Gartner: 2016年十大安全预测

在Gartner 2016年安全与风险峰会上，Gartner研究副总裁Earl Parkins指出了在未来2到4年内安全领域的10大战略性规划假设Strategic Planning Assumptions (SPAs)。

1）到2020年，99%的漏洞利用将依旧是安全和IT专业人员已知1年以上的。建议措施：企业必须致力于修补他们已知存在的漏洞。这些漏洞很容易被忽略，比起事后弥补，修复这些漏洞的代价更低，也更容易。

2）到2020年，企业遭受的成功***中有三分之一是针对他们的影子IT（Shadow IT）资源的。建议措施：业务部门会想方设法去应对企业面临的现实问题，会使用各种工具来完成自己的工作。企业应该找到跟踪影子IT的方法，并创建一个接纳和保护的文化，而不是付诸于检测和惩罚。【注：影子IT泛指那些不在公司统一管理之下的，不受公司官方管辖的IT硬件、软件和应用，譬如某些部门自建的网站、自己搭建的应用（未向公司申报）等】

3）到2018年，阻止公有云信息泄露的诉求将驱动20%的组织去开发数据安全治理程序。建议措施：开发一套企业级的数据安全治理（Data Security Governance，DSG）程序，找出数据安全策略的差距，制定出解决问题的路线图，并在适当的时候寻求网络保险（Cyberinsurance）。

4）到2020年，40%引入了DevOps的企业将会通过采用应用安全自测试、自诊断和自保护技术来保障其开发的应用系统。建议措施：在DevOps时采用运行时应用自保护技术（RSAP）。对那些不够成熟的供应商和开发商的潜在安全问题点进行评估。

5）到2020年，80%的基于云的CASB交易将被打包到网络防火墙、安全WEB网关（SWG）和WAF平台中。建议措施：考虑到客户迁移到云（过程中可能遇到的问题）和绑定购买的现实情况，企业需要评估应用部署的路线图，并决定这个投资是否合理。

6）到2018年，利用原生移动安全遏制技术而非第三方可选包的企业将从20%上升到60%。建议措施：验证并掌握原生的【注：iOS和Android自带的】移动安全遏制解决方案。注意，具有典型安全需求的企业应该有计划的逐步转向原生移动安全遏制技术。

7）到2019年，40%的企业侧IAM实现将被IDaaS（身份即服务）实现取代，当前只有10%。建议措施：IDaaS的大部分障碍已经排除，企业应该开始在小规模的项目里进行尝试。由于合规性的争论会阻碍IDaaS的发展，企业需要充分认识到IDaaS当前的限制和收益。

8）到2019年，由于识别技术的引入，在中风应用险场景中对密码和令牌的使用将下降55%。建议措施：密码的使用在商业实践中根深蒂固，难以彻底消除，但是企业应该着手寻找那些聚焦于将良好用户体验融入持续信任环境开发的产品。从身份识别开始，要求供应商具备生物识别与分析能力。

9）到2018年，超过50%的物联网设备制造商将无法应对来自弱认证应用的威胁。建议措施：通过改变企业架构，物联网引入了新的威胁。早期的物联网安全失效可能会迫使业界去制定认证标准，但企业应该去识别认证风险，建立身份保障的需求，并进行度量。

10）到2020年，超过25%针对企业的确认***将与物联网有关，而物联网（安全投入）仅占整个安全预算的10%。建议措施：随着物联网的持续发展，供应商（投入）对更偏向易用性而非安全性。IT安全从业者尚无法确认物联网领域可接受的风险量是多少。企业应该指派物联网安全的责任人，关注那些有漏洞或者是无法打补丁的物联网设备，并增加针对物联网（安全）的预算。

附上原文：

1. Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.
   Recommended Action: Companies should focus on fixing the vulnerabilities they know exist. While these vulnerabilities are easy to ignore, they’re also easier and more inexpensive to fix than to mitigate.

2. By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
   Recommended Action: Business units deal with the reality of the enterprise and will engage with any tool that helps them do the job. Companies should find a way to track shadow IT, and create a culture of acceptance and protection versus detection and punishment.

3. By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.
   Recommended Action: Develop an enterprise-wide data security governance (DSG) program. Identify data security policy gaps, develop a roadmap to address the issues and seek cyberinsurance when appropriate.

4. By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
   Recommended Action: Adopt Runtime application self protection (RASP) for DevOps. Evaluate less mature vendors and providers for potential security options.

5. By 2020, 80% of new deals for cloud-based CASB will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.
   Recommended Action: While concerns exist about customer migration to the cloud and bundling purchases, companies should assess the application deployment roadmap and decide whether investment is justified.

6. By 2018, enterprises that leverage native mobile containment rather than third-party options will rise from 20% to 60%.
   Recommended Action: Experiment and become familiar with native containment solutions. Keep in mind that enterprises with average security requirements should plan to move gradually to
   native containment.

7. By 2019, 40% of IDaaS implementations will replace on-premises IAM implementations, up from 10% today.
   Recommended Action: Enough limitations have disappeared on Identity as a Service (IDaaS) that companies should start experimenting on small-scale projects. While a clash of regulations could derail the increased implementation, companies should work to recognize the current limitations and benefits.

8. By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.
   Recommended Action: Passwords are too entrenched in business practices to disappear completely, but companies should look for products that focus on development of an environment of continuous trust with good user experience. Begin by identifying use cases, and press vendors for biometric and analytic capabilities.

9. Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.
   Recommended Action: By changing the enterprise architecture, IoT introduces new threats. Early IoT security failures might force the industry towards authentication standards, but companies should identify authentication risks, establish identity assurance requirements, and employ metrics.

10. By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
    Recommended Action: As IoT continues to grow, vendors will favor usability over security and IT security practitioners remain unsure of the correct amount of acceptable risk. Companies should assign business ownership of IoT security, focus on vulnerable or unpatchable IoT devices, and increase IoT-focused budget.

【参考】

Gartner：2016年十大信息安全技术（含解读）