When making predictions about what the upcoming year will bring, I like to make a big general forecast, and then some smaller ones. This helps me maintain some semblance of credibility, when the obvious stuff really does happen, and the rest either does or doesn't.
The big, easy forecast is this: identity theft threats combined with poor control vulnerabilities will continue to play a large role in threatening the security posture of organizations.
Large data losses (that may or may not compromise integrity) will continue to be reported. 2006 was a big year for data loss, either through inventory mismanagement, device misconfiguration or employee error, and 2007 will not be any different.
Phishing will continue to be a thorn in the side of network providers and financial institutions. Although the number of
phishing attempts has lessened, with periodic bumps up, the Anti-Phishing Working Group (http://www.antiphishing.org) says that the dollar amount of funds mis-appropriated through phishing, pharming or Trojan horses has increased, and will likely continue to increase next year.
As far as a more specific forecast, I see a push toward more automated network and endpoint compliance tools, both agented and agentless, from companies such as Symantec and Altiris. Altiris has a scalable agentless and agent-based solution called SecurityExpressions for deploying and managing enterprise system security policies. Symantec's compliance management software, BindView Policy Manager 3.0, is designed to help lower the cost of compliance through an automated assessment of your customer's policies, comparing them against industry standards and best practices.
Asset management products from smaller companies that force non-compliant network users onto their own VLAN or specific DMZ will be snatched up by the big boys, as customers seek a more automated solution to bringing their end nodes into compliance with such standards as NIST, SANS, CIS, etc.
The degree to which control processes can be automated will always be in doubt, however. Some products will be able to perform compliance auditing fairly accurately, but will vary widely in how efficiently they'll be able to proactively prevent non-compliant devices from accessing trusted architecture.
Another concept that will create opportunity in '07 for VARs and integrators will be the management of unstructured data. Unstructured data is not a new concept, but the awareness of the risk associated with it is just starting to take hold.
Considered a ticking time bomb by some experts, the management resource drain and security liability from rogue data is increasing as more and more company information is held in non-standard database formats, like email, HTML, white papers, memos, etc. This data exposure can create serious privacy loss, confidentiality and integrity issues.
Varonis is a small company that's only been around a couple of years, but has snagged some major financial and investment firms interested in and using their products. Their two solutions, DatAdvantage and DataPriviledge, two elements of Varonis' Intelligent Data Usage Suite, comprise a data governance package designed to help companies get a handle on where their data really is, and who's accessing it. And Varonis is an example of a "hungry" vendor/developer that's making very reasonable channel deals for VARs and integrators in an attempt to increase visibility.
The bottom line for channel partners is: keep on the lookout for quickly moving trends and new zero-day exploits, and make sure your customers have the technical mechanisms and compliance processes in place to protect their bottom line.
About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons.