Emerging Information Security Challenges
- Strategies for Securing the Enterprise in the New Economic Era
MENA Information Security Conference 2011
Amman, 19 Sep 2011
Ranjit Rajan, Research Director - Software, IDC Middle East, Turkey & Africa

Introduction to IDC
• IDC is the premier global ICT market intelligence, events, and advisory firm
• 1,100+ analysts in 50 countries; delivering IT intelligence, industry analysis, market data, and strategic guidance since 1964
• A division of IDG, the world's leading technology media, research, and event company
• Global HQ at Framingham, Massachusetts, USA.
• HQ for Middle East, Turkey & Africa in Dubai. Analysts based in South Africa, Turkey, Nigeria & Kenya.
• Over 100 analysts in MEA offices
• Research coverage of 25+ countries in MEA
• IDC Conferences reach out to 4000+ IT executives in MEA
© 2010 IDC

Agenda
• IT Security Market Dynamics - Key Technology Themes Shaping IT Security - Emerging Security Technology Trends
• IT Security Market in the Middle East - IT Security Spending - Forecasts
• Security Viewpoints from CIOs - Challenges & Priorities Ahead
• Essential Guidance
IT Security Market Dynamics

IT Markets in Context
[Chart: IT Spending Growth 2007 - 2015 (%), Worldwide vs Middle East; y-axis -5% to 20%, x-axis 2007 to 2015]
Source: IDC Worldwide Black Book, Q1 2011; growth in constant currency

Top IT Investments Across Markets
[Chart: share of respondents, 0% to 35%, for each investment area]
• IT reliability and efficiency
• Improving security
• Increasing productivity
• Reducing operating costs for non IT functions
• Increasing revenue
• Executing business strategy
• Meeting compliance requirements/industry…
• Aligning business and IT
• Business process re-engineering
• Introducing new and/or improved products and…
• Reducing capital costs for non IT functions
• Improving business agility
• Retaining existing customers
• Merger and acquisition(s) activities
• Implementing environmental sustainability (e.g.,…
• Expanding into new geographic regions/countries
• Improving the effectiveness of marketing
• Other
Key Themes that will shape Enterprise IT Security

Mobilution
[Chart: Laptops and Smart Phones in Use Worldwide (Mn)]
Source: IDC Mobile Handset Research 2010

Commercial/Consumer Lines Blur
Multiple devices per person is the new reality
Connectivity of Tomorrow - Intelligent Everything

Billions of Connected Devices, 2020 (Total Potential Market)
• Embedded: 23 billion (1-5 x People); 200B Big Things
• Other CE: 3.3 billion and Phones: 2.6 billion (<1 x People)
• PCs: 2.0 billion (<.5 x People)

Network Perimeter becoming more difficult to control
[Diagram: More Devices (OS:s, Mobile Phones & PDAs) and More Applications (Enterprise Apps, Office Apps, IM, email, VoIP, Web Apps) lead to Increased Vulnerabilities (Viruses, Trojans, Spam, Spyware) and Increased Network Traffic]

IT Departments Need to Plan Ahead
• Who Decides What Device Gets Access? How much access? - Enforcement of acceptable use policies. How much support (if any)?
• How to Secure Multiple Devices? Malware defence, protection of sensitive data, remote wipe, and remote kill. How to deal with the Mobile Apps explosion?
• What About BYOPC? Who owns the device if the employee leaves? How do you keep data on a personal device secure?
• Users Don’t Care About IT Boundaries - They just want to use what they want to use
Barriers to Provisioning of Converged Mobile Devices
Cost of mobile data
Cost of devices
Concerns over security, device management or support
No additional demand from users
No clear ROI
Lack of useful business applications
Usability of devices
There are no barriers
Decision sits in wrong part of organization
Others
Don't know
[Chart: % of organizations, 0% to 40%, for each barrier]
Source: IDC Gulf Mobility Study 2010, N = 304

Social Media opening a New Vulnerability Gateway
As a growing number of Social Media applications make their way into the enterprise, they bring with them even more security concerns and attack vectors: Cross-site attacks, Spam, Hackers, Malicious Code, Phishing.

