Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Podcasts

 

SHARED INTEL: FireMon survey shows security lags behind fast pace of hybrid cloud deployments

By Byron V. Acohido

Corporate America’s love affair with cloud computing has hit a feverish pitch. Yet ignorance persists when it comes to a momentous challenge at hand: how to go about tapping the benefits of digital transformation while also keeping cyber exposures to a minimum level.

Related: Why some CEOs have quit tweeting

That’s the upshot of FireMon’s second annual State of Hybrid Cloud Security Report of 522 IT and security professionals, some 14 percent of whom occupy C-suite positions.

Nearly 60 percent of the respondents indicated the pace of their cloud deployments have surpassed their ability to secure them in a timely manner. Notably, that’s essentially the same response FireMon got when it posed this same question in its inaugural hybrid cloud survey some 14 months ago.

That’s not a good thing, given migration to cloud-based business systems, reliance on mobile devices and onboarding of IoT systems are all on an upward sweep. “It doesn’t seem like we’ve moved the needle on security at all,” says Tim Woods, vice president of technology alliances at FireMon, the leading provider of automated network security policy management systems.

I had the chance to visit with Woods at RSAC 2020 in San Francisco recently. For a full drill down on our discussion, please give a listen to the accompanying podcast. Here’s a summary of key takeaways:

Shared burden confusion

Hybrid cloud refers to the mixing and matching of on-premise IT systems, aka private clouds, with processing power, data storage, and collaboration tools leased from public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud. Hybrid clouds are being leveraged to refresh legacy networks, boost productivity and innovate new software services at breakneck speed, to keep pace with rivals.

NEW TECH: Can MPC — Multi Party Computation — disrupt encryption, boost cloud commerce?

By Byron V. Acohido

Encryption is a cornerstone of digital commerce. But it has also proven to be a profound constraint on the full blossoming of cloud computing and the Internet of Things.

Related: A ‘homomorphic-like’ encryption solution

We know very well how to encrypt data in transit. And we’ve mastered how to encrypt — and decrypt — data at rest. However, we’ve yet to arrive at a seminal means to crunch encrypted data – without first having to decrypt it.

Math geniuses and data scientists have been trying to solve this problem for more than half a century. It has only been in the past 10 years or so that commercial versions of homomorphic encryption, which I’ve written about, have slowly gained traction. Another solution is something called Multi Party Computation, or MPC, which I was unfamiliar with when heading to RSA 2020 recently.

I had the chance to visit with Nigel Smart, co-founder of Unbound Tech, a company which uses MPC technology to solve the problem of private key protection and key management. The company, based in Petach Tikvah, Israel, addresses the problem via a “virtual Hardware Security Module” as opposed to the traditional method of using physical infrastructure. Smart told me about how MPC has attracted the attention of the cryptocurrency community, in particular the purveyors of crypto currency exchanges and the suppliers of digital wallets.

And he explained how advanced encryption technologies, like MPC and homomorphic encryption, are on the cusp of enabling much higher use of the mountains of data hoarded in cloud storage by companies and governments. For a full drill down on our discussion, give the accompanying podcast a listen. My big takeaways:

NEW TECH: Byos pushes ‘micro segmentation’ approach to cybersecurity down to device level

By Byron V. Acohido

Many companies take an old-school approach to bringing up the rear guard, if you will, when it comes to protecting IT assets.

It’s called network segmentation. The idea is to divide the network up into segments, called subnetworks, to both optimize performance as well as strengthen security.

Related: A use case for endpoint encryption

At RSA 2020 in San Francisco recently, I learned about how something called  “micro segmentation” is rapidly emerging as a viable security strategy. Micro segmentation takes the fundamental principle of network segmentation and drives it down to smaller and smaller subnetworks.

One security vendor pushing micro segmentation just about as low as you can go — all the way to the individual device level —  is a Nova Scotia-based startup called Byos. I had the chance to visit with Matias Katz, founder and CEO, and Ryan Bunker, business development director, at RSA 2020. For a full drill down on our conversation, give the accompanying podcast a listen. Here are key takeaways:

Micro gateways

A network gateway is like a submarine’s bulkhead passageways, which can be sealed off in emergencies. It’s where traffic passes from one subnetwork to the next. It’s also where you can put a hard stop on the movement of anything dangerous.

SHARED INTEL: Bogus Coronavirus email alerts underscore risk posed by weaponized email

By Byron V. Acohido

It comes as no surprise that top cyber crime rings immediately pounced on the Coronavirus outbreak to spread a potent strain of malware via malicious email and web links.

Related: Credential stuffing fuels cyber fraud

IBM X-Force researchers shared details about how emails aimed at Japanese-speaking individuals have been widely dispersed purporting to share advice on infection-prevention measures for the disease. One of the waves of weaponized emails actually is designed to spread a digital virus: the notorious Emotet banking Trojan designed to steal sensitive information.

