By Bill Becker
National Defense
Cybersecurity will underscore most of the federal government’s military and civilian initiatives in 2016. That’s understandable considering data breaches are rampant and the government maintains essentially the world’s largest collection of IT networks. There’s a real need to ensure data security in various applications, both within and across agencies.
Many security professionals are predicting that the top cybersecurity trends for 2016 will focus on data breach prevention — that is, thwarting the hacks from the get-go. While this is a valid outlook, as breach prevention is absolutely a critical component of a robust cybersecurity strategy, it is not the be-all and end-all.
There are three trends that are likely to be the hottest topics among federal security professionals this year: authentication, “roots of trust” and simplified security management through shared services.
Thanks to growing insider threats, the password is no longer strong enough to protect systems. Data identity and authentication technologies will evolve and flourish in 2016.
In our app- and cloud-centric culture, almost every user has privileged rights previously reserved for administrative users. Trends like the Internet of Things, Bring Your Own Device, and federal mandates such as the Office of Management and Budget’s 30-day Cybersecurity Sprint and the Cybersecurity Strategy and Implementation Plan (CSIP) have put greater emphasis on identity and authentication technologies. In fact, the CSIP calls for derived credentials solutions and other strong authentication solutions for mobile devices as a critical component of a broader effort to improve mobile device management.
It’s true that mature applications and workflows still require the use of public key infrastructure (PKI) credentials. Smartcards are a robust form of authentication for traditional endpoints. Enterprise computing has matured so that smartcard-based encryption and authentication are routinely used from end users’ laptop and desktop computers for applications such as secure email, virtual private network access, PKI-enabled web servers and network smartcard logon.
Unfortunately, PKI credentials on smartcards do not translate efficiently to mobile devices. Today’s endpoint landscape has shifted to a variety of devices: laptops, desktops, thin clients, smartphones, tablets and more. Users now expect access to information anytime, anywhere while still protecting their data with PKI-based security. Many find it cumbersome, or even impossible, to use smartcards with PKI credentials on mobile endpoints.
Recent attempts to solve this problem are still too complex. Smartcard readers can be cumbersome, microSD cards can be easily lost, embedded PKI only works on specific smartphones and software credentials must be replicated onto every device owned by a user. Additionally, each of these approaches usually comes with its own management solution, which is an administrative and security nightmare.
What is really needed is a solution that is compatible with today’s variety of endpoints and is secure, interoperable and easy to use. Hence, authentication technologies will be of particular interest in the federal security arena this year.
The Internet of Things is built on a network of uniquely identifiable devices with digital certificates. These certificates identify devices, sign firmware/software updates and facilitate encrypted communications with cryptographic key information.
Security for the Internet of Things depends on identifying devices and their masters — for example, device manufacturers, cloud service providers or Internet solution providers — and protecting the data managed and shared by those devices and masters. Unfortunately, the diverse set of devices that make up the Internet of Things means that not all of the private keys, which must be kept secret and are used for decryption, can be maintained in trustworthy storage.
To solve this issue, Internet of Things keys will be cryptographically linked to keys maintained in a “root of trust,” a term used by the U.S. National Institute of Standards and Technology to define components that can be trusted to perform one or more security-critical functions. These functions include protecting cryptographic keys, performing device authentication or verifying software. Ideally, roots of trust are implemented in tamper-resistant hardware.
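The chain just described, as an added illustration that is not part of the original article: a root of trust certifies a device key, the device key signs a firmware image, and a verifier that holds only the root's public key accepts the update. The `DeviceCert` structure, the device ID and the firmware bytes are constructed stand-ins, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceCert is a minimal stand-in for an X.509 device certificate (constructed
// for this example): the device's public key bound to its ID by the root's signature.
type DeviceCert struct {
	DeviceID  string
	DevicePub ed25519.PublicKey
	RootSig   []byte // root-of-trust signature over DeviceID || DevicePub
}

func certTBS(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"|"), pub...) }

// IssueDeviceCert is the root of trust's one-time job per device. In production
// the root private key lives in tamper-resistant hardware; here it is in memory.
func IssueDeviceCert(rootPriv ed25519.PrivateKey, id string, devPub ed25519.PublicKey) DeviceCert {
	return DeviceCert{DeviceID: id, DevicePub: devPub, RootSig: ed25519.Sign(rootPriv, certTBS(id, devPub))}
}

// SignFirmware is run by the update publisher with the certified device key.
func SignFirmware(devPriv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(devPriv, image)
}

// VerifyFirmware trusts only rootPub: the device certificate must chain to the
// root, then the firmware signature must verify under the certified device key.
// A tampered image, a forged signature or an unlinked device key is rejected.
func VerifyFirmware(rootPub ed25519.PublicKey, cert DeviceCert, image, sig []byte) error {
	if !ed25519.Verify(rootPub, certTBS(cert.DeviceID, cert.DevicePub), cert.RootSig) {
		return errors.New("device certificate not issued by the root of trust")
	}
	if !ed25519.Verify(cert.DevicePub, image, sig) {
		return errors.New("firmware signature invalid or image tampered")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueDeviceCert(rootPriv, "sensor-0001", devPub) // constructed device ID
	image := []byte("constructed firmware image v1.2")
	fmt.Println("genuine update:", VerifyFirmware(rootPub, cert, image, SignFirmware(devPriv, image)))
}
```

Swapping in a device key the root never certified, or flipping a single bit of the image, makes `VerifyFirmware` return an error, which is the property the root of trust is meant to provide.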
As the Internet of Things grows in both civilian and federal agency usage, the term “root of trust” will be heard more frequently in 2016’s security conversations.
Today, data encryption is a necessity, not a luxury. Data encryption is becoming ubiquitous. It’s built into various applications and infrastructure elements, which has led to an explosion in the number of encryption keys that need to be managed.
Most organizations can’t afford to have dedicated key management solutions for each application. Consequently, these organizations are moving to common key management, instead of managing encryption keys for each encryption system.
To simplify key management, new cybersecurity shared services will be emphasized. Enterprise IT teams will be able to offer their organizations centralized key management, encryption and tokenization, including auditing and compliance capabilities as an IT service.
Taking advantage of the “as-a-service” concept to make data encryption as simple as possible, IT departments can combine resources to provide their customers the ability to manage encryption and meet their data security and compliance requirements simply and securely. These shared services will work across different solutions, data centers, geographies or IT environments.
As efforts are consolidated in a “one-stop-shop” service, “build once” solutions can be replicated effectively and overlapping encryption solutions can be avoided.
Of course, many other security-related topics will bubble to the surface as we move further into 2016. For the most part, however, listen for these big three to dominate security discussions through the year. They’re the ones that make the biggest difference for the greatest number of agencies and programs.
Bill Becker is technical director for SafeNet AT.