A lunchtime roundtable with the Advisory Board for last week’s RSA Conference 2009 offered forward-looking advice on information security trends and cybersecurity threats based on research and conference discussions. Asheem Chandna of , Benjamin Jun of Cryptography Research, Tim Mather of RSA, Ari Juels of RSA Laboratories and Rich Mogull of Securosis enjoyed a spirited discussion with journalists from the BBC, USA Today and this author over a light lunch.
Security in the cloud
Cloud computing and trends in security dominated the roundtable, reflecting the overall focus of the conference. Juels said he thought the cryptographers’ panel, for instance, produced a more apt description for cloud computing: “swamp computing.” Swamp computing was coined by noted MIT computer science professor Ronald Rivest, speaking during the panel Juels moderated.
“Cloud computing sounds so sweet and wonderful and safe,” Juels said. “We should just be aware of the terminology — if we go around for a week calling it swamp computing, I think you might have the right mind-set.” Security issues in the cloud were top of mind everywhere.
Both Mather and Juels said they see significant issues with both risk and responsibility. Juels cited research at RSA Labs into the decoupling that takes place in cloud computing models: “Where does data reside? Where are the trust boundaries?” Risk still resides with the organization that collects the data and hands it to the cloud provider, often without confirmation that the requisite access and audit controls are in place.
He also noted that RSA Labs has developed a technology to show where data has been moved across the cloud, addressing potential corruption issues, but issues of access and auditability remain. That’s going to be a headache for many companies, as Mogull noted, given the number of organizations that are already in the cloud and don’t know it. In fact, he said, 100% of the Fortune 500 are in the cloud on some level; are CIOs universally aware of their exposure?
Standards and interoperability were a further concern. The Open Cloud Platform, for instance, touted by Sun as a way to deal with vendor lock-in, simply won’t go anywhere given the vested business interests of the cloud providers, unless customers band together to demand accountability and standards.
The gathering storm of RFID hacks
Such standards aren’t just relevant in the cloud, however; RFID security held the roundtable’s attention for a while as well. As privacy experts know, new U.S. passports now contain RFID chips. The issue raised by Juels is that the chip in passports can be scanned and cloned. He noted that research at the University of Washington, on which he was a coauthor, called into question government assertions about the security of such tags: under optimal conditions, RFID data could be read from more than 100 feet away. That long-range result concerns the EPC Gen 2 tags used in the passport card and in enhanced driver’s licenses, which are built for distance; the passport book itself carries a short-range contactless chip, which is why the shielding in its cover matters.
Juels observed that there’s a design drift issue brewing: What happens when these tags are added to driver’s licenses under Real ID? If the technology isn’t implemented correctly, sensitive data could be exposed. These concerns aren’t academic; in the state of Washington, officials forgot to program the “kill pin” (the password that authorizes the EPC Gen 2 Kill command, which permanently silences a tag) in the distributed RFID chips, which could in turn allow third parties to disable the device at a point of sale or elsewhere if desired. (Neil Roiter, Senior Technology Editor at Information Security magazine, conducted a separate Q&A with Juels at RSA, “RFID tags may be easily hacked,” in which they discussed his research, advances in multifactor authentication, cloud computing security, and his first novel, Tetraktys, which was launched at the conference.)
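To make the kill-password failure mode concrete, here is a toy Python model of EPC Gen 2 kill and lock behaviour. It is an added example written for this article, not code from the page, from RSA Labs or from the University of Washington researchers. The `Gen2Tag` class, the `reader_kill` and `hostile_reader_kill` helpers, the password values and the three provisioning scenarios are all constructed assumptions; the spec rules it encodes (an all-zero kill password makes a tag unkillable, the password travels in two cover-coded 16-bit halves, and the reserved memory bank can be locked against over-the-air reads) are spelled out in the comments. The article does not say which of these cases Washington’s licenses actually matched, and the model does not claim to reproduce that.

```python
# Toy model of EPC Class-1 Gen-2 tag kill/lock behaviour.
# Constructed example; not code from the article, RSA Labs or the UW researchers.
# Assumed spec behaviour (labelled as assumptions):
#   - the reserved memory bank holds a 32-bit kill password;
#   - a tag whose kill password is all zeros ignores the Kill command;
#   - Kill carries the password as two 16-bit halves, each XORed with a fresh
#     RN16 handle the tag issued (cover-coding), so a sniffer sees neither half;
#   - locking the reserved bank stops the password from being read over the air.
import secrets


class Gen2Tag:
    def __init__(self, epc: str, kill_pwd: int, lock_reserved: bool):
        self.epc = epc
        self.kill_pwd = kill_pwd & 0xFFFFFFFF
        self.reserved_locked = lock_reserved
        self.killed = False
        self._rns = []  # RN16 handles issued since the last Kill attempt

    def req_rn(self) -> int:
        """Tag answers Req_RN with a fresh 16-bit random handle."""
        rn = secrets.randbits(16)
        self._rns.append(rn)
        return rn

    def read_reserved(self):
        """Read of the reserved bank; discloses the kill password only if unlocked."""
        if self.killed or self.reserved_locked:
            return None  # tag backscatters an error (or nothing at all once killed)
        return self.kill_pwd

    def kill(self, covered_hi: int, covered_lo: int) -> bool:
        """Kill with cover-coded halves; uncover them with the two most recent RN16s."""
        rns, self._rns = self._rns, []
        if self.killed or self.kill_pwd == 0 or len(rns) < 2:
            return False
        pwd = ((covered_hi ^ rns[-2]) << 16) | (covered_lo ^ rns[-1])
        if pwd != self.kill_pwd:
            return False
        self.killed = True
        return True


def reader_kill(tag: Gen2Tag, pwd: int) -> bool:
    """Reader side of Kill: fetch two RN16s, cover-code each password half, send."""
    hi = ((pwd >> 16) & 0xFFFF) ^ tag.req_rn()
    lo = (pwd & 0xFFFF) ^ tag.req_rn()
    return tag.kill(hi, lo)


def hostile_reader_kill(tag: Gen2Tag) -> bool:
    """An attacker holding no secrets: read the password off the air, then Kill."""
    pwd = tag.read_reserved()
    return pwd is not None and reader_kill(tag, pwd)


def provisioning_outcomes() -> dict:
    """Compare three ways an issuer might provision the kill password."""
    issuer_pwd = 0xA5C31E7B  # constructed secret that the issuer keeps
    outcomes = {}

    # 1. Password set but reserved bank left unlocked: anyone can read it and kill the card.
    t = Gen2Tag("EDL-1", issuer_pwd, lock_reserved=False)
    outcomes["unlocked"] = hostile_reader_kill(t)

    # 2. Kill password left at zero: nobody can kill the card, the issuer included.
    t = Gen2Tag("EDL-2", 0, lock_reserved=True)
    outcomes["zero_pwd_attacker"] = hostile_reader_kill(t)
    outcomes["zero_pwd_issuer"] = reader_kill(t, 0)

    # 3. Nonzero password and the bank locked: only a reader holding the secret can kill.
    t = Gen2Tag("EDL-3", issuer_pwd, lock_reserved=True)
    outcomes["locked_attacker"] = hostile_reader_kill(t)
    outcomes["locked_issuer"] = reader_kill(t, issuer_pwd)
    return outcomes


if __name__ == "__main__":
    print(provisioning_outcomes())
```

The point for an issuer is that the kill password has to be both nonzero (so the issuer can revoke a card) and locked (so nobody else can read it and do the same); the cover-coding only protects the password in transit, not a password that the tag will hand over on request.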
The so-called “Western Hemisphere Travel” card will carry an RFID tag as well. RFID chips that are left exposed could leave travelers open to clandestine tracking. Such concerns are precisely why the RFID chips in U.S. passports are surrounded by a thin metal shield to prevent reading while the passport is closed. Jun said he’s concerned that mistakes in the way RFID is being implemented and regulated by state and federal agencies may poison the industry. As Mogull observed, such mistakes have already created substantial headaches: MasterCard’s initial RFID deployment in credit cards left the cards answering any reader with names and credit card numbers in the clear. The issue, as those at the roundtable seemed to agree, is that the cost and business use cases aren’t driving deployments that invest in the necessary protections, even with the Electronic Frontier Foundation acting as a watchdog.
Even in the context of major cybersecurity threats, however, the roundtable expressed cautious optimism that the trend lines for 2009 may lead to positive changes in the information security industry. Jun said he thinks that IT budgets slashed amidst the recession are actually a welcome challenge for information security professionals. Buying cycles are lengthening, except when there’s a data breach. The enterprise CIO isn’t allowing new appliances to be purchased. Instead, CISOs are being asked to build security architectures in-house, do complete risk assessments and map out vulnerabilities. Security practitioners must then defend what has been done to auditors. As Jun sees it, “this is what CISSPs were trained to do – not install boxes.”
Innovation may finally return to information security software
Tough times and tight budgets also mean that innovation around information security on the part of vendors and CISOs alike is necessary. Chandna, a venture capitalist, said he sees improvements coming to both physical and logical security. The winner of the innovation award at RSA this year, in fact, was a company that combined the two. AlertEnterprise, based in Fremont, Calif., focuses on detecting and resolving blended threats to a computer network, the building itself or both. Chandna posited that such technologies would have been useful for detecting ongoing fraud at Satyam, where checks were being issued to phantom employees.
Chandna said he also sees a clear need for innovation in Web security, a position echoed around the table and on the RSA Conference floor. Infection through Web apps and other Web 2.0 platforms is a cause of considerable concern for enterprise CISOs for the coming year. Given the long lines for the sessions on cybersecurity threats at RSA, Chandna’s concern regarding the growth of organized criminal networks online is matched by delegates.
Takeaways from RSA 2009?
Jun said he sees substantial concerns in the security community over the insider threats posed by the recession. Trade secrets and leaks aren’t likely to be publicized. CISOs have told him that they are “seeing an increase in access to customer files,” a trend that is likely to make data loss prevention a critical practice for the enterprise security officer in the months ahead.
Chandna saw similar threats to data security, noting that many vendors have now appended “compliance” to the descriptions of their solutions. Mather agreed with these assessments, adding that there is the potential for a “National Cyber Leap Year” in which the big vendors make major adjustments to a changed threat environment. He said he believes that the combination of the recession, consumer awareness of data breaches and identity theft, and the federal government “waking up” to massive cybersecurity vulnerabilities in critical infrastructure will create a sea change in the industry. He sees the potential for unprecedented collaboration in information security, in reporting, coordination and systems management alike.
Given the pace of change that has already been set to date in 2009, those predictions may still hold water at year’s end.