For the past several years, I have had the honor of writing for Network World in "Risk and Reward." Unfortunately, that time has come to an end as I am leaving the world of independent analysts to pursue new adventures. In my last column, I'd like to explore some of my recurring themes and offer some predictions for the future.
The world of security has turned on its head. It was always a fast-moving space, but in the last three years it has become a roller coaster. Part of that is because of huge changes in IT itself. Part of it is because of the enormous importance of electronic communications in our lives today. Some of the trends will continue to make security challenging, yet also rewarding and fascinating at the same time.
Mobility: The whole paradigm of security was originally based on immovable systems in concentric perimeters. That model is well past broken, yet it persists throughout most environments. Have a look at how many security systems rely on IP addresses and you will see why mobility breaks everything. Things will get more and more exciting as IT, security and society as a whole come to grips with the idea of enormously powerful sensor and communications platforms, full of every personal detail and experience, permanently carried by almost every person.
Virtualization: I wrote the first article on virtualization security in April 2004 for Network World. At the time, I saw an enormous potential for virtualized security. I saw the possibility of joining endpoint security and network security into a new paradigm that had elements of both but was more powerful than either. Unfortunately, that space is still immature as companies have tried to patch together a strategy to secure virtual systems largely by VLAN segmentation and firewalls. This has ended up weakening security and hampering virtualization too. I fully expect that in the end we will get there. The most important question is not, "How do I secure virtual systems?" but, "How do I virtualize security systems?" Answer the second and the first becomes much easier.
Cloud computing: The cloud is about to achieve a small percentage of the level of hype surrounding it, but that still means a remarkable transformation of IT and IT operations. It also means a huge opportunity for security, as well as a huge problem with security. For providers, security is not the barrier to adoption -- it is the holy grail of profitability in the cloud. You can actually make money off security services, unlike the CPUs which are commoditized to unprofitability. Like a restaurant that loses money on food and makes all the profit on wine and cocktails, service providers need to see security for what it is: as profitable as a liquor license. Security as a service is still in its infancy but growing rapidly. Like virtualization, the question to ask is not, "How do I secure the cloud?" but, "How do I cloud-port my security?" Answering the second makes the first question a lot easier.
Those three themes have made up the bulk of my security writing for several years. It's not because they represent new security technologies or products or vendors. It's because they challenge the foundational models and notions of security that permeate most security implementations. They subvert our security by contradicting the most fundamental assumptions we make in security. In my native culture, there is a word to describe this: skiamorphe, which means a "shadow of the old form." It describes a tendency to incorporate the features of an obsolete technology in a new one when it first emerges. In security, we have not yet emerged from the shadows of a location-centric, perimeter-oriented and static model. Until we do, we will be wandering in the dark.
Read more about wide area network in Network World's Wide Area Network section.