FIRESIDE CHAT: New automated tools, practices ascend to help companies wrangle PKI

By Byron V. Acohido

Arguably one of the biggest leaps forward an enterprise can make in operational reliability, as well as security, is to shore up its implementations of the Public Key Infrastructure.

Related: Why the ‘Matter’ standard matters

Companies have long relied on PKI to deploy and manage the digital certificates and cryptographic keys that authenticate and protect just about every sensitive digital connection you can name.

Reliance on PKI is only intensifying – as a direct result of the rise of massively interconnected digital systems. This has created a daunting operational and security challenge for many enterprises.

The good news is that a new batch of technical standards and protocols, as well as advanced tools and services, are on the ascension, as well.

Guest expert: Mike Malone, founder and CEO of Smallstep

One technology start-up in the thick of helping companies more effectively “wrangle” PKI is San Francisco-based Smallstep, as Mike Malone, founder and CEO, puts it.

Smallstep launched in April 2022 with $26 million in funding, including a seed round of $7 million led by boldstart ventures with participation from Accel Partners, Bain Capital Ventures and Upside Partnership LLC, and a Series A of $19 million led by StepStone Group.

I recently had the chance to visit with Malone; we discussed how advances in automation can help companies begin to proactively manage the swelling volume of digital certificates and encryption keys that are part and parcel of massively interconnected digital systems. For a full drill down, please give the accompanying podcast a listen.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

RSAC insights: Concentric AI directs Google’s search techniques towards locking down data sprawl

By Byron V. Acohido

In order to extract value from the Internet, data sprawl first must get reined in. This has always been the case.

Related: Equipping SOCs for the long haul

What good is connecting applications, servers and networks across the public cloud if you’re unable to securely operationalize the datasets that these interconnected systems store and access?

Solving data sprawl has now become a focal point of cybersecurity. It’s about time. Much of the buzz as RSA Conference 2022 happens this week (June 6 – 9) in San Francisco will be around innovations to help companies make sense of data as it gets increasingly dispersed to far-flung pockets of the public cloud.

I had the chance to visit with Karthik Krishnan, CEO of San Jose, Calif.-based Concentric AI, which is in the thick of this development. Concentric got its start in 2018 to help companies solve data sprawl – from the data security and governance perspective – and has grown to 50 employees, with $22 million in venture capital backing. For a full drill down of our discussion, please give the accompanying podcast a listen. Here are a few key takeaways.

Crawling, classifying

Jeff Bezos solved data sprawl for selling books and gave us Amazon. Larry Page and Sergey Brin solved data sprawl for generalized information lookups and gave us Google.

In much the same sense, companies must now solve data sprawl associated with moving to an increasingly interconnected digital ecosystem. And addressing data security has become paramount.

MY TAKE: A path for SMBs to achieve security maturity: start small controlling privileged accounts

By Byron V. Acohido

The challenge of embracing digital transformation while also quelling the accompanying cyber risks has never been greater for small- and mid-sized businesses.

Related: How ‘PAM’ improves authentication

SMBs today face a daunting balancing act. To boost productivity, they must leverage cloud infrastructure and participate in agile software development. But this also opens up a sprawling array of fresh security gaps that threat actors are proactively probing and exploiting.

Somehow SMBs must keep pace competitively, while also tamping down the rising risk of suffering a catastrophic network breach.

There’s a glut of innovative security solutions, to be sure, and no shortage of security frameworks designed to help companies mitigate cyber risks. Leading-edge cybersecurity systems in service today apply machine learning in some amazing ways to help large enterprises identify and instantly respond to cyber threats.

However, this is overkill for many, if not most, SMBs. Day in and day out their core security struggle boils down to making it harder for intruders to attain and manipulate remote access. And it doesn’t take enterprise-grade security systems to accomplish this.

I’ve had several discussions about this with Maurice Côté, vice president of business solutions at Devolutions, a Montreal, Canada-based supplier of remote desktop management services. We talked about how Devolutions has been guiding its SMB customers

MY TAKE: How ‘CASBs’ are evolving to close the security gaps arising from digital transformation

By Byron V. Acohido

The Cloud Access Security Broker (CASB) space is maturing to keep pace with digital transformation.

Related: CASBs needed now, more than ever

Caz-bees first took shape as a cottage industry circa 2013 to 2014 in response to a cry for help from companies reeling from new Shadow IT exposures: the risk created by early-adopter employees, quite often the CEO, insisting on using the latest smartphone and Software-as-a-Service tools without any shred of security vetting.

A wave of acquisitions absorbed a half-dozen early CASB startups. One company still actively innovating as an independent CASB is San Jose, CA-based security vendor CipherCloud. I had the chance to visit with CipherCloud CTO Sundaram Lakshmanan at RSA 2019.

We discussed how the basic notion of flowing all data coming into a company’s network — from whatever device or web app — through a cloud gateway for security scanning has become elemental. For a full drill down, give the accompanying podcast a listen. Here are the key takeaways:

Shifting role

As with almost any security solution, the bottom line for CASBs is all about protecting the data – without detracting from users’ experience, and thus eroding productivity. This is especially important within the cloud. CASBs began by closing glaring security gaps created by the rapid adoption of mobile devices and cloud tools. Quite naturally, that role is now shifting and expanding.

