Outsourcing, grid computing, and hacker professionalism are trends that cannot be stopped, and the sum total of those factors will have a dramatic effect on the way businesses attempt to protect their IT system in the future, researchers and analysts agree.
The intersection of groundbreaking new IT architecture and previously unparalleled levels of professionalism among writers of malware attacks will result in an increasingly challenging electronic business environment, according to speakers at the ongoing Source Boston 2008 conference.
And while such estimations are sometimes characterized as fearmongering set in motion by an IT security industry dependent on the presence of new attacks to keep its coffers full, the assembled experts appeared to suggest as many answers as they proposed potential problems that need to be solved.
Each technological step forward should present its own array of security challenges and create new opportunities that force companies to continue to reassess their defenses, the presenters said.
Even mature IT trends such as outsourcing are having a significant impact on the changing manner in which businesses address security today.
"The reality is that we will be outsourcing some security functions," said Rich Mogull, an industry analyst with Securosis. "Organizations need to both take advantage [of outsourcing] where it makes sense and integrate outsourced security opportunities. At the same time, companies can't transfer all of their risk by handing off responsibilities to someone else; just because someone is handling your credit card information, customers won't let you off the hook if something goes wrong."
Companies will increasingly apply a mix of on-premise IT defenses and "in the cloud" security services to maximize their ability to thwart attacks and to adjust their protection to account for other outsourced operations, the analyst said.
"Companies will have a mix of outsourcing and in-sourcing," said Mogull. "For security, especially for things like firewall management, outsourcing absolutely makes sense. You'll also have companies outsourcing workstation systems management, and eventually they will outsource antivirus management as well."
And just as attackers have leveraged the potential of grid computing via botnet systems that some experts estimate to be as powerful as the world's largest supercomputers, the IT security industry must likewise tap into distributed processing power to better protect customers, the presenters said.
With the bad guys already getting deep into grid computing, it will be crucial to fight firepower with firepower, they said.
"Companies will be distributing security [capabilities] to help figure out ahead of time where anomalous things are occurring; technologies will take advantage of distributed [sensors], virtualization, and grid computing to garner data using the herd mentality," said Chris Hoff, chief architect of security innovation at Unisys. "When you think about infrastructure in 10 years, instead of thinking about where virtualization gets us in terms of consolidation, [think] about distributing [security] processes to pools of memory and computing power."
Based on those major trends and other new paradigms, including virtualization, SaaS (software-as-a-service), and SOA, companies will also have to consider new ways to address the issue of maintaining less concrete perimeters for their networks and IT systems.
As evidence that major security vendors already understand this emerging shift, the experts highlighted the fact that more than 20 such companies immediately signed on to help support new systems-defense tools from virtualization market leader VMWare, even though the technology being pitched is still under development.
"The concept of re-perimeterization will involve taking the [existing] perimeter and making it stronger, condensing it in places, and adding all sorts of little internal perimeters," said Mogull. "It's not that the perimeter will disappear soon, but it will consolidate. Companies don't have a choice about this; with remote workers and virtualization, this is already happening today."
However, perhaps the biggest shift in IT security is one that is already transpiring around information protection, as companies shift their primary focus away from systems defense to safeguarding their valuable data.