RSAC 2011: Looking to the Future
As we wrapped up the week at the RSA Conference, I went from looking backward to looking forward. There was a lot of talk about things we already know that we could be doing better, but there’s always the undeniable fact that the IT/security landscape, and the threats that come with it, are constantly evolving.
What do we see as we look forward, not just into 2011, but beyond?
Cloud, cloud, cloud: Top of the list, let’s just get it out of the way. We actually heard a couple of times from presenters at RSA (even speaking on unrelated topics) that they were asked to be sure to talk about cloud computing/security, so we know it’s already at the forefront of people’s minds (whether you want it to be or not). The concepts of cloud computing and cloud-based services are not so new anymore, and some really neat uses have come out of them (like cloud-based AV signature development, and the cloud-based fuzzy network perimeter). Auditors will learn how to incorporate it into their frameworks, vendors will learn how to deal with it, and we’ll still be left with a lot of data and a lot of tools we have to manage.
Multi-vector attacks are becoming the norm. From WikiLeaks to Stuxnet to the Verizon Data Breach Investigations Report, we keep seeing threats combine their powers to form a more complex attack. Social engineering and phishing, malware deployment, malware download, zero-day attacks, botnets, keyloggers, USB devices, physical security breaches… the possible ways to combine these attacks leave us wondering not if, but when we’ll be breached. The challenge is to think big and to understand and protect what’s important.
Mobile and user-owned devices have become more common. Smartphones and user-provisioned machines represent two things IT hates: a lack of control and a lack of visibility. One of the speakers at RSA had an interesting slide, moving us in time from mainframes all the way to the current mobile (and cloud) computing models that have challenged our concept of what’s important.
The next phase requires us to think not just about the endpoint, but what it is about the endpoint (and our network, and our data) that we’re trying to protect. Focusing on the data, not just the nodes on our network, helps us prioritize and look at how other technologies (like DLP) really fit into that landscape. Most IT/security environments will have to face multiple issues – securing what they can control down to the endpoint, identifying the risk of what they can’t, and addressing issues that also represent physical security and access concerns.
The market for vulnerabilities continues to move from quantity to quality. We’ve all heard about the Advanced Persistent Threat (APT) – which apparently has topped the list of top 10 security concerns for CIOs in a kind of “squeaky wheel” effect. As pointed out in a Friday presentation on Cyber Security Trends for 2011, the reality is most of us don’t have classified, life-and-death data that we’re protecting against a WikiLeaks-style exposure. What we do have is business-specific information (healthcare records, credit card data, intellectual property) and business process information (details on strategic advantages, sales and contract processes) that could both be exposed and used against us in creative ways.
Attackers are looking toward things like account credentials that provide continued access rather than a massive one-time breach of credit card numbers. Tools that focus on the data become more important – forcing IT/security to think more about the business and to really become part of the business processes themselves. Maybe auditors will join us in thinking this way, too – it’s not just about compliance, it’s about securing the business.
What do you see as you look forward, not just into 2011, but beyond?
There’s always a wealth of information presented at IT/security conferences and RSA is no exception. It’s hard to sum up a week-long tour of information security into a few quick blog posts, but we’d love to hear your thoughts. For those of you who attended the RSA conference (or just read all of the press, shared slides/notes, and any videos), what were your takeaways on the current and future problems of IT/security as we know it? What should have been on our list that we missed?
*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Nicole Pauls. Read the original post at: http://blog.trigeo.com/2011/rsac-2011-looking-to-the-future/

