29
Fri, Nov
0 New Articles

What's Hot and What's Not in the World of Security Technology

Security - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In this article, security expert Carol Woodbury discusses technologies in the security world that are hot and some that are not so hot.

 

I'm sincerely hoping this article doesn't just appeal to my fellow security geeks. In other words, even if you couldn't care less about security or perhaps even loathe the role that security plays in your day-to-day life, I hope that you can appreciate the technology described in this article.

 

This article is based on what I see happening (or not happening) in our (SkyView Partners) clients' organizations as well as what's appearing in (or disappeared from) the security-related press. Others may have opinions about what's hot and what's not, especially if they happen to work on a particular technology. I'm not trying to promote a technology or play favorites. My definition of "hot" is that the technology is either being implemented or considered by the majority of our clients and/or is receiving significant press in the security world. In other words, this is my experience as to what's going on in the security world today.

What's Hot

Here's what's steaming!

 

Encryption

 

One of the hottest technologies in the security world today is encryption. I didn't say new technology; I said hot technology. How can a technology that's admittedly only interesting to true security geeks be so hot? One word: compliance. The widespread use of encryption is due to the fact that regulations such as the Payment Card Industry's Data Security Standards (PCI DSS) require that data in motion as well as data at rest (that is, information in a database) be encrypted. Couple that with state breach-notification laws that allow organizations to skip notifying individuals that their data was lost or stolen if the data was encrypted, and you have a technology that is hot.

 

One would think there could be few advances in the area of encryption since it's such as mature technology, but that's not the case. Most encryption vendors are now touting the use of tokens as a means of further protecting the security of data at rest (in addition to the act of encrypting it.) When using tokens, the data is encrypted and stored on a separate server typically known as a vault. Using tokens allows you to work with the transaction associated with the use of a credit card without having to work with either the cleartext or encrypted version of the credit card number. As an added benefit, if an application needs this association but doesn't need the cleartext credit card number, using tokens may allow the system to be removed from the scope of PCI compliance. Tokens aren't right for every situation where data at rest is encrypted, but they're worth investigating.

 

Another area of encryption to watch for is the requirement from laws or regulations like the PCI DSS to use encryption algorithms that have been certified as meeting specific standards, such as the NIST encryption standards. While they're not yet required, it is widely believed that the PCI consortium will require the use of certified encryption algorithms at some point. This will eliminate encryption implementations where developers have "rolled their own" solution and where less than optimal (i.e., weak) key management processes/implementations are in place.

 

Data Loss Prevention (DLP)

 

Another area of hot security technology is data loss prevention (DLP.) Data loss prevention in the IT world (versus physical measures designed to help deter theft) is a rules-based technology that prevents data from leaving your network or computer systems. Compared with event-management software, which notifies you after an event has occurred, the focus of this technology is prevention of the event. It does so by inspecting the data as it travels through the network or while it is sitting in a database file, recognizes when it matches one of the rules you've defined for that type of data, and prevents the action that's about to be taken. For example, you could prevent files containing private data from being FTPed to an external Web site or from being copied to a USB. Or you could stop emails containing confidential corporate information (such as pricing or vendor lists) from being sent to an external email address.

 

While the emphasis of this technology is prevention, you can also implement it in log-only mode. Or, if you intend to implement the technology in prevention mode, you can start out in log-only mode and send warning messages to the users to warn them of their "infraction."

 

DLP can be annoying to end-users who are prevented from doing tasks that are part of their job, but many organizations are either considering or have already implemented a DLP solution—at least in log-only mode. The key to a successful DLP implementation is finding the balance between being too intrusive (that is, preventing too much movement of data) and not intrusive enough.