One cybersecurity company, Tel Aviv-based Votiro, is taking a different approach to strengthen protection against such weaponized documents, using technology that disarms files before they are delivered to the recipient’s inbox.   I had the chance to visit with Votiro CEO and founder Aviv Grafi at RSA 2020. For a full drill down give a listen to the accompanying podcast. Here are a few key takeaways:

Filtering falls short

As a former penetration tester who specialized in testing employees aptitude for resisting email lures, Grafi saw time-and-again how – and why – attackers leverage timely events, such as celebrity deaths, holidays or tax deadlines to lure email recipients to click on corrupted Word docs or PDF attachments.

Votiro introduced their ‘Disarmer’ technology, called CDR, for “content, disarm and reconstruction” to the U.S. market in 2019. CDR takes a prevention, instead of detection, approach to disarming weaponized email and deterring document-delivered malware.

MY TAKE: Why speedy innovation requires much improved cyber hygiene, cloud security

By Byron V. Acohido

Speed is what digital transformation is all about. Organizations are increasingly outsourcing IT workloads to cloud service providers and looking to leverage IoT systems.

Related: The API attack vector expands

Speed translates into innovation agility. But it also results in endless ripe attack vectors which threat actors swiftly seek out and exploit. A big challenge security executives face is balancing speed vs. security.

I spoke with Greg Young, Cybersecurity Vice President at Trend Micro about this. We met at RSA 2020 in San Francisco. Trend Micro has evolved from one of the earliest suppliers of antivirus suites to a provider of a broad platform of systems to help individuals and organizations reduce cyber exposures.

For a full drill down of our discussion, please give the accompanying podcast a listen. Here are a few key takeaways.

Teeming threat landscape

Security leaders’ key priority is reducing exposures to the cyber risks they know are multiplying. Compliance penalties, lawsuits, loss of intellectual property, theft of customer personal data, and reputational damage caused by poor cyber defenses are now top operational concerns. Yet many organizations continue to practice poor cyber hygiene.

Cyber hygiene basics revolve around aligning people, processes and technologies to adopt a security-first mindset. In the current environment, it is vitally important for companies to secure vulnerabilities in their mission-critical systems, while at the same time remaining vigilant about detecting intruders and recovering quickly from inevitable breaches.

NEW TECH: Devolutions’ ‘PAM’ solution helps SMBs deal with rising authentication risks

By Byron V. Acohido

The cybersecurity needs of small- and mid-sized businesses (SMBs) differ from those of large enterprises, but few solutions cater to them. A 2018 Cisco Cybersecurity Special Report found that 54 % of all cyber attacks cost the target company more than $0.5 million — damages that would crush most SMBs. However, smaller companies rarely have the IT talent, tools, or budget to prevent such attacks.

Related: SMBs are ill-equipped to deal with cyber threats

Without a cohesive cybersecurity framework, SMBs are falling further behind as digital transformation, or DX, ramps up.  Embracing digital transformation becomes even more of a challenge without a dedicated platform to address vulnerabilities.

I spoke with Maurice Côté, VP Business Solutions, and Martin Lemay, CISO,  of Devolutions, at the RSA 2020 Conference in San Francisco recently. Devolutions is a Montreal, Canada-based company that provides remote connection in addition to password and privileged access management (PAM) solutions to SMBs. You can get a full drill down on our discussion in the accompanying podcast. Here are some of the key takeaways:

PAM 101

PAM is crucial to all companies because it reduces opportunities for malicious users to penetrate networks and obtain privileged account access, while providing greater visibility of the environment. Current PAM solutions cater almost exclusively for large organizations.

Suppliers simply strip down their enterprise versions to sell to SMBs, with their solutions being prohibitively expensive for SMBs. Poorly implemented authentication can also lead to network breaches and compliance headaches.

MY TAKE: Why IoT systems won’t be secure until each and every microservice is reliably authenticated

By Byron V. Acohido

Wider use of Internet of Things systems that can make daily living safer, healthier and more convenient is on the immediate horizon. However, to fully capture the benefits of an IoT-centric economy, a cauldron of privacy and security concerns must first be quelled.

Related: The promise and pitfalls of IoT

At the technology level, two fundamental things must get accomplished. First, the identities of any two digital entities – a sensor and a control server, for instance, or even a microservice and a container —  must be authenticated, and, second, the data exchanged between any two such digital instances must be encrypted.

The good news is that the technology to do this – on the fly and at the massive scale required — exists and is being reinforced. I’m referring to the Public Key Infrastructure, or PKI, and the underlying TLS/SSL authentication and encryption protocols.

The PKI framework revolves around distributing and continually managing digital certificates, issued by Certificate Authorities (CAs). PKI today appears to be in very good shape (link) and is on track to become even more robust, which it will have to be in order to function seamlessly at the massive scale required.

Consider this: just five years ago, a large enterprise was typically responsible for managing, at most, a few million digital certificates. But as IoT systems gain more and more traction, that number will climb into the hundreds of million, per company.

Setting priorities

The core IoT challenge, going forward, is not about technology —  it’s about corporate priorities. It is incumbent upon enterprises plunging forward with digital transformation to embed security and emphasize cyber hygiene – much more so than they generally do today.  IoT device manufacturers must embed basic security protocols at a granular level, and corporate captains must instill a security-first culture — to a level much deeper than is common today.

“If you’re not authenticating connections and you’re not encrypting your … more