Stories by: Andreas M. Antonopoulos

My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.

Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.

I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?

People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.

Companies are adopting virtualization technologies at a faster and faster rate. They are virtualizing servers, desktops, storage, networks. But one aspect of infrastructure has been lagging -- very few companies address the growing demand for virtualized security.

Viruses and other malware are getting better at evading antimalware systems despite the sophisticated behavioral-analysis systems that are used to detect them. This week a rogue trader in France was able to hide a growing loss until it reached US$7 billion and was impossible to hide. What do these two events have in common? Both exploit the predictability of defenses to evade detection.

There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.

I've always believed in the importance of maintaining a well-designed emergency response capability. For many years I helped organize security operations centers (SOC), computer emergency response teams (CERT) and incident response teams (IRT). No company is ever 100 percent secure. Breaches happen and will continue to happen. "Secure" companies are the ones that are able to efficiently and effectively mitigate the damage from a security incident. Looking back, I would probably do things a bit differently now. A key difference would be the balance between company privacy and involvement of law enforcement.

What drew me to the security business is that it resembles an endless game of chess. Every move is almost immediately countered by another move. For every defense a new attack, for every attack a new defense. Just like in chess, it's worth thinking a few moves ahead and looking at the whole picture -- if you concentrate too much on one part of the board you get blindsided.

SOA is one of those buzzword acronyms that mean so many things to so many people, it's hard to pin down what it is. Nevertheless, many large enterprises are integrating applications and building applications using XML, Web services and rudimentary service-oriented architectures. But what about security?

Virtualization is quickly being adopted in many different industries. As virtual machines move from testing and development roles into production, security becomes ever more important. Virtual servers are no less secure than regular servers, and may provide additional security by compartmentalizing applications.