to struggle to find the right security model.
Convergence causes concern
As more companies are caught violating data privacy and security breaches appear daily, government regulators will continue to tighten the legal screws on enterprises. Recently, Google CEO Eric Schmidt said that people who don’t like Google’s Street View cars taking pictures of their homes and businesses “can just move”. Executive bravado of this kind typically invites government regulation and scrutiny.
Continuing data breaches force more and more governments, and even private industries, to consider more in-depth security regulations to protect citizens. But another trend seems to be flying under the radar: as enterprises contend with additional data laws, consolidation of those laws will take place across borders.
Recently the US Federal Trade Commission reached out to the EU to begin investigating where the two can jointly unify data security laws. Companies will comply, but will find complying with multiple mandates across borders very difficult. Governments will respond by defining a common framework to make life easier for enterprises that house data. A recent White House announcement stressed the need for a worldwide effort.
By Amichai Shulman, Chief Technology Officer, Imperva