Buckling Up for 2011?

Bangkok--19 Apr--Mind PR John Ong, Regional Director, South Asia Check Point Software Technologies Ltd. 2010 has been an eventful year, with its fair share of noticeable security events. The year opened with Operation Aurora, a cyber attack that targeted few dozen Fortune 500 companies, costing them several millions of U.S. dollars; followed by Wikileaks, one of the biggest data breaches ever seen, that exposed thousands of secret U.S. government documents; and was punctuated with no less than Stuxnet, one of the most sophisticated cyber-attacks ever engineered that was capable of bringing down several nuclear sites in Iran. More than any other year perhaps, 2010 demonstrated the importance of IT security to businesses. Besides the notorious cyber attacks and security breaches that made it to the headlines, several thousands of attacks are taking place on the Web every day — 69 attacks every second to be precise. And still, this is only the tip of the iceberg, as most attacks, in fact, go unnoticed or unreported. With this in mind, customers often ask us what kind of computing threat is likely to hit the global market in 2011, and how to anticipate them. While no crystal ball can forecast what the next big security risk will be, I would like to take a look at the current state of IT security and outline some of the major IT security trends that we have observed and will continue to shape 2011 security landscape. Here are ten of the most predominant IT security issues and concerns that are challenging businesses today. Trend #1: Virtualization — the rush continues Virtualization has been around for quite some time now, and has imposed itself as a mainstream technology within organizations, serving numerous purposes besides consolidation and cost-cutting. With no surprise, the rush towards virtualization continues in 2011. According to a Morgan Stanley study, CIOs will continue to massively virtualize their production servers in 2011, up to 55%, compared to 42% in 2010. An Information Week survey from June 2010 reveals that 28 percent of companies already have private clouds in place, and 30 percent of them plan to have one. Yet, as popular as it is, the virtualization trend still brings forth numerous security issues. The lack of specific, virtual network skills in security teams and the high cost of new information security solutions are two of the main obstacles outlined by decision makers. In addition, the regulatory compliance issues, the lack of security best practices for server virtualization and the fact that one can’t import the existing security tools from physical to virtual world, are seen as additional challenges holding back the move to virtualized environments. Trend #2: Cloud Computing A large percentage of enterprises and SMBs are anticipating the need to build an internal or private IT operated cloud in 2011. Simultaneously, the spectrum of cloud services is also expanding considerably, as more and more applications will be offered in the cloud throughout the coming years. Yet, cloud computing, like virtualization, represents a very big challenge for security, and enterprises should be warned from the risk of plunging too quickly into the trend. According to Morgan Stanley’s 2010 CIO Cloud survey, data security and the loss of control appear as enterprises’ greatest concerns when it comes to cloud computing — followed by data portability and ownership, regulatory compliance, and the question of reliability. After all, security is about control, and enterprises should be careful about giving up control of business-critical applications. Companies using in-the-cloud services don’t always know who they are sharing their environment with and that can create a lot of vulnerabilities. Trend #3: IT Consumerization & Mobility Many technologies that started in the consumer market have found their way into business environments. Consumer hardware, such smart phones (iPhone, Blackberry or Android devices, for example) and consumer services, such as online instant messaging, social networking and IP telephony (Facebook, Gmail, Twitter, YouSendIt, MSN Messenger or Skype) have now found new functionality in the work place. This trend is also called "IT consumerization." Integrating all of these private devices, applications and technologies into the enterprise brings distinct security challenges. In particular, enterprises must ensure that all corporate data and resources transiting on these mobile devices or services are protected, while guaranteeing their employees with access to the network anytime, anywhere. Mobile computing is already part of the daily work life in most companies. Indeed, the enterprise mobile device population has grown exponentially these past few years to pass the 100% mobile market penetration bar in numerous markets. Simultaneously, CIOs on the other side are struggling to keep up with all the devices their employees bring onto the corporate network. Yet as 2011 may very well see a surge in the number of incidents related to mobile devices, it is vital that enterprises urgently