Virtualization - The Good, the Bad....
86% of CIOs in Middle East are scoping Virtualization projects for the next 12 months
Security Enabler:
• Test and Patch Environment
• Application Isolation
• Forensics
• Honeypots
Security Challenges:
• Hypervisor Vulnerabilities
• Guest Machine Infection
• Denial of Service
• HyperJacking
• Audit & Compliance Issues
Source: IDC Middle East CIO Survey (Dec2010/Jan 2011) N=97

Cloud : the Brave New World
of CIOs in the Middle East are scoping Cloud Computing projects in 2011
Interest mostly around Private Cloud in the region
Data privacy/security a major hurdle to Public Cloud adoption; Amazon EC2 disruption and the PSN hack are adding to concerns
Security in the Cloud - Endpoint Security Will Move to the Cloud
Security from the Cloud – SaaS solutions
Source: IDC Middle East CIO Survey (Dec2010/Jan 2011) N=97

Emerging IT Security Areas
Emerging IT Security categories an organization expects to spend in over the next 2 – 3 years:
• Security as a service: 41%
• Security for virtual environments: 34%
• Biometric solutions for IT access control: 23%
• Others: 2%
Source: IDC IT Security Road show Dubai 2010, N=143

IT Security Threats Perception among IT Security Managers
Please rate the following threats in terms of their seriousness for your organization's network, data and Internet security (1 – not a significant threat at all … 5 – very significant).
• Malware (Trojans, Viruses, worms, and other malicious code)
• Spyware
• Spam
• Data loss through employee error (unintentional)
• External Hackers
• Data theft by employee or business partner
• Insider system sabotage
• System failures through employee or business partner error
• Application Vulnerabilities
• Cybercrime: denial of service, cyber ransom, cyber terrorism
• Casual Intruders
[Chart: stacked share of responses, 0.00 to 1.00, for each rating 5, 4, 3, 2, 1]
Source: IDC IT Security Road show Dubai, Riyadh, Kuwait & Doha 2010, N=346

Growing Threat of Data Loss
Corporate Data Loss happens through employees - accidentally and deliberately
Loss can cause severe damage to reputation, intellectual property loss, legal penalties etc.
Several avenues of data loss: Corporate email, Laptops, Mobile devices, Web portals, USBs, Instant Messaging
The Wikileaks incident shows it can happen to the best

Reasons for Data Loss
Q. What are the primary internal factors due to which your organization loses data?
Easy to send corporate data via corporate email
Data can easily be carried or copied onto DVD or USB
Company data can be easily transferred to personal email
Use of social networking and web 2.0 technology
Non-existence of user defined rights on data
[Chart: share of respondents, 0% to 60%, for each factor]
Source: IDC IT Security Roadshow 2011 Dubai

Preventing Data Loss
• Data Classification will be needed: What data is sensitive? Who can access the data? What data can be shared?
• Data loss prevention (DLP) solutions at the endpoint. File and Disk Encryption technology to prevent data access from stolen or misplaced hardware
• DLP emerging as a feature in messaging security platforms. Deploying robust messaging solutions to track inbound & outbound communication.
• Most data loss incidents are accidental; tools focus on end-user education and on stopping obvious violations of e-mail/instant messaging use policies

Factors driving DLP Spending
If planning to invest in DLP, what do you consider to be the top factors driving your data loss prevention investment plans?
Ensuring data is stored where it is supposed to be
Ensuring data is classified & accessed by authorised staff only
Control / monitor data leaving the organization via web & email
Reporting capability on incidents
Control / manage data at end-point
Support for Arabic data
[Chart: share of responses, 0% to 100%, across Extremely important, Important, Neutral, Less Important, Not Important; n=30]
Source: IDC-Symantec CIO Study 2010 N=40

Regulatory Compliance Requirements Continue to Grow
GOVERNMENT REGULATIONS: Data protection laws
INTERNATIONAL REGULATIONS: Sarbanes Oxley, Basel II & III
INDUSTRY STANDARDS: PCI DSS, ITIL, ISO 27002

Over 90% of large enterprises in the GCC are currently investing or planning to invest in Compliance solutions
Source: IDC-Symantec GCC CIO Study 2010, N=40

Identity Management becoming essential….
To meet regulatory compliance demands, an Identity & Access Management (IAM) architecture is becoming essential.
[Diagram: IAM components - Enterprise SSO, Password Management, Network Access Control]
• IAM is an integral component of governance, risk, and compliance (GRC)
• Collision of cloud platforms and traditional systems pressures enterprises to better handle IAM
• Mixtures of SaaS with internal applications, such as ERP and CRM

