Passwords are dead. Of course, passwords have been dead for over a decade, but the problem with this dead technology is that it just won’t die. The successful breach of security nearly one year ago on the RSA division of EMC targeted an all-too-weak two-factor authentication system.
For a moment during the Tuesday round of keynotes at the conference that bears his company’s name, RSA Executive Chairman Art Coviello, Jr looked despondent, helpless, like an executive pleading the Fifth. But this time, Coviello didn’t just blame the usual suspects. Striking a strange new theme that resounded through the entire conference, he cited employees’ irrepressible desire for a new mobile device, and companies giving it to them, as the eventual culprit.
“Employees are used to having powerful technologies, hardware, and applications as part of their everyday lives. Everything is an app now. Not only are they not waiting for IT organizations to catch up and provide these capabilities, employees and entire business units have been bypassing those IT organizations to achieve their business and personal goals,” Coviello pleaded like a suspect student at the principal’s office, someone getting no respect from the world. “And increasingly, they’re winning the battle to have all of their mobile devices supported. The point of all this is, while no one knows where these trends are going to take us, it’s clear: We’re well past the tipping point where our physical world and our digital lives can be separated.”
This just moments after a gospel choir belted out, shall we say, updated lyrics to the Rolling Stones’ classic, “You Can’t Always Get What You Want.”
No, businesses did not wait for the IT department to invent the “business edition” of the iPad. Yes, they made investments before they ever considered formally integrating it into their migration plans. (If they hadn’t, it would be the iPad 5 before they made the first move.) But it’s doubtful that the late Steve Jobs is to blame for the RSA breach. While a sizable chunk of presentations last week at RSA began with some variation on the dying proclamation that passwords are dead, their common theme was what followed: a reflection upon the notion that nothing has taken their place yet.
Last February 24, we previewed RSA 2012 in San Francisco with six “keys to the conference” that we said we’d be sure to follow. There’s more stories to tell from the conference this week, though let’s take a moment now to revisit these six key themes to see how RSA 2012 advanced their story line, if at all:
1. Who or what defines identity for cloud access? I found it a little shocking that, on several occasions, the news about how Windows 8 would use a kind of single sign-on (SSO) authentication sharing system (sometimes called “identity federation,” but in this case, not really) came from, of all people, me. I was the one who informed many security engineers and software experts about what will be called Microsoft Account.
So for some companies this week, Windows 8 will be an entirely new, if equally proverbial, monkey wrench. However, for members of the Cloud Security Alliance, who met in a special summit session last Monday, the news was certainly closer to home. The problem is something that experts readily acknowledge, and which many believe the authentication sharing scheme could actually exacerbate: It’s the proliferation of the same weak passwords which tends to weaken them further, as folks who use a password for one purpose will use it elsewhere. Case in point: Users of systems that identify them by their e-mail addresses (as opposed to their arbitrary usernames) and passwords, tend to use the same passwords. So a breach of a relatively weak password system anywhere on the Internet could impact Google, whose accounts are often secured by users’ Gmail account names. This is a topic we’ll discuss in greater detail this week, although for now, the boldfaced question above remains dangerously unresolved.
2. The rise of risk management. A new and very different class of RSA attendee arrived this year, in full volume and in native dress. Risk management professionals, whose background is in business management as opposed to software engineering or systems analysis, demonstrated that they’re putting more direct pressure on organizations to improve the way their information systems are designed, implemented, and maintained.
It’s a very welcome development, because it addresses Art Coviello’s problem head-on. Up to now, most security technologies have been either preventative or remedial in nature – systems designed to either maintain or restore normal functionality in the event of “bad stuff happening.” When risk management is applied (correctly) to the evaluation and purchasing or requisition process, components that are purchased must be resilient by design. You don’t reduce the risk of one purchase item by way of investing in another. This is changing the entire marketing scheme for security vendors, who can no longer present themselves as the fix. They have competition now, in the form of improved systems. If cloud technologies can resolve the identity issue, purchasing managers can use risk management procedures to justify replacing existing, on-premise software with cloud services and apps. And that leads directly to the next point:
3. The decline of endpoint security. There’s no longer a question mark at the end of that topic. The fortress mentality is dying. We did see this week, however, the last gasp of endpoint security providers, with the publication of charts either advocating a relocation of the firewall, or showing it already having been moved, beyond the data center boundaries and into the cloud.
