You've likely seen plenty of articles lately detailing forthcoming IT security trends and defenses. I have a list of my own, but I bet it's a bit different. It doesn't include items such as cloud computing, virtualization, or mobile threats -- been there, done that!
Rather, I'm going to share some thoughts on five other trends that will affect your security risks and change the way you design your defenses down the road: Web 2.0; the consumerization of IT; global SSO (single sign-on); advanced persistent threats; and the death of the DMZ. There's a good chance you'll face these challenges in the coming year.
Web 2.0: What isn't Web will become Web
I was consulting for a customer a few weeks ago, and the company's developers asked me to perform a security review of a new database application. I found the normal SDL (security design lifecycle) bugs, but I was more concerned that the team was using a traditional programming language for the code -- with absolutely no Web interface. I brought up this point along with my normal review findings.
The programmers' answer was that the Web wasn't right for all applications, and performance-wise, their software outperformed Web apps by a factor of 3 to 1. I agreed with the latter point but strongly disagreed with the former. Yes, the Web isn't the best choice for all applications in a world where we can design programs in a stand-alone box or without consideration for the rest of the infrastructure -- but we can't. The whole world is going Web 2.0. Nearly every app is going Web 2.0. What isn't Webified today will be tomorrow.
The future consumer will expect to be able to access your app through a Web browser or as a Web service, no matter what type of computer they're using -- PC, smartphone, tablet, and so on. Separate interfaces and VPNs won't cut the mustard. If your app isn't easily available on the Web, it won't be used or will eventually be phased out or recoded. The writing is on the wall. Programmers, take note.
I don't mean that the app should simply be available on the Web -- you can't merely offer it as a Web-based app, especially if the app itself isn't Web-based. That will work for the short and midterm, but not in the long run. Today's traditional virtualization technologies, non-Web VPNs, and application gateways are short-term shims. In the future, for the app to survive, it must be Webified to its core. I may agree with you that the app is faster and performs better when not accessed using a Web interface, but it doesn't matter.
Consumer devices gone wild
As I've discussed previously, IT security admins will have more personal devices and fewer computers under their control in the future. Smartphones and iPads are entering organizations more quickly than defenders devise protections. In many cases, admins will not have the opportunity to control the device.
I'm not simply referring to the fact that you might not be able to control minimum password length and complexity. You may not even know if users are using a password at all. Further, you won't be able to control patching levels, the installation of Trojans, or whether antimalware software or firewalls are present. You will be told that unmanaged devices can't access the most critical and valuable information -- but they will. You'll be told that users will follow existing policy. They won't. Welcome to our new reality: all the responsibility and none of the control.