Data breaches, confidentiality and privacy will remain key areas of concern in 2011, and these topics fuel many of Ipswitch’s 2011 security predictions.
2011 will be the year that smart companies shift their focus away from tactical (and often reactive) security tools and instead focus strategically on policy creation, management and enforcement. More organizations will shift their approach from quick-fix to preventative.
Four more 2011 predictions:
- Enterprises will start monitoring and managing the information flowing to and from personal email, IM and cloud-based services.
- The largest data breach of 2011 will hit the retail sector.
- A major data breach with further reaching diplomatic consequences than WikiLeaks will be the direct result of a lost smart phone or USB drive.
- Organizations in the financial, media and health sectors will gain larger market share by leveraging company investments in MFT, specifically those that offer visibility, analysis and analytics.
I’ve blogged a bunch on Ipswitch’s 2010 research that unveiled startling trends about employee access and use of company information. Our 2011 predictions are in part fueled by some of these facts:
And here is a fun video by Frank Kenney on top IT policies that WILL BE INGORED by employees:
The New Year is almost here and we want to hear your thoughts and plans for investment in cloud services. Take our quick poll and let us know which area you will focus your investments in for 2011. (Plus, after you vote you’ll be able to see what others think.)
Poll: Investing In The Cloud
Where will you invest most for cloud-based services in 2011?
(Click on one of the answers below to see the results)
Each year sees an increase in the amount of IT tasks and operations that can be automated. 2011 will be no different, according to Ennio Carboni:
As the number of networked devices inside and outside the enterprise continue to explode – both in infrastructure (e.g. routers, switches and systems infrastructure supporting video, and wireless app delivery) and end point devices (especially mobile handhelds, tablets, and netbooks) – higher automation is necessary to maintain control of management costs. Equipment vendors, software publishers and end user IT organizations are embracing automation in many ways – building and deploying more intelligent network devices, using virtualization-led dynamic provisioning and configuration to meet variable demand profiles and attempting to build closed loop management systems that can react to infrastructure changes. We’ve seen this coming: technology replacing humans in the workplace – case-in-point, HP laying off 9000 workers from their datacenter services unit.
Configuration Management and IT Security
However, the rapid growth in the number and complexity of network devices does have its drawbacks. As networks grow, so do the vulnerabilities associated with their configuration and security. Analysts estimate that more than 60% of network outages are caused by manual configuration errors at an annual average rate of 30+ errors per device. This has tremendous impact on maintaining IT security and compliance with internal and external regulatory policies. As a consequence, analysts predict that configuration management and IT security tools will continue to see robust growth in 2011 (Check out slide 4.)
If your network is undergoing the growth now found across the board and you don’t already have a configuration management tool in place, 2011 is the year to change that. A good configuration management tool allows you to automate the process and reduce your chances of an outage, while also notifying you when and where an outage occurs so it can be rectified quickly with little downtime.
Here are two more predictions from Ennio Carboni, the Ipswitch Network Management Division president, on another blossoming area of technology in 2011: mobile computing.
2010 witnessed the release of multiple versions of the tablet computer. Although netbooks have been around for a few years now, they continue to remain popular due to their low price. And, it seems like everyone you know is upgrading to a new smartphone from countless providers. With mobile computing’s availability and reach growing quickly, employers are expecting sonic speed response time and near 24/7 availability more now than ever before. In order for this to be viable organizations must ensure their employees can access business applications from these devices, while at the same time maintaining security, speed and functionality.
As we enter 2011, we can count on almost every business software provider or tool releasing mobile-compatible versions and apps for your convenience.
The Rise of the Android
For several years, the top contenders in the smart phone race were the iPhone and Blackberry. 2010 brought the advent of the Android, which threatens to usurp the former smartphone leaders. Google’s Android OS for mobile phones is already toppling Apple’s iOS as the top mobile operating system. While millions of apps exist for the iPhone, it is not considered the friendliest OS to work with. The Android’s opensource capabilities have opened a huge window of opportunity for more hardened business applications, beyond games and social apps.
Let’s do a news recap of yesterday. Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual. Oh and there was also notification of a few data breaches; most notably McDonalds, University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer.). Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonalds, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two dollar a gallon gas prices.
