This past year has been a doozy in the security world. We kicked off the year by discovering operation Aurora, saw the first national-industrial sabotage attack with Stuxnet and are closing the year with Wikileaks about to become a constitutional crisis between the First amendment and a 1917 espionage law. Reality has well and truly become weirder than fiction.
Let me dive in and make some predictions for security in 2011:
Device explosion: Continuing from 2010, consumer devices flood corporate networks with security professionals trying to come to grips with all the new risks introduced. The good old days of only worrying about Windows are truly gone. Tablets, smartphones and other devices will push the ratio of devices/people well past 1-to-1. Desktop virtualization will expand a lot beyond just laptops and thin clients if we want to secure data on mobile devices.
Internet censorship and control: The "free" Internet is annoying too many governments and corporations. In 2011, the U.S. government will try much harder to impose controls, censorship, prior restraint and eavesdropping on the Internet. Expect to see unconstitutional laws passed and then challenged. Freedom of speech is far less popular in practice than it is in the abstract and it will be up to a small minority to vigorously resist pressure to abandon principles of free speech, net neutrality and content neutrality.
Breach notification: Gradually and with little noise, breach notification has become the highest impact regulation. Forget fines - just buying credit monitoring and sending letters to the 500,000 people whose identities you lost can cost tens of millions of dollars and wipe out your business. Breach notification cost scales with the size of the database you lose, yet your security budget and controls do not. Your only hope might be to buy insurance. Expect more businesses to disclose massive losses and then face massive notification costs.
Cloud computing privacy: In 2011, cloud computing (IaaS, PaaS or SaaS) adoption becomes big enough that you have the first legal skirmishes over the "expectation of privacy" in such environments. The feds will try to grab data without warrants. Hopefully, the service providers will push back. Either way, the legal parameters around ownership, privacy and lawful search & seizure will become better defined through legal precedent. Let's hope the new parameters don't make cloud unusable for anything other than Farmville.
Identity: Identity management, federated identity and identity-based controls continue to rise in importance, eclipsing location-based security. Mobile users and systems demand this new paradigm and the market is gradually responding. Cloud computing will only make the need for robust identity even more obvious and pressing.
Consolidation: The security market is incredibly fragmented, but it has been consolidating for years. Expect that consolidation to accelerate in 2011, as economic conditions and the IPO-disincentive of SOX make more companies opt for innovation-through-acquisition. Once again, customers are left with impossible choices: standardize on an incomplete suite of products from one vendor or try to integrate multiple vendors without any worthwhile open standards to do so. End up with swivel-chair management (multiple management consoles) either way.
While these predictions might provide a road map for upcoming trends, the security industry is punctuated by the unexpected, the disruptive and the outright extraordinary. That's the nature of an adversarial innovation arms race and that means plenty of good material for discussion. Happy New Year and thanks for reading!