Security InevitabilitiesBy Rich
Despite my intensive research into cryonics, I have to accept that someday I will die. Permanently. I don’t know when, where, or how, but someday I will cease to exist. Heck, even if I do manage to freeze myself (did you know one of the biggest cryonincs companies is only 20 minutes from my house?), get resurrected into a cloned 20-year-old version of myself, and eventually upload my consciousness into a supercomputer (so I can play Skynet, since I don’t really like most people) I have to accept that someday Mother Entropy will bitch slap me with the end of the universe.
There are many inevitabilities in life, and it’s often far easier to recognize these end results than the exact path that leads us to them. Denial is often closely tied to the obscurity of these journeys; when you can’t see how to get from point A to point B (or from Alice to Bob, for you security geeks), it’s all too easy to pretend that Bob Can’t Ever Happen. Thus we find ourselves debating the minutiae, since the result is too far off to comprehend.
(Note that I’d like credit for not going deep into an analogy about Bob and Alice inevitably making Charlie after a few too many mojitos).
Security includes no shortage of inevitabilities. Below are just a few that have been circling my brain lately, in no particular order. It’s not a comprehensive list, just a few things that come to mind (and please add your own in the comments). I may not know when they’ll happen, or how, but they will happen:
- Everyone will use some form of NAC on their networks.
- Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.
- Everyone will use some form of DLP, we’ll call it CMP, and it will only include tools with real content analysis.
- Log management and SIEM will converge into single products. Completely.
- UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.
- Virtualization and information-centric security will totally fuck up network security, especially internally.
- Any critical SCADA network will be pulled off the Internet.
- Database encryption will be performed inside the database with native functionality, with keys managed externally.
- The WAF vs. secure development debate will end as everyone buys/implements both.
- We’ll stop pretending web application and database security are different problems.
- We will encrypt all laptops. It will be built into the hardware.
- Signature AV will die. Mostly.
- Chris Hoff will break the cloud.