Unisys IT Security Experts Predict 2005 Will Bring Greater Liability, Growing Mobile and Cyber Threats and Increased Identity Management

December 08, 2004 (PRLEAP.COM) Technology News
Singapore, December 08, 2004 – Unisys (NYSE: UIS) IT security consultants today revealed what they predict to be the major IT security issues and developments facing enterprises in 2005. They stressed that enterprises worldwide will meet seismic challenges in the coming year as they rely more and more on integrated networks linking them with partners and clients, increase their use of mobile technologies to empower workforces, and face determined efforts by cyber terrorists and cyber criminals to disrupt business and government.

Unisys Chief Security Advisor Sunil Misra and colleague Patrick O'Kane, chief architect of Unisys Identity and Access Management Practice, predict that the following will be the top IT security challenges and developments in 2005:


1. Application software breaches will lead to "lemon laws."
2. Trusted networks involving business partners and others will grow as sources of risk.
3. The mobile realm will continue to grow as a "Petri dish" for security incidents.
4. Cyber attack styles will become virulent.
5. Organized attacks by Internet desperados will increase.
6. Enterprises will turn to proactive "defense-in-depth" as business needs drive security.
7. Credit reporting agencies will become more involved in managing the consequences of identity theft.
8. Adoption of federated architectures for identity and access management will accelerate.
9. Enterprises will revisit role-based access control for identity and access management.
10. Virtual directory technology will increasingly become a strategic component of identity integration projects.


"Security is above all a business issue," says Misra. "Security is about making investments to optimize your capability to conduct business and about managing risk to business assets and reputation. In 2005 we'll see security challenges with significant business impact – legal, economic and technological. Enterprises will find themselves challenged as never before to make focused, strategic, pervasive investments in security. But those investments will be necessary for any organization seeking to achieve what Unisys calls the 'trusted enterprise' ideal: making risk management an integral part of its business strategy to create a secure environment that enables optimal collaboration with partners and clients and drives its business forward."

Misra and O'Kane explained their predictions further.

1. Application software breaches will lead to "lemon laws."
Providers of browsers and operating systems have frequently been the focus of blame for enterprise security vulnerabilities. Applications and related software are just as vulnerable, but more often overlooked. As applications are brought closer to the edge of the Internet, it is only a matter of time in 2005 before an attack on a specific vendor's application or database product causes damage that leads the customer to sue the software provider for the consequences of the security breach. Says Misra: "It's likely that in 2005 we'll see agitation for 'lemon laws' on security breaches involving application software. This will significantly alter the economic balance of power between the application software provider and the buyer."

2. Trusted networks involving business partners and others will grow as sources of risk.
As enterprises increasingly include external parties – such as business partners, suppliers and customers – in their business networks, the likelihood grows that companies' IT infrastructures and vital business information will be compromised. Because enterprises anticipate that most cyber attacks will come from internal personnel and external hackers, few have made provisions for attacks by partners' or clients' personnel. But those people can have just as much motive – if not more – for nefarious activity than internal employees might have.

Misra says that enterprises must evolve their security focus from simple information security to a more programmatic, process-oriented method of securing the infrastructure and authenticating users – from comprehensive policies agreed on with partners, to technology safeguards such as proxy firewalls and to federated identity management.

"In short," says Misra, "e-businesses using trusted networks must evolve quickly from 'trust me' to 'prove it.'"

3. The mobile realm will continue to grow as a "Petri dish" for security incidents.
As they become both smarter and increasingly indispensable for business, mobile environments and devices such as third-generation networks, cell phones and PDAs are pushing the boundaries of the enterprise IT infrastructure farther than the security infrastructure can currently reach. Protective technologies for the widely used Bluetooth and other common mobile environments are nascent and difficult to use, creating openings for "snatch and grab" data theft conducted on the fly.

The answer, says Misra, is a focused, prudent investment strategy. "Enterprises must approach mobile security from a business perspective rather than one of technology. They need to analyze the potential impact of current and future threats realistically. Then they must make business decisions about the amount of money and resources to put in place to mitigate the risks created by new-generation mobile security threats."

4. Cyber attack styles will become virulent.
"Possibly out of malice, but mostly for economic motives, some attackers will seek a lingering effect versus a one-time catastrophe," says Misra. "In 2005, we can expect the first worm or virus with a truly dangerous payload that alters or destroys information at the record level." The resulting problem will not be remediable by simple means, such as restoration from a previously backed up version of data. Enterprises will spend considerable time and money searching for and replacing what has been altered. Says Misra, "The worst thing is, these virulent attacks will violate the victim's operational and business integrity – decreasing trust at a time when it's never been more essential for e-business."

