Thursday, June 17, 2010

Giving Authentication the Finger

Having recently broken the thumb of my dominant hand, it has become painfully clear to me that thumbs and fingers are an integral part of who we are and something we take everywhere … even when they are a big PAIN.



Why bring it up?

  • Like many enterprise users, my corporate laptop comes equipped with a fingerprint scanner, and I have linked it to my desktop sign-on.
  • While the advantages to me were not obvious at first, losing the ability to authenticate this way makes me realize what a substantial usability advantage it is to me daily.
  • But the security advantages, combined with cost savings on provisioning/replacing tokens, are much greater.
  • Leveraging Oracle IdM & BIO-key biometric authentication solutions offers the Enterprise better security and gives customers a substantially improved user experience.

  

How Does it Help?

  • Tokens & Passwords have limitations - Password and token security policies are either ineffective or become a nightmare for both IT staff and users to manage, from both a productivity and a cost perspective.
  • Give me an Example - The George Washington Medical Center in Washington DC recognized that doctors and staff were becoming increasingly frustrated with having to remember and periodically reset their passwords in order to meet security requirements. So in May of 2007 the IT staff and Allscripts successfully integrated fingerprint identification software from BIO-key International into the Enterprise EHR Solution to protect access to patient medical records.
  • What was the result? - Privacy of patient records was vastly improved; doctors now quickly and conveniently access the information they need; system security is enhanced.
  • How does it work? - BIO-key International’s ID Director integrates with Oracle Access Manager to enable user authentication to OAM-protected applications based on fingerprint biometrics. This provides a more convenient, secure and cost-effective alternative to passwords and tokens for establishing an individual’s identity.
  • For more information - click here 
What about Identity Theft?

  • While it seems to happen every day in spy movies and gag shops, in reality cutting off someone’s finger and using it for authentication is far less likely to impact the Enterprise than tokens left in a taxi/plane.
  • Comparatively, the rise in traditional and emerging forms of identity theft highlights the current deficiencies of passwords and tokens used to establish a user’s identity when accessing your databases and applications.
  • An article published in January by the Identity Theft Resource Center states “The meteoric rise in social media use has also created a launch pad for identity thieves.”
  • The article predicts an increase in ID theft crimes and victims over the next two years unless significant changes are made in information security.
  • The article goes on to say “Our most important asset is our identity. And we are functioning under a completely antiquated system of identification.”
  • BIO-key International’s ID Director for Oracle Access Manager applications, based on fingerprint biometrics, provides a more convenient, secure and cost-effective alternative to passwords and tokens for establishing an individual’s identity.
  • For more information- click here



To learn more about BIO-key ID Director for Oracle Access Manager, visit the solution page.



Friday, March 12, 2010

Leaky pipes, call a plumber. Leaky data, call PwC & Oracle


Enterprises are moving from “Who has access to what?” to “What are they doing with it?”

Data & Identity theft has a potentially enormous financial impact on the enterprise through damage to brand reputation, regulatory penalties, and competitive theft. But protecting against misuse of resources is an increasingly challenging issue in a world of Cloud Applications, globally dispersed teams, and networks open to multiple devices, contractors, and Web 2.0 applications.

"A small leak can sink a great ship." - Benjamin Franklin

Is this really a problem?
  • Trust me – According to Wikipedia, an Ethical Hacker, or White Hat, is “the hero or good guy, especially in computing slang, where it refers to an ethical hacker or penetration tester who focuses on securing and protecting IT systems.” While the concept is reassuring, 90% of tests by White Hats succeed in getting sensitive information.
  • The FTC puts the annual business loss from ID/Data Theft near $50 billion.
  • Over one-quarter said the incident resulted in brand/reputation damage.
  • With growing profits, sophisticated techniques, lagging international laws, and the migration from a basement hobby to organized crime syndicates, this is an area of growing opportunity for criminals that is increasingly hard to prosecute.
  • Identifying and protecting sensitive data requires a deliberate process of understanding your existing risk and “plugging the leaks”.
  • This is NOT just an IT issue, it is an overall business issue.

Why have we missed this?
  • Why? - While portable/accessible information is crucial to fast-moving collaborative businesses, sharing data can lead to unintended consequences.
  • What is it? - Sensitive or regulated information including Intellectual Property (“IP”), Personally Identifiable Information (“PII”), trade secrets, sales/customer data, and payment card data is all open to misuse or compromise.
  • What is the impact? – Beyond the obvious risk of fines and lawsuits, breaches can lead to a long term impact on brand reputation, competitiveness, and financial well-being.

Is this a growing problem?
  • These thefts are increasingly driven by organized, motivated, and sophisticated groups that are well compensated for their success.
  • In a down economy with growing layoffs and fears of unemployment, employee loyalty is the Enterprise equivalent of a unicorn.
  • Global businesses rely on international collaboration networks, distributing information through a variety of methods—potentially leaving companies more exposed.
  • IP loss leads to counterfeiting, fraud, and from there loss of revenue with lasting negative effects on brand value and corporate reputation.
  • Existing IP protection is not designed to detect targeted hacking or electronic espionage activities.
  • Standards such as Payment Card Industry (“PCI”) or Sarbanes-Oxley (“SARBOX”) create a false sense of security, as they are very narrow in scope.

What did we do before?
  • Ignorance is Bliss – Most felt, “This will never happen to us.”
  • The Gong Show – Historically attacks were driven by outsiders: disorganized amateurs working from their parents’ basements.
  • Not my job - “This is an IT issue.”
  • Risk Reward Ratio – Previously the impact was negligible compared to the cost of solving the problem.
  • Unicorns ARE real – “We trust our employees to secure our information.”
  • Who Cares – “We passed our audit, so we’re safe.”

What should we be thinking about now?
  • Enterprises, regardless of their size, vertical, or location, need to confront a real and growing risk from data and identity theft.
  • Data loss comes from organized groups and internal employees, through physical loss, data exchanges, fraud, and human error.
  • Corporate data losses open the door for employees and customers to experience fraud and personal identity theft.
  • Employees and collaboration networks are the most common data leak sources.
  • Data protection is not just a C-Level issue, it is a CEO-level concern.

What do I do about it?
  • Data Security Audit – Understand where your sensitive data is, where your leaks are and what your options are for plugging the leaks, with the help of PwC.
  • Data Loss Protection (“DLP”) – Leveraging integrated tools from Oracle partners including McAfee and Symantec, Enterprises have the tools to inspect data on the network or in flight, understand how sensitive it is, and respond.
  • Oracle Information Rights Management (“IRM”) - Provides a uniquely efficient response to sensitive data highlighted by DLP products. Oracle IRM allows Enterprises to continue to share sensitive data while protecting it from misuse or theft.
  • Oracle Identity & Access Management (“IAM”) - Extends the standard provisioning of access rights and roles for applications to data and content by working closely with Oracle IRM.
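As an added illustration of the content-inspection step a DLP tool performs on data in flight (example code written for this page, not a product of Oracle, McAfee or Symantec), the Python below scans constructed sample records for two of the regulated data types named above, payment card numbers (PCI) and US Social Security numbers (PII), and labels each record so a policy can decide whether to allow, quarantine or protect the transfer. The sample records, regular expressions, labels and masking format are assumptions; the card number is the commonly published Visa test number, not a real account.

```python
"""Content inspection of the kind a DLP engine applies to data in flight.

Added example for this page, not code from the original post or from any
vendor it names.  Classifies constructed sample records by the regulated
data they carry (PCI card numbers, US SSNs) and returns a label per record.
"""
import re

# Candidate payment card numbers: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the conventional AAA-GG-SSSS layout, excluding never-issued groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    A bare digit-run pattern flags order and phone numbers too; the Luhn
    check is what lets a DLP engine keep only plausible card numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, normalised to digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def classify(text: str) -> dict:
    """Label one record the way a DLP policy would before choosing a response."""
    pans = find_pans(text)
    ssns = find_ssns(text)
    labels = []
    if pans:
        labels.append("PCI")
    if ssns:
        labels.append("PII")
    return {
        "labels": labels,
        "pan_count": len(pans),
        "ssn_count": len(ssns),
        # A masked preview is all a reviewer should see; the full PAN stays in the scanner.
        "masked": [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans],
    }


# Constructed sample records (assumed input, not data from the post).
SAMPLE_RECORDS = [
    "order 4012 8888 8888 1881 shipped to customer 1002",   # Luhn-valid test PAN -> PCI
    "invoice ref 4012-8888-8888-1882 pending",             # fails Luhn -> not flagged
    "employee record SSN 123-45-6789 updated",             # SSN -> PII
    "support ticket 8675309 call back requested",          # no sensitive data
]


def scan_records(records=SAMPLE_RECORDS) -> list:
    return [classify(r) for r in records]


if __name__ == "__main__":
    for rec, result in zip(SAMPLE_RECORDS, scan_records()):
        print(f"{result['labels'] or ['clean']!s:12} {rec}")
```

The point of the Luhn step is the false-positive rate: the second record differs from a valid card number by one digit and is correctly left unflagged, which is what allows a DLP response (block, quarantine, or hand off to IRM) to be applied automatically rather than after manual review.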

Who is PwC?
  • Founded in 1998 through the merger of Price Waterhouse and Coopers & Lybrand, PwC has a client history dating back to the nineteenth century, combining a global perspective with a local focus and a deep understanding of US national issues.
  • Originating in London in the mid-1800s, PwC has 16 industry sector concentrations, with unique expertise in assurance, tax, human resources, transactions, performance improvement and crisis management that helps resolve complex client and stakeholder issues worldwide.
  • From global financial services and the public sector or military to non-profits and relief agencies, their collaborative model creates innovative solutions to today's most complex business issues.


For more information:
  • Contact: Gary Loveland, Principal, National Security Practice Leader
  • Tel: +1 (949) 437 5380



Thursday, February 25, 2010

Identity & Access Governance hits the Big Time!!!

Combining Oracle+Sun IdM & GRC products with cutting-edge partners, Identity and Access Governance is center stage in IdM today.

“Whenever the people are well-informed, they can be trusted with their own [governance].”  - Thomas Jefferson

Even back in his day Thomas Jefferson noted that good government, like good governance, depends on being informed. More and more these days, Enterprises are looking to their IT resources not only to enable business functions but to provide greater visibility into those functions/applications. Through Oracle’s applications and the expertise of partners like Simeio Solutions, Oracle is helping deliver this visibility for Identity and Access Governance.

So, who is Simeio?
  • Leaders with IAM and Role Management deployments
  • Reach: Global customer base with a presence in NY, LA, Atlanta, Dallas, Canada, Australia, and India; Canada (2008), ASPAC (established in Sydney and Mumbai, 2009), EMEA (planned for 2010, UK in Q1)
  • Focus: Solving critical business needs through IAM, IT-GRC and Cloud Computing; Fortune 100-1000 reference-able clients
  • Biz/Tech Capabilities: Simeio has experienced resources able to deliver IAM and IT-GRC consulting projects; Simeio has developed quick-start assessment and rapid deployment models allowing for shortened project delivery timelines, using both fixed-fee and time-and-materials contracts; resources across the company are trained across Oracle’s security portfolio (User Provisioning, Role Management and Compliance)
  • Services Capabilities: Simeio has a diversified set of services to differentiate from its competition and be seen as a leader in Identity and Access Management and IT-GRC; Simeio meets with industry analysts (Burton, Gartner, Forrester) on a regular basis to keep a pulse on industry trends and ensure its services align with customer needs; Simeio meets with vendor Product Engineering and Management on a monthly basis
  • Value: Strong team with a reference-able base of customers for Simeio to discuss Oracle Identity Management; up-sell of the Oracle Identity and Access Governance suite to existing and new customers
  • Strong position in the market with deep understanding on Identity, Role and Compliance Management
  • Allows for Oracle to have a dedicated team to go into Oracle accounts and discuss and implement these solutions as a replacement to other role management and identity products and continue to expand Oracle’s footprint within the account

Where do they come from?
  • Enterprise Software Experience: Collective team comes from Vaau (prior to its acquisition by Sun)
  • Deployment Experience: 90% or more of Sun Role Manager (“SRM”), now Oracle Identity Analytics (“OIA”), deployments done by Simeio
  • Migration Experience: Provide a deployment /migration path from other Role Management & Identity solutions to Oracle IdM; example Sun Identity Manager (“SIM”) to Oracle Identity Manager (“OIM”)
  • Competitive Experience: Knowledge and experience has led to key wins against competitors such as Aveksa, SailPoint & CA
  • Field Experience: Work with field and development around POCs and beta testing
  • Product Experience:  Simeio Developed SRM 5.0 Documentation and was an integral part of the SRM 5.0 release
  • Unique IP: Simeio Solutions has Intellectual Property around integrating and fast tracking deployments of SIM/OIM: Packaged 2 step approval workflow built for quick deployment; Package for quick integration between SIM-SRM and OIM-SRM; Packaged custom reports providing immediate business value; Expertise in developing custom connectors for home-grown applications
  • Unique Approach: Skilled resources out of our center of excellence for custom development; “zero-day” rule based provisioning solution; Quick ROI and value to the business; 7 day manual process reduced to 5 minute automated provisioning

How do they help with IdM Governance?
  • To borrow a phrase, they have their own dog in this hunt: Simeio Solutions has Intellectual Property such as DirectAXs and offers services in the cloud for Provisioning, Single Sign-on and Access Request
  • Compliance & Role Management:  Simeio Solutions Intellectual Property around integrating and fast tracking deployments of SRM; best practices SoD library; plus 160 Business Rules and thousands of technical rules
  • Well Published: Authored multiple independent white papers published in Role and Compliance Management
  • Well Respected:  Already published in several technology analyst papers
  • Role Management for the Enterprise (RME) & GRC: Best-of-breed practices for IT-GRC consulting projects; Simeio is currently seen as the leader with the most Sun Role Manager deployments; Simeio has developed quick-start packages and delivered numerous projects with both Sun and Oracle Identity Solutions; Simeio has reference-able deployments at Fortune 100-1000 clients

What exactly do they offer On Demand?
  • ROMAXs - Role Engineering, Role Management
  • ICOMAXs - Access Re-Certification, Identity Auditing
  • GRCAXs - Policy Management, Controls Testing, Risk Assessment
  • IAMAXs - User Provisioning, Self Service
  • SSOAXs - Web Single Sign-On, Federation, Web Access Control, and Role Mining/Management

The alternative to a flexible infrastructure that allows dynamic access to business resources BUT gives visibility is protection through limiting access:
“The best government is a benevolent tyranny tempered by an occasional assassination.” – Voltaire

While this might have worked for Voltaire, most modern Enterprises are looking for IT infrastructure that enables business innovation and growth; Oracle and its partners like Simeio are poised to deliver this.

Wednesday, January 27, 2010

Identity Management as an Appliance by AegisUSA

In light of the Oracle/Sun acquisition closing today, AegisUSA’s existing solution demonstrates the power of Sun/Oracle Identity Management delivered as a hardware appliance.


Who is AegisUSA?
  • IAM solution provider
  • Over 60 clients nationwide
  • Created IAM IP over last 5 years
  • Built IAM products focused on specific solutions
  • Market focus
      • Mid Market
      • Higher Ed
      • Healthcare
      • State and Local Government

What is the challenge with the traditional approach?
  • Small Identity Customer = $500K Project
      • $50-150K Software License
      • $200K PS
      • $50K Hardware
      • 1000-3000 Employees
      • 3-6 month deployment
  • Organizations with 1000 users and below may be priced out of both the solution and the suite and therefore may not be good opportunities to prospect

What is the benefit of AegisUSA Appliance?
  • Small Identity Customer can’t afford $500K
      • $50-150K Software
      • $50-75K Solution
      • 30 Day Deployment

What is it?
  • Appliance Solution
      • Hardware – 2 Sun Fire x4150 Servers
      • Sun Identity Management Software Suite: Identity Manager, OpenSSO, Directory Server
      • Supporting Sun Software: MySQL, Solaris 10, Open MQ, GlassFish
      • Professional Services to Install, Connect, and Configure
      • Appliance Support

What are the benefits of the Appliance approach?

  • Foundation for Further Expansion
  • Differentiator from other “point” solutions.
  • Open Architecture
  • Easy to Understand, Implement, and Support
  • Requires Minimal Professional Services to Deploy
  • Solves “Low hanging fruit” identity problems
  • Provides Quick wins
  • Increases Visibility for IAM Initiative

IdM includes a broad set of use cases, so where did they start?
Password Management
  • Account Discovery (3-5 apps – 1 Authoritative)
  • Change Password
  • Forgot Password
  • Change Authentication Questions
  • Password Policy Configuration
  • Help Desk Admin
  • Password Reset
  • Change Password
  • User Audit Report
  • Standard auditing and reporting
  • Branding
Federated Identity
  • Infrastructure to join InCommon Federation
  • Leverage existing AuthN (LDAP)
  • OpenSSO with Shib SAML Profile
  • Documentation Package for clients
Single Sign On
  • Initial Loader and Existing Directory Integration
  • SSO Object Class Updater
  • Policy and Rule Configuration
  • IDM Authentication
  • Application Authentication and Simple Authorization
  • Session Persistence
  • Request SSO Access
Google Apps Provisioning
  • Leverage existing ‘directory’
  • Well defined set of rules for provisioning accounts
  • Allow for sponsored/guest account creation

This is a great example of how Oracle/Sun Identity Management software can be delivered as a hardware device to increase customer success and reduce implementation cost. We look forward to seeing further innovations that come from Oracle/Sun + Partners!

Wednesday, January 20, 2010

Government is going to the clouds...


“The government's living in its own cloud cuckoo land...” - Bob Brown


For reasons ranging from cost savings to real-time collaboration, innovation and job growth, government agencies around the globe are increasingly racing to roll out cloud services. And as in most IT departments, there are areas of major overlap where various groups are competing for budget and influence.


Like an awards show, below I have highlighted some of the more notable Cloud Initiatives in progress within the Public Sector, starting here in the United States:


My Favorite Cloud (Being a Space Camp graduate): NASA Nebula

  • According to Wikipedia "A nebula is an interstellar cloud of dust, hydrogen gas, helium gas and plasma."

  • The pun-intended pilot program is under development at NASA Ames Research Center; it is primarily based on open-source components and provides a virtualized, dynamically scalable computing infrastructure .... hence a cloud.

  • Today it is used primarily for public outreach, but in principle also for scientific collaboration and mission support.

  • As we see with Enterprises, innovation outpaces infrastructure, and NASA researchers see Nebula as a way to share discoveries dynamically and iterate rapidly on theories, leading more quickly to scientific discovery.

  • As with any organization with high-value IP, data handling, privacy, and access requirements are critical, so security is fundamental, as is the need to comply with agency and federal policies such as the Federal Information Security Management Act (FISMA).

  • Nebula's Infrastructure-as-a-Service leverages Eucalyptus, a cloud management system from UC Santa Barbara that is compatible with Amazon's EC2 web service.

  • However, NASA assures us that sensitive information is NOT being stored on Nebula.


Obama's Favorite Cloud: Apps.gov

  • Goal - Per the launch announcement, “to lower the cost of government operations while driving innovation within the government.”

  • Apps.gov is an online storefront for federal agencies to quickly browse and purchase cloud-based IT services, for productivity, collaboration, and efficiency.

  • This breaks from the historical pattern we saw before 9/11 (which led to the creation of the Department of Homeland Security), where data (and apps) were hosted by individual agencies on fenced-off devices.

  • As the Fed spends north of $75 billion annually on IT, the potential benefit from even minimal optimization is enormous.

  • Additionally, for anyone who has gone through a Fed procurement process, it is painfully clear that glaciers of molasses in January move faster. Enabling a more dynamic model of sharing resources could, theoretically, enable Federal agencies to roll out new services much more quickly, saving time and money (on people) and being more effective ... more upside.

  • Peter Mell of NIST succinctly put it, "2010 will be the year of the cloud computing pilot." I look forward to continuing this exciting conversation with you all!


Most Seafaring Cloud: Navy's CANES Initiative

  • Why it's cool – Like any cloud initiative, it seeks to make data and applications shared resources accessible by users/apps ... but the Navy makes it accessible by Sea.

  • The Consolidated Afloat Network Enterprise System (“CANES”), as you might suspect, consolidates hardware/software for centralized access which will deliver a common hosted computing environment for the entire fleet ... freeing up the ships to focus on their day job, protecting us from the bad guys ... sounds like a great idea to me!!!

  • The Navy is also looking at their own version of a Virtual Private Cloud for the individual boats (ok, they prefer the term vessel) called "grey clouds"


Toughest Cloud: DISA Cloud Initiative

  • The Defense Information Systems Agency (“DISA”) is currently putting together several Cloud services for the US Department of Defense (“DoD”).

  • These include Forge.mil, an open source initiative (Thanks for supporting the US software industry) which is a group of SaaS applications that support the DoD IT community.

  • Started in October 2008, Forge.mil is a DISA-led activity that theoretically delivers operational efficiency, cost savings, and would help protect the operational environment from potentially harmful systems and services

  • Another example is GIG Content Delivery Services (“GCDS”), which is actually not owned by the Public/Federal Sector; this computing platform is shared/deployed across the DISN (NIPRnet & SIPRnet).

  • GCDS is designed to focus on delivering applications/data in a secure and reliable fashion no matter the state (or location) of the network or end points.

  • Some interesting advantages of GCDS include localized caching anywhere, global redundancy and fail-over, multi-vector scaling, defense in depth protection, edge level data and network control, rapid implementation, and neurologically based network security.


Most Empowered Cloud: US Department of Energy's Magellan

  • If you can't run with the big dogs, stay on the porch - Funded by the American Recovery and Reinvestment Act through the US Department of Energy (DOE), the aim is really to test whether cloud computing is all it is cracked up to be or just another passing trend (What, CORBA won't change the world?)

  • The DOE centers at the Argonne Leadership Computing Facility (ALCF) in Illinois and the National Energy Research Scientific Computing Center (NERSC) in California are installing basic but comparable systems as a test bed to assess the effectiveness of cloud computing from the perspective of energy efficiency.

  • What's in a name? - Viewed as an exploration of the next frontier in IT, Magellan is named (no surprise here) in honor of the Portuguese explorer whose voyage was the first to circumnavigate the globe. The “clouds of Magellan”, two galaxies, were also named after him, so it gets even cuter.


The Most Pale Cloud: Department of the Interior's NBC Cloud Initiative

  • The Department of the Interior's National Business Center (“NBC”) is planning a set of cloud services to be offered to the broader community of federal agencies.

  • Having historically operated as a service provider, NBC (no peacock included) was originally established as a shared services provider for what those of us in the commercial sector might think of as G&A activities such as accounting, HR, etc.

  • Starting in 2004, NBC took on the role of US government-wide service provider under the Information Security Systems Line of Business and, in so doing, quickly stumbled into the typical multi-tenancy issues/requirements we see in the commercial space.

  • Today NBC (still no peacock) is planning to start with 6 cloud solutions: NBCGrid (IaaS), NBCFiles (Cloud Storage), NBCStage (PaaS), NBC Hybrid Cloud, NBCApps (SaaS Marketplace), & NBCAuth.



Around the World

“Behind every cloud is another cloud.” - Judy Garland


James Bond's Favorite Cloud: The UK's G-Cloud Initiative (it even sounds classy)

  • Announced by Great Britain's Federal CIO, this onshore, private initiative by the government is aimed at delivering a middleware platform for delivering data and applications as shared services in an iTunes.gov.uk-like application store.

  • Initiated with a study/investigation into the effectiveness of Cloud Computing and Virtualization, the apparent success of their test results turned into a full-blown IT initiative.

  • As in the US, the goal is to empower UK government agencies to benefit from the cost savings and efficiencies of a shared computing environment while also maintaining the appropriate levels of security, accountability and control required by government programs.

  • Having previously kept such efforts within specialized teams/groups, this is the first effort to bring IT innovation directly under the responsibility of their operating agencies (or, for those of us from the private sector, think business owners not IT).


The Cloud with the most painful acronym: The EU's RESERVOIR project

  • While Government agencies are known for their use of acronyms, the EU (already an acronym) takes the cake with the Resources and Services Virtualization without Barriers Project (“RESERVOIR”).

  • As in the US and the UK, the project is designed to provide cost savings, efficiency, and scalability across a shared pool of IT resources and geographies.

  • It uses on-demand resource provisioning and the Web 2.0 model of applications as services and networks as platforms to expedite time to market for new government resources, helping the EU compete on the global stage.

  • The EU hopes to leverage RESERVOIR to enhance the competitiveness of their economy and bring about a powerful ICT infrastructure for the reliable and effective delivery of services as utilities.


Most Friendly Cloud: Canada's Cloud Initiative

  • The initiative was essentially outlined in a paper from the Canadian Government's CTO of Public Works as a strategy for helping diminish the negative impact of IT on the environment.

  • It also suggests that leveraging the inherent cooling advantages of Canada's geography makes the country an ideal location for hosting worldwide cloud initiatives.

  • Looking at this from the perspective of a traveler, Canadians are possibly the most generally likable travelers and hosting high value infrastructure there might make it safer from unintended terrorist attacks.


The Sunniest Cloud: Japan's Kasumigaseki Cloud Initiative

  • Dubbed the ICT Hatoyama Plan as outlined by the Digital Japan Creation Project, Japan’s Ministry of Internal Affairs and Communications has released plans to deliver a massive cloud computing infrastructure to support all of the government’s IT systems.

  • Tentatively named Kasumigaseki after Japan's first high-rise building (the first building in the clouds), the plan is to deliver the infrastructure in stages with full rollout by 2015.

  • As seen in other countries the goal is IT efficiency for cost savings and speed of rolling out new solutions and services

  • Japan’s Ministry of Internal Affairs and Communications (MIC) anticipates that the project will boost the economy

Thursday, December 31, 2009

Security’s Baby New Years for 2010

As the ball drops on the 1st decade of the new millennium…
What will represent the Baby New Year of 2010 for Information Security?
Will our 2010 resolutions mitigate the threats or fall inevitably short?


Wikipedia defines Baby New Year
as a “male baby wearing nothing more than a diaper, a top hat and a sash across his torso that shows the year he is representing. Sometimes he is holding an hourglass or is otherwise associated with one”.

Not too ominous at face value, but this icon represents the anticipation, excitement, and uncertainty everyone feels in facing a new era. On the eve of 2010, the likely evolutions in Information Security (those foreseen and those yet unimagined) are certain to bring out the same feelings in CSOs, CISOs, CIOs, and CEOs across the public and private sector.

Step 1: Learning from the past attacks

"Among all forms of mistake, prophecy is the most gratuitous.” - George Eliot

What was expected?
  • Early predictions this decade anticipated that information security would be much better, more efficient, less complicated, with fewer attacks.
  • Popular thinking was that vulnerabilities would flatten/decline, and so would breaches.
  • Applications were expected to get simplified, smaller, less interdependent and less extensible.
  • Some even suggested that by 2010, a security Martin Luther would lead us through a class-action lawsuit that sparks a full-blown security reformation.
  • In 1991, D. James Bidzos, then president of RSA, created the buzz phrase “digital Pearl Harbor”, referring to a global InfoSec attack compounded by disrupted backup systems and leading to cascading failures and worldwide panic, where the origin is later pinpointed to an avoidable vulnerability.
  • Viruses and data breaches were seen as mischievous acts of disruptive individuals rather than criminal enterprises.
  • PKI was seen as the imminent solution to all authentication problems.
  • Reformers such as SEI’s Watts Humphrey proposed solutions to software vulnerabilities through formalized software engineering best practices and requiring professional licensing, as within the medical field, to minimize threats by heightening quality and consistency.
“Whoops there it is!” - The Fresh Prince of Bel-Air
What wasn't expected?
  • Hoaxes - For example, the Baby New Year Hoax of 2007 claimed a Baby New Year Virus had infected up to 42 million computers worldwide.
  • Complexity - Instead of being simplified applications became more complicated, architectures more sophisticated through SOA, virtualization, SaaS, etc.
  • Outsourcing - Rather than becoming a highly regulated, licensed profession, software development moved to an outsourcing model where vendors and customers build solutions through composite teams worldwide.
  • Abstraction - Information Security moved to an abstraction model with shared/standard components across applications for authentication, authorization, provisioning, roles management, etc.
  • Protocol flaws - For example, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS that allowed man-in-the-middle attacks.
  • Security as a Facade – For example, Security2010 offering dummy security cameras and solar-powered dummy security cameras.
  • Social Networking – 10 years ago we struggled with AOL IM, Yahoo Webmail, and peer-to-peer networks like Napster and focused on server port 80; but by the end of the decade, the top concerns were Facebook, Twitter, and other Web 2.0 applications.
  • Worms – Unlike Oscar the Grouch’s friend Slimey, the 2005 Samy worm on MySpace and Facebook’s Koobface demonstrated the risks in opening the web to malware contributions from users, innocent or malicious.
  • Get Shorty - Twitter fans’ love of mini-URLs led to vulnerabilities of their own.
  • Mafiaboy to Organized Crime – The February 2000 Denial of Service attack from the Canadian teenager known as Mafiaboy temporarily brought down sites including CNN, Dell, eBay, and Yahoo, but by the close of the decade attacks were led by well-organized and funded criminals, producing data breaches at Dave & Busters, Hannaford Brothers, Heartland Payment Systems, and TJX, and Iraqi Shia fighters hijacking the security cameras of drone aircraft.
  • Gone Phishing – Clever con artists leveraging fast flux to rapidly switch domain locations, with sites that felt like known banking sites, successfully extracted PII from users trying to log in to, update, or review their accounts.

Step 2: Anticipating future threats

“Never assume the obvious is true.” - William Safire
What can we foresee now?

  • Jail Bait – Apple’s restrictive policies on “approving” applications and limiting user control of the device have led to a large and growing subculture of “jailbroken” phones. While this gives the user more access, it opens the device to vulnerabilities. Conversely, security vendors like Symantec, McAfee, Sophos, etc. cannot develop antivirus applications for the iPhone as Apple blocks the necessary low-level access to the device.
  • Rock’m Sock’m Androids - Google's Android is a natural attack target for 2010, as Google is more open in allowing applications, but this openness is open to abuse by seemingly desirable applications functioning as malware.
  • Hey! You! Get off of my cloud – Cyber-criminals combining stolen credit cards and hosted cloud services like Amazon’s EC2 have already started to use the new platform for Bots-as-a-Service or Malware-as-a-Service. Not to mention the legal liability facing cloud services around protected data, from PII to pornography, being stored on their servers unbeknownst to them.
  • It’s getting blurry - As public and private organizations extend their use of smartphones, web 2.0, and social media to interact with clients, employees, and contractors, they blur the perimeters of the network. Organizations will need to shift the focus towards data protection beyond network/infrastructure security as the question shifts from “Who has access to what?” to “What are they doing with it?”
  • MyCloud.gov - Government agencies are increasingly moving data and services of low or moderate risk to cloud services to attain cost savings, such as NASA’s Nebula http://www.cloudbook.net/nebula-gov or the Pentagon http://www.networkworld.com/news/2009/100509-pentagon-cloud-computing.html?page=2
  • Enough is Enough – As with the recent bombing attempt, the continuous evolution towards heightened security at airports and long, uncomfortable security screenings for most passengers will likely lead to biometrics finally making it to prime time. Consumers will be willing to compromise privacy and bear the cost to simplify their life with everything from air travel to eliminating the 100+ passwords they have to remember or keep in a file on their computer or sitting on the desk.

“No question is so difficult to answer as that to which the answer is obvious.” - George Bernard Shaw
What can’t we anticipate?

  • Greatest Thing Since Sliced Bread – As we have seen throughout the evolution of enterprise software, there seems to be a never-ending flow of revolutionary architectures changing how we build products, deploy solutions, and conduct business. This includes CORBA, P2P, SOA, SaaS, Virtualization, and Cloud Services, just to name a few. As each new platform emerges there will be new vulnerabilities associated with it.
  • What’s Old is New Again – Appliances keep coming back as vendors like Intel and AMD seek to drive high-use functions into the chip set and organizations look to reduce the cost and risk associated with major deployments through the use of packaged solutions. However, each new wave of appliances has its own associated risks.
  • The Perfect Storm – Who knows, perhaps the combination of social networking, smart phones, and cloud services will lead to the “digital Pearl Harbor” that was predicted in 1991.

How did we do compared to our predecessors’ projections, and how will we be judged by those who come after us? Only time will tell.