KuppingerCole Blog

Future-Proofing Your Cybersecurity Strategy

It’s May 25 today, and the world hasn’t ended. Looking back at the last several weeks before the GDPR deadline, I have an oddly familiar feeling. It seems that many companies have treated it as another “Year 2000 disaster” - a largely imaginary but highly publicized issue that has to be addressed by everyone before a set date, and then it’s quickly forgotten because nothing has really happened.

Unfortunately, applying the same logic to GDPR is the biggest mistake a company can make. First of all, obviously, you can only be sure that all your previous preparations actually worked after they are tested in courts, and we all hope this happens to us as late as possible. Furthermore, GDPR compliance is not a one-time event, it’s a continuous process that will have to become an integral part of your business for years (along with other regulations that will inevitably follow). Most importantly, however, all the bad guys out there are definitely not planning to comply and will double their efforts in developing new ways to attack your infrastructure and steal your sensitive data.

In other words, it’s business as usual for cybersecurity specialists. You still need to keep up with the ever-changing cyberthreat landscape, react to new types of attacks, learn about the latest technologies and stay as agile and flexible as possible. The only difference is that the cost of your mistake will now be much higher. On the other hand, the chance that your management will give you a bigger budget for security products is also somewhat bigger, and you have to use this opportunity wisely.

As we all know, the cybersecurity market is booming, since companies are spending billions on it, but the net effect of this increased spending seems to be quite negligible – the number of data breaches or ransomware attacks is still going up. Is it a sign that many companies still view cybersecurity as a kind of a magic ritual, a cargo cult of sorts? Or is it caused by a major skills gap, as the world simply doesn’t have enough experts to battle cybercriminals efficiently?

It’s probably both, and the key underlying factor here is the simple fact that in the age of Digital Transformation, cybersecurity can no longer be a problem for your IT department only. Every employee is now constantly exposed to security threats, and humans, not computers, are now the weakest link in any security architecture. Unless everyone is actively involved, there will be no security anymore. Luckily, we already see awareness of this fact growing steadily among developers, for example. The whole notion of DevSecOps revolves around integrating security practices into all stages of the software development and operations cycle.

However, that is by far not enough. As business people like your CFO, not administrators, are becoming the most privileged users in your company, you have to completely rethink substantial parts of your security architecture to address the fact that a single forged email can do more harm to your business than the most sophisticated zero-day exploit. Remember, the victim is doing all the work here, so no firewall or antivirus will stop this kind of attack!

To sum it all up, a future-proof cybersecurity strategy in the “post-GDPR era” must, of course, be built upon a solid foundation of data protection and privacy by design. But that alone is not enough – only by constantly raising awareness of the newest cyberthreats among all employees and by gradually increasing the degree of intelligent automation of your daily security operations do you have a chance of staying compliant with the strictest regulations at all times.

Humans and robots fighting cybercrime together – what a time to be alive! :)

"Archive != Delete": Bring Back the Delete Button

Why does it seem to be getting harder to delete information online? GDPR will take effect in just a few days. GDPR empowers EU people to take control of their personal information. When in force, GDPR will mandate that companies and other organizations which control or process personal information must comply with delete requests. Users around the world are more cognizant of the data they create and leave online. Even outside the EU, people want to be able to delete data which they deem is no longer useful.

Enter the “archive” button. On some social media sites and other popular applications, the archive button appears to have replaced the old familiar “delete” button. Why? It is ostensibly to make it easier for users to retrieve information that they want out of sight. App makers reason that you don’t always want to delete something once you hit delete. Sometimes, they’re right. But most of the time, “delete” should mean delete. If one searches hard enough, one can usually find ways to actually delete data, even though the top-level UIs only show options to archive.

Another reason “archive” has replaced “delete” is that all information has some value, or at least that is the guiding principle in Big Data circles. Just because a user wants data removed doesn’t mean that it doesn’t have value for others. Social network operators make money off user data, so they believe it must be retained for historical analysis.

Turbulence in the markets and bad press for social media companies may be a leading indicator as to the importance of personal data control for an increasing number of users worldwide. In advance of GDPR, and for the benefit of all users, we urge app makers to bring back the delete button.

How (Not) to Achieve Instant GDPR Compliance

With mere days left till the dreaded General Data Protection Regulation comes into force, many companies, especially those not based in the EU, still haven’t quite figured out how to deal with it. As we mentioned countless times earlier, the upcoming GDPR will profoundly change the way companies collect, store and process personal data of any EU resident. What is understood as personal data and what is considered processing is very broad and is only considered legal if it meets a number of very strict criteria. Fines for non-compliance are massive – up to 20 million Euro or 4% of a company’s annual turnover, whichever is higher.

Needless to say, not many companies feel happy about massive investments they’d need to make into their IT infrastructures, as well as other costs (consulting, legal and even PR-related) of compliance. And while European businesses don’t really have any other options, quite a few companies based outside of the EU are considering pulling out of the European market completely. A number of them even made their decision public, although we could safely assume that most would rather keep the matters quiet.

But if you really decide to erect a “digital Iron Curtain” between you and those silly Europeans with their silly privacy laws, how can you be sure it’s really impenetrable? And even if it is, is that a viable strategy at all? The easiest solution is obviously geofencing – just block all access to your website from any known European IP range. That’s something a reasonably competent network administrator can do in under an hour or so. There are even companies that would do it for you, for a monthly fee. One such service, aptly named GDPR Shield, offers a simple JavaScript snippet you need only to paste into your site’s code. Sadly, the service seems to be unavailable at the moment, probably unable to keep up with all the demand…

However, before you even start looking for other similar solutions, consider one point: the GDPR protects the EU subjects’ privacy regardless of their geographic location. A German citizen staying in the US and using a US-based service is, at least in theory, supposed to have the same control over their PII as back home. And even without traveling, an IP blacklist can be easily circumvented using readily available tools like VPN. Trust me, Germans know how to use them – as until recently, the majority of YouTube videos were not available in Germany because of a copyright dispute, so a VPN was needed to enjoy “Gangnam style” or any other musical hit of the time.

On the other hand, thinking that the EU intends to track every tiniest privacy violation worldwide and then drag every offender to the court is ridiculous; just consider the huge resources the European bureaucrats would need to put into a campaign of that scale. In reality, their first targets will undoubtedly be the likes of Facebook and Google – large companies whose business is built upon collecting and reselling their users’ personal data to third parties. So, unless your business is in the same market as Cambridge Analytica, you should probably reconsider the idea of blocking out European visitors – after all, you’d miss nearly 750 million potential customers from the world’s largest economy.

Finally, the biggest mistake many companies make is to think that GDPR’s sole purpose is to somehow make their lives more miserable and to punish them with unnecessary fines. However, like any other compliance regulation, GDPR is above all a comprehensive set of IT security, data protection and legal best practices. Complying with GDPR - even if you don’t plan to do business in the EU market - is thus a great exercise that can prepare your business for some of the most difficult challenges of the Digital Age. Maybe in the same sense as a volcano eruption is a great test of your running skills, but running exercises are still quite useful even if you do not live in Hawaii.

Will Your Security Solutions Violate GDPR?

As the May 25th, 2018 GDPR enforcement date approaches, more and more companies are actively taking steps to find, evaluate, and protect the personally identifiable information (Personal Data) of EU persons. Organizations that do business with EU persons are conducting data protection impact assessments (DPIAs) to find Personal Data under their control. Many are also asking “do we need to keep the data?” and putting into practice data minimization principles. These are good measures to take.

IT and privacy professionals are inventorying HR, CRM, CIAM, and IAM systems, which is reasonable since these likely contain Personal Data. Administrators should also consider performing DPIAs on security solutions.

Security solutions such as SIEMs, EMMs, and Endpoint Security/EDR tools collect lots of data, including Personal Data, for analysis. Many of the following types of Personal Data (as defined by GDPR) are routinely harvested for ongoing security and risk analysis:

  • Username
  • Email address
  • User attributes, including organizational affiliations, citizenship, group membership
  • IP address
  • Geo-location
  • User-created data files

Most security solutions allow options for on-premise analysis or cloud-based analysis. As an example, most anti-malware products "scoop up" files for deep inspection at the vendor's cloud, which may be outside of EU. Some vendor solutions are configurable in terms of what attributes can be collected and/or sent elsewhere for analysis; some are not.

Any processing of Personal Data is controlled under GDPR. The definition of processing is so wide that it likely includes these forms of scanning and analysis.

In light of GDPR, one question administrators should ask is “Is this information collected with user consent?” In some cases, user consent will be required. However, according to GDPR Article 6, personal information collection may proceed for the following purposes:

  • for the performance of a contract or legal obligation;
  • to protect the vital interests of the data subject;
  • for a task in the public interest;
  • or where processing is necessary for the legitimate interests of the controller.

Moreover, there will be situations in which Personal Data may be processed by more than one Data Processor. In these joint-processor scenarios, all entities involved in processing share responsibility for ensuring that the use of Personal Data is authorized under one of the GDPR-specified purposes above.

Security administrators should work with their DPOs and legal team to address the following additional points:

  • Determine which of your deployed security solutions collect which kinds of data; in effect, do DPIAs on security solutions.
  • Ascertain where this data goes: local storage? Telemetry transmitted to the cloud? If so, does it stay in the EU? Could it go outside the EU? GDPR defines the notion of data protection adequacy with regard to countries and organizations outside the EU. The Official Journal of the EU will publish and maintain a list of locations for which no additional data transfer agreements will be required.
  • If the security scanning or analysis is performed by a third party or cloud provider, irrespective of where this is done, there must be a written legal agreement as set out in Article 28 (3).
  • Do your security solutions permit Personal Data anonymization? GDPR Recital 26 states that data which is sufficiently masked to prevent the identification of the user will not be subject to the data protection mandates. However, SIEMs and forensic tools sometimes need to be able to pinpoint users. Specifically, IP addresses and user credentials are almost always necessary and serve as “primary keys” on which security analyses are based. Within your security solutions, is it possible to mask user data at a high level for external analysis, but leave details encrypted locally, so that they can be unmasked by authorized security analysts during investigations? This is a difficult technical challenge, which is not supported yet by many security vendors. Regardless, even local processing of data elements such as IP address falls under the jurisdiction of GDPR.
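The masking scheme sketched in the last point (stable pseudonyms for external analysis, re-identification only by authorized analysts on site) can be illustrated in code. The following is an added example, not from the article or from any SIEM vendor: it uses keyed HMAC tokens so that the cloud side still gets consistent join keys for usernames and IP addresses, while the token-to-value vault and the key stay local. The log lines, key, field names and the `security_analyst` role are constructed assumptions; in a real deployment the vault would be encrypted at rest and the key held in an HSM or key vault.

```python
import hashlib
import hmac
import re

# Constructed sample SIEM events (not real data); addresses are from documentation ranges.
SAMPLE_EVENTS = [
    "2018-05-20T08:01:12Z sshd auth_ok user=j.mueller src=203.0.113.17 geo=DE",
    "2018-05-20T08:01:40Z sshd auth_fail user=j.mueller src=203.0.113.17 geo=DE",
    "2018-05-20T08:02:05Z proxy GET host=example.org user=a.smith src=198.51.100.9 geo=US",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Matches a raw user value but skips values that are already pseudonym tokens.
USER_RE = re.compile(r"\buser=(?!usr_[0-9a-f]{16}\b)([A-Za-z0-9._@-]+)")
TOKEN_RE = re.compile(r"\b(?:usr|ip)_[0-9a-f]{16}\b")


class Pseudonymizer:
    """Keyed, reversible masking of usernames and IP addresses in log events.

    Tokens are truncated HMAC-SHA256 values under a key that never leaves the
    local site: the same input always yields the same token (so correlation on
    the cloud side still works), but the value cannot be recovered from the
    token without the local vault. The vault is an in-memory dict here
    (assumption for the example); in production it would be encrypted at rest.
    """

    def __init__(self, key: bytes, authorized_roles=("security_analyst",)):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._vault = {}  # token -> original value, kept on premises only
        self._authorized_roles = frozenset(authorized_roles)

    def _token(self, kind: str, value: str) -> str:
        digest = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        token = f"{kind}_{digest[:16]}"  # 64 bits is enough for a demo; use more in practice
        self._vault[token] = value
        return token

    def mask(self, event: str) -> str:
        """Return the event with user and IP fields replaced by stable tokens."""
        event = USER_RE.sub(lambda m: "user=" + self._token("usr", m.group(1)), event)
        return IP_RE.sub(lambda m: self._token("ip", m.group(0)), event)

    def unmask(self, token: str, role: str) -> str:
        """Re-identify a token; only the configured analyst roles may do this."""
        if role not in self._authorized_roles:
            raise PermissionError(f"role {role!r} may not re-identify {token}")
        return self._vault[token]


def contains_raw_identifiers(event: str) -> bool:
    """True if an event still carries a plain username or IP address."""
    return bool(IP_RE.search(event) or USER_RE.search(event))


def tokens_in(event: str) -> list:
    """List the pseudonym tokens present in a masked event, in order."""
    return TOKEN_RE.findall(event)


if __name__ == "__main__":
    p = Pseudonymizer(b"replace-with-32-random-bytes-from-a-kms!!")
    for raw in SAMPLE_EVENTS:
        masked = p.mask(raw)
        print(masked)
        for t in tokens_in(masked):
            print("  ", t, "->", p.unmask(t, "security_analyst"))
```

The masked lines are what you would forward to an external or cloud analysis service; the two events from the same source keep the same `ip_` token, so burst detection and correlation still work there, and only someone with the vault and an analyst role can resolve a token back to a person or address. Note, as the article says, that even the local step is still processing under GDPR.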

In summary, don’t forget your security solutions when running DPIAs. Check with vendors about what information they collect and how it is treated. Work closely with your DPOs and legal counsel to plan the best course of action if you find that remediation or some re-design is needed.

IAM for a Microservices World: Securing Agile IT

Ten years ago, for the second EIC, we published a report and survey on the intersection of IAM and SOA (in German). The main finding back then was that most businesses don’t secure their SOA approaches adequately, if at all.

Ten years later, we are talking Microservices. Everything is DevOps, a small but growing part of it is DevSecOps. And again, the question is, whether we have appropriate approaches in place to protect a distributed architecture. This question is even more important in an age where deployment models are agile and hybrid.

So how do we do IAM for this microservices world? Basically, there are two challenges: supporting the environments and supporting the services and applications.

The former is about securing containers. That includes privileged access to the environments the containers run in as well as to the containers themselves, but also the fine-grained access management and governance of such environments. It also includes the interesting challenge of segregating access to development, test, and production in the DevOps world, which is an even more demanding task than in traditional IT.

The second challenge is about how to secure communication between microservices. One of the technologies that inevitably comes into play here is API Management & Security. Beyond that, we will have to rethink authorization for services, but also how to manage and govern identities and their access at both the level of individual microservices and the orchestrated services and applications provided to the business.

Reasonably defined microservices, fully encapsulated and providing their functionality to connected services and applications exclusively via secure, authenticated and auditable APIs, are an important step towards secure architectures “by design”.

Notably, we must also start thinking about deploying security components as services, externalizing and standardizing them. I discussed this topic a while ago in a webinar – you might want to watch the webcast. With the move to a more agile approach to IT, where changes are quickly deployed to production environments, identity and security must become adequately agile. Automation becomes key to success. We see some interesting trends and offerings arriving; however, most of them are currently focused on privileged users – which is a good start, but by far not the end of our journey towards secure microservices architectures.

It’s about time to make our IAM services ready to support the new way IT is done: agile and modular. Otherwise we will end up in a security nightmare.

IAM as Microservices: It’s About Flexibility and Agility

For as long as I have been observing the IAM business, it has been under constant change. However, there is a change on its way that is bigger than many of the innovations we have seen over the past decade. It is IAM adopting the architectural concept of microservices.

This will have a massive impact on the way we can do IAM, and it will impact the type of offerings in the market. In a nutshell: microservices can make IAM far more agile and flexible. But let’s start with the Wikipedia definition of Microservices:

Microservices is a software development technique—a variant of the service-oriented architecture (SOA) architectural style that structures an application as a collection of loosely coupled services. In a microservices architecture, services are fine-grained and the protocols are lightweight. [Source: Wikipedia]

Basically, it is about moving to loosely coupled services and lightweight protocols for integration. Factually, this also includes lightweight APIs these services expose. Each microservice delivers specific, defined capabilities, which are then orchestrated.


When we look at the evolution of the IAM market, most applications have been architected more or less monolithically in the past. Most of them have some “macroservice” model built in, with a couple of rather large functional components such as a workflow engine or an integration layer. Some vendors have already come a bit further in their journey towards microservices, but when looking at today’s on-premises solutions for IAM, for most vendors the journey towards microservices has just started, if at all.

Looking at IDaaS (Identity as a Service), the situation is different. Many (but not all) of the IDaaS solutions on the market have been architected from scratch following the microservices approach. However, in most cases, they do so internally, while still being exposed as a monolithic service to the customer.

The emerging trend – and, even more importantly, the growing demand of customers – now is for IAM being delivered as a set of microservices and via containers (which might contain multiple microservices or even a few legacy components not yet updated to the new model). Such an approach allows for more flexible deployments, customization, and integration, and delivers the agility businesses are asking for today.

From a deployment point of view, such an architecture gives businesses the option to decide where to run which of the services and, for example, to support a hybrid deployment or a gradual shift from on-premises to private cloud and on to public cloud.

From a customization and integration perspective, orchestrating services via APIs with IAM services and other services such as IT Service Management is more straightforward than coding, and more flexible than just relying on customization. Lightweight APIs and standard protocols help.

Finally, a microservice-style IAM solution (and the containers its microservices reside in) can be deployed in a far more agile manner by adding services and orchestrations, instead of the “big bang” style rollout of rather complex toolsets we know today.

But as always, this comes at a price. Securing the microservices and their communication, particularly in hybrid environments, is an interesting challenge. Rolling out IAM in an agile approach, integrated with other services, requires strong skills in both IT and security architecture, as well as a new set of tools and automation capabilities. Mixing services of different vendors requires well-thought-out architectural approaches. But it is feasible.

Moving to a microservices approach for IAM provides a huge potential for both the customers and the vendors. For customers, it delivers flexibility and agility. They also can integrate services provided by different vendors in a much better way and they can align their IAM infrastructure with an IT service model much more efficiently.

For vendors, it allows supporting hybrid infrastructures with a single offering, instead of developing or maintaining both an on-premises product and an IDaaS offering. But it also raises many questions, starting with the one on the future licensing or subscription models for microservices – particularly if customers only want some, not all services.

There is little doubt that the shift to microservices architectures in IAM will significantly affect the style of IAM offerings provided by vendors, as it will affect the way IAM projects are done.

Blockchain for Identity – Myth or Potential?

During yesterday’s opening keynote at the EIC (European Identity & Cloud Conference), I brought up (and explained) a slide about the areas where Blockchain technology has the potential to help solve existing identity problems, either by doing it just better than today or by delivering entirely new capabilities. Notably: it was about the potential, not that this will inevitably happen.


Not surprisingly – an Opening Keynote should provoke thoughts and discussions – this led to some discussions on social media right after. Some found that I had gone over the top with that slide. Honestly, I don’t agree – not when following what I’ve said. Yes, if I had stated that all these things are already getting better or will definitely and inevitably get better, that would have been over the top. But factually, I don’t believe that there is any single area marked green in that chart where I’m wrong in predicting a potential for improving what we do in identity with Blockchain technology, and where Blockchain (or, even broader, Distributed Ledger technology) has a potential for solving some of the open challenges we are facing around identity.

Let’s just look at the left-hand side of the slide. Identification is something outside of technology, unless we are talking DNA. Verification is straightforward – there are so many KYC (Know Your Customer) use cases based on Blockchain these days, with valid business models, that this is already reality or at least close to becoming reality.

Authentication might definitely become simpler, by having various authenticators and IDs, from eIDs to social logins, associated with a wallet. Just one simple store to get access. Yes, there are challenges in creating secure, easy-to-use wallets, but there is potential as well.

Authorization and smart contracts, privacy and smart contracts: obvious potential.

Auditing: there was a cool use case presented by T-Mobile US in that space the evening before during the Blockchain ID Innovation Night.

And finally, all the use cases on the right-hand side are ones closely related to what is discussed as the potential of Blockchain.

Simply put: for all these areas, Blockchain (ID) technology delivers a potential of solving challenges better. Whether someone can deliver on that potential is a different story. But there is potential.

And to be very clear: we should not search for problems where we can apply Blockchain as a solution. But in the broad field of identity, we have masses of challenges where Blockchain, as one element of the solution, has a potential to solve the problems. We shouldn’t ignore that potential. Time to think beyond, I’d say.

Blockchain Identity – Success Factors and Challenges


When new things arrive, which are still in the pioneering stage and far from reaching maturity, there is always a lot of discussion. This is even more true for Blockchain Identity, where the massive hype around Blockchains, a long history of clever ideas failing, and a few interesting technical and security challenges come together. During my keynote at this year’s EIC, I addressed the challenges and success factors for Blockchain ID as well. That led to a discussion on Twitter about whether some of these success factors are contradictory.


That definitely is a good question worth thinking about. So where might the contradiction lie?

  • Critical mass vs. interoperability? No conflict.
  • Critical mass vs. easy-to-use or secure wallets? No conflict.
  • Critical mass vs. affordability? No conflict?
  • There is anyway no conflict with Privacy by Design and Security by Design.


Anyway, if I make such pair-wise comparisons, I don’t find any obvious contradictions. I might have overlooked some, of course.

Obviously, there are some major challenges. Cyberattack resilience vs. cost vs. usability is not super-easy to achieve. That is why it is a challenge.

One factor where we definitely might have a discussion whether this is a contradiction in itself is the “easy-to-use, easy-to-secure wallet”. Making things both secure and easy to use is a challenge in itself, and it is a success factor for Blockchain ID in general, I admit it.

However, while it is not easy, I doubt that this is impossible, i.e. contradictory in itself. We have seen many improvements in usability of more secure solutions in the past years. Fingerprint biometrics might not be perfect, but it is better than 4-digit PINs. And it is quite easy to use. And that is just one example. In other words: there are ways to combine an acceptable level of usability with good-enough security. Yes, you can always use security as the killer argument. But we also know that there is no 100% security – it is always about finding the right balance.

But what we really should do is actually quite easy: stop arguing what might hinder us in delivering better identity solutions and start figuring out how we can deliver them by using Blockchain technologies wherever appropriate, combining it with what we already have (Identity Relationship Management, OpenID Connect, UMA, PKI, whatever else), and joining our forces.

Email Encryption Is Dead™. Or Is It?

As we all know, there is no better way for a security researcher to start a new week than to learn about another massive security vulnerability (or two!) that beats all previous ones and will surely ruin the IT industry forever! Even though I’m busy packing my suitcase and getting ready to head to our European Identity and Cloud Conference that starts tomorrow in Munich, I simply cannot but put my things aside for a moment and admire the latest one.

This time it’s about email encryption (or rather about its untimely demise). According to this announcement by the EFF, a group of researchers from German and Belgian universities has discovered a set of vulnerabilities affecting users of S/MIME and PGP – the two most popular protocols for exchanging encrypted messages over email. In a chain of rather cryptic tweets, they’ve announced that they’ll be publishing these vulnerabilities tomorrow and that there is no reliable fix for the problems they’ve discovered. Apparently, the only way to avoid leaking your encrypted emails (even the ones sent in the past) to malicious third parties is to stop using these encryption tools completely.

Needless to say, this wasn’t the most elegant way to disclose such a serious vulnerability. Without concrete technical details, which we are promised not to see until tomorrow, pretty wild speculations are already making rounds in the press. Have a look at this article in Süddeutsche Zeitung, for example: „a research team… managed to shatter one of the central building blocks of secure communication in the digital age“. What do we do now? Are we all doomed?!

Well, first of all, let’s not speculate until we get exact information about the exploits and the products that are affected and not fixed yet. However, we could try to make a kind of educated guess based on the bits of information we do have already. Apparently, the problem is not caused by a weakness in either protocol, but rather by the peculiar way modern email programs handle multipart mail messages (those are typically used for delivering HTML mails or messages with attachments). By carefully manipulating invisible parts of an encrypted message, an attacker may trick the recipient’s mail program into opening an external link and thus leak certain information about encryption parameters. Since the attacker has access to this URL, they can leverage this information to steal the recipient's private key or other sensitive data.

How to protect yourself from the exploit now? Well, the most obvious solution is not to use HTML format for sending encrypted mails. Of course, the practicality of this method in real life is debatable – you cannot force all of your correspondents to switch to plain text, especially the malicious ones. The next suggestion is to stop using encryption tools that are known to be affected (some are listed in the EFF’s article) until they are fixed. The most radical method, obviously, is to stop using email for secret communications completely and switch to a more modern alternative.
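The first mitigation above (keep HTML out of encrypted mail, or at least keep the mail client from fetching anything remote when it renders a message) can be enforced mechanically at a gateway or in a client plugin. The following is an added example, not code from the article or from the researchers, and it does not model the MIME manipulation they announced; it only shows the defensive half: walk the MIME tree of a message, report every automatically loaded remote reference in HTML parts (`src=`, `background=`, CSS `url()`), and rewrite them to `about:blank` before rendering. The sample message, its addresses and the `remote.example` host are constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructs a mail client fetches automatically while rendering HTML.
# Hyperlinks (href) need a click and are deliberately left alone here.
REMOTE_REF_RE = re.compile(
    r"""(?P<prefix>\b(?:src|background)\s*=\s*["']?|url\(\s*["']?)"""
    r"""(?P<url>https?://[^"'\s)>]+)""",
    re.IGNORECASE,
)


def build_sample_message() -> str:
    """Constructed multipart/alternative message (not a real one): a plain-text
    part plus an HTML part that references two remote resources."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Quarterly figures are in the attached report.")
    msg.add_alternative(
        '<html><body style="background:url(https://remote.example/bg.png)">\n'
        '<p>Quarterly figures are in the attached report.</p>\n'
        '<img src="https://remote.example/pixel.gif" width="1" height="1">\n'
        '</body></html>\n',
        subtype="html",
    )
    return msg.as_string()


def find_remote_references(raw_message: str) -> list:
    """Return the remote URLs that HTML parts of the message would auto-load."""
    msg = message_from_string(raw_message, policy=default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            urls.extend(m.group("url") for m in REMOTE_REF_RE.finditer(html))
    return urls


def neutralize_remote_content(raw_message: str) -> str:
    """Return the message with every auto-loaded remote reference in its HTML
    parts pointed at about:blank, so rendering it triggers no outbound request."""
    msg = message_from_string(raw_message, policy=default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cleaned = REMOTE_REF_RE.sub(
                lambda m: m.group("prefix") + "about:blank", part.get_content()
            )
            part.set_content(cleaned, subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    raw = build_sample_message()
    print("remote references before:", find_remote_references(raw))
    safe = neutralize_remote_content(raw)
    print("remote references after: ", find_remote_references(safe))
```

A gateway would run `neutralize_remote_content` on inbound mail before delivery, or a client plugin would run it on the decrypted message before handing it to the HTML renderer; either way, the plain-text alternative is untouched, which is why "just use plain text" remains the simplest version of the same control.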

Will this vulnerability fundamentally change the way we use encrypted email in general? I seriously doubt it. Back in 2017, it was discovered that for months, Microsoft Outlook had been sending all encrypted mails with both encrypted and unencrypted forms of the original content included. Did anyone stop using S/MIME or decide to switch to PGP? Perhaps the researchers who discovered that bug should have used more drama!

Yes, however negatively I usually think about this type of sensational journalism in IT, maybe it will have a certain positive effect if it makes more people take notice and update their tools promptly. Or maybe it gives an additional incentive to software vendors to develop better, more reliable and convenient secure communication solutions.

RSA’s 2018 Conference Starts Bi-Polar and Ends with a Minor Breach

It is a world of great turmoil and considerable fear amidst incredible human progress. No wonder the RSA keynotes seemed bi-polar - mixing fear one moment, hope and inspiration the next.

RSA opened with a somber act from rapper poet Kevin Olusola to the conference theme: "Now Matters".

“Together we rise, together we fall
Now matters, for one and for all”

Rohit Ghai, President of RSA Security, introduced the conference with the message that - despite the headlines - cybersecurity is getting better, not worse.

Why better? The world reads about breaches, not protection successes. You don't see headlines about the complex, often confidential work performed by many members of RSA’s audience. You don't see how multi-factor authentication, privileged access management, and other layered security measures prevent or mitigate breaches of so many systems.

Ghai continued in a positive vein; we paraphrase him below as he advised the industry to focus on the following “silver linings” of security:

1. End of the silver bullet fantasy
2. Quicksilver law of cyber-defense
3. Magic of sterling teamwork (inside and outside the boat)

End of the Silver Bullet Fantasy
 
The industry has finally abandoned the idea that ultimate security can be provided by some new silver bullet solution. Like the highly-successful British cycling team in recent Tour de France events, security teams must get the big things right, and work incrementally to improve the little things. Getting the big things right is all about risk management - understanding the company's business context and learning to protect its crown jewels. Only by hardening or denying a small number of key outposts can one finally create defenders' asymmetric advantage over attackers.
 
Don't ignore the little things. Use threat intelligence and vulnerability analysis to learn where the vulnerabilities are and patch them.
 
Quicksilver Law of Cyber-Defense

Like basketball, cybersecurity is a high-velocity sport. Players must anticipate the next offensive move and get protection in place first. With new technologies there is always a learning curve; Ghai called it the “cybersecurity afterthought gap.” The only way to counter Murphy’s Law of new technologies is to develop the ability to adopt security measures sooner and better.

Ghai asserted that technologies like intelligent security operations centers (SOCs), automated orchestration, and user behavior analysis (UBA) are working well. We have state-of-the-art visualization in the SOC: “beautiful security” delivered through Slack-like UIs and chatbots. We are getting better at getting to the ball before our opponent.
 
The Magic of Sterling Teamwork (Inside and Outside the Boat)

Continuing with athletic metaphors, Ghai recalled the US women’s eight rowing team, which had an 11-year winning streak. In the long boat only the coxswain can see ahead, but the team digs in with trust and coordination. For the crew, teamwork isn’t needed just on the water, but also in other areas such as university programs that recruit a depth of talent.
 
In cybersecurity, protection must also go beyond the SOC and all the way up to the boardroom. It requires contributions from executives, users, and business stakeholders. Regulators must set the tone. Ghai praised GDPR for putting privacy front and center, and the U.S. CLOUD Act for balancing tech sector needs with public sector anti-terrorism concerns.
 
We need to build diversity and inclusiveness into security programs, or we’ll struggle to get security right. We need to build in, not bolt on. We should move security up the software development life cycle (SDLC) and engage developers long before the first pen test of the finished system.

Ghai acknowledged there are major issues. Cybersecurity is impacting financial results of breached companies. Breaches of trust have moved beyond loss of personal information. In the wake of the U.S. 2016 election, purveyors of “fake news” continue to shake citizens’ faith in the media, each other, and democracy itself. Trust in technology is tenuous.

Still, Ghai argues that across the social spectrum cybersecurity is getting better, not worse. Cybersecurity provides the protection underlying technological breakthroughs in AI, robotics, and other fields. He highlighted the importance of inclusiveness and noted (to applause from the audience) that twice as many girls and three times as many ethnic-minority students are enrolled in advanced computer classes.

Ghai closed with: “To protect – it is our great adventure!”

Taking Protection to the Next Level
 
It was left to Brad Smith, President of Microsoft, to recall the darker moments of 2017 with videos depicting scenes of WannaCry ransomware causing chaos on UK National Hospital Service (NHS) floors, and NotPetya ravaging Ukraine.

Both WannaCry and NotPetya are suspected of being state-sponsored attacks. If so, the world has gone backwards from the days after World War II, when states came together to codify civilians’ rights to safety from government attacks. We need a Digital Geneva Convention, Smith said, that stops governments from attacking private sector technology and technology companies. For all this doom and gloom, Smith too had words of encouragement, announcing a new Cybersecurity Tech Accord in which 34 major vendors pledged to uphold principles of civilian protection in cyberspace.

Two Steps Forward, One Step Back

It seems the Cybersecurity Gods delight in irony and don’t appreciate corporate Presidents saying cybersecurity is getting better. News of an apparently minor breach broke toward the end of the conference. Per Paul Ducklin from Sophos: “Well, it looks as though it’s happened again: another insecure app published as part of an RSAC cybersecurity event.” In a late-night tweet, RSA Security acknowledged that the first and last names of 114 RSA Conference Mobile App users were improperly accessed. I suppose it is easier for executives to talk about paying attention to the little things and moving security up the SDLC than for the company’s developers to actually do it.

Other Views

Many feel the Clarifying Lawful Overseas Use of Data (CLOUD) Act does not represent the good balance Ghai described, but tramples privacy rights. McAfee CEO Christopher Young’s keynote, which compared the state of cybersecurity to the state of skyjacking in the wide-open skies of the ’60s and ’70s, seemed (at least loosely) to imply an increasingly centralized and regulated future. If our Internet user experience is to become like U.S. Transport Security Agency (TSA) lines at the airport, many might oppose that, and centralized systems might not be safe or resilient enough. Other paradigms, such as decentralized blockchain-based solutions, were barely mentioned until the Cryptographers’ Panel took the stage.

Conclusion: We Need Not Agree with Everything the RSA Keynoters Said to Welcome a Positive Message

Despite RSA’s closing contretemps, a reasonable argument can be made supporting Ghai’s premise that cybersecurity is getting better. It may not seem this way with 2017 logging 45% more breaches than the previous year. However, 2017 also saw vastly increased digital utility and digital transformation in the world. Did the increase in economic value of the Internet exceed the value of cyber-losses? I would have to say “Yes!”

What about the equally reasonable argument that cybersecurity is getting worse because losses are increasing at an unacceptable rate? Losses are going beyond the economic: If many are losing faith in democracy due in part to the cyber-abuses and cyber-conflicts that divide us, could we ultimately face the incalculable loss of democracy itself?

To that, too, a positive message is the only answer. Per John F. Kennedy: “We have nothing to fear but fear itself.” For the professionals among us: we can go to work each day and make our living, knowing that we stand for safety and privacy. Let that inspire us to work a little harder, do a little better, and do it ethically. We are living the life of making cybersecurity better.
