Shape of things to come
May 4th, 2004 by Jiri
From the user's perspective, the future practice of technical security will be shaped by current technical trends, such as application integration and resource virtualisation, together with the falling cost of off-the-shelf security products.
The fact is that most business-driven technical developments today have moved ‘up the stack’ and revolve around application technology. Alongside benefits, these innovations also create new risks that need to be addressed, and this, in turn, creates a demand for security. Application security, to be more precise. What is even more important, the integrated nature of the future application landscape introduces a range of identity issues lying somewhere in the no-man’s land between data integration and security. Unlike general security problems, these cannot be deferred. Whereas it generally is possible to ignore security until something bad happens, identity issues have to be addressed for a system to be operational at all, so they are hard to ignore. Therefore, in the guise of identity, security is becoming one of the critical concerns for the new IT architectures.
What is technical security going to look like in the future?
The current practice of implementing application security measures locally to each application, in a rather selective manner, will (eventually) give way to a combination of standards-based local application security mechanisms tied together by specialised security integration infrastructure. At the same time there will be a drive for more sophisticated and richer security functionality.
The focus will move from simple password authentication to sign-on simplification implemented using a variety of federated and centralised methods. Supporting this, the focus will move onto the consolidation of a minimum set of user identity data across multiple applications. As application authentication measures mature and become standardised, desktop-integrated single sign-on will become more widely used, as will two-factor and smart-card authentication for applications.
Authorisation and its management will remain local to applications for scalability and cost reasons. The consistency of authorisation mechanisms will, however, improve as a result of wider implementation of access provisioning software enabling faster user creation and revocation of user rights. It is likely that companies will continue experimenting with capabilities and rights-based technology (such as DRM), though maturity and political issues surrounding its use will make this process slow and its result uncertain.
On the other end, vendors will hopefully start improving application audit capabilities. Availability of cheaper and easier-to-use auditing functionality will lead to wider use of audit, either to complement or to replace authorisation, which is conceptually incapable of scaling. Wider use of application audit will drive the use of tools for application audit log collection, event correlation and filtering.
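To make the preceding three paragraphs concrete, here is an added example (not code from the original post) of the kind of correlation a cross-application audit tool would do: it maps local account names from two applications onto one consolidated identity, checks accesses against a provisioning feed to catch activity after a revocation, and counts failed logins per identity across applications rather than per application. The two applications (crm, erp), the identity mapping, the log format and all log lines are constructed for the example.

```python
"""Correlate application audit logs with a provisioning feed.

Added example with constructed data; the app names, identity map
and line format are assumptions, not an existing product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Identity consolidation: (application, local account) -> canonical identity.
# Assumed mapping, standing in for a consolidated identity store.
IDENTITY_MAP = {
    ("crm", "jsmith"): "john.smith",
    ("erp", "j.smith"): "john.smith",
    ("crm", "adoe"): "anna.doe",
    ("erp", "a.doe"): "anna.doe",
}

# Constructed audit records from two applications, one key=value line each.
AUDIT_LOG = """\
2004-05-04T08:55:10 app=crm user=jsmith action=login result=ok
2004-05-04T09:02:41 app=erp user=a.doe action=login result=fail
2004-05-04T09:02:50 app=crm user=adoe action=login result=fail
2004-05-04T09:03:05 app=erp user=a.doe action=login result=fail
2004-05-04T09:03:20 app=crm user=adoe action=login result=fail
2004-05-04T09:10:00 app=erp user=j.smith action=read object=invoice/77
2004-05-04T10:31:12 app=crm user=jsmith action=update object=account/1234
2004-05-04T11:00:03 app=crm user=adoe action=read object=account/9
"""

# Constructed provisioning feed: when a canonical identity had its rights revoked.
PROVISIONING_LOG = """\
2004-05-04T10:00:00 identity=john.smith action=revoke
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; None for blank/garbage lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")}
    for field in m.group("kv").split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def canonical_identity(rec):
    """Resolve a local account to the consolidated identity (None if unmapped)."""
    return IDENTITY_MAP.get((rec.get("app"), rec.get("user")))


def revoked_identities(prov_records):
    return {r["identity"]: r["ts"] for r in prov_records if r.get("action") == "revoke"}


def access_after_revocation(audit, revoked):
    """Any audited action by an identity after its revocation time is a finding."""
    hits = []
    for r in audit:
        ident = canonical_identity(r)
        if ident in revoked and r["ts"] > revoked[ident]:
            hits.append((ident, r["app"], r["action"], r["ts"]))
    return hits


def cross_app_login_failures(audit, threshold=3, window=timedelta(minutes=5)):
    """Count failed logins per consolidated identity across all applications."""
    failures = defaultdict(list)
    for r in audit:
        if r.get("action") == "login" and r.get("result") == "fail":
            ident = canonical_identity(r)
            if ident:
                failures[ident].append(r["ts"])
    alerts = []
    for ident, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append((ident, j - i + 1))
                break
    return alerts


def run():
    audit = parse_log(AUDIT_LOG)
    revoked = revoked_identities(parse_log(PROVISIONING_LOG))
    return {
        "post_revocation": access_after_revocation(audit, revoked),
        "brute_force": cross_app_login_failures(audit),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

Run on the constructed data it reports two things that neither application could see on its own: john.smith updating a CRM record half an hour after the provisioning feed revoked him, and four failed logins for anna.doe inside 40 seconds, which look like two harmless failures in each application until the accounts are joined on the consolidated identity.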
In the data integrity space we can expect more consistent use of data validation to protect against errors and application-level attacks, whether at the perimeter, in applications or in integration middleware. I haven’t seen any product in this area, but I suspect someone may start experimenting with multi-application data input/output validation software.
Judging by the current increase in application-level attacks, we will see wider and more frequent application infrastructure hardening. The question which still remains open (at least for me) is whether application-level firewalls and intrusion prevention will become popular.
Application security, however important, will still be complemented by infrastructure security, which will evolve in its own way, following roughly three high-level trends.
The first one is a move from a perimeter-based security model to a defence-in-depth model in response to evolving risks. But as infrastructure hardening, patch management, auditing and malware protection implemented throughout the whole infrastructure are much more expensive than perimeter protection, this again is going to be a slow process.
The second trend is the strengthening of baseline security mechanisms, achieved through more ‘secure’ programming languages (such as Java, VB or C#) and improved O/S level security (e.g. SELinux or Microsoft’s NGSCB).
The third trend is the wider availability of technology that used to be really niche and specialised, such as biometrics or smartcards, thanks to lower costs and wider adoption (subsidised courtesy of the finance industry or governments).
Although progress in the infrastructure security space will not stop, it will not be enough to start a revolution in the way security is done in user organisations. On the other hand, if you consider that a revolution is already taking place on the application side of things, it is relatively easier for application security to join in and become part of it.
To cut it short, there will be lots of fun in application security.