Data security will change in 2014.
Credit: Data security image via Shutterstock
As they collect more and more data each year, businesses keep looking for new ways to ensure they can keep this information safe and secure.
With that in mind, Alan Kessler, president and CEO of the data security firm Vormetic, reflected on where he sees the data-security industry heading, making seven predictions for 2104:
Data-centric security will become a core practice for all enterprises: Enterprises have finally come to the realization that their perimeter security has failed and that their adversaries are likely lying in wait. In 2014, enterprise focus will shift from perimeter security to data-centric security, and it will become a core practice for enterprises across all of their in-house assets and cloud implementations. Common internal standards — based on the sensitivity and classification of the data — will drive protections that are consistent across all in-house data center areas, service providers, [and] virtualization and cloud environments. [7 Cybersecurity Risks for 2014 ]
Supply chains will no longer be allowed to be the "weak link" in data security: Given that many of the recent high-profile data breaches occurred because the adversary was able to infiltrate the intended victim's supply chain and gain access to the victim’s network from there, we will see enterprises demand that the organizations in their supply chain provide clear data-security commitments and enhanced data-protection.
Enterprises will require encryption and access control for information they store in cloud environments: Enterprise organizations will increasingly require the ability to revoke their service provider from the ability to view their data. I expect to see far greater cloud visibility and continuous monitoring occur in 2014 than we saw in 2013.
We will see "hardened" enterprise applications starting to emerge: As a consequence of all the recent data breaches, enterprises creating new applications (or renewing/replacing existing applications) will start to employ various "hardening" techniques as part of their development process. Specifically, they will start securing the application data with encryption, access controls, privileged-user limitations, usage pattern recognition and other techniques. However, these changes won't result in large changes in enterprise security postures overnight, because enterprise application cycles are typically five to eight years long. That said, we will see the appetite for enterprise-application hardening increase substantially in 2014.
Big Data usage for security intelligence will be a significant trend: We've all seen Big Data uses accelerate for business analytics related to sales, marketing, research, etc. Well, in 2014, Big Data tools will become increasingly adopted for security operations as well. They will be used to analyze the security intelligence that's been gathered, as a way to both gain insight and provide context.
We will see the emergence of "self-aware" malware: Malware source code moved to be "open" in 2013, making the building blocks and code readily available to malware writers. This means that the speed of change and effectiveness of malware is set to accelerate in 2014. Writers will be able to start with standard code that can then be easily adapted, modified and obfuscated in executable to change the patterns that anti-virus and other malware prevention software tools look for, and also expand the attacks that a given piece of malware uses. This means that traditional malware-prevention methods are continuing to become less effective. In 2014, we will see the emergence self-aware malware, which is malware that learns from its environment and that adjusts attack profiles accordingly.
- PCI DSS 3.0 won't break organizations: There is always some level of trepidation whenever a new standard emerges, and nowhere more so than in the compliance arena. However, the new PCI DSS 3.0 standard, which is the set of requirements businesses that accept credit and debit cards must follow, is incremental in scope, and the most difficult portions are not required until June 2015. This means that organizations will have ample time to assess and adopt required changes during all of 2014, so there's no need for a Y2K-style event as implementation deadlines near.
Originally published on BusinessNewsDaily.