Information security is defined by emerging IT trends. I group the past information security focus timeline into three eras, with each era evolving the past era's contributions.
As in these past eras, information security evolution will continue to be defined by IT trends prevalent at the time. Current emerging IT trends, specifically cloud computing and Semantic Web, will impact information security in the future. Meanwhile, adversaries are implementing even more complex and multifaceted attacks that leverage their knowledge of the organization, its users and information. As a result, the information security evolution in the next 10 to 20 years will focus on three key areas: Infrastructure-Enhanced Security, Enhanced Threat Modeling and Semantic Security.
Infrastructure-Enhanced Security
Security will become more engrained in all levels of IT infrastructure and architecture, such as security enhancements in Internet Protocol V6 (IPv6). IT infrastructure will promote more comprehensive security solutions, from cutting-edge security enhancements created for cloud computing to hackers that leverage cloud to enhance attacks, while the decrease in the cost of disk storage will increase audit log retention and management. Cloud computing will likely reduce encryption and decryption times, promoting further adoption of these security controls, while likely demanding and promoting enhanced key strategies. Cloud computing is already having an impact on key strength assessment. Cloud computing will also promote cutting-edge, near-real-time analytics that mine vast amounts of security data to identify complex threats and detect intentional and unintentional information access and abuse for both internal and external users. Security will become more engrained in IT infrastructure, and advances in IT infrastructure will evolve information security.
Enhanced Threat Modeling
Current information security threat models primarily focuses on simple threats, such as defending against traffic on specific ports, virus detection, etc. However, adversaries are targeting organizations with complex attacks that appear completely legitimate but have devastating effects. For example, spear-phishing has an activation rate of nearly 20 to 30 percent, based on a December 2010 estimate. Current security controls might detect spear-phishing days after the final attack. To protect against these complex attacks, information security threat modeling will need to evolve. Cloud computing analytics developed for social network analysis will provide capabilities to analyze large amounts of data about users, network traffic and other interests to detect seemingly safe activities that match larger threats.
Semantic Security
Like IT, humans network to exchange information. However, information security works at a syntactic level, while humans work at a semantic level. Commonly implemented security controls can detect individual words or terms and can block entire traffic for certain ports or addresses. These security controls currently do not work at the semantic level. I may accept and trust news from a friend that "the Dow dropped 500 points today." However, I would not trust the same friend with the statement that "today's 500 point Dow drop proves the financial collapse of the United States will initiate Armageddon."
There is a difference in the semantics of these two statements, even though the core transmission is that the Dow dropped 500 points. Advances in semantic technology in conjunction with cloud computing will promote security controls that simulate human cognition and can block and/or report untrusted communications in near real-time over Internet scale data. The Semantic Security evolution will address the adoption of semantic technologies and include software agents that act on behalf of end users. Some security systems and researchers already advertise ontology models and automated reasoning, and others will follow.
A colleague reminds me that users are to security what location is to real estate -- the most important aspect of security is users, users, users, whether employees, partners, customers, adversaries or automated bots acting on behalf of one or more of these. These future information security enhancements will help IT organizations continue to focus on users and user interactions to ensure the availability, integrity and confidentiality of the organization's information.
Another aspect of security that is finally gaining its stride is: security awareness, and the channeling of that awareness into responses that actually can do some good. Legislation has a lot to do with this: if you have to comply with SarOx, or HIPAA, or any of a handful of other statutes which include a substantial information-security compliance payload, then of course you will make it your business to do so even if you're dragged into it kicking and screaming. But the same lipstick wears-off onto other shirt collars in the process. The practices that are written into these laws actually are(!) good ones.
An economy of scale develops which pushes hardware and software suppliers to make these best practices affordable and accessible ... not only to those who currently are obliged to follow them, but also among ("a rising tide lifts all boats") those who do not.