A post by Adam Dodge about a couple of University of Arizona departmental web servers being defaced reminded me of a sort of 5-year-ish prediction I have in my head now and then. These web servers were running Twiki; a vulnerability in that program led to the defacement, and the vulnerability was apparently already known to the admins.
In my last job we were an ASP (application service provider, i.e. we hosted a web-delivered service) and about 150 employees. About 1/3 of the company was comprised of IT and development staff. The number of applications we, the infrastructure (network, security, sysadmin, etc) team, supported was not terribly high, maybe about 2-3 dozen different types of systems we needed to stay abreast of or at least keep secure. That’s still a lot of work to be on top of patching and securing and managing those applications properly. And it really sucked to have surprise applications (one was a wiki hosted on a developer laptop that suddenly became a burden to his system performance [gee, ya think?] and a critical piece of their own processes [ugh, thanks]) pop up in the environment.
My prediction is corporate applications will do one of three things:
1) Security will move to the network and we won’t necessarily give a crap about what goes on a system. Thin-client computing is being talked about again… If people want to run an application for their department that is buggy and 7 years old and barely supported anymore, go ahead in your own little secured network area.
2) Security and IT management will win out and corporate applications will consolidate and diminish. Rather than trying out everything under the sun and small pockets of people relying on a disparate number of applications, corporations will get rid of a lot of them and just use the really important ones. Providers that can provide a full solution will benefit. For instance, Salesforce.com provides sales with almost everything they need except corporate email and phones. That’s awesome and leaves sales really not wanting for much else other than mobile devices and access to information when they need it, anywhere.
3) We’re just plain screwed and the security function of managing all those disparate applications will be a regular task for IT/security.
This flies in the face of what I really think is coming: outsourced security. You can audit, evaluate, test, assess, monitor, and manage alerts from an outsourced entity, but how can an outside entity ever truly understand all those little apps that pop up in every corporate environment? How much clout would such an outsourced team have when saying an HR tool is outdated and should be removed as a liability and administrative drain on resources? How intimate can they REALLY get? (Answer: only as intimate as the tools let them…and they don’t get that intimate…)
I guess I can mix this all around and say a prediction will be the grinding of these two gears that don’t quite fit with each other: outsourcing security and day-to-day IT tasks vs. the disparate, complex and ever-changing digital landscape of the corporate campus.