With the emergence of the Internet of Things (IoT) and the continuous growth of cloud adoption among small businesses and large corporations, it is no wonder that the security industry is going through an unprecedented time of challenge and re-invention. But if we were to focus on data security alone, what would we recognize as the emerging trends and needs?
Cloudifying the Security
This is an interesting paradigm. It is all about providing Security as a Service (SECaaS), which is essentially an outsourcing model for security management. The irony lies within the fact that SECaaS will use the cloud as a mainstream deployment platform, when part of its own reason of existence is to enhance the protection of…the cloud!
SECaaS has evolved from delivery of a security software (such as an anti-virus) on a Software as a Service (SaaS) model to security management provided in-house by an external organization. Generally, large security service providers integrate their products into a corporate infrastructure on a subscription basis, making security more cost effective to large corporations.
The growing trend in the SECaaS sector is for the provisioning of authentication and security event management services, which brings SECaaS a step closer to Security at the Core – the ultimate objective of security implementation.
The benefit of SECaaS, aside from traditional cost savings, speed of deployment and ease of scaling inherent to cloud products, is continuous protection, due to the constantly updated threat databases.
Emerging players such as Cloudbric, CloudFlare and Incapsula are now offering SECaaS free of charge, therefore, challenging existing major players like Avast. Business models may change in this market in the coming years, with more traditional players having to adapt to remain competitive.
This trend will consist in broadening the scope of SECaaS, while strategic alliances and possible acquisitions may occur in the process.
Improving Authentication …
A significant issue in data security is data hijacking, or compromising by usurpation of digital identity. The only solution to this problem is improving the accuracy of authentication.
Of course, authentication challenges open the door to biometric security. There is nothing more difficult to impersonate than a consistent set of biological footprints.
More and more players are becoming involved in these concepts. For example, fingerprint-based security systems are widespread in the physical world (building security, safes, cars, etc.) and in online-related items like smartphones. But will biometric security dominate? It is certainly trendy at the moment and will reduce costs as technology evolves and scales.
IoT may be a key enabler as well. It makes sense to secure connected objects with simple biometric identification, again as mobile phones do now, so the trend will most likely benefit from a noticeable uplift in the near future.
… To Provide the Right Authorization
Authorization is the step that comes when identification (‘I claim I am somebody’) and authentication (‘I managed to prove I am who I claimed to be’) have been successfully achieved. Authorization is generally coupled with access control: what data can I access with the privileges associated to my profile?
Access control is a key aspect of data security. Practitioners have to balance data availability versus unauthorized data usage, knowing that hackers often target privileged users as their accounts provide a beachhead into the entire network.
In the near future, the challenge to solve this will relate to segmenting the data in such a way that it is actually useable by its consumers, while sufficiently compartmented to mitigate the risk of significant hacking. It will also be coupled with the necessity to achieve (or get close to) a state of ‘Positive Identification,’ which is notoriously difficult to achieve.
While the concept of ‘proving who you are claiming to be’ is quite simple, it requires a complex set of elements to be efficient and reliable. It starts with the definition of the evidence required. Is a photo or signature sufficient? Is a biometric component? Once defined, next comes the issue of gathering this information, especially for online systems. What proves that the passport, fingerprints and signature you present are actually yours?
This leads to the challenge of vetting the identification parameters provided. In the offline world, a study of the applicant can take months or years. Sources are cross-referenced, items are verified and testimonials are gathered. It is impractical to replicate this in the online world.
Finding a way to make it easier and faster, while maintaining the reliability of the concept is an interesting challenge and may well turn into an emerging trend.
(About the Author: Stephane Ibos is CEO and co-founder of Maestrano, a cloud services business management platform, which serves SMBs and Enterprise customers in more than 17 countries).