Last week I had the privilege of attending the 2019 RSA Security Conference in San Francisco. As in past years, the keynotes, technical sessions and sidebar conversations were a great opportunity to learn what is top-of-mind in the security industry. Here are five observations that I came away with:
- GDPR is Alive and Kicking – Stats Show Most Enterprises are Still Not Ready
€50M was the number on everyone’s lips. The EU’s General Data Protection Regulation came into force on May 25, 2018 and regulators have been busier than expected. On January 21, 2019 the French regulator CNIL set the record for the largest GDPR fine to date, fining Google €50M for failing to comply with its GDPR obligations. While this is the largest fine to date, it is a relatively small sum considering that GDPR allows regulators to impose a maximum fine of the greater of €20M or 4% of an entity’s worldwide turnover in the preceding financial year. CNIL did not disclose in its decision how it arrived at €50M (about $56.5M USD), but annualizing Google’s Q3 2018 turnover of $33.74 billion puts the 4% ceiling in the billions of dollars, so the fine amounts to roughly 1% of the maximum the regulation allows.
While the Google penalty is the largest to date, it is not the first to be handed out since May 25th, 2018. In this first year it appears enforcement agencies are focused on entities that are mostly unaware (or willfully unaware) of the data they have collected and stored. Meanwhile, the world continues to wait on European courts to clarify the definition of “appropriate technical and organizational measures”.
There is some good news for enterprises that have no EU presence, however: the extra-territorial clause remains untested. So for those late to the game, there is still time to shore up GDPR-readiness. That said, CISOs shouldn’t wait too long: over 41,000 breaches qualifying for the 72-hour notification requirement were reported between May 26, 2018 and January 31, 2019, sparking investigations into over 250 distinct commercial entities across the EU. These are substantial numbers given that the GDPR is less than a year old. At RSAC 2019, investing in GDPR-readiness remained a recommended best practice across the board.
- The Debate is Over: Cloud Computing is Here to Stay – Shifting from “Shifting Left” to “Feedback Loop”
Two years ago we reported that organizations were either about to enter the cloud or already there and looking to secure their workloads and assets. The concerns of that time were: (1) the cloud operates under a shared responsibility model, meaning the provider secures the underlying infrastructure while enterprises remain responsible for the security, privacy and compliance of their own data; (2) enterprises need better control over who accesses data and how those users authenticate; and (3) cloud security should not be operated in a bubble.
Two years later, the conversation has shifted. Cloud computing is now widely accepted as a mainstay of IT infrastructure. The hot topic of discussion has turned from whether the cloud is a secure environment to how best to secure it. Specifically, the focus now is on developing governing principles for cloud security architecture. Organizations such as the Cloud Security Alliance and AWS have offered their own guidelines, CSA’s EA Guiding Principles and AWS’ Well-Architected Framework respectively. At the moment, neither guideline appears to have taken a firm hold of the industry: the EA Guiding Principles have been criticized for being too complex, while the Well-Architected Framework may be overly simple and biased towards AWS solutions. In this evolving environment, a common-sense approach would be for cloud architects to build security into every layer of the stack, all the way down to the hypervisor level. Many experts at RSAC who support this fully-embedded-at-the-far-left approach continue to recommend encryption (and key management in particular) as the most effective control for this level of embedded security.
In 2017, the industry was talking about “Shifting Left”, the idea that cloud security should be addressed at the earliest point in the design cycle. In 2019, that has evolved to “Shifting Left with Feedback Loop”: the idea that we need to build cloud environments that come enabled with the event monitoring and triggered alerts needed to tell administrators what is going on in the environment at all times, in real time. For the moment, logging remains the primary mechanism for this feedback loop.
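As an added illustration (not code from the original post or from WinMagic), the script below shows the simplest form of such a feedback loop: a handful of detection rules run over audit events as they arrive, so that a change which undermines the security baseline is surfaced immediately rather than found months later. The events are constructed for the example in the shape of AWS CloudTrail records (the field names follow CloudTrail’s format; the identifiers and user names are fake), and the rule names are my own.

```python
"""Feedback-loop sketch: run detection rules over cloud audit events.

Added example. The events below are constructed in the shape of AWS
CloudTrail records; they are not real logs, and the rule names are invented.
"""
import json
from dataclasses import dataclass

# Ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_name: str
    principal: str
    detail: str


def _items(obj):
    """CloudTrail wraps lists as {"items": [...]}; also accept a bare list."""
    if isinstance(obj, dict):
        return obj.get("items", [])
    return obj or []


def _principal(ev):
    ident = ev.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def check_open_admin_port(ev):
    """Security-group rule that exposes SSH/RDP to 0.0.0.0/0."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters") or {}
    for perm in _items(params.get("ipPermissions")):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        for rng in _items(perm.get("ipRanges")):
            if rng.get("cidrIp") == "0.0.0.0/0" and any(lo <= p <= hi for p in ADMIN_PORTS):
                return Alert("open-admin-port", ev["eventName"], _principal(ev),
                             f"{params.get('groupId')} allows {lo}-{hi}/{perm.get('ipProtocol')} from 0.0.0.0/0")
    return None


def check_console_login_without_mfa(ev):
    """Successful console sign-in where MFA was not used."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    extra = ev.get("additionalEventData") or {}
    resp = ev.get("responseElements") or {}
    if resp.get("ConsoleLogin") == "Success" and extra.get("MFAUsed") == "No":
        return Alert("console-login-no-mfa", ev["eventName"], _principal(ev), "MFAUsed=No")
    return None


def check_audit_logging_disabled(ev):
    """Someone turned off the very trail the feedback loop depends on."""
    if ev.get("eventName") in ("StopLogging", "DeleteTrail"):
        params = ev.get("requestParameters") or {}
        return Alert("audit-logging-disabled", ev["eventName"], _principal(ev),
                     f"trail {params.get('name')}")
    return None


RULES = [check_open_admin_port, check_console_login_without_mfa, check_audit_logging_disabled]


def scan(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (CloudTrail-style field names, fake identifiers).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2019-03-08T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2019-03-08T10:01:00Z", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
 {"eventTime": "2019-03-08T10:02:00Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2019-03-08T10:03:00Z", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2019-03-08T10:04:00Z", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"name": "org-trail"}}
]""")


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.event_name} by {a.principal}: {a.detail}")
```

Running it against the five constructed events produces three alerts (the world-open SSH rule, the console login without MFA, and the trail being stopped) and stays silent on the two benign events. The third rule is the one worth keeping in mind: a feedback loop built on logging is only as trustworthy as the logging pipeline itself, so an attacker’s first move is often to switch it off, and that event must be alerted on with the highest priority.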
- IoT, the Near Future
The robots are coming, and they are connected to the Internet. Other segments of the IT industry are now asking whether we are prepared to defend this new attack surface, which is significantly larger than what the IT industry has traditionally protected. The IT industry’s primary focus of the last decade was identifying and containing costly data breaches; the new frontier of connected devices represents the next generation of threats. For IT professionals, this work is causing a paradigm shift from securing PC-based systems in “carpeted” environments (i.e. offices) to programmable logic controller (PLC)-based systems in “uncarpeted” (i.e. industrial) environments. It’s an exciting time to witness the merging of these two worlds.
- Quantum Cryptography, the Distant Future
Research into quantum-safe cryptography continues on two fronts. Post-quantum algorithms look surprisingly similar to traditional asymmetric encryption (at least in their mathematical representation). Quantum key distribution (QKD) is a different matter: the main challenges facing its commercialization appear to remain rooted in photonics (specifically the fiber-optic lines). These challenges notwithstanding, panel discussions at RSAC 2019 suggest that capital investment continues to grow in this area, so it will be a sector to keep watching. For a primer on QKD, refer to our earlier blog post.
- Zero Trust – A New Buzzword but the Question Remains — Is It Really Effective?
Zero Trust appears to be another emerging buzzword that is hotly discussed. However, one wonders whether Zero Trust will end up like DLP of the past: appealing in concept but not really effective and very difficult to do right. While Zero Trust could help in some areas, one wonders whether theft-evident authentication combined with endpoint controls such as device encryption is the more secure and more immediately achievable solution.
- On the Expo Floor – RSA Vendors Continue to Grow, but How Many Are Offering Reactive Solutions?
In addition to the technical sessions, I also walked the expo floor. The number of RSA vendors continues to grow, which is encouraging: it indicates ours is a disruptive industry doing important work. That said, I observed a disconnect between the messaging of industry leaders in the sessions and the commercial solutions being offered at the expo. Keynote speakers and panelists consistently recommended preventative solutions over reactive ones (as these are generally more cryptographically secure), yet many companies at the expo appeared to be offering solutions that chase threats rather than embed security “at the far left” of IT infrastructure. Taking our sector as an example, a leader is needed to offer “far-left” solutions while also providing administrators with the ability to nimbly respond to threats as they arise. I may be biased, but WinMagic could be that leader.
As in past years, the WinMagic team came back energized and charged with inspiration for 2019. It was great to listen to and connect with other industry leaders working on these important problems. Feel free to share your thoughts on your top observations. Until next year.