Trying to avoid the obvious and the already underway, here are my predictions for 2010.

1. Cloud security standards emerge. By the end of 2010, we’ll see a framework emerge for establishing a well-defined set of technology, practices, and processes, organized into different levels of trust. Ultimately, adherence to these specifications will need to be certified by third parties. The effort won’t be complete, but it will be underway. Look to the government as the key industry (other than the vendors) driving this effort.

COROLLARY: The use of cloud will take off as adopting organizations by and large overcome their security concerns – or at least, understand them at a specific enough level to seek out providers that satisfy these concerns.

2. Federation will start to take off by the end of 2010. Use of federation will be fueled by SaaS and cloud computing and the need for single sign-on to bridge identity from the enterprise to those external environments. Where standards reign over kludges, SAML will be the leading mechanism. OpenID will continue to be just a lab toy for the “Identerati”.

3. Managed Security Services expands far beyond “Managed”. Organizations are not only turning to managed security services, they are seeking more from their providers than merely assuming operational functions. Increasingly, they seek partners to help them with security strategy, benchmarking, making the business case, and integration. MSSPs that are in fact multifaceted solution providers will start to establish market dominance. Big winners will be IBM, VZB, Wipro, among others.

4. Web content security in the cloud will take off. Though managed email security is one of the more popular areas of security SaaS, organizations have been slow to adopt the SaaS model for Web content security. This will change in 2010. Fueled by the increasing focus of attacks on browser and browser plug-in vulnerabilities, exacerbated by the growing degree of mobility among users, and further boosted by the acquisition of some major SaaS-based vendors (PureWire by Barracuda and ScanSafe by Cisco), SaaS-based web security is primed to enter the mainstream.

5. Cybersecurity starts to look like a bonanza for security vendors. Cybersecurity and critical infrastructure protection are real challenges. But with the need to act gaining visibility, and so much money being made available, we’re likely to look back on 2010 as a rather large give-away to the security vendor, service provider and consultant communities.

What won’t happen:

  1. Federal data privacy legislation. By the end of 2010, we’ll still be grappling with a hodgepodge of state and industry laws dealing with breach disclosure, encryption, auditing and other forms of due care.
  2. A big “I told you so” mobile malware outbreak. I do expect mobile to be the next frontier in malware – but that’s a 5-year trend, not a 12-month one. And does anyone else share my perverse sense of amusement at the irony that in the mobile world, it’s Apple that owns the malware target platform, not Microsoft?
  3. Investment in training and awareness. Despite the fact that inadvertent insider activity (including getting fooled by social engineering attacks) continues to represent a significant vector for breaches, and despite its value in enlisting users as a front-line defense to spotting suspicious activity, security training and awareness will remain on the back burner of IT security priorities.

What do you think I missed? Where do you think I’m wrong?

[This entry is cross posted to Cyberia, Jonathan Penn’s blog]