IT Security Market in the Middle East
IT Security (SW & Appliance) Spending in the Middle East (2010) = US$ 210Mn
Secure Content & Threat Management Software forms the largest segment of the market (67.7%):
• Network security – firewalls, VPNs
• End point security – client anti-virus & anti-spyware, end point DLP
• Messaging security – anti-malware, content filtering
• Web security - Web filtering, Web antimalware, Web 2.0 security
[Pie chart: the remaining segments, Identity & Access Management, Security & Vulnerability Management and Others, hold shares of 18.1%, 13.8% and 0.4%]
Fastest growing categories:
• Identity & Access Management Software – password mgmt, single sign-on (SSO) etc.
• Security & Vulnerability Management – compliance, risk mgmt, patch mgmt etc.
Source: IDC Gulf States Software and Security Market Report 2009

IT Security Spending Outlook - Middle East
Total IT Security Spending (SW & Appliances), Middle East
Year    Spending (US$ Million)    YoY Growth
2010    210                       -
2011F   237                       12.4%
2012F   272                       14.8%
2013F   310                       14.0%
2014F   354                       14.2%
Source: IDC Gulf States Software and Security Market Report 2009

CIO Viewpoints on Security
CIO/IT Head’s Strategic Priorities 2011
Q. What are your ICT expenditure priorities over the next 12 months? 1 means lowest priority and 5 means highest priority.
• Increased availability and performance of IT supporting business systems
• Standardization of technology infrastructure, applications and processes
• Alignment of applications to specific business metrics
• Better communication with customers
• Improved security of information and information systems
• Analysis and reporting of internal decision data
• Streamlining of internal business processes
• Improved insight into customer trends
• Cost control within the organization
[Chart: Priority (Mean), scale 3.6 to 4.5]
Source: IDC Middle East CIO Survey (Dec2010/Jan 2011) N=97

CIO/IT Head’s Technology Priorities 2011
Q. Which of the following technologies are you scoping for projects in 2011? (Multiple responses)
• Virtualization (server, storage, network,…
• Business intelligence and analytics
• Unified Communications and/or video conferencing
• Mobility technologies
• BCDR (Business Continuity and Disaster Recovery)
• Integrated network, compute and storage…
• Managed services or outsourcing
• Cloud Computing
• WAN optimization/Application acceleration
• 360 security
• Customer care and analytics
• Green IT and sustainability (energy savings, cost…
• Intelligent/Smart networks
• Open source technologies
• Social media or New media
• BPO (Business Process Outsourcing)
[Chart: share of respondents, 0% to 100%]
Source: IDC Middle East CIO Survey (Dec2010/Jan 2011) N=97

CIO/IT Head’s Challenges with Security
Q. What are your key challenges with regards to investment in security solutions?
Lack of skills
Lack of support from business / senior management
Complexity: Staying ahead of threat landscape
Budget constraints
ROI of security regarded as low
Identifying appropriate solutions / partners
Vendor support
Lack of awareness / education
Regulatory compliance
Lack of technology
Managing client/employee expectations
[Chart: share of respondents, 0% to 25%, for each challenge]
Source: IDC-Symantec CIO Study 2010 N=37

Challenges with Security Policy Implementation
Q. What are the primary reasons that hinder the proper implementation of an IT Security Policy?
Non-existence of policy
Employees do not receive proper training in terms of the security policy
User rights change constantly, making it hard to have a proper security policy in place
Policy is too complex for employees to follow
Others
[Chart: share of respondents, 0% to 80%, for each reason]
Source: IDC IT Security Roadshow 2011 Dubai

Essential Guidance
• The dynamics around "Virtual, Mobile, Social" require a new way of thinking about security: Security in a virtualized environment; Device Management, Mobile Security
• Raise awareness of the security implications of Virtualization & Cloud. Traditional approaches to network security, identity & access etc. may not be sufficient. If your organization is planning for Cloud, get involved.
• Take the lead on Data Loss Prevention seriously: Don’t wait for incidents. Start small – Endpoint solutions. IT should take the lead on data classification – look for easy wins to begin
• Align security strategies & policies with fast-evolving business needs
• Benchmark & incorporate best practices; Enforce policies
• Educate, Educate, Educate!! – Not just the average user but also senior management
Image Source: Scott Adams

Thank you!
Questions?
Contact:
Ranjit Rajan Research Director - Software IDC Middle East, Africa and Turkey [email protected]