There is no disputing the fact that 2015 wasn’t a great year for IT security. We saw a number of high profile breaches and this was also true for the Middle East. The rise of BYOD, Cloud, IoT and Virtualisation have only added another layer of complexity when it comes to enterprise security.
As we head in to 2016, Abdul Rehman, Regional Manager, Pulse Secure, reflects on some of the trends that will shape the security landscape for the next few years.
CASB is not a silver bullet
Cloud Access Security Brokers (CASB) have gained some interest and serve a valid purpose but 2016 will see the shine wear off for some early adopters. The first issue is that it adds another disparate layer to the security management stack. A layer that is, at least for the moment, not well integrated with the devices, workflows and policies of the organisation.
The second issue is duplication; many of the functions offered by CASB are already available in solutions already deployed and understood by the enterprise. For green-field sites with no IT security infrastructure and complete reliance on cloud based apps, CASB shows potential but for the majority of enterprises that mix and match on-premise, hosted, cloud, off-shelf and bespoke applications across multiple OS’ and devices; CASB, at least at this generation is more of a hindrance than a benefit.
The continued rise of BYOx
Now that bring-your-own-device (BYOD) is firmly in the lexicon of most enterprises, 2016 and beyond will start to unlock far more potential as organizations start to fully appreciate both the benefits and perils that individual freedom exposes. What started as employees wanting to use laptops with corporate apps has quickly spread to tablets, phones and in the future might include a lot more devices. The rise of Bring-your-own-“X” could mean that last letter will include apps and cloud resources that allow knowledge workers in particular to do more than the limits of corporate provided technology.
In 2016, expect employees to want to bring data into other areas like surveying tools, analytics and knowledge-bases that are not directly in the control of corporate IT. Organisations need to be ready for this new wave of device demands and think about building platforms that can cope with the X factor.
Embrace the amorphous perimeter
We have reached the era of the amorphous perimeter where insight into who, what and the why of access is critical to enable successful and dynamic business processes. The old notion of the firewall as the center has passed and 2016 onwards will be more about identity which will help build flexible access based on authenticating the user. This will not be at the expense of security which is enhanced by having more visibility.
Time for the Security of Things
According to the analysts at IDC, the Internet of things will generate $7bn in revenue by 2020, a year in which telecoms firm Ericsson estimates that 25 billion devices will be connected. The larger impact to society is probably a much larger order of magnitude as transportation, energy and healthcare amongst an almost endless list gain benefits from connected devices.
However, as more devices become exposed to open networks connected ultimately to the internet, security needs to be at the forefront of the revolution. As witnessed in the history of IT, getting agreement on standards is a hard battle and IoT with its multiple and largely competing technology blocks is no exception. What is clear is that security technologies need to be transparent to the user experience. Hopefully, 2016 onwards will see these competing groups at least agree on common security mechanisms, effectively a security-of-things coming together that can create some basic building blocks to mitigate risks and pave the way for wider adoption of IoT.
Building the new security stack
There is a realisation that the wave of new operating systems and devices arriving from the consumer space, with iOS and Android leading the charge, are here to stay in the corporate IT world. What started out as BYOD projects or in some cases ignored by formal IT has become a fundamental component of the landscape which cannot be ignored. This shift is forcing organisations to fundamentally redesign the security stack.
The old mind-set of company owned and controlled devices created a desire for rigid device builds and software stacks, often underpinned by PKI and fixed VPN requirements. Instead of Identity Access Management (IAM) being viewed as a standalone asset, in the future, it will be joined by Enterprise Mobility Management (EMM) as part of a coherent and seamless security stack. Analyst firm Gartner predicts that by 2017, EMM integration will become a critical IAM requirement for 40% of enterprises, up from fewer than 5% in 2014. The new security stack also needs to take the cloud into account but the likelihood is that security systems will stay in-house as few organisations are willing to outsource control of the keys to the kingdom.
Switch to an identity and device based model
Mobile access to IT is on the rise from using remote systems during customer visits to collaboration with partners; access to IT needs to be more flexible. What has gone from a physical, location centric activity is now shifting towards an Identity and device based security model.
Looking forward, more organisations are going to start to look at the security benefits offered by mobile devices that are generally tied to a single user. This requires acceptance that BYOD is more than just a fad and a slight shift in mind-set that embraces rather than fights against more freedom of IT access. With all the very public security breaches at household names, users are actually more accepting of security measures insisted upon by an IT department that make their personal/work devices more secure.
Considering that human error is consistently a top root causes for security breaches, 2016 will see an increase in the number of very large organisations that start to mandate Enterprise Mobility Management across not just one device but every device that a user interacts with and can have an impact on the IT environment.
If we learned anything from 2015, it is clear that security can no longer be an after-thought or just another IT to do. While enterprises will continue to invest in the Cloud, IoT and Virtualisation, the onus is on enterprises and IT teams to ensure that security does not get lost in the shuffle and if anything, actually is at the top of the priority list.
Click below to share this article