Lately, we are seeing more companies and institutions admitting to data breaches. Passwords get hacked and ATM cards, identities and cell phones are stolen all the time. Expect to here about more breaches as companies move ahead of legislation that forces them to admit security breaches and expect the media to pick up on the stories and run wild with them. What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.
- the McDonalds breach was about third-party contractors and not enough governance around customer e-mail
- the UW breach was about unauthorized access to databases over a two-year period… again not enough governance around data storage and access
- the Gawker breach was about outdated encryption mechanisms and a rogue organization purposely trying to embarrass that community.
Of these three things, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.
The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.
This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!
As the year comes to a close its always refreshing to look at where we have been and where we are heading. What better way to gain accurate insight into the industry than going straight to the source? Ennio will share some of his predictions for 2011 in technology with a multi-part blog series.
Server virtualization will become a commodity. According to Gartner, SMBs will deploy more virtual machines in 2011 than enterprises, even though the latter had a few years of headstart. As we’ve mentioned, Ipswitch Network Management hasn’t purchased a single piece of server hardware in 3 years; we rely on virtual servers more than ever before. And we’re not alone-thousands of SMBs have already implemented virtualization and many more are looking to implement it. The need for guidance throughout the process will therefore be prevalent. Learn about the virtualization process here.
The other thing you can point out was the article I sent you from groofer that talked about utilities stopping incentives for virtualization as it is now commonplace?
Public/Private Cloud Computing
Ennio also thinks that cloud deployments — public and private, will go mainstream next year. This covers all nature of clouds, from infrastructure to platforms and software as a service. Most enterprises and SMBs have embraced cloud based services, but as of 2011 they will build private cloud services with hugely increased capacities through linking to public clouds.
From a management perspective, this means organizations will need to have the tools to manage unified computing environments with network, system, i/o and application layers virtualized. Until now, only a few such tools exist, but 2011 will prove to greatly increase competition in this area.
Continuing with our Holiday Tech Gift Idea series, here are some more of our favorite tech gifts for the 2010 Holiday Season!
Grassy Lawn Charging Station – Hide your cable rats’ nest with scenic grass.
Scrabble Flash Electronic Letter Game – The classic game of scrabble has upgraded with this perfect portable game; move the LCD screened tiles to spell words.
Digital Luggage Scale – Weigh your luggage on-the-go.
Bluetooth Watch with Caller ID Display – Now you don’t have to frantically find your phone to see who is calling you or to even turn the volume off.
Monstrous iPhone Battery – You no longer have to worry about your battery dying by the end of the day with this lithium powered rechargeable battery extender.
Check back next week for more of our wish list!
Are you in the midst of planning for next year? Take our quick poll and let us know what you think your biggest challenge will be. (Plus, after you vote you’ll be able to see what others think.)
Planning for 2011 Web Poll
What is the biggest challenge to managing networks in 2011?
(Click on one of the answers below to see the results)
This December, the Network Management Division is teaming up with Trees for Life for a special promotion. For every Facebook friend and Twitter follower, we’ll plant a tree in your name in conjunction with Trees for Life:
“Trees for Life empowers leaders in developing countries who are improving the lives of people in their communities. Truly helping those who help themselves. Trees have been planted, libraries have been built, wells have been dug. Much has been accomplished, but this is not what we do. We plant hope and watch joy grow! We plant inspiration and watch miracles happen! We point to the tremendous potential hidden within every perceived problem”
Help us support this great cause, and stay connected to our product news and special promotions.
We’ll plant a tree for the total amount of friends and followers as of December 31st – help be part of this effort!
You may have thought you had taken all the right steps in planning the bandwidth requirements for your business. You even went the extra mile and set up Quality of Service (QoS) for high-priority traffic. Still you are faced with complaints that claim site access and critical order uploads are too slow. What is going on with the network utilization?
What you are missing is a way to gain visibility into the flow of traffic coming in and out of your network. A network flow is technically defined as a “unidirectional sequence of packets” all sharing the following values:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Ingress interface
- IP type of service
By utilizing automated classification of network traffic flows by type and protocol, you can begin to build a picture of bandwidth utilization without painstakingly reviewing individual network packets. Broad support for vendor network flow records such as NetFlow, JFlow, and SFlow records from Cisco, Juniper, and HP provide you with visibility into real-time usage as well as historical network trends.
