‘What 2 things are most likely to change the security industry in the next 2 years? And why?’
Mobility is going to necessarily change the security industry. And not just geographic or device mobility of users but mobility of applications and networks. SDN, cloud and BYOD are all converging on security professionals like ants to a picnic. So many of the traditional tools and methodologies the security industry relies on for visibility and control depend on fairly static network and application topologies. These are rapidly disappearing. Policies cannot be static, they can’t be based on IP addresses, and they can’t assume any particular topological route. Security professionals are going to need to move up the stack along with operations and network teams and focus more on applications, on user identity, and contextual data to ensure compliance with corporate security policies. They’re going to have to look to new ways of monitoring and ultimately enforcing policies outside the data center perimeter. The use of cloud – and in particular SaaS – for myriad business functions is not going to slow down. Security needs to find ways to not only monitor but act on aberrations in user behavior or violations of policy that occur when employees interact with those cloud-based applications.
Social is forcing its way into the enterprise, and security needs to be ready to deal with it. While it is not likely that social logins themselves will ever become the status quo for authentication and authorization inside the enterprise, it is true that the principles behind social will. For decades we’ve been trying to find a single-sign on solution that just works, and social seems to have accomplished that task. Security professionals should actually be pleased by that, as federation of identity (which is really all social login is) will afford them greater opportunities to track and enforce policies based on identity, rather than on the shifting sands of IP and network-based attributes. “Social” will enable security teams to craft more flexible policies to govern access because those policies won’t be tied to topologies. Instead, they’ll be based on the business risk incurred by allowing access to data from the unique combination of user/device, network and application.
Lori MacVittie | F5, Sr Product Manager | @lmacvittie
To find out more about our panel members visit the biographies page.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.