 

Security Information and Event Management (SIEM)

 

The implementation and use of SIEM technology is another technology that is driven by compliance. SIEM started out as a log aggregator used primarily to gather all log or audit information within an organization and consolidate into once place. This allowed all log information to be backed up and protected from modification. While not an issue on IBM i, the integrity of log files (audit journal to the i world) comes into question on other systems if additional measures aren't taken to protect the logs. While the protection of log information was the initial reason for log collection, it was quickly realized that having all information in one place allowed for the correlation of the logs. This holds great benefits when investigating an incident as well as analyzing activity to detect incidents. In addition, depending on the implementation, events can be sent to the centralized log server in real-time, providing the potential of real-time event notification.

 

Content Classification and Email Retention

 

Another technology that's hot is the analysis and retention of email. Why is this a security technology? Because the retention policy is based on the classification of the data. In addition, appropriate use of the data as well as the use of email are typically two issues documented in an organization's security policy. Content classification and email retention is another technology being driven by compliance requirements as well as legal requirements to produce documentation when demanded by the courts. Products based on this technology archive and catalog the electronic data (including email, chat logs, and all other forms of electronic communication) that is discoverable and, therefore, admissible in court. After the defined retention period, the data is destroyed according to the requirements defined by the classification of the data.

Not So Hot

And these, well, they're a bit "chilly."

 

Digital Certificates for User Authentication

 

The use of digital certificates for user authentication is a technology that has definitely "cooled off" from the height of its popularity. That's not to say that digital certificates aren't widely used; they are. Every time you connect using an encrypted session (such as through a VPN or HTTPS), you are using a digital certificate. What's cooled is their use for authenticating individuals. Then they and the technology they enable (public-private key encryption) were first introduced, it was thought that every man, woman, and child was going to be issued at least one digital certificate, and we were going to use them for authentication to every application known to man. (Perhaps a bit of an overstatement, but you get my point.)

 

While there are some applications that have utilized digital certificates for user authentication (that is, using digital certificates to prove users are who they say they are), the adoption rate for digital certificates as a means of user authentication is significantly less than originally anticipated. Why? The overhead of maintaining large numbers (over 100) of digital certificates has proven to be non-trivial. Certificates have to be issued to new employees, renewed when they expire, and revoked when they leave or lose the device in which they've been stored. Operating systems and applications have to be re-written to accept a digital certificate instead of or in addition to a user ID and password. These changes have been slow in coming, and this has also led to the slow adoption rate. The bottom line is that the cost to the organization of implementing and maintaining digital certificates for all employees as a means of user authentication has outweighed the benefits.

 

Biometrics

 

Another technology where cost has outweighed the benefits for many organizations is the use of biometrics for user authentication. This very cool technology is, unfortunately, not practical for most organizations. While I think that every organization would like to use biometrics for authentication (who wouldn't want to use the technology that great movie scenes are made of? Think Tom Cruise in Mission: Impossible), many can't afford the additional cost. Biometrics requires hardware. For example, say an organization wants to have users authenticate to the network using their fingerprints. This requires a fingerprint reader, the cost of which is at least a few dollars to tens of dollars, per instance of implementation. depending on the model. In many cases, to get a reliable reader, you need to spend more than a few dollars. Multiply the cost of the reader times the number of employees, add in the cost of debugging and replacing hardware and don't forget the programming changes required to authenticate to the network via a fingerprint rather than a user ID and password. While by no means a huge programming effort, it does require programmers be allocated to the project. All told, many organizations make a business decision and don't feel the benefits justify the additional costs. However, if the cost of reliable hardware becomes more affordable, watch for this technology to heat up.

 

Put on Hold: Single Sign-On

 

Single sign-on is an interesting technology. It was hot a few years ago but has definitely cooled. But unlike an organizational roll-out of digital certificates or biometrics, I see single sign-on projects more being put on hold than cancelled. Organizations have had to put many projects on hold as they implement compliance requirements, but I still hear about and get questions from organizations interested in single sign-on. When organizations get caught up with their compliance requirements, this technology may heat back up.

Hot or Not?

I hope you've enjoyed this discussion of "what's hot" and "what's not" in the field of security technology.

as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,

 

 

Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.


MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: