Perimeter Security is Dead – Lessons from RSA 2016

I once again had the pleasure and privilege of attending the largest security conference in the world: the 2016 RSA Security Conference in San Francisco. This year's conference was well attended, with a reported 40,000 attendees, up from fewer than 20,000 just a few years ago. WinMagic had a full team attending the show, covering keynotes and security sessions and staffing the WinMagic booth on the expo floor, where we launched our new solution, SecureDoc CloudVM.

As I have done in the past, at the end of the conference I polled my colleagues for their overall observations and takeaways. Their input is melded here with my own take on things:

  • First of all, the most talked-about company at the conference was one that wasn't a sponsor and didn't even have a booth or host a security session: Apple. This was, of course, with respect to the FBI's demand that Apple create software which would unlock the San Bernardino iPhone. It came up time and time again on the expo floor, in the sessions and in the keynotes. The security community rallied behind Apple, with an almost universal belief that backdoors are bad and cause more harm than good. That said, the technical community understands that the government and the general public are not as convinced, and is therefore encouraging a full and open debate on the subject.
  • The need to fight against backdoors isn't the only thing the security community agrees on. The new Cyber Threat Alliance, with Intel Security among its founders, is another example of co-operation.
  • Perimeter security is dead: firewalls cannot keep the bad guys out any more. The gates have been stormed and IT security has to regroup. Most big enterprises are in a constant state of breach, so new strategies and technologies are needed. First, assume that your network is, or will be, breached; then detect it, minimize the impact and recover quickly. For example, I heard people talk about keeping the "blast radius" as small as possible (i.e. containing the damage any one breach can do) or backing up every ten minutes so that the restore point is very recent.
  • Cloud is now: adoption is rapid, and the cloud differs from traditional IT in how fast it moves. Dozens or even hundreds of new servers can be spun up in the blink of an eye. New "born in the cloud" companies have a strategic advantage over companies with established brick-and-mortar IT in that they can scale up almost instantly without capital outlays, and have access to vast resources at relatively cheap by-the-hour rates. There is a lot of automation underlying this scalability, and where there is automation there are opportunities for things to go wrong at scale: a misconfiguration applied by a script is applied to every server the script touches. It makes me think that the famous saying "To err is human, but to really foul things up you need a computer" will soon be modified to add a next level of mess that can only be achieved with a cloud. New technologies and companies are popping up to deal with the resulting security concerns, because in the end, while you can move your data and processing into a third-party cloud, the enterprise still has bottom-line responsibility for keeping its information safe.
  • IoT is next: well, maybe. I heard the prediction of 50 billion IoT devices by 2020 at least a dozen times. We even had our own "SEDs (self-encrypting drives) in the IoT" demo at the RSA TGG seminar, but I also heard people question whether everyone on the planet really needs an internet-enabled toothbrush. The benefit of buying and deploying a device has to outweigh the risk of the harm it could cause (I personally don't have the imagination to foresee how or why someone would attack a toothbrush, but I am pretty sure there are people who do). Even if not 50 billion, there will still be billions of IoT devices in the near future, and authentication, attestation and encryption have a role to play in securing them.
  • AI is the future: it may take 10 to 20 years, but human intelligence will be matched by artificial intelligence. Once it is, AI capabilities could quickly shoot past humans to the superintelligence level, as argued by Professor Nick Bostrom, Director of the Future of Humanity Institute. The idea, unlike with the Internet, is to build safety and security into AI explicitly from the very beginning. If we don't, then at RSA 2036 I can foresee sitting through a session dissecting the first attack on humanity by a rogue AI.
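The IoT point above names authentication and attestation without showing what an attestation exchange actually looks like. The following is an added example, not code from the original post or from WinMagic. It assumes a hypothetical device with a symmetric key provisioned at manufacture, a verifier that holds the same key plus a "golden" hash of the approved firmware, and constructed firmware byte strings as sample input; every name and value in it is made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example values (assumptions, not from the post or any real product).
DEVICE_KEY = bytes.fromhex("4f3a9c1e77b2d0a5e8c6f14d2b9a7e3c0d5f8a1b6c2e9d4f7a0b3c6d9e2f5a8b")
GENUINE_FIRMWARE = b"sensor-node-fw-1.4.2"          # constructed firmware image
GOLDEN_MEASUREMENT = hashlib.sha256(GENUINE_FIRMWARE).digest()


def measure(firmware_image: bytes) -> bytes:
    """Measurement = SHA-256 of the firmware image (stands in for a TPM-style PCR value)."""
    return hashlib.sha256(firmware_image).digest()


def device_attest(device_key: bytes, firmware_image: bytes, nonce: bytes) -> dict:
    """Device side: report the measurement, bound to the verifier's nonce by an HMAC
    under the device key so the report is both authenticated and fresh."""
    measurement = measure(firmware_image)
    tag = hmac.new(device_key, nonce + measurement, hashlib.sha256).digest()
    return {"nonce": nonce, "measurement": measurement, "tag": tag}


class Verifier:
    """Verifier side: issues single-use nonces and checks reports against the golden value."""

    def __init__(self, device_key: bytes, golden_measurement: bytes):
        self.device_key = device_key
        self.golden = golden_measurement
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, report: dict) -> str:
        nonce = report["nonce"]
        if nonce not in self.outstanding:
            return "reject: unknown or replayed nonce"
        self.outstanding.discard(nonce)                 # each nonce is accepted at most once
        expected_tag = hmac.new(self.device_key, nonce + report["measurement"],
                                hashlib.sha256).digest()
        # Authenticate the report before trusting its content; constant-time compare.
        if not hmac.compare_digest(expected_tag, report["tag"]):
            return "reject: bad tag (wrong key or tampered report)"
        if not hmac.compare_digest(report["measurement"], self.golden):
            return "reject: firmware measurement does not match golden value"
        return "accept"


def run_scenarios() -> dict:
    """Drive four exchanges and return the verifier's verdict for each."""
    verifier = Verifier(DEVICE_KEY, GOLDEN_MEASUREMENT)
    results = {}

    # 1. Genuine device, genuine firmware.
    nonce = verifier.challenge()
    genuine_report = device_attest(DEVICE_KEY, GENUINE_FIRMWARE, nonce)
    results["genuine"] = verifier.verify(genuine_report)

    # 2. Replay of the earlier valid report: the nonce has already been consumed.
    results["replay"] = verifier.verify(genuine_report)

    # 3. Genuine key, but firmware modified (constructed tampered image).
    nonce = verifier.challenge()
    results["tampered_firmware"] = verifier.verify(
        device_attest(DEVICE_KEY, GENUINE_FIRMWARE + b"-implant", nonce))

    # 4. Impostor device without the provisioned key, claiming genuine firmware.
    nonce = verifier.challenge()
    results["wrong_key"] = verifier.verify(
        device_attest(b"\x00" * 32, GENUINE_FIRMWARE, nonce))

    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:>18}: {verdict}")
```

The nonce gives freshness (a captured report cannot be replayed), the HMAC gives authenticity (only a device holding the key can produce a report the verifier accepts), and the golden comparison gives the integrity verdict. The caveat that matters in practice: the scheme is only as good as where the key lives. If the firmware being measured can read the device key, compromised firmware can simply sign the golden value, so the key and the measurement logic must sit in hardware the firmware cannot reach (a secure element, a TPM, or the controller of a self-encrypting drive). A shared symmetric key also lets a compromised verifier impersonate every device, which is why fielded systems tend to use per-device asymmetric keys instead.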