The argument is that virtual systems essentially perform the same “palace guard” roles as components inside the traditional firewall of the data center. So virtual firewall appliances are essentially remote palace guards, sent “on assignment” to protect these new, remote outposts. The problem remains, though, that in versatile cloud models, the idea of “hardening” endpoints tends to fail. There are ever more relevant traffic monitoring services that use shared data and evolving criteria to judge patterns of questionable behavior, and to isolate malware before it ever becomes formally identified and catalogued. These new systems are indeed making progress; the problem of late has been that more sophisticated, industrially supported botnets are turning their attention to weakened access points, and are breaking through with a low degree of intrepidity.
4. Can privacy be delivered by technology? The moment for the Web to have become a harbinger of privacy was at the very beginning, when it had the opportunity to encrypt and authenticate all transactions. In the absence of a full-time Web authentication model, the capability for any big data service to aggregate multiple characteristics about any individual from disparate sources – as BT’s Bruce Schneier warned attendees Wednesday – rises exponentially.
“Yesterday’s enterprises tried to be more locked down,” stated Symantec President and CEO Enrique Salem during the Day 1 keynotes. “Today’s enterprises are more open, more distributed, and less secure than they need to be. And I think many of you are frustrated by how much complexity has been introduced. But this new world is one where we don’t control the devices. With the expanded use of the public and private cloud, we don’t know where our data necessarily resides. With the increasing use of virtualization, it’s not always clear where a specific workload is being run.”
Salem then picked up on Coviello’s theme of blaming end users, giving them the blanket euphemism “the digital data generation” (as if there has ever been any other type of data). “The digital data generation brings into sharp focus three questions: How do we manage online identities when our employees maintain dozens of them? Number two, how do we protect information when the workforce shares information freely, and isn’t that concerned about its security? Number three, how do we keep track of a substantially higher volume of online activity?” Step one, it would appear, is to appropriately enumerate all the questions.
5. Is infrastructure security a joke? As I’ll explain in a story later this week, analysts and engineers were openly snickering at the notion that a “smart grid” even exists at all. With almost trivial, if non-existent, security measures in place throughout the nation’s energy delivery and infrastructure networks, evidently the only thing truly protecting us from a random shutdown event is the continued vigilance of government security agencies.
One of the most poignant statements on this topic came from Kevin Gronberg, a senior counsel for the House Committee on Homeland Security. Actually, as you’ll see later, Gronberg made several brilliant observations, but this one deals with a cybersecurity protection bill introduced last month. “As of now, the cybersecurity mission is poorly defined in legislation. It has been more a function of executive order and public expectation. The Department [of Homeland Security] has filled that role admirably, but we would like to clarify those roles.”
6. Could government really lead the way in security architecture? Yes. In fact, as we saw plainly demonstrated on several occasions, including by Margaret Salter of the NSA, government is already leading. One of the most striking revelations of the week was that commercial security components, even the open source ones, are not interoperable with one another. It is as if they were all developed in separate vacuums.
The need for a secure government smartphone based on common hardware architecture is leading to an interoperable system of components that could be better than BlackBerry – and what’s more, that could be shared with the private sector without owing anybody royalties. The one good thing to come out of government budget cuts (perhaps there is only one) is that it has forced engineers to forge workable solutions from available parts. Making square pegs fit into round holes is something only governments know how to do. As the NSA’s Salter pointed out, buyers of commercial equipment have grown accustomed to purchasing only what’s sold to them. They don’t use collective influence as leverage to improve what it is they purchase, because the retail process whittles them down to mere individuals. The government cannot be whittled down like that; it’s either a big buyer or a non-buyer. That influence is changing security design, both on the part of NSA and DHS; and it was obvious last week that commercial endpoint security vendors will be the last ones filled in on those changes.