Now that CASBs have been around for half a decade, companies are figuring out how to utilize them to reinforce specific silos within their IT and security teams. More enterprises are rethinking their internal processes, seeking a more centralized, convenient approach to securing web apps, Lakshmanan told me.

“At the end of the day, it is about business productivity and helping users get their job done,” he said. Enterprises are starting to understand that as they pursue velocity and scale,

MY TAKE: Why privacy regulations are a must for next-gen cars and trucks

By Byron V. Acohido

With wide deployment expected in the next decade, the driverless automobile landscape looks fraught – from road safety to data protection.

Driverless automobiles, long-haul trucks and military transport vehicles are on a fast track for wide deployment over the next five to 10 years. That much is clear.

Related: Security ramifications of autonomous transportation.

Vehicle manufacturers are all in, and innovation is racing forward. Meanwhile, captains of industry and political leaders are eager to reap the benefits of autonomous transportation.

The big pros: more efficient travel, less pollution, improved vehicle utilization and a leadership role for the United States in autonomous vehicle innovation. This is according to a 2017 report from The Center for the Study of the Presidency and Congress, a nonprofit and nonpartisan think tank.

Of course, allowing a computer to autonomously control powerful, fast-moving machines carrying fragile humans implies safety risks. However, the major safety concerns are clearly delineated and should be straightforward to address. And experts say vehicle travel actually should be much safer with a computer behind the wheel.

The stickier matter is how to address a slew of murky privacy concerns spinning out of the rise of driverless cars and trucks. State and federal regulators have begun shaping regulations to address both safety and privacy concerns, and industry standards are being hashed out as well. However, it’s anyone’s guess, at this point, what blend of rules and best practices will ultimately emerge.

“We should expect legislative requirements related to vehicle upkeep, including mechanical, electrical and software systems,” said Rusty Carter, vice president of product management at Arxan Technologies, a San Francisco–based supplier of application security systems.

When it comes to preserving the privacy of the occupants of driverless vehicles, however, the burden still rests with the individual.

“Consumers need to remain vigilant and exercise their rights to limit collection and use of any data that is collected,” said Elizabeth Rogers, a privacy and … more

MY TAKE: These 7 nation-state backed hacks have put us on the brink of a global cyber war

By Byron V. Acohido

Nation-state backed hacking collectives have been around at least as long as the Internet.

However, evidence that the ‘golden age’ of cyber espionage is upon us continues to accumulate as the first half of 2018 comes to a close.

Related podcast: Obsolescence is creeping into legacy security systems

What’s changed is that cyber spies are no longer content with digital intelligence gathering. Military operatives and intelligence units today routinely hack to knock down critical infrastructure, interfere with elections, and even to exact revenge on Hollywood studios.

Recently, one of the most powerful and notorious cyber spies on the planet, North Korean General Kim Yong Chol, stepped from obscurity into global celebrity status.

Last month President Trump invited the heretofore obscure General Kim into the White House for an impromptu state visit. For about two hours, Trump exchanged pleasantries with the man who orchestrated North Korea’s devastating hack of Sony Pictures in 2014, the aforementioned revenge caper. The tête-à-tête unfolded as Trump prepared for his summit in Singapore with General Kim’s boss, North Korean despot Kim Jong-un.

Rise of North Korea

It’s notable that, since the Sony Pictures hack, General Kim has steadily gotten more powerful and adept at the cyber spy game. Today he commands a cyber army, some 7,000 hackers and support staff strong, that has emerged as a potent and disruptive force. The Wall Street Journal recently reported that North Korea is cultivating elite hackers much like other countries train Olympic athletes.

Meanwhile, Iran-sponsored cyber operatives are making hay, as well. Trump’s decision

MY TAKE: Why Google is labeling websites ‘unsafe’ — what publishers need to do about it

By Byron V. Acohido

One of the things Google’s security honchos have long championed – for the most part out of the public spotlight – is to make HTTPS Transport Layer Security (TLS) the de facto standard for preserving the integrity of commercial websites.

TLS and its predecessor, Secure Sockets Layer (SSL), rely on digital certificates to validate that a website is really what it claims to be. In an environment where spoofed and booby-trapped websites have come to clutter the Internet, this is a vital function.

Related article: How the PKI ecosystem can secure IoT

TLS also leverages public key infrastructure (PKI) encryption to protect the data submitted by users at legitimate sites. Companies known as Certificate Authorities (CAs) play a pivotal role in issuing TLS certificates and assisting website owners with implementation of PKI.

For the most part, this arrangement has worked very well, although, like anything else in security, it can be improved. On March 15, Google will take a bold step to strengthen TLS – it will advance the process of ending trust in hundreds of thousands of TLS certificates issued by Symantec, the former kingpin CA. With the release of the beta and stable versions of Chrome 66, Google will begin issuing “distrust” alerts to those who visit websites using any Symantec-rooted certificates issued prior to June 1, 2016.

Engendering trust

Starting Thursday, March 15, this could play out as a rude awakening for website publishers who haven’t been paying attention. However, the good news is that, thanks to the sudden – and remarkably smooth – handoff of Symantec’s digital certificate