Q&A with Alex Momot, CEO of Remme, and The PKI Guy
TPG: What do you see as the biggest security threats organizations are facing today?
AM: There are a lot of them. But the ones that I see as most critical right now are phishing and shadow IT. Both of them are also partly personnel issues. With phishing, organizations can take some steps through security tools to spot and block likely phishing messages, but mostly it is a matter of continually training employees to not click on questionable links and not share information such as passwords. Some estimates suggest that email-based attacks cost as much as $12 billion globally. But phishing attacks are also moving to texts, phone calls and other techniques to get victims to share information. Also, attackers are getting better at targeting business clients – say a CEO – where the rewards for them can be greatest. Shadow IT, of course, is also all about people not following standard procedures. So, classically, for convenience or even simply to get around annoying corporate security rules, individuals may set up Dropbox™ accounts or similar data sharing accounts – not to mention accounts and functions in the public cloud. Most of the time, this is harmless, but it can easily lead to loss of control of data or worse. In addition to those two, I also see issues with cloud security, again most often due to human factors such as not properly configuring AWS buckets. Cryptojacking and ransomware are also very concerning.
The former involves hijacking corporate IT resources to use them for cryptocurrency mining and the latter involves encrypting corporate data and holding it for ransom. The number of such attacks is on the rise.
Finally, there are attacks on operational technology (OT) and security issues with Internet of Things (IoT) devices. These are complex issues that may require help from device manufacturers as well as strong cybersecurity practices within IT. Blockchain is starting to look like a promising way to address some of these issues.
TPG: What are some of the evolving demands of public key encryption and management?
AM: Public key encryption management requirements can vary to some extent based on the environment and the challenges, but the fundamentals are always the same, as is the goal – to protect data both at rest and in transit. Obviously, cryptographic keys and certificates must be carefully protected and access should be granted very selectively and carefully. Those two points are usually summarized as protecting physical/logical access and limiting user/role access to keys. The U.S. NIST has published useful best practices in this area. One of the other key points is managing key lifecycle – in other words, having a means of control from the initiation of the key until its retirement.
TPG: What do you see as the next generation PKI?
AM: PKI needs improvement to keep up with the rapidly worsening threat picture. One of the most promising ways of doing this is with blockchain. With blockchain, any crucial piece of information is distributed and updated across nodes in a network. The blockchain concept is a reference to the data held and updated by each participating system or node in a network. Blockchain differs from a usual client-server system in that it does not have a centralized server or controller to route and store the data – and the underlying mathematics ensures that data is immutable to unauthorized changes. Blockchain has been used to power so-called “smart contracts” and that, in effect, is a way of managing, sharing, and protecting keys. All this creates a new way to operate and manage PKI transparently via a publicly auditable smart contract.
TPG: What are some of the security concerns with the modern web?
AM: Well, it is a picture that is constantly evolving. I know that the most recent 2019 Verizon Data Breach Incident Report (DBIR) claimed to find a big increase in nation-state attackers over prior years and, if I remember correctly, one quarter were cyber-espionage attempts. The specific methods are varied and changing, but the threat as a whole continues to grow.
TPG: Where do you think identity and access management is headed?
AM: We see a natural evolution toward bringing PKI and IAM together. The same things that make blockchain suitable for PKI also apply to IAM: transparency and widespread availability through a network of nodes, for example, which blockchain makes possible.
So, with that shared technology core, the ability for IT systems to verify certificates through the use of APIs as an interface to the blockchain would maximize interoperability with all kinds of platforms. This reflects the fact that solutions built on blockchain technology are standards-independent when it comes to working with the data handled by the blockchain. So, when PKI and IAM are blockchain-based, the additional benefits include not only integrity, because records are reconciled against each other and are protected from unauthorized changes, but also transparency, since the logic within the smart contract is accessible to all and the audit trail is accessible. Additionally, the use of blockchain means information is durable, since the blockchain includes duplicate data. There are even efficiency gains because the blockchain/smart contract can function in the middle, mediating interactions. IAM and PKI both benefit from all these characteristics.
TPG: Tell us about your platform for certificate lifecycle management.
AM: We’ve put together a comprehensive plan for our products. Over the next two years, we plan to bring our Auth and Keyhub into an IAM platform. We have come to see existing practices in this space as deficient. Blockchain offers a clear path forward, and it is one that we are pursuing vigorously. Blockchain meets the needs of the future for IAM. It is important to remember that we are now in an era when it is not just people that need carefully curated online identities – it is things. The number of things that connect to the Internet is growing exponentially, and a blockchain technology-based IAM is not only extensible, it also offers the kind of inherent certainty that reduces or eliminates many of the management challenges. We believe our approach simplifies the whole picture, whether it is creating digital identities or managing those identities, and each of our offerings is part of that picture.
TPG: When do you recommend using blockchain?
AM: Blockchain technology provides near certainty that only authorized entities can get to any given data set. A quick review of how blockchain handles data leads one to the conclusion that it is a technology that offers important advantages over data simply stored in a centralized database. A traditional database is not only a clear target for an attacker, it is also a single point of failure. By contrast, data is both distributed and highly protected on a blockchain. Because it so fully embodies desired characteristics such as non-repudiation, availability, and integrity, it is an inherently trustworthy source and highly resistant to normal cyberattack methods. Furthermore, blockchains effectively reduce the human element – the human error element – which so often contributes to data losses. Blockchain can’t eliminate all IT challenges, but it greatly improves sending data, encrypting data, and showing who is accessing it. In particular, where IoT has been reinforced by blockchain, many of the most worrisome security issues fade away. Users are no longer dependent on a third party to provide security – it is built in. This has really shown a benefit in supply chain and logistics implementations – particularly where a high degree of control needs to be maintained over a product. Consider the so-called “cold chain,” where a food product or pharmaceutical must be kept at the correct temperature from manufacture until it reaches the consumer. This is currently a somewhat cumbersome process of transmitting and logging temperature data, but blockchain could make this simpler, more certain, and much less complex.
TPG: What are the top three things you recommend organizations do when it comes to managing sensitive data?
AM: First of all, organizations should use encryption keys for data – including data at rest. Second, event logging and monitoring can help alert you to any potential misuse of data and potentially help you stop that misuse. Finally, some organizations put particularly sensitive data in distinct environments with stronger controls and oversight. As noted, though, broader application of blockchain can contribute importantly to both managing and protecting sensitive data.