Much of what I learned at RSA has stayed with me. Some things surprised me; others confirmed some trends I have been noticing on my own for a bit. More on those later.
However, one particular quote really got my attention.
It came from keynote speaker Dr. Neil deGrasse Tyson, one of my personal heroes. He was talking about how very important the role of cybersecurity was in this increasingly digital world. To paraphrase, he said: “All of us here at RSA…you are the Night’s Watch. You are the ones standing on the wall.”
My affinity for that metaphor will out me as the Game of Thrones geek that I am. (Then again, to those who know me, my geekdom is no surprise. We’ve named the conference rooms at our Atlanta Simeio headquarters things like “King’s Landing” and “Winterfell.” Yes, really.)
But Dr. deGrasse Tyson has it right: the importance of the cybersecurity professional’s role cannot be overstated. Online security and protection of customer privacy isn’t just one of the hottest topics in boardrooms…with the recent political climate, it’s a widely discussed topic even across kitchen tables.
That’s why gatherings such as the RSA Conference are so crucial. When 40k+ people descend on a town to trade notes on cybersecurity, the world needs to pay attention.
Here are some of my key takeaways from the RSA Conference.
Identity Comes Into Its Own
In previous years, identity was tucked away in a corner of this conference. Not so this time around. I was pleased to find identity as a full-blown track. It shows quite clearly that while security was previously thought of as just network security, IAM is becoming a cornerstone of security. For the first time at this conference, identity was being seen as a critical piece of security, and a necessary partner of privacy. That is to say, one cannot maintain a privacy posture without identity.
A Short-Staffed Industry
One of the things that was discussed was that the CyberSecurity industry has a talent shortage, yet not many realize just how severe it is. And more importantly, most people don’t realize what corporations that are struggling with the problem must do to get a grip on it.
Here are some stats for you: there’s zero percent unemployment in CyberSecurity. There are 1 million unfilled jobs worldwide.
What does that mean? It means the industry is seeing an increase in services spend. It means that a lot of companies cannot hire the people they need, or simply can’t find them. Or they don’t need them all the time, but when they need them, they really need them – like for incident response.
So a lot of companies are reaching out to MSSPs rather than building in-house. Companies look to solve their skill problems by developing their own corporate training, but often that’s not enough. And as a bonus, companies that have gone to the cloud find themselves with IT staff who can now be retrained on critical security skills like incident response – and that has a big impact in closing this skills gap.
The Internet of Vulnerabilities
With last October’s Dyn attack fresh in everyone’s minds, one of the most heavily discussed topics was Internet of Things (IoT) security. Many sessions described criminal methods (like skimming) in detail and exposed common device vulnerabilities.
But few offered real solutions. The SANS Institute’s annual keynote, “The Seven Most Dangerous New Attack Techniques and What’s Coming Next”, warned about IoT vulnerabilities. The session explored the relatively simple means by which ordinary home automation devices can be used as an entry point for attackers, who then move laterally within a corporate network.
With the recent explosion of crypto-ransomware, which has become an ideal mechanism for the “bad guys” to hold company data hostage, this talk also highlighted the looming danger of IoT as a new attack surface for ransomware.
Given how much money criminals make with ransomware, it is logical they would use that tool to exploit IoT vulnerabilities. Gartner predicts that by 2020, more than 25% of identified attacks in enterprises will involve IoT devices, so the industry needs to quickly agree on and universally enforce a security model for IoT.
The Future of Device Identification
The problem with identity of things is that all devices are not the same. Hugh Thompson touched on this topic in his keynote presentation on “Revolutionizing the Future of CyberSecurity,” where he presented a really interesting concept that struck me as the way forward for device identification and IoT security.
The idea is to tie something that resembles a food label to every single IoT device. It could be captured by the identity system at time of device registration, and then transmitted in the ID Token as part of a handshake.
This “label” could be used to communicate various immutable properties of the device such as voice recording capabilities. So, if it can indeed record voice, then maybe I want to apply special security policies & data restrictions, like not permitting it in boardrooms.
But it might also communicate security information about the device, such as when it was last checked, vetted, had maintenance – so that I can trust that device. And wouldn’t it be great if every device came with a behavioral graph describing how it should be functioning normally – and then we could apply UEBA tools to better understand when it’s behaving strangely and is a risk?
This ties in quite well with what we are doing at Simeio with our Identity Platform.
We believe that once you are able to establish the identity of a device, you can start fingerprinting the device and establishing an identity footprint. So if it is a brand-new device, the footprint is fairly new, so you know there is a certain amount of risk involved with that device. And you might apply a different type of authentication policy for that device.
You might trust a device if it has been working there for years. You’ll know the geo-location of the device, that it is coming from the right place, that the manufacturer ID is correct. If it is a phone, you’ll then know that the IMEI is registered with this user.
There are a lot of variables involved in this kind of situation. What we have been doing is developing a trust model for identities that establishes a confidence score based on the information we know about the device, where the identity can be a person (physical user) or a device.
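To make the device label and trust model concrete, here is an added Python sketch (not Simeio platform code and not Hugh Thompson’s proposal): it models the label as claims an identity system could carry in the ID Token, derives a confidence score from the footprint attributes discussed above (history, manufacturer ID, geo-location, vetting, IMEI), and turns that into a policy decision. The claim names, weights, device ids and sample values are all assumptions constructed for this example.

```python
from datetime import datetime, timezone

def _ts(s):
    """Parse an RFC 3339 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed device "label": immutable properties plus security state, modelled
# as claims captured at registration and carried in the ID Token (all made up).
DEVICE_LABEL = {
    "sub": "device:thermostat-0042",
    "manufacturer_id": "ACME-IOT",
    "capabilities": ["temperature", "voice_recording"],
    "last_vetted": "2017-02-01T00:00:00Z",
    "first_seen": "2017-02-10T00:00:00Z",
}

# Constructed registry data the identity platform is assumed to already hold.
KNOWN_MANUFACTURERS = {"ACME-IOT"}
EXPECTED_GEO = {"device:thermostat-0042": "US-GA"}
REGISTERED_IMEIS = {"alice": {"356938035643809"}}  # sample IMEI, constructed

def confidence_score(label, observed, now):
    """Weighted footprint score in [0, 100]; the weights are assumptions."""
    score = 0.0
    age_days = (now - _ts(label["first_seen"])).days
    score += min(age_days, 365) / 365 * 40          # up to 40: observed history
    if label["manufacturer_id"] in KNOWN_MANUFACTURERS:
        score += 20                                 # manufacturer ID checks out
    if observed.get("geo") == EXPECTED_GEO.get(label["sub"]):
        score += 20                                 # coming from the right place
    if (now - _ts(label["last_vetted"])).days <= 90:
        score += 10                                 # recently vetted/maintained
    imei = observed.get("imei")
    if imei and imei in REGISTERED_IMEIS.get(observed.get("user"), set()):
        score += 10                                 # IMEI registered to this user
    return round(score)

def authn_policy(label, score, location):
    """Combine label properties and confidence into policy decisions."""
    decisions = []
    if "voice_recording" in label["capabilities"] and location == "boardroom":
        decisions.append("deny: recording-capable device not permitted in boardroom")
    if score < 50:
        decisions.append("step-up: require additional authentication")
    elif score < 80:
        decisions.append("allow: baseline with UEBA monitoring")
    else:
        decisions.append("allow")
    return decisions
```

A brand-new device with no matching geo-location lands in the step-up band, while the same device seen from its expected location with a registered IMEI scores higher; the boardroom restriction applies regardless of score.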
One Fate We Must Prevent
The conference featured several more captivating presentations on advancements in digital identity standards, including methods to secure customer access, ways companies can prepare to be compliant with GDPR, etc. We will get into those topics in future blogs.
But today, I’d like to close out this post with a quick shout out to Ian Glazer’s inspiring call to arms on professionalizing the identity management industry in a talk named “One Fate We Must Prevent.”
In his presentation, Ian spoke on the long overdue need for a professional organization for identity, and presented a sound maturity model for achieving what he calls the “de-weaponization of identity systems” model.
In today’s world, digital identity is being sought after as a basic human right (United Nations ID2020) as a means to end trafficking and ensure basic human services. So we, as identity professionals, need to answer this call today, to come together and find ways to prevent identity systems from being harmful. (All while ensuring they deliver the services that everyone expects from our society.) To this end, we have signed the Kantara Initiative’s Identity Professionals pledge.
After all…we are the Night’s Watch, the guardians on the Wall.
Vice President of Product Management