To Infinity… and Beyond! The security edition…

In security, annual recaps and predictions are often depressing and not particularly insightful. Let’s face it — it isn’t difficult to assert that there will be more nation-state involvement in increasingly sophisticated cyber attacks against foreign and domestic targets, all amidst a backdrop of a security paradigm that is perfectly aligned with … the past.  Throw in the tech-platform trifecta of cloud, virtualization and mobile — and anyone can be an expert with a 100-percent success rate.

It might be a bit more insightful to suggest that the online socio-cultural climate is changing the way we think about friends and enemies, spanning geographic borders while also flattening the peaks and valleys of trust all around, but that is not particularly useful to the IT security professional.

So maybe it will be worth discussing longer-term security trends that don’t follow the annual earth-around-the-sun cycle and are playing out slowly across our technical universe.  That’s what I’ll examine from this point on.

Technology trends revolve around consolidation and distribution of resources, and we have been sitting in the wake of two larger trends for the past several years – virtualization and ubiquitous networking.  This allows us to collect and package different types of resources and then redistribute them in clever ways.  Thus, we get cloud computing (aggregated network-available resources) and mobile devices (distributed personal resources) working together as the logical conclusion to this phase of technical development (next in line: grid/p2p/nano computing).

With these new technologies, people are essentially “jacked in” to the Internet, having liberated themselves from physical locations and physical machines.  This ongoing disaggregation requires a move from the traditional layered security model to one of “tracers and tethers” (TnT) that consolidates protection around key assets – wherever they are – and monitors them and ties them back to centralized management locations.  In the Marine Corps, we called this centralized control with decentralized execution; in IT security, we could call this separation of the policy decision point (PDP) from the policy execution point (PEP).

With the TnT model in mind, it is worth identifying the key pieces crucial to its success. Here they are:

  • Conscientious software – talking about software liability is absolutely destructive.  But there is no reason software vendors shouldn’t be doing a better job of describing their software in some sort of machine-readable language that could be used by host intrusion prevention solutions (that already do this) or even by the software itself to self-regulate.
  • Remote attestation – I hope every time you hear about Web 2.0, service-oriented architecture, virtualization, grid computing, and other buzzwords that you are concluding that remote attestation, using cryptographic verification of integrity and authenticity, is a near-term requirement. Yes, PKI lives.
  • Microsecurity – To heck with generalized, coarse controls. We need to design scalable models to address the most fine-grained, detailed security policies ever.
  • Contextual mapping – Men, beware, there is no driving without maps, but GPS is NOT cheating.  All of this flexibility in architectures is going to make the management of contexts crucial to the success of a security program.
  • Hyperdynamic processing – Darn straight, I am making this name up.  What do you get when you combine live migration with address space layout randomization (ASLR)? Well, hyperdynamic processing, of course!  Think about stable, transaction-oriented sessions (can I say that?) running in random locations across the Internet providing protection against lower-layer targeted attacks while maintaining a stable application environment.

I have to come clean here – trends be damned, this exercise is really more about hope than anything else.  Our ability to protect IT of the future is rooted in it.