Emerging Challenges in Information Security

I’m updating a client’s information strategy document. This requires that I identify emerging challenges in information security. This involves some prognostication regarding trends in the near future, and concise summaries of selected infosec pundits.

I’m looking for truly new developments, not a rehashing of recent history, and not the usual security chestnuts like IDS, firewall policies, VPN administration, incident response, etc.

Here are some topics I’ve found:

Information Security and Physical Security Convergence – Physical security has always been important to IT security. The relationship has become more intertwined as the computing environment has become more distributed. It is no longer just about securing the data center. Intelligent computing devices and network access points are all over. A stronger reason for this convergence is the adoption of IP-based management protocols for traditional facility-based devices (CCTV, alarm systems, facility access control, HVAC, power, etc.).

Integrated Security Management Systems – Sometimes called the “security dashboard”, this is an attempt to create a security management console similar to what products like HP OpenView provide for fault and performance management.

Voice over IP Security – The cost and management advantages of VoIP are leading some organizations into a full charge ahead with this technology. The combination of IP-based networks and old-fashioned telephony promised to bring back the era of phone phreakers.

Wireless LAN Security – This is almost an “old news” category, but were it not for the constantly evolving security standards and constantly evolving attack tools. It seems every time an improved crypto protocol is released, a new tool designed to attack it follows.

Business Partner links – In some form, this has been around since the days of EDI. The current version involves Web services. The key buzzword acronym is SAML (Security Assertion Markup Language).

End point security – Securing the desktop and laptop device, especially when IT may not have direct control over the machine. Employees want to work from home, traveling executives may check their email from kiosks, etc. How can one evaluate the security of the endpoint, and allow or deny services based on that security?

As I research these, I will post my findings and analysis here.