Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

New Tech

 

NEW TECH: DigiCert unveils ‘Automation Manager’ to help issue, secure digital certificates

By Byron V. Acohido

How do you bring a $9 billion-a-year, digitally-agile corporation to a grinding halt?

Related: Why it’s vital to secure IoT

Ask Spotify. When the popular streaming audio service went offline globally, last August, we saw a glimpse of just how tenuous digital transformation sometimes can be. Someone reportedly forgot to renew Spotify’s TLS certificate. The outage lasted about an hour, until the certificate in question got renewed.

The devil truly is in the details when it comes to how companies are hustling to leverage cloud infrastructure and spin up cool new apps. TLS certificates are a key component of all of this frenetic activity; they are part of the Public Key Infrastructure, or PKI, the system for authenticating and encrypting all human-to-machine and machine-to-machine connections.

If Spotify has an excuse, it is that the complexity of issuing and managing digital certificates has become prodigious. DigiCert’s Brian Trzupek has been tracking this trend across enterprise deployments of digital certificates.

MY TAKE: Why ‘basic research’ is so vital to bringing digital transformation to full fruition

By Byron V. Acohido

Basic research, also called pure research, is aimed at advancing scientific theories unfettered by commercial interests.

Related: The case for infusing ethics into Artifical Intelligence.

Basic research is the foundational theorizing and testing scientists pursue in order to advance their understanding of a phenomenon in the natural world, and, increasingly, in the digital realm. NTT Research opened its doors in Silicon Valley in July 2019 to help nurture basic research in three subject areas that happen to be at the core of digital transformation: quantum physics, medical informatics and cryptography.

Backed by Japanese telecom giant NTT Group, this new facility instantly jumped into the vanguard of basic research already underway that will eventually enable the routine use of quantum computers, which, in turn, will open the door to things like driverless cars and Star Trekkian medical treatments.

Along the way, of course, cybersecurity must get addressed. Ongoing basic research in advanced cryptography concepts is pivotal to putting the brakes on widening cyber risks and ultimately arriving at a level of privacy and security that makes sense.

I had a lively discussion about all of this with NTT Research’s Kazuhiro Gomi, president and chief executive officer, and Kei Karasawa, vice president of strategy. These senior executives wholeheartedly support the concept of basic research. Yet at the same time, they’re also charged with keeping an eye on the eventual “productization” of all this rarefied research. For a full drill down on this conversation, please give the accompanying podcast a listen. Here are a few key takeaways:

‘Big dreams’

Lots of big companies sponsor basic research; it’s how progress gets made. An estimated 60% of research and development in scientific and technical fields is carried out by private industry, with academic institutions and government accounting for 20% and 10%, respectively, according to the Organization for Economic Cooperation and Development.

NTT Group, for instance, typically spends more than $3.6 billion annually for … more

NEW TECH: Will ‘Secure Access Service Edge’ — SASE — be the answer to secure connectivity?

By Byron V. Acohido

Company networks have evolved rather spectacularly in just 20 years along a couple of distinct tracks: connectivity and security.

We began the new millennium with on-premises data centers supporting servers and desktops that a technician in sneakers could service. Connectivity was relatively uncomplicated. And given a tangible network perimeter, cybersecurity evolved following the moat-and-wall principle. Locking down web gateways and erecting a robust firewall were considered the be-all and end-all.

Related: The shared burden of securing the Internet of Things

Fast forward to the 21st Century’s third decade. Today, connectively is a convoluted mess. Company networks must support endless permutations of users and apps, both on-premises and in the Internet cloud. Security, meanwhile, has morphed into a glut of point solutions that mostly serve to highlight the myriad gaps in an ever-expanding attack surface. And threat actors continue to take full advantage.

These inefficiencies and rising exposures are not being ignored. Quite the contrary, there’s plenty of clever innovation, backed by truckloads of venture capital, seeking to help networks run smoother, while also buttoning down the attack surface. One new approach that is showing a lot of promise cropped up in late 2019. It’s called Secure Access Service Edge, or SASE, as coined by research firm Gartner.

SASE (pronounced sassy) replaces the site-centric, point-solution approach to security with a user-centric model that holds the potential to profoundly reinforce digital transformation. The beauty of SASE is that it accomplishes this not by inventing anything new, but simply by meshing mature networking and security technologies together and delivering them as a single cloud service —  with all of the attendant efficiency and scalability benefits.

