Business will have to embrace security as a service, says Gartner

Businesses will increasingly be forced to adopt cloud-based security services to take care of the basics so they can focus on more complex threats

Businesses will increasingly be forced to adopt cloud-based security services to take care of the basics so they can concentrate on more complex threats, says Gartner.

This is one of several security-related trends that will emerge and grow in the coming year and beyond, analyst Earl Perkins told the Gartner IAM Summit 2015 in London.

“Businesses need to watch the development of security services from the cloud as we expect these to grow and evolve,” he said.

But Perkins said while a move to cloud services is essential to the success of internet of things (IoT), cloud is nevertheless still only in an “early maturity phase”, especially in Europe.

Gartner expects European organisations to familiarise themselves with cloud architecture by setting up private clouds first, but that over time they will evolve their thinking to overcome resistance to cloud.

Cloud access and other broking services that would negotiate the relationship between cloud service providers and consumers will be key to enabling wider use of public cloud, according to Gartner.

Under this model, cloud brokers would enable businesses to enforce policies by managing the use, performance and delivery of cloud services.

Running through an overview of Gartner’s group of around 70 security analysts, Perkins said Gartner believes organisations need to start thinking about securing all the components of digital business.

“Digital business is made up of devices, services and people with digital identities, and this represents the future of business as we enter an era in which we create and use more information,” he said. 

Perkins said this means there is a need to move beyond information security or IT security to a concept of cyber security that also includes physical security, operational security and device security.

A key component of this more comprehensive approach is application security, and yet he said fewer than 10% of organisations have started making security part of the process of application development.

“This is an area in which most organisations will need to improve quite a bit,” said Perkins.

When it comes to identity and access management (IAM), he said, organisations need to embrace the idea that things and data will have identity too, and not only IT users.

“Organisations will need to define a relationship between people, things and data as part of a general trend towards entity relationship management,” said Perkins.

“This is something that is coming, but not many IAM suppliers are ready to move beyond users to include applications, data and devices,” he said.

Context-aware access control the next step for IAM

Gartner predicts that adaptive and context-aware access control is a necessary next step for the IAM industry, particularly in light of the need to enable machine-to-machine authentication in future.

“To decide that a person or thing is who or what they claim to be and whether they have a right to access, it will be necessary to take a broader range of factors into consideration,” said Perkins.

The challenge, however, will be to do so in a way that hides all the complexity and provides a simple and easy user experience, he said.

Securing unstructured data, such as emails and video files, that resides outside databases is another key area that organisations and security suppliers need to address.

“There are fairly well-established good practices for securing databases, but unstructured data is quite different,” said Perkins.

“Organisations need to look at data across the enterprise and secure all data like they have secured databases, but for many locating and classifying data will be a major first step,” he said.

Gartner predicts the trend of separating management from data functions and other activities in the stack to reduce complexity, which has driven the adoption of software-defined networking, will spread.

“Enterprises will be moving to single management layers across different systems in a number of areas, and I believe software-defined security is on its way,” said Perkins.

“This is not something that enterprises should seek to do immediately with all systems, but they should prioritise critical functions,” he said.

Five styles of defending against advanced threats

Gartner has identified five styles of defending against advanced threats that have emerged in the enterprise.

These are: network traffic analysis, network forensics, payload analysis, endpoint behaviour analysis and endpoint forensics.

“It is important for organisations to understand there is no one approach, service or supplier that is going to solve the advanced threat problem, but a select combination,” said Perkins.

In the light of this fact, organisations should have a plan to enable maximum protection by identifying where threats are most likely to come from and setting defence priorities, he said.

According to Perkins, defence against advanced threats should be driven by risk, with most targeted defences being deployed only in the cases of highest risk to critical or most valuable data.

However, he said while prevention is still important, the general trend is a move away from prevention to detection and response capabilities.

“Dedicated attackers in all likelihood will breach perimeter defences, which means organisations need to be able to detect intrusions and respond quickly,” said Perkins.

Companies on the leading edge, such as suppliers of critical national infrastructure, are looking to assemble next-generation platforms that often have an embedded analytics capability.

This capability is enabled by technologies such as vulnerability intelligence systems, threat and attack intelligence systems, IP reputation systems and user reputation systems.

“We are entering an age in which machines can learn from different sources of data and identify what to protect and how,” said Perkins.

He cautioned against haphazard adoption of new security technologies, warning that all have their strengths and weaknesses, and what may be adequate for one organisation may not be for another.

“The key is to match technology capabilities to your organisation’s particular needs and to never spend more on security than the asset it is meant to protect is worth,” said Perkins.

Moving away from mobile device management

When it comes to protecting against security threats to mobile devices, Gartner predicts a move away from mobile device management and mobile app management to enterprise mobility management.

“Organisations will increasingly seek to combine reputation of devices, services and users with secure gateways to ensure business tools function properly while improving security,” said Perkins.

However, he again cautioned against over-investing in mobile security devices if there is no particular need, especially in the light of the fact that attacks on mobile computing are not yet prevalent.

Perkins also expects the IoT will help improve the security of mobile devices by driving industry-wide initiatives to embed security into the chips used for IoT devices.

“Device manufacturers are currently jockeying for position as they all seek to set the industry standard for trusted devices, software and services,” he said.

Gartner expects at least two of the biggest chip makers to emerge as the leaders in the move to establish chip-level security which will put renewed focus on the concept of trusted computing.

“Security professionals should watch developments in the semi-conductor and device industries to see how they can assist businesses’ cyber security capabilities,” said Perkins.

Like an organisation’s overall security strategy, its mobile security strategy is likely to consist of two or more technologies such as trusted containers, trusted apps and trusted cloud service providers.

Looking beyond 2016, Gartner believes the concept of a security gateway enabled by a software-defined management layer will become increasingly important.

Gartner also expects the concept of predictive maintenance in the airline industry to be adopted by the information security industry as organisations seek to be more proactive in their defences.

“Just as airlines can predict when components need servicing before they fail, data-dependent businesses want to be able to predict attacks to head them off before they are launched,” said Perkins.

Gartner also predicts an evolution towards people-centric security, which seeks to make people the strongest agents of security, challenging the traditional view of people as the weakest link.