Looking forward to 2010 while trying to erase the memory of 2009 -- here are my security predictions for the new year.
* Security funding increases by more than 10% to recover from a year of cuts. Our research shows that security is one of the areas least likely to suffer severe funding cuts. However, given escalating threats, a flat security budget in 2009 may have been a step back for companies. Expect an attempt to make up for 2009.
* Congress creates new regulatory compliance mandates. Enron gave us the Sarbanes-Oxley Act (SOX). What will 100x Enron give us? The math of compliance is shocking because it represents "asymmetric warfare": a few sentences of legislation (SOX section 404?) can lead to billions in spending. The financial meltdown of 2008 to 2009 will lead to extensive and very costly regulation, in financial services and beyond.
* Self-propagating mobile phone worms and Trojans. Mobile security will get slightly worse as the proliferation of applications and smart devices broadens the attack surface. While we've seen worms on iPhone, they have not been self-propagating, depending on PCs to spread. Expect to see true self-propagating threats on iPhone and Android systems in 2010.
* Cloud computing providers introduce encryption-at-rest and other security capabilities "as a service". With security as one of the main impediments to cloud adoption, expect to see encryption, VPN, intrusion-protection systems and other security capabilities offered as a per-hour billable service. Amazon's Virtual Private Cloud is just the beginning. This could become a key area of competition in 2010.
* Security in the cloud expands with new services. In addition to cloud computing, managed security services (security in the cloud) will also expand. Expect to see data-leak prevention, encryption, directory and authentication services provided by MSSPs, in addition to the old staples of antispam, antimalware and firewall.
* Desktop virtualization grows. Beyond thin-client virtual desktops, companies will begin looking at on-laptop virtual machines as a way to create secure corporate desktops with easier deployment. A virtual machine can use snapshots to revert to a known-good (known-secure) configuration providing a higher degree of security for online banking or secure corporate applications. Work and play can co-exist on hardware while maintaining separation. Or you could just pretend your employees only use work PCs for work -- good luck.
* The FBI issues tens of thousands of security letters to get records on individuals without warrants. Congress investigates and is appalled at the FBI's "underreporting". The FBI promises to do better (see 2009, and 2008 and 2007....). The 4th amendment continues to erode into meaninglessness.
* Real ID dies a deserved death and is abandoned in 2010. The brain-dead idea of better-security-via-universal-ID unfortunately persists despite the enormous number of identity theft victims created by over-reliance on SSNs.
* The Transportation Security Administration stops wasting billions of dollars in traveller delays by confiscating water bottles and removing shoes. Instead it focuses on real threats based on rational risk assessment, not security theater based on movie-plots (hat-tip Bruce Schneier). OK, unlikely, but I can dream, can't I?
As always, I will revisit these at the end of the year and provide a critical analysis of my success rate.
Happy New Year everyone, and thank you for reading!