What an incredible, action-packed year 2019 turned out to be in cybersecurity. Throughout the past year, I interviewed industry experts, authors, and technology luminaries on topics ranging from quantum computing to authentication to top security threats to PKI evolution. Below are highlights from The PKI Guy’s 2019 Q&A Series. Keep checking back to read about the latest topics and trends as we embark on another interesting and engaging year ahead!
Q&A with Bruno Couillard, president and CTO, Crypto4A
TPG: What is the latest in quantum cryptography advances?
BC: There is a tremendous amount of activity in the cryptographic community to develop new quantum-safe algorithms to replace conventional public key algorithms, which are vulnerable to quantum computing-based analysis. This includes algorithms leveraging hash-based, code-based, multivariate, lattice-based and super-singular isogeny elliptic curve cryptography. These all have various pros and cons with regard to maturity, implementation difficulty, resource usage, security, and performance. One challenge is that standardization efforts of new quantum-safe algorithms by NIST and other organizations are ongoing, so it is important for solution providers to take advantage of a cryptographically-agile platform such as QASM, which allows them to implement quantum-safe solutions today while still being flexible enough to adapt to new algorithms and variations as the standards and best practices evolve. Read the complete Q&A here.
Q&A with J.J. Stapleton, co-author of Security without Obscurity: A Guide to PKI Operations
TPG: What security controls do you recommend for highly-secure PKIs?
JS: There are essential controls needed for any high-risk application, such as multifactor authentication for its administrators, clear separation of duties, and independent auditing outside the operational management structure. But for any PKI, the CA private keys used to sign the certificates must be protected using cryptographic hardware security modules (HSMs) that are FIPS 140-2 certified at security level 3 or, better, level 4. Note that there are other equivalent certification programs out there. Another important control is that the messages between the registration authority (RA) and the CA are signed, but this is rarely done. Regular audits are critical, as is having a proactive policy authority (PA) keeping the CPS and agreements current. Read the complete Q&A here.
Q&A with Cindy Provin, CEO, nCipher Security
TPG: Where is cryptography headed over the next five years, 10 years?
CP: Cryptography will continue to be part of our everyday lives and even more so in the coming years. Encryption is at the heart of digital transformation and that digital transformation is changing the way we live. Think about connectivity — or IoT, electronic transactions, and online payments — they all rely on a root of trust that enables trust, integrity, and control. Read the complete Q&A here.
Best Practices for Enterprises
Q&A with Ryan Smith, vice president, global business development, Futurex
TPG: What information security best practices do you recommend for enterprises?
RS: For a long time, the industry’s mantra has been “encrypt all sensitive data.” This is good, but it misses a vital component: key management. As organizations start incorporating encryption into more areas of their business, they need the technology and the training to effectively manage their cryptographic keys. When enterprises pair effective cryptographic processing with robust key lifecycle management, their overall security posture increases alongside general improvements seen in efficiency. Read the complete Q&A here.
Q&A with Dr. Charles Clancy, executive director of Virginia Tech’s Hume Center for National Security and Technology, engineering professor, and author
TPG: How is the U.S. faring in the global 5G race?
CC: One of the key concerns around 5G security is the security of our supply chain. Over the past two decades, the North American telecommunications OEM ecosystem has withered, with giants like Motorola, Nortel, and Lucent all being broken up, going bankrupt, and being sold to foreign companies. The ecosystem has fragmented into the EU suppliers Ericsson and Nokia, and Huawei in China. Trends show Huawei’s market share continually increasing while the EU companies’ share is continually dropping. Chinese companies now dominate standards bodies like 3GPP.
This creates complex dynamics as the U.S. and its allies seek to roll out 5G. There is considerable anxiety that global adoption of Huawei technology could leave the Internet fabric itself vulnerable to Chinese manipulation and exploitation. China does not have a good track record when it comes to hacking, censorship, and intellectual property theft.
The next few years will be interesting as questions of economic and national security, technology leadership, and global competitiveness collide. Legislation percolating through Congress anticipates developing a national strategy in 5G. Expect some significant investments in R&D that will help shore up U.S. leadership in certain areas and help catapult us into having a global mandate for 6G. Read the complete Q&A here.
Future of Passwords
Q&A with Doug Beattie, vice president of product management, GlobalSign
TPG: What is the future of passwords?
DB: Passwords are not going away anytime soon for the enterprise, but these are being augmented by two-factor, which is now the de facto standard. However, use cases that involve remote access or privileged access will require supplemental authentication factors such as biometrics, PKI, or OTPs. Further, advancements in identity and access management (IAM) will address user experience in a positive way, especially around single sign-on (SSO) to both local and cloud-based applications. While adoption of facial recognition technologies remains low due to a fractured approach by various vendors (Windows Hello, Apple Face Unlock, etc.), the ease of use of this method may lead to increased adoption if a proven, secure, and consolidated method can be agreed upon. Read the complete Q&A here.
TPG: What are your top recommendations for a PKI implementation?
IR: Standards for TLS configuration, plus automation for certificate deployment. Automation is very important because you don’t want your best employees to spend their time doing menial work. Monitoring is also important, because things break. And there is sometimes a danger, when you automate something, of thinking that it will run forever. I am a big fan of monitoring via Certificate Transparency, which is a fantastic and very easy way to monitor how your domain namespaces are used and secured. What can be done to make servers more secure? Two things: First, we need to make sure our components are secure by default. Second, we need to assemble the components in secure ways. Both of these are enormously challenging. On the development side, the predominant deciding factor for technology selection is still popularity, rather than security. On the assembly side, we’ve made great strides recently with the DevOps movement, but things are still done in a way that’s equivalent to duct tape everywhere. Read the complete Q&A here.
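The Certificate Transparency monitoring recommended in the answer above, as an added example that is not part of the original Q&A and not the interviewee's code. It audits CT-derived certificate records against a simple per-namespace policy: which issuer organizations are expected to issue for the domain, which hostnames are known to the inventory, and whether wildcard certificates are permitted. The sample records, their field names (shaped after the JSON that a CT search service such as crt.sh returns, with all names in one newline-separated `name_value` field), the `example.test` namespace and the `POLICY` values are all constructed for the example; a real deployment would fetch records from a CT log or search service and load the policy from the team's certificate inventory.

```python
import json

# Constructed sample of CT-derived records. Field names follow the crt.sh JSON shape
# (id, issuer_name, name_value, not_before); every value here is invented.
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.test\nexample.test", "not_before": "2019-11-02T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.api.example.test", "not_before": "2019-11-20T08:30:00"},
    {"id": 3, "issuer_name": "C=GB, O=Some Other CA Ltd, CN=Other CA Issuing 1",
     "name_value": "vpn.example.test", "not_before": "2019-12-01T12:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging.example.test\nstaging.example.test", "not_before": "2019-12-03T09:15:00"},
])

# Hypothetical monitoring policy for one namespace (constructed values): the CA
# organizations expected to issue for it, the hostnames the inventory knows about,
# and whether wildcard certificates are acceptable at all.
POLICY = {
    "domain": "example.test",
    "allowed_issuer_orgs": {"Let's Encrypt"},
    "known_hosts": {"example.test", "www.example.test", "api.example.test"},
    "allow_wildcards": False,
}


def issuer_org(issuer_name):
    """Return the O= value of a distinguished-name string ('' if absent).
    Simplification: assumes comma-separated RDNs with no escaped commas."""
    for rdn in issuer_name.split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "O":
            return value
    return ""


def names_in_record(record):
    """Split the newline-separated CN/SAN list, lowercase it and drop duplicates
    while keeping the original order."""
    seen = []
    for name in record["name_value"].split("\n"):
        name = name.strip().lower()
        if name and name not in seen:
            seen.append(name)
    return seen


def in_scope(name, domain):
    """True if name is the monitored domain or a (possibly wildcard) subdomain of it."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == domain or bare.endswith("." + domain)


def audit_ct_records(records_json, policy):
    """Compare CT records against the policy. Returns a list of findings, each a dict
    with the record id, a reason code and the subject (issuer org or DNS name)."""
    findings = []
    for record in json.loads(records_json):
        org = issuer_org(record["issuer_name"])
        if org not in policy["allowed_issuer_orgs"]:
            findings.append({"id": record["id"], "reason": "unexpected-issuer", "subject": org})
        for name in names_in_record(record):
            if not in_scope(name, policy["domain"]):
                continue  # a broad search can return unrelated names; ignore them
            if name.startswith("*."):
                if not policy["allow_wildcards"]:
                    findings.append({"id": record["id"], "reason": "wildcard-issued", "subject": name})
            elif name not in policy["known_hosts"]:
                findings.append({"id": record["id"], "reason": "unknown-host", "subject": name})
    return findings


if __name__ == "__main__":
    for finding in audit_ct_records(SAMPLE_CT_RECORDS, POLICY):
        print(f"record {finding['id']}: {finding['reason']} ({finding['subject']})")
```

Each finding is something a certificate owner would want to look at: a certificate from a CA the organization does not use, a wildcard that nobody requested, or a hostname missing from the inventory (which is either an undocumented deployment or an unauthorized issuance). Running the audit on a schedule and diffing against the previous run turns CT from a public record into the monitoring signal the answer describes.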
Q&A with Charles Jennings, author of the new book Artificial Intelligence: Rise of the Lightspeed Learners
TPG: How can AI help cybersecurity vendors stay ahead of threats?
CJ: Advanced polymorphic malware — threats that keep changing form — are impossible for traditional signature-based applications to detect. Intel’s hardware-enhanced security platform uses AI to monitor malware behavior at the level of silicon telemetry. Only an AI-enhanced service could keep learning fast enough to identify ever-changing polymorphic threats (especially cryptomining). AI gives serious cyber defenders an important new tool.
The larger question is how cybersecurity vendors can support AI — how they can help make good-guy AIs the best cyber protectors ever? The answer: collect and curate all your data.
AI-ready datasets, when properly constructed, can be powerful balance sheet assets. They can also be used to train AIs to perform information assurance tasks no human would even attempt. Most cybersecurity vendors today have some sort of AI initiative, but if not grounded in the collection of clean, AI-ready data, it will likely fail. Read the complete Q&A here.
Q&A with Dr. Thorsten Groetker, chief technology officer, Utimaco
TPG: What needs to happen with IoT security?
TG: Well, first and foremost, IoT security needs to happen. We have arrived at the point where we need to consider the IoT to be critical infrastructure and, hence, have to equate IoT security with a special form of critical infrastructure protection. Granted, we can sustain failures of individual IoT nodes and subsystems, but large-scale breaches on existing less-than-ideally protected IoT systems could have substantial impact on public safety and the economy.
Legislators and industry bodies need to work together to create easy-to-understand risk profiles and corresponding ratings.
We will see the deployment of more PKI technology too to make this work. As devices are often of the install-and-forget variety, we cannot solely rely on humans to assess (and periodically re-assess) risk ratings. Instead, we need certificate-based classification of devices. In the IoT, the I (the network) needs to reject the T (the node) if it is not, or no longer, fit for the job.
I appreciate related efforts, for instance in the 5G context. Of course, I don’t mean the better connectivity/reduced latency/improved throughput aspect, but rather IoT security related efforts such as those by G5AA. Read the complete Q&A here.
Q&A with Jay Schiavo, vice president of Entrust Certificate Services Markets, Entrust Datacard
TPG: Where do you see identity management headed in the next few years?
JS: Cloud adoption continues to rise across enterprise IT applications and identity management is no exception. As more organizations migrate applications, they need to evaluate the primary technologies they use to store data, including user directories. Historically, user identity information was stored in-house, such as in Active Directory. Now, organizations will have to decide if they want to transition their user directories from being managed on-premise to managed in the cloud. This has implications for applications such as authentication and access management, which rely on tight binding to directories and need to support modern cloud identity management repositories.
A second identity management trend is the expansion of the types of identities the enterprise has to manage. Traditionally, employees were the primary user base. Now, organizations digitally engage with customers, partners, contractors, etc., so they need to accommodate new approaches to user identity management. And recent regulations — such as GDPR, CCPA and the New Zealand privacy bill requiring stronger security — are driving the need for even more robust identity and access management solutions to balance security, user experience, and operational efficiency. Read the complete Q&A here.
Managing Sensitive Data
Q&A with Alex Momot, CEO of Remme
TPG: What are the top three things you recommend organizations do when it comes to managing sensitive data?
AM: First of all, organizations should use encryption keys for data – including data at rest. Second, event logging and monitoring can help alert you to any potential misuse of data and potentially help you stop that misuse. Finally, some organizations put particularly sensitive data in distinct environments with stronger controls and oversight. As noted, though, broader application of blockchain can contribute importantly to both managing and protecting sensitive data. Read the complete Q&A here.
Q&A with Roger A. Grimes, IDG/CSOOnline security columnist, author of Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today’s Crypto, and Data-Driven Defense Evangelist for KnowBe4, Inc.
TPG: What’s the worst malware you’ve seen lately?
RG: Ransomware in general. You’ve got tons of companies going down for days to weeks. Ten percent of small businesses never recover and go out of business. Most companies are paying the ransom because they have no other choice. Their backups are not nearly as good as they think. Some forms of ransomware steal your data and want to be paid or else they’ll release your company’s most secret information into the public realm. A backup is not going to help you there. Read the complete Q&A here.