Security concerns for the coming year
OVUM VIEW
The big security themes for 2012 were mobile device and application protection, lack of cloud-based security, data-loss prevention, and the need for Big Data management. If advanced protection requirements and increasing compliance demands are added to the equation, most of these issues will continue to retain a strong influence over proceedings during 2013 and beyond. The thing that is changing is what security professionals believe about the way in which these issues should be addressed.
There is an urgent requirement to look more closely at the latest attack trends and to deal more effectively with advanced threats. At a time when all organizations are at risk from stealth attacks, the challenge is to know how effective existing protection strategies are, and to understand what is working and what should be replaced. Businesses need to get the security balance right. They need to be able to share information with trusted partners, but still ensure that regulatory compliance requirements are met.
Infrastructure and device-management changes will have a significant impact on data-protection requirements
Over time, the growing use of new-generation mobile devices is going to reduce the Wintel (Windows operating systems running on Intel processors) stranglehold over the business community. We may still be at the stage where the prestige of owning and using these shiny new toys outweighs their business value, but that position is already changing. The business value of various tablets and smartphones is growing, and as a result, in the coming year the device and data-protection demands on security professionals will increase. The break-up is likely to be messy as common endpoint-protection requirements start to fragment after years of monopoly-driven consistency.
For security managers, the considerations may include the option of maintaining data controls elsewhere, and with it the potential to turn endpoint devices into virtual display screens with update capabilities. By using this approach, information can still be delivered on an anytime, anywhere basis, but the source data may be held and secured in a remote data center controlled by the organization or a cloud-based service provider.
Going forward, senior executives and middle managers will continue to favor their Macs, iPads, and smartphones, but for the vast majority of business users it is likely that organizations will want to standardize on a smaller range of device types and improve the controls over the systems, applications, and data their users have access to. Security professionals recognize that the push for consumerization within business environments will continue, and that the security challenge will be to add business value to service-delivery channels through the delivery of secure access and security-management services.
The impact of 4G is likely to be a game-changer for BYOD and business users
The combined Orange and T-Mobile approach to delivering the first 4G network facilities under the Everything Everywhere (EE) brand is seen as having the potential to build on current BYOD demands. At the higher end of the scale, it will offer greater opportunities for a single device to fulfill business and social demands. Senior and middle managers are likely to be comfortable with an EE always-online approach that gives them personal as well as corporate access away from the office without having to fire up a second machine.
The always-connected mentality also suits a growing number of employees who want to stay connected at home, while commuting, and outside working hours. They are happy to check business communications while watching TV using a single connected device. However, it is recognized that the one-device argument may have only limited and short-term appeal.
It is already the case that the last thing the majority of employees want to do when arriving home is check their work email. Going forward, as the personal commitments involved in BYOD become clearer, employees are more likely to want to operate one device that is theirs and has nothing to do with work, and then use a single company-owned device for all commercial purposes. This preference for a separation of duties in 2013 is likely to be driven by BYOD privacy-intrusion concerns. These will include the employer’s ability to track device locations, control installed software applications, and the power to remove private as well as business data.
For the business, a separation of ownership may reverse the trend of supporting an ever-widening range of mobile platforms. Keeping costs down will again become the driving force. Purchasing decisions are likely to be based on what is the cheapest, easiest to support, and most robust piece of kit that can be rolled out to as many users as possible. From a company cost-saving perspective, BYOD take-up is also likely to falter if employees demand payment for using and adding software licenses to their machines.
Organizations take a vastly different view of future security requirements
There may be vastly different security requirements across public and private sector organizations, but there is a common recognition that data-protection requirements need to change. The impractical “classify everything” approach has proved too difficult, and while not true for all sectors of business, the amount of sensitive data that will severely impact a company if disclosed is thought to be much smaller than many security managers previously believed. This is one area where the 80/20 rule does not necessarily apply. In many organizations the percentage of data that falls into the most sensitive categories, and needs to have the highest levels of security built around it, can be as little as 1%. Similar distinctions can also be made in the identity-management space when determining which users should have access to highly sensitive areas of the business and the strong authentication credentials needed to control that access.
In some highly regulated industries all senior personnel need to be rated on the level of risk they present. Typical risk parameters include propensity to travel and areas visited, business role and access rights, and the nature of the business itself.
In some organizations the carrot-and-stick approach to educating users is being tried. For example, if employees fail to respond to security reminders, their systems access may be curtailed or even removed. Operational problems have been encountered, but the general feeling from IT is that awareness quickly improves.
At the other end of the scale, the charity sector tends to have a completely different set of security-management views. Senior people (board members) are often volunteers and might be allergic to technology. If this is the case they will print everything needed for meetings and are therefore much more likely to leave confidential documents, rather than a mobile device, on a train, for example. The usage challenge here is therefore more about individual risk and accountability and the need for education on basic security matters.
APPENDIX
Author
Andrew Kellett, Principal Analyst, Security – Infrastructure Team
Further reading
Cyber activity is keeping the CISO awake at night (Ovum opinion, July 2012)
Securing data is all about devices and users (Ovum opinion, August 2012)
Disclaimer
All Rights Reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the publisher, Ovum (an Informa business).
The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions, and recommendations that Ovum delivers will be based on information gathered in good faith from both primary and secondary sources, whose accuracy we are not always in a position to guarantee. As such Ovum can accept no liability whatever for actions taken based on any information that may subsequently prove to be incorrect.