start securing their mobile workforce. Trend #4: Threat Sophistication Each passing year, Internet threats are reaching new levels of sophistication. From simple viruses and worms, attacks have become increasingly polymorphic, blended and complex, using multiple hacking techniques in a single attack. In addition, many Internet attacks spread by using automatic “robots” that scan the Web for possible vulnerabilities, making everyone a target for such exploits. As a result, attacks are becoming harder for the average business to detect. For example, Zeus, a Trojan horse that steals banking information through key logging, was one of the hardest forms of financial malware to detect this year (identified only 23 percent of the time), and was rated the number one financial Trojan, accounting for 44 percent of all financial malware infections today. In a different genre, the Stuxnet virus that was used against Iran’s power plants, is considered one of the most sophisticated computer threats ever created, exploiting four different vulnerabilities at a time. Internet attacks today not only impact individuals, but are increasingly targeting organizations. They are essentially driven by globally dispersed cyber-criminals, organized in networks and motivated by rapid, difficult to track financial profit, and intellectual property theft. In 2010, cyber crime cost businesses over two billion dollars in financial loss. We can only expect this figure to increase in 2011, prompting enterprises to opt for a proactive and solid network protection, such as Intrusion Prevention (IPS). Trend #5: IT Consolidation and Security Complexity Managing the complexity of security is a growing concern, frequently raised by organizations of all sizes. According to the InformationWeek 2010 Survey of security decision makers, it is by far the biggest information and network security challenges companies face currently. This is understandable. Security environments today have become more complex than ever, as businesses constantly struggle to raise their level of security and cope with the latest security threats. As they add more layers to their security infrastructure and deploy a variety of point products for specific protections, organizations often end up managing 15 different systems, vendors and platforms. Not only does this become very difficult to manage, it is also not very efficient and can be very expensive, financially and operationally. Administrators need to manage a multitude of network security technologies and point products, such as: IPS, Firewall, VPN, Anti-virus, Anti-Spam, Network Access Control (NAC), Data Loss Prevention (DLP) and URL Filtering, to name a few. Not only do organizations need to deploy these various technologies on the network level, but are also faced with managing these protections on a growing number of endpoints, such as smartphones, laptops, and other portable devices used for business. As if this wasn’t enough, network traffic itself has become incredibly complex. More and more applications are driven over the network - some for personal use, some for business use. In addition, today, applications are delivered by both external vendors, cloud based applications and internally. Last but not least, regulatory compliance is yet another element further adding to the security complexity that make the administrator’s life even harder. Trend #6: Data Security and Data Loss From customers’ databases, credit card information, business plans and financial records to corporate emails — the amount of electronic data is clearly proliferating within enterprises. Safeguarding these multi-gigabits of sensitive data is an absolute must for businesses, if they don’t want their innermost corporate secrets to be leaked and exposed to the outside world. According to a 2010 Ponemon survey, the average organizational cost of a data breach has continued to increase year over the year, reaching an astronomic average of 6.75 million in 2009 alone. Interestingly, among all the companies that suffered data loss, a very large majority were not compliant with PCI DSS requirements. The major sources of data loss across organizations and enterprises include: USBs and laptops, corporate email, public webmail, Wi-Fi networks, CDs and DVDs. In fact, approximately one of five emails that leave the corporate network contains content that poses a legal, financial or compliance risk. Luckily, there are security measures, such as media/hardware encryption or a preventative data loss solution that can help organizations alleviate that risk. The Wikileaks case should serve as reminder to all companies about the need for a layered and holistic approach to data security — so that sort of lighting doesn’t strike. Trend #7: Web 2.0 & Social Media Web 2.0 has become an integral business tool today and has found brand new legitimacy within the workplace. An average user spends about one quarter of his working day surfing on the Web, sharing content, downloading files, chatting, blogging or watching online videos. Facebook, which is leading the social networks race, has become