Consider layering flow classification with identification of top talkers and top listeners to narrow in on who is over-subscribing the use of the network. Top talkers represent the outbound—devices sending the most data over the network. Top listeners inbound—source hosts that are receiving the most data. By analyzing top type reports, you can build detailed top conversation views of which endpoints are taking up the most network bandwidth.
Many times, top type reports will also provide a wealth of information into unauthorized applications, spyware, and non-business-related Internet usage. For example, in the Top Conversations report below, high bandwidth utilization is observed between the iTunes site and an accounting PC.
With this information in hand, you can begin to address the performance issues by updating your Web filtering tool or enabling additional blocked categories to minimize the use of bandwidth for non-business traffic.
Real-time flow visibility allows you to determine the mystery behind bandwidth utilization. Continued review of traffic flow data across your network at regular intervals in conjunction with well-planned threshold alerts will help you quickly detect traffic anomalies, which are often a sign of computer virus outbreaks or malicious software.
For those unfamiliar, the Information Commissioner’s Office (ICO) in the United Kingdom is the independent regulatory office dealing with data protection regulations such as the Data Protection Act.
Like many policy makers, the actual enforcement of policies has been a major stumbling block to their potential effectiveness. Up until recently, the ICO enforcement powers were very limited. However, the ICO has very recently started to issue fines (or “monetary penalties”) for failing to comply with the Data Protection Act.
- A4e was fined £60,000 for losing an unencrypted laptop containing thousands of client details
- Hertfordshire County Council was fined £100,000 for faxing details about a child sex abuse case to the wrong people
At the very least, seeing harsh penalties handed out for data breaches should help increase organization’s focus on protecting sensitive business and customer information. Hopefully that focus will be centered less on what device people are using to access company files and data (such as USB drives, personal email, portable hard drives, smart phones, etc) and more on the underlying risk mitigation need.
“This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “The ICO move has to be seen in the wider context of increased compliance activity.”
Businesses need to take inventory of their own information and understand what confidential files exist and where they are located. Access to confidential files should only be granted to people that are required to use it as part of their job. Simply making policies won’t make a difference; organizations need to follow up with policy enforcement and also must provide employees with the right tools to keep them productive so they done need to resort to their own devices.
Okay we get it. WikiLeaks had the gumption to collect private cables sent to and from the United States State Department, and actually publish them on a website accessible by anyone with Internet access. But the United States State Department blaming USB thumb drives and/or WikiLeaks for their failure to properly mitigate the risks associated with sensitive communications between government officials and ambassadors is just ridiculous.
I remember shortly after the 9/11 terrorist attacks the country waged all-out war on white box vans at U-Haul trucks, because those might have been the means in which terrorists would conduct future attacks. Creating an immediate policy that bans the use of USB thumb drives by United States government officials is not only overkill, but it also doesn’t make sense and it won’t work unless we also start banning iPhone’s, blackberries, digital cameras, portable scanners, wristwatches, necklaces, belts, laptops, fax machines, e-mail and all the other ways that individuals are storing and moving information.
Here’s an opportunity for our government to start to consider not just classifying data but generally making an effort to enforce policies around access and usage. Of the hundreds of thousands of tables that have been reportedly sent to Wikileaks, some news agencies are reporting over 3 million individuals have access. Let’s put that into perspective. If one of the world’s largest financial institutions decided to give 3 million individuals access to Social Security numbers, bank accounts and credit card numbers that financial institution would be run out of business and subject to fines, penalties and the mundane congressional hearing. It just doesn’t happen.
Just like any company or institution that stores and shares data on its customers and/or constituents, the US government, specifically the US State Department needs to be held accountable for access control policies, the enforcement of those policies and visibility into both the access of and usage of sensitive information. But clearly there is an issue of way too many ungoverned pipes connected to critical data stores and sources. Managed file transfer is certainly part of the answer. Consolidating all of those ungoverned pipes can help as well. A little content management and DLP may likely be valuable too. Or maybe just a good old reclassification and risk mitigation of sensitive data so that it isn’t accessible by 3 million people.
Over the last 9 1/4 years we stopped a lot of white box vans but I’ve yet to see a security report or an intelligence report (provided by the news media, I am not one of the 3 million who have access to that type of information) that says we’ve significantly mitigated our risk of terror attacks because we don’t allow white box vans.