Pulse Secure 2016 security trends & predictions

Pulse Secure 2016 security trends & predictions

There is no disputing the fact that 2015 wasn’t a great year for IT security. We saw a number of high profile breaches and this was also true for the Middle East. The rise of BYOD, Cloud, IoT and virtualisation have only added another layer of complexity when it comes to enterprise security, writes Abdul Rehman, Regional Manager, Pulse Secure.

As we bring down the curtain on 2015 and head in to 2016, it is worth reflecting on some of the trends that will shape the security landscape for the next few years.

CASB is not a silver bullet

According to the definition by Gartner; Cloud Access Security Brokers (CASBs) are on-premise, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorisation, credential mapping, device profiling, encryption, tokenisation, logging, alerting, malware detection/prevention and so on.

CASB has gained some interest and serves a valid purpose but 2016 will see the shine wear off for some early adopters. The concept is a strong one, but there are some fundamental issues that may be overlooked as organisations rush to stick a bandage on what seems to be the wound of allowing uncontrolled access to ad-hoc application like Box, Dropbox and Google Drive. The first issue is that it adds another disparate layer to the security management stack.

A layer that is, at least for the moment, not well integrated with the devices, workflows and policies of the organisation. The second issue is duplication; many of the functions offered by CASB are already available in solutions already deployed and understood by the enterprise. For green-field sites with no IT security infrastructure and complete reliance on cloud based apps, CASB shows potential but for the majority of enterprises that mix and match on-premise, hosted, cloud, off-shelf and bespoke applications across multiple OS’ and devices; CASB, at least at this generation is more of a hindrance than a benefit.

The continued rise of BYOx

Now that bring-your-own-device is firmly in the lexicon for many corporates, 2016 and beyond will start to unlock far more potential as organisations start to fully appreciate both the benefits and perils that individual freedom exposes. What started as employees wanting to use laptops with corporate apps has quickly spread to tablets, phones and in the future might include a lot more devices. The rise of Bring-your-own-“x” could mean that last letter will include apps and cloud resources that allow knowledge workers in particular to do more than the limits of corporate provided technology.

We have already seen growing uses of ad-hoc file storage and file distribution through the rise of technologies like Dropbox and Wetransfer. In 2016, expect employees to want to bring data into other areas like surveying tools, analytics and knowledge-bases that are not directly in the control of corporate IT. Organisations need to be ready for this new wave of device demands and think about building platforms that can cope with the X factor.

Embrace the amorphous perimeter

In the supposed “good old days” of IT, the firewall was king of the perimeter. It knew all and saw all. That was a myth – in essence the firewall was more like a swipe card on a locked door, it offered only a modicum of intelligence. The modern IT environment has lots of doors, turnstiles, serving hatches and all manner of access points that are controlled based on both fixed and highly dynamic policies. We have reached the era of the amorphous perimeter where insight into who, what and the why of access is critical to enable successful and dynamic business processes. The old notion of the firewall as the center has passed and 2016 onwards will be more about identity which will help build flexible access based on authenticating the user. This will not be at the expense of security which is enhanced by having more visibility.

Time for the Security of Things

According to the analysts at IDC, the Internet of things will generate $7bn in revenue by 2020, a year in which telecoms firm Ericsson estimates that 25 billion devices will be connected. The larger impact to society is probably a much larger order of magnitude as transportation, energy and healthcare amongst an almost endless list gain benefits from connected devices. However, as more devices become exposed to open networks connected ultimately to the internet, security needs to be at the forefront of the revolution.

As witnessed in the history of IT, getting agreement on standards is a hard battle and IoT with its multiple and largely competing technology blocks is no exception. What is clear is that security technologies need to be transparent to the user experience. Hopefully, 2016 onwards will see these competing groups at least agree on common security mechanisms, effectively a security-of-things coming together that can create some basic building blocks to mitigate risks and pave the way for wider adoption of IoT.

Building the new security stack

There is a realisation that the wave of new operating systems and devices arriving from the consumer space, with iOS and Android leading the charge, are here to stay in the corporate IT world. What started out as BYOD projects or in some cases ignored by formal IT has become a fundamental component of the landscape which cannot be ignored. This shift is forcing organizations to fundamentally redesign the security stack. The old mind-set of company owned and controlled devices created a desire for rigid device builds and software stacks, often underpinned by PKI and fixed VPN requirements.

Instead of Identity Access Management (IAM) being viewed as a standalone asset, in the future, it will be joined by Enterprise Mobility Management (EMM) as part of a coherent and seamless security stack. Analyst firm Gartner predicts that by 2017, EMM integration will become a critical IAM requirement for 40 percent of enterprises, up from fewer than 5 percent in 2014. The new security stack also needs to take the cloud into account but the likelihood is that security systems will stay in-house as few organizations are willing to outsource control of the keys to the kingdom.

Switching to an identity and device based model

According to 2014 research by GlobalWorkplaceAnalytics roughly half of the US workforce holds a job that is compatible with at least partial telework and approximately 20-25% of the workforce teleworks at some frequency. This statistic has similar comparisons to other developed nations. Yet teleworking is only half the story. Mobile access to IT is on the rise from using remote systems during customer visits to collaboration with partners; access to IT needs to be more flexible. What has gone from a physical, location centric activity is now shifting towards an Identity and device based security model.

A great example of this trend is the use of the smartphone within 3 factor authentication schemas gaining popularity with internet banks. Looking forward, more organizations are going to start to look at the security benefits offered by mobile devices that are generally tied to a single user. This requires acceptance that BYOD is more than just a fad and a slight shift in mind-set that embraces rather than fights against more freedom of IT access.

With all the very public security breaches at household names, users are actually more accepting of security measures insisted upon by an IT department that make their personal/work devices more secure. Considering that human error is consistently a top root causes for security breaches, 2016 will see an increase in the number of very large organizations that start to mandate Enterprise Mobility Management across not just one device but every device that a user interacts with and can have an impact on the IT environment.

RIP passwords

Passwords are still the cornerstone of much of the security process. But passwords as the primary security method are just a bad idea. This can be proved with a simple test: Think of your internet banking password, Amazon password, PC login password, email password and now a birthday that is special to you. If two of these things are the same or very similar; then there is a problem. Considering breaches that steal sensitive personal data and login credential are often not discovered for many months and in some case are never discovered; it is not surprising that this data then leads to further breaches and issues like digital identity theft.

The use of passwords persists because they are easy to implement and only briefly hinder the sign up process for new users. According to a 2014 survey by Sophos, the average person has 19 passwords with about a third considered “Weak”. The next few years will see some major changes. Firstly, there is a rise of authentication based on physical devices. This includes tools that use SMS messages, device profiling and IP addresses. In addition, two factor technologies are dropping in cost and ease of deployment.

If we learned anything from 2015, it is clear that security can no longer be an after-thought or just another IT to do. While enterprises will continue to invest in the Cloud, IoT and Virtualisation, the onus is on enterprises and IT teams to ensure that security does not get lost in the shuffle and if anything, actually is a the top of the priority list.

Click below to share this article

Browse our latest issue

Intelligent CIO Middle East

View Magazine Archive