To get a better idea of SASE, I had the chance to visit with Elad Menahem, director of security, and Dave Greenfield, secure networking evangelist,  at Cato Networks, a Tel Aviv-based startup that’s in the thick of the SASE movement. Here are the key takeaways … more

NEW TECH: Trend Micro flattens cyber risks — from software development to deployment

By Byron V. Acohido

Long before this awful pandemic hit us, cloud migration had attained strong momentum in the corporate sector. As Covid19 rages on, thousands of large to mid-sized enterprises are now slamming pedal to the metal on projects to switch over to cloud-based IT infrastructure.

A typical example is a Seattle-based computer appliance supplier that had less than 10 percent of its 5,000 employees set up to work remotely prior to the pandemic. Seattle reported the first Covid19 fatality in the U.S., and Washington was among the first states to issue shelter at home orders. Overnight, this supplier was forced to make the switch to 90 percent of its employees working from home.

As jarring as this abrupt shift to remote work has been for countless companies, government agencies and educational institutions, it has conversely been a huge boon for cyber criminals. The Internet from its inception has presented a wide open attack vector to threat actors. Covid19 has upgraded the Internet — from the criminals’ point of view — to a picture-perfect environment for phishing, scamming and deep network intrusions. Thus the urgency for organizations to put all excuses aside and embrace stricter cyber hygiene practices could not be any higher.

It’s a very good thing that the cybersecurity industry has been innovating apace, as well. Cybersecurity technology is far more advanced today than it was five years ago, or even two years ago.

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

By Byron V. Acohido

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline. To set this deadline required a long, often tortured planning cycle. And this invariably led to the delivery of a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, aka DevOps, thrives on uncertainty. DevOps expects changes as part of being responsive to end users. Agile software development is all about failing fast — discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengalura, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF,) a technology that has been around for about 15 years. WAFs have become a table stakes; any company with a public-facing website should by now have a WAF. Fundamentally, WAFs monitor all of the  HTTP traffic hitting a company’s web servers and block known malicious traffic, such as the threats listed in the OWASP Top 10 application level attacks

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda and even Amazon Web Services offers a WAF. Indusface has differentiated itself by … more

NEW TECH: Cequence Security’s new ‘API Sentinel’ helps identify, mitigate API exposures

By Byron V. Acohido

Application Programming Interfaces – APIs. Without them digital transformation would never have gotten off the ground.

Related: Defending botnet-driven business logic hacks

APIs made possible the astounding cloud, mobile and IoT services we have today. This happened, at a fundamental level, by freeing up software developers to innovate on the fly. APIs have exploded in enterprise use over the past several years.

However, API deployments have scaled so high and so fast that many companies don’t know how many APIs they have, which types they’re using and how susceptible their APIs might be to being compromised.

Cequence Security, a Sunnyvale, Calif.-based application security vendor, today is launching a new solution, called API Sentinel, designed to help companies jump in and start proactively mitigating API risks, without necessarily having to slow down their innovation steam engine. I had the chance to discuss this with Matt Keil, Cequence’s director of product marketing. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways from our conversation:

API 101

Digital transformation took off when companies discovered that instead of developing monolithic applications that were updated annually – at best – they could tap into the skill and creativity of their developers. This was possible because APIs – the conduits that enable two software applications to exchange information – are open and decentralized, exactly like the Internet.

NEW TECH: Silverfort helps companies carry out smarter human and machine authentications

By Byron V. Acohido

Doing authentication well is vital for any company in the throes of digital transformation.

Digital commerce would fly apart if businesses could not reliably affirm the identities of all humans and all machines, that is, computing instances, that are constantly connecting to each other across the Internet.

Related: Locking down ‘machine identities’

At the moment, companies are being confronted with a two-pronged friction challenge, when it comes to authentication. On the one hand, they’re encountering crippling friction when attempting to migrate legacy, on-premises systems to the cloud. And on the other hand, there’s no authentication to speak of  – when there needs to be some — when it comes to machine-to-machine connections happening on the fly to make digital processes possible.

I had an enlightening discussion about this with Dana Tamir, vice president of market strategy for Silverfort, a Tel Aviv-based supplier of agentless multi-factor authentication technology. We spoke at RSA 2020. For a full drill down of the interview, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW: Can you frame the authentication challenge companies face today?

Tamir: One of the biggest changes taking place is that there are many more remote users, many more employees bringing their own devices, and many more cloud resources are being used. This has basically dissolved the network perimeter. You can’t assume trust within the perimeter  because the perimeter doesn’t exist anymore.

And yet we know that threats exist everywhere, within our own environments, and out in the cloud. So that changes the way security needs to be applied, and how we authenticate our users. We now need to authenticate users everywhere, not only when they enter the network.

LW: What obstacles are companies running into with cloud migration?