The annual RSA Conference is taking place next week in San Francisco, and Avivah Litan, vice president and distinguished analyst at Gartner, provided her thoughts on what to expect at this year’s event and on some of the top security trends of 2014.
What are you expecting from RSA this year?
I’m expecting a lot of buzz about the recent retailer breaches, NSA surveillance programs and DDoS attacks. Many of the speakers and vendors at the show will likely leverage the plethora of security infractions of the last year to create a sense of urgency for more intelligent solutions. I expect “intelligent analytics’ and “context aware security’ to be underlying themes.
One of the keynotes at RSA will focus on redefining identity in the age of intelligence-driven security. While identity lies at the heart of cyber security, the rapid growth of the Nexus of Forces – cloud, information, mobile and social – determines what can be accessed and how. How do you see the Nexus of Forces impacting intelligence-driven security?
The Nexus of Forces (the convergence of four interdependent trends: social interaction, mobility, cloud, and information) creates a much richer set of contextual information on identities. It enables real time analytics and business decision making around a lot of different components of identity information, so individuals can be serviced more effectively, and enterprises can become more profitable. But all of this also comes with security and privacy risks. I think we all face tremendous challenges on how to take advantage of the tidal waves of identity information and contextual data while respecting individual privacy and maintaining a secure environment.
Customer privacy is always a huge concern, even more so following recent data breaches at major retailers, and over the past few weeks, a number of vendors have announced considerable security changes to some of their products. What are the key areas to focus on to ensure customer privacy?
Customer privacy in part means that customers have the final say on how their information is shared. This generally means giving consumers the right to opt in to how information on them is collected, which information is collected and how their information is shared. That’s when data privacy becomes meaningful. The problem with retail and payments is that the data security and privacy are beyond consumers’ control. They have no say on how their payment card data is protected. The only thing consumers can do is not use credit or debit cards for example if they are worried about theft of this information.
Where do you think enterprises and retailers should focus their security efforts over the next few years?
I’d separate security efforts out into two broad areas – first is operational and second is strategic. For sure, enterprises need to lock down their forts as much as possible on the operational side – for example, enforcing strong, but risk based contextual authentication, making sure passwords are not shared across devices, whitelisting software that can run on endpoints, whitelisting the points to which sensitive information can be transferred to and more.
At the same time, they need to also put efforts into strategic technologies – namely security analytics and intelligence that leverages rapid access to important information. This will give them the ability to pinpoint infractions amid the constant noise and barrage of daily events. For example, this would enable an enterprise to detect anomalous access to a server or anomalous behavior on an endpoint and to correlate those anomalies with other internal and external information in order to draw a picture of a security infraction against the enterprise.