5. Organized attacks by Internet desperados will increase.
New cadres of cyber criminals are emerging. Unlike their predecessors, they often have purely economic motives, do not fear consequences and are willing to launch increasingly destructive attacks. Says Misra, "Until now, cyber extortionists have generally only threatened to cause damage – erasing the contents of computers' hard drives or corrupting data pointers, for example – unless they were bought off. Now we'll see them actually wreak havoc if their threats aren't complied with, using a range of assaults from targeted denial of service attacks to actual record-level destruction of information."

6. Enterprises will turn to proactive "defense-in-depth" as business needs drive security.
Complex business imperatives such as compliance with Sarbanes-Oxley, Basel 2, HIPAA, the Gramm-Leach-Bliley Act and other regulations mean that security is no longer just the realm of technologists. The ramifications of security breaches and non-compliance are now more clearly economic and personal. "Faced with accountability for compliance, management has begun to realize that security is 20 percent technology and 80 percent process," says Misra. "Off-the-shelf solutions are no longer adequate."

In 2005, enterprise management will increasingly realize the value of – and the need to implement – multi-layer, end-to-end solutions spanning a full range of requirements, from threat and vulnerability analysis to policy development, implementation of multiple technologies and managed security services. They will often find that outsourcing design, implementation and management of those solutions to an expert partner is the most efficient and cost-effective way to achieve optimal risk management and return on investment.

7. Credit reporting agencies will become more involved in managing the consequences of identity theft.
Much identity theft involves information from credit card accounts. Criminals can use that information to try accessing other systems, such as banking and brokerage accounts, to steal more information or gain access to other resources. Reporting agencies will need to help devise user identity validation methods that prevent identity thieves from using stolen ID information to access information from additional sources. Says O'Kane, "If the credit reporting agencies don't become more involved through consumer education and other proactive steps, the government will step in and start to solve the problem for them."

8. Adoption of federated architectures for identity and access management will accelerate.
Federated identity management enables participating organizations to cooperate in sharing each other's authentication and authorization services. As such, federation is vitally important for secure information sharing with external partners and suppliers, or among business units within a company. "In 2005, users will adopt federation as a key solution to the problem of increased threats within trusted networks," says O'Kane. In a Unisys research study conducted in October 2004, 37 percent of respondents indicated that they will implement federation within the next year. That adoption rate for this nascent technology is likely to accelerate further with industry adoption of the latest release of the OASIS Security Assertion Markup Language 2 (SAML 2) standard.

9. Enterprises will revisit role-based access control for identity and access management.
Role-Based Access Control (RBAC) grants users access privileges – to certain applications – according to their function, not their personal identity. RBAC can eliminate the complicated changes needed when access rights are linked directly to individual users.

Adoption of RBAC stalled until recently because of the difficulty and cost of defining roles at the enterprise level. In a 40,000-person organization with multiple systems, for example, it could take up to 12 months to define roles. However, associating the 40,000 individuals with only 2,500 roles would greatly reduce the amount of effort required for provisioning and administration. "In 2005, newer technologies will enable faster realization of the benefits of RBAC – especially greater operational efficiency and lower costs," says O'Kane.

The October 2004 Unisys research study shows evidence of accelerated RBAC adoption. Thirty-two percent of respondents said they were likely to implement RBAC in 2005.

10. Virtual directory technology will increasingly become a strategic component of identity integration projects.
Virtual directory technology provides a way to view and aggregate identity information from multiple systems without physically combining the databases. The recent maturation of virtual directory technologies now enables virtual directory solutions, which are important for integrating both new and legacy systems. For example, in an integrated justice system, a district attorney's office, police department, corrections department and judiciary, working on different computer systems in different jurisdictions, could all have authorized virtual views of comprehensive information about a known felon.

Says O'Kane, "New virtual directory technologies are eliminating the need to physically move and integrate data. In doing so, they're removing associated data-ownership issues, speeding up identity integration timelines and reducing costs. I'm convinced that 2005 is the year in which enterprise users will fully understand those benefits and make virtual directories part of their security strategy."

About Unisys
Unisys is a worldwide information technology services and solutions company. Our people combine expertise in consulting, systems integration, outsourcing, infrastructure and server technology with precision thinking and relentless execution to help clients, in more than 100 countries, quickly and efficiently achieve competitive advantage. For more information, visit www.unisys.com.

About Unisys Asia Pacific
Unisys Asia Pacific helps clients eliminate business and IT complexity providing specialized services delivered by trusted consultants. Drawing on a history of industry innovation and expertise, Unisys Asia Pacific delivers services and solutions through subsidiaries in Australia, New Zealand, China, Hong Kong, Korea, Malaysia, The Philippines, Singapore, Taiwan and Thailand and through distributors or resellers in other countries in the region.