the third largest populated application platform in the world and monopolizes about 7 percent of all business network traffic every day. Businesses should prepare to face the increased risks associated with enhanced social networks and Web 2.0 application usage. According to The Economist, 45% of the 100 most popular websites support user-generated content, and 60% are infected with malware. In addition, many web applications present vulnerabilities, for which no patches are supplied by vendors. Therefore, in 2011 it will be vital for enterprises to start reinforcing their — and their employees’ - security policies. This level of application control enables organizations to enforce better, more effective security, without inhibiting employees. Because traditional tools like IP-based firewall policies and URL filtering have reached their limits in the Web 2.0 environment, organizations need new security controls that can differentiate between the thousands of applications running on the Internet. Businesses should have better visibility and more granular application awareness so they can distinguish different applications that share the same protocol and ports across the firewall, and so they can better monitor and manage application and platform usage. Trend #8: Governance, Risk & Compliance: enterprises’ bottleneck Enterprises are under a regulatory compliance overload — not to say, overdose. Organizations today not only struggle to keep up with all the various vertical regulations, but also with a variety of state laws, E.U. directives and other local data privacy and data breach notification laws. Public companies, for instance, need to adhere to SOX (Sarbanes-Oxley Act). Health care organizations need to adhere to HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health), as well as PCI DSS (PCI Data Security Standard). Financial services institutions need to adhere to GLBA (Gramm-Leach-Bliley Act), as well as BASEL II. Those are only for the most common and standard regulations. Such regulations are meant to protect customers, employees, partners or investors from fraud and identify theft. Yet for organizations, they end up being a big burden for IT staff and security budgets. For instance organizations that reside in countries with data breach disclosure laws, tend to have higher data security spending than in countries that don’t have such laws. According to the Information Week 2010 survey, industry and government compliance mandates are the most influential factors driving security programs today. As companies start massively virtualizing their data centers and IT environments, the level of security complexity will continue to rise. Trend #9: Cost reduction Despite the economic recovery in progress, businesses are still under pressure to drive down infrastructure and operational costs. IT budgets remain tight, and CIOs are looking for the biggest cuts in their budget line items: current operating costs. For IT administrators this translates into a simple adage: do more, with less. Maximizing their security spending, optimizing security resources and getting the most out of their security systems and infrastructure will be crucial for businesses in 2011. In an effort to maximize return on investment (ROI), one can expect enterprises in 2011 to be more inclined to look at 'must-have' technologies, rather than 'nice to have' technologies — and most importantly, solutions that can evolve as their business grows and as new threats emerge. Given the increased financial pressure on enterprises, the spotlight will certainly remain on cost-saving technologies, such as virtualization and cloud computing. Trend #10: Green IT Last but not least, Green IT remains one of the top ten trends that we will emphasized in 2011. With soaring energy prices and increased consumer awareness of the danger to the environment, organizations will have to get serious about the migration to green tech. Yet, this green IT trend is also conveniently used by savvy IT leaders to marry ecological aspirations with financial reality. Conclusion Keeping up with all these different trends and meeting all these various requirements is a huge challenge for enterprises. The 2011 IT administrator’s check list appears very long, including: a) meeting IT governance, risk and compliance (GRC) requirements; b) preventing the loss of sensitive data; c) securing and managing Web 2.0 applications; d) securing all fixed and mobile endpoints; e) protecting against attacks and evolving threats; f) securing the virtualized and cloud environments g) reducing the IT spending. Enterprises trying to address these various security challenges need a different approach - one that instead of offering a plethora of different security products, addressing each problem one by one, would rather help them build a flexible and extensible infrastructure that provides security for all these different areas, and can grow with the organization’ evolving security needs. For more information, please visit www.checkpoint.com Media Contact Srisuput Siangyen Mind PR Co., Ltd. [email protected]