Weather forecast: Cloudy with a chance of compliance

If there are constants to every information security conference, they are these: threats are up and the job of the average security professional becomes more demanding every year.

At the RSA Conference 2010 held in London this week, RSA’s CEO Art Coviello illustrated the depth of some of the key issues the industry is dealing with, and acknowledged the growing complexity of the job at hand.

It is estimated that IT professionals spend nearly 20% of their time on compliance. Many would argue that this takes care of the regulations, but actually doesn’t achieve much besides giving them an ultimately false sense of security.

“If we don’t change our approach, we will become locked in a vicious cycle of costlier attacks, generating more public outrage, more regulations, compliance and reporting,” Coviello noted. And the end result of these events would be less time available for companies to make themselves secure while the volume of elaborate attacks grows by the minute.

With a soaring volume of Internet traffic and the proliferation of increasingly complex systems, security professionals are dealing with a job that requires evolving security controls and adaptive procedures. It may sound easy to someone not working in the field, but giving the right people access at the exact time when it’s needed can be quite an endeavor – especially in this age of the mobile workforce.

“What we’ve ended up with is an overabundance of point products applied independently across the infrastructure: anti-malware, e-mail and application encryption, data loss prevention, etc,” says Tom Heiser, RSA’s COO. That means that the average security professional has to manage several products from different vendors that need to work together in a hybrid environment. And judging by the conversations I’ve been hearing this week, this is the starting point of many headaches.

You can probably guess where RSA is going with this talk – a unified solution.

I’ve never been one of those who believe that there’s a one-size-fits-all solution to an organization’s security issues. The premise sounds simply too good to be true, and also – could you ever be able to trust one vendor to solve all your problems? However, the marketplace shows a growing demand for such solutions. The frequent mergers and buyouts of big market players seem to indicate a definite shift into a world where we can expect a single solution to be the end of our information security problems.

Heiser says that the journey to the cloud is real. This may be true but RSA’s own research captures the concern of CISOs who frankly admit that they are not prepared to effectively manage risk in these virtual environments.

Herbert Thompson, Chief Security Strategist of People Security, talked about a trend where many started moving services like e-mail into the cloud despite not being clear on all the issues. Why the move? Everybody else is doing it so it must be a good idea and they expect to deal with potential drawbacks later. It appears that operational efficiency is inspiring risk amnesia.

What small organizations fail to realize is that while their size makes them unlikely targets for cyber criminal organizations, upon moving their data into a cloud that caters for companies their size, they become part of a pool. Imagine a company with 20 employees that does not want to do its own payroll processing. Not a compelling target, is it? Now picture 10,000 companies of 20 employees, all using a payroll aggregator. Now, this is something worth targeting.

Despite all the problems, the move to the cloud is happening on an ever-increasing scale with each passing year, and baby steps forward have been made. The cloud evaluation framework by ENISA, for example, allows the business consumer to approach a cloud provider and get some level of visibility.

Economically, we need to push forward and find solid solutions for a more effective, efficient and secure cloud. Can this be achieved before the bad guys make a serious dent? Only time will tell.
