Log in

Site menu:



Site search

April 2019
« Dec    



2008 Predictions

Strange ritual this is…

1) Virtualization security will hybridize – As the virtualization juggernaut marches on, the question “what do we do about virtualization security?” is heard with increasing frequency. In many ways, virtualization security is no different from physical security: best practices still apply, and at some point, the data that we endeavor to secure typically make it to the physical world where our traditional security mechanisms (i.e. firewalls, IPS/IDS, UTM, NAC, DLP, SIM/SEIM, NBAD, etc.) can interact with them. There are, however, two noteworthy complications…

First, virtualization breaks the physical “data context” model, meaning that schemes which rely on one-to-one relationships between the logical and physical world must adapt; an obvious example of this is IP or MAC based access controls, or many of the port-based security schemes currently implemented on switches. Moreover, the ability to dynamically migrate virtual machines from one physical host to another, across data-centers or across continents makes the value of a physical context even less meaningful as a means of delivering security.

Second, what happens in the virtual world sometimes stays in the virtual world. As server hardware becomes more powerful, it becomes possible to load more virtual machine (guest) instances onto single physical hosts. Although network traffic from a virtual machine destined for some other external host will be subject to inspection by network security gear upon network traversal, traffic from one virtual guest to another on the same physical host will remain within the physical host, and will never makes it onto the physical network, thereby precluding the traffic from inspection by physical network security gear. A number of companies including Blue Lane, Reflex, and Catbird address this with offerings that run a dedicated virtual machine linked to a promiscuous port on a virtual switch running on the physical host, allowing visibility into the traffic between commonly hosted virtual machines. While this solution is functional, it has its drawbacks such as placing a heavy burden on the physical host, robbing it of resources that could otherwise go to running the virtual machines (content inspection is extremely computationally intensive and is generally best left to dedicated, purpose-built hardware), as well as necessitating the creation of a redundant security implementation, with all its associated procurement and operational costs, rather than using the existing security controls.

Rather than placing this undue burden on each physical host providing hypervisory services to a collection of guests, and rather than squandering existing physical security apparatus, we will soon see solutions enabling physical security models to be easily bridged into to virtual environments. Simultaneously, as the physical crosses the boundary into the virtual, we will also see virtual security models move from the laboratory (i.e. honeypots and forensics) into the commercial mainstream.

And, of course, we will also continue to see more and more of the relatively latency-insensitive security appliances (shallow packet inspection, routing, anti-spam, backup, strong authentication and identity, pre-admission control NAC, remote access, proxies, web-application firewalls, vulnerability scanners, etc.) made increasingly available as downloadable virtual appliances, while the heavy-duty work (deep packet inspection, post-admission control NAC, data leakage protection, etc.) will continue, by necessity, to be done for the next few years by dedicated gear powered by ASICs or multi-core CPU/NPU platforms. Beyond the issue of performance, which will slowly abate as hardware speeds and capacities increase, another factor hindering the seemingly inevitable world-domination of virtualized appliances are those environments requiring levels of certification and assurance such as FIPS or Common Criteria, where current models have justifiably entangled physical dependencies such as cryptographic or Target of Evaluation boundaries.

It shouldn’t be an argument between physical vs. virtual security camps, it should evolve to a model of coexistence and sharing. Eventually, the physical and virtual security components will do what they do best (horsepower and ubiquity, respectively) and will share their knowledge with each other, enabling the whole to be greater than the sum of its parts.

2) Smartphone governance models emerge — Apple’s decision to make the iPhone a mostly closed-platform will not guarantee security. This has been evidenced by the number of exploits we’ve seen in the short time that the platform has been available. Conversely, the fact that Google’s Android platform is relatively open (it will require consent for execution) does not guarantee insecurity, but its lack of application lock-down does remove a single layer of defense.

Lost or stolen device recovery – With the amount of data (corporate emails, or mass-file storage) that can reside on smartphones today, and with the utility of these platforms approaching that of portable PCs, losing a smartphone can be just as bad as losing a laptop. And for as every lost or stolen laptop that makes the news, consider how much easier it is for a mobile device to fall out of a pocket or holster, or to easily be lifted and concealed? Nearly every phone available today has a GPS in it, why not allow enterprises to put it to use as a security control? The scope of Security Suites will expand just a little further as platforms such as Where Is My Phone ( and Lock My Mobile ( are assimilated into their ever-growing bulk.

Remote data destruction – Blackberry can do it. Period. Other vendors will realize that this is a factor in the Blackberry’s enterprise adoption, and they will start to do it too. Within a year of introduction, there will be incidence of some management server being compromised, resulting in self-destruct sequences being sent to loads of hapless users. Queue law suits and new breeds of enterprise mobile computing Security Standards and Qualified Auditors bodies emerging from the woodwork.

Proximity-based encryption – It’s not just conspiracy theorists that bristle at the idea of sub-dermal RFID implants for the purpose of identification. Yet it would be so darned handy for well-intentioned security applications. So how about something slightly less apocalyptically sinister like a ring that can be worn (and removed) by the user for the purpose of proximity-based decryption of and access to content on a paired mass-storage device? With a dedicated scope of application and the user’s retention of full control of the identifying token’s operation, even CASPIAN might approve.

3) Defending against the incomprehensible — Just as users began to adopt terms like “firewall”, “spyware”, and “botnet” into their vernacular, along with a conceptual grasp and acceptance of these concepts, the threat landscape keeps shifting. While terms and concepts like “XSS”, “CSRF”, “DNS rebinding”, “iframe / ad-delivered malware” are hardly new, they remain relatively foreign, despite that fact that we are seeing them employed with renewed vigor, and in vicious combination with one another as well as with increasingly sophisticated and persistently effective social ploys.

How does the security industry convincingly demonstrate the need to secure against threats that are becoming more complex and more difficult to describe to an ever-expanding base of information technology consumers? We appear to be on the verge of “you might not be able to appreciate this today, but this is for you own good” styles of security. A necessarily imposed model of authority that reminds us that information technology is just reaching adolescence.

4) Competitiveness turns destructive, so long as security is not a key factor in competitive evaluation – Globalization. Outsourcing. Operational Efficiencies. And other big business words, as well. Not so much a trend as an all-encompassing reality, the fact that all manner of competitive cost-reduction tactics pervade our modern economic existence guarantees an impact.

Consider it from the perspective of security technology producers:

Competitive pricing pressures force vendors to reduce costs of goods – There are different grades of components, there are different levels of skill in design and manufacture, and there are different classes of design and engineering verification testing. Although similar, glycerin is not the same as diethylene glycol. But testing and inspection doesn’t happen for free. The cost burden must be borne by someone. The vendor? Only if all the other vendors bear the same cost. The consumer? Only if they have no choice but to pay the premium. So caveat emptor will reign until there emerges regulation prescribing a standard. Not this year.

Competitive feature pressures compress development and quality assurance cycles – As competition intensifies, pressures to introduce more features, more quickly follow commensurately. Along with the accelerated schedules comes an increasing intolerance among user and financial communities for missed deadlines, often demanding releases that, in a perfect world, might be considered premature. The result? Bugs. A defanged euphemism, often the subject of public ridicule when occurring on a platform like a Microsoft Windows desktop OS, but which becomes far more significant when running critical systems. Ever hear of the Therac-25? Is there a standard for QA? Is there any prescribed penalty for releasing software or firmware with bugs?

And consider it also from the perspective of the security technology consumers:

We need to stay within our procurement budget – While it’s romantic to think that there’s widespread employment of a model of risk assessment wherein there’s a quantified or qualified calculation of exposure, of the cost of a loss, and of tolerance to risk, it simply doesn’t occur in the majority of businesses, particularly in the small to medium enterprise. Therefore staying within budget often means buying what is affordable rather than buying what’s right for the job. Some vendors design with this in mind, and are able to provide solutions that can be both. But unfortunately, there are other vendors who design with nothing but their hegemony and profit maximization in mind.

We need to reduce operational complexity and cost – Security is hard. Sometimes doing something securely steps on the toes of ease-of-use, particularly when the standards for ease were built on a foundation of insecure principles, in a day when there was much less bad on the Internet. Rather than dealing with the burden and costs of trying to break bad habits, or trying to mend weak controls and systems, it can be tempting to give in and to simply defer security. Moreover, given our natural tendency to prefer that which is familiar, upgrades or replacements (to or with more suitable or capable technologies) might be stalled because of perceived adequacy of the current solution, training costs, or simple complacency. Recognizing this, service providers (mere ISPs today, Converged Data Services Providers tomorrow) will fill the gap left here by vendors, and will mandatorily begin to layer tight (read: restrictive) security controls into the services they provide, extending all the way to the desktops.

Sometimes it takes as external event or force to begin the process of change. Accepting that both from the perspective of producers and consumers of information security technologies there is a natural resistance to change, perhaps rather than preparing for, we should simply begin to expect some imminent external factor of influence. Since it seems economically infeasible for either the producers or consumers to materially raise the bar in our own defense, it might come to some unforeseeable event to necessitate the legislation or regulation that elevates our current standards (or robs us of our networking civil liberties, depending on your perspective). Politically motivated cyber-terrorism might not bring about infrastructural system collapse in 2008, but expect to hear about it just a bit more frequently as the year passes.

Share: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Twitter
  • Reddit
  • Slashdot
  • LinkedIn
  • Facebook
  • email
  • Print

You must be logged in to post a comment.