New Year Will Put New Pressure On Security Services Decisions

Security, as many consumers have recently discovered, is a matter of perspective. Many consumers carefully lock their houses each night and turn off their computers. They keep their AV products up to date, their wireless connections encrypted, and their passwords in their heads.Then they find out some company has lost all of their data, and they are now prime candidates for identity theft.

Enterprises are in a similar situation. These days, many enterprises are careful to deploy their security patches, encrypt their portable hard drives, and update their firewalls. They run audits of their environments, and they carefully protect sensitive data to prevent leaks.

Then they implement cloud computing or other third-party services and realize they don't know where their data is -- or who might be accessing it.

Do you see what I mean? Security is a matter of perspective. If you stay in your home or inside your headquarters building, then you can fool yourself into thinking you've taken all of the necessary precautions to stay safe. But most people don't live inside their houses all the time, and most businesses don't operate in a cocoon. Operating out in the world means that sometimes you have to count on the security capabilities of those outside your own sphere of control.

Which leads us, inevitably, to the subject of security services.

In 2010, perhaps more than ever before, companies will have to begin trusting others to provide some elements of enterprise security. Cloud services will require a type of third-party trust that we haven't seen since the move from private networks to Internet-based communications. The proliferation of spam and malware will make ISP security and filtering services more critical and valuable than ever. And, of course, the ongoing need for compliance will necessitate the use of third-party penetration testers, compliance advisers, and external auditors.

I hesitate to call 2010 the Year of Security Services; I called 1988 the year of ISDN, and THAT still hasn't happened yet. Still, it's clear that as we move more and more into an Internet-based environment, it would be a bit naive to think any company can build a secure, defensible perimeter. Even if you could, it wouldn't prevent your data from being lost by a business partner, an insecure WiFi network, or a hole in a hypervisor. If we are going to be able to use cloud computing and other Internet-based services, then we're going to have to depend more than ever on the security of others.

What does all of this mean for the enterprise? It means that in 2010, companies are going to have to take a hard look not only at their own security, but the security delivered by their business partners, distributors, and service providers. It will mean evaluating not only the security of the two endpoints of any communication, but also at what happens in between. And it could mean a closer evaluation of service providers, both those that offer transport services and those that offer outsourced security capabilities.

This year, whether we're small consumers or large enterprises, we're going to need more than home security.

Tim Wilson is the editor of Dark Reading.