Certainly this IT environment is well beyond what today's security solutions address or can even envision. A whole new generation of security products is needed to meet this coming IT world.
Automated. It goes without saying that this new security environment must be automated, meaning that security solutions must be installed onto cloud instances and into programs without the need for manual intervention.
That's not enough. In the future, we'll need to be able to subscribe to security services that can analyze an environment, calculate what security measures need to be applied and automatically implement them. Just as manufacturing has outstripped humans' ability to perform the same functions manually (think chip manufacturing), so too will information system security outstrip human ability to comprehend the environment's complexity.
The very human tendency to insist upon and only trust that which has been evaluated and implemented by a manual configuration will be overwhelmed by the scale of the need. Those who remain committed to manual security practices will find themselves vulnerable.
Learning. Of course, the security system will need to constantly evaluate what kind of interaction is going on in the environment and applications it is monitoring and tune its behavior accordingly. Again, waiting for humans to examine, comprehend and configure new practices just won't work in this environment. Lest you think this couldn't happen, look at credit card rating and fraud systems. That's all artificial intelligence, with reactions based on the system tracking behavior and modifying its rules as more behavioral data accumulates.
Policy-based, not configuration-based. The role of security administrators will be to define the appropriate security stance of the organization for which they work, capture it in policy and make those policy rules available to the security system. Trying to modify thousands of configuration settings manually will be well beyond anyone's competence. We will need to look to humans to define the desired outcomes and leave the method by which those outcomes are accomplished to the security software.
Again, one of the most pressing issues regarding this will be the very human temptation to check on the system's configuration decisions. Should someone intervene in the security configuration process, the likely outcome will be a reduction in overall security.
Naturally, most people's reaction to the ideas discussed here will be disbelief. Most will dismiss it as unrealistic, or too riven with problems, both technical and cultural, to ever come about. On the other hand, if you had told almost anyone a decade ago that autonomous cars would be driving around in 2012, people would have laughed at you. Now driverless cars are legal in Nevada. The lesson here: This is moving much more quickly than anyone can imagine, and "big security" is in fact on the horizon.