Automated Trust is Not an Oxymoron (when it comes to security)
Realize it or not, the unstoppable force of machine-to-machine, device, and ‘thing’ connectivity is in our faces every day. Twenty-four hours go by and another 14 million devices come online for the first time. A hefty number of these devices are being connected to enterprise networks, and an astonishing number are being added to the Industrial Internet, which is the convergence of legacy and modern automation systems onto TCP/IP networks. For enterprises, the connectivity explosion is fueled by expanding partner and customer ecosystems, new business models calling for the cloud, and, don’t forget, the plethora of mobile devices they need to support.
With respect to the massive surge in all these connected devices, recent surveys reveal that both end users and IT professionals rank cybersecurity as their top concern with this trend. They ought to be concerned. The fact is that enterprises and organizations have very porous perimeters, yet are still relying on traditional perimeter security models using IP and MAC as identifiers. It’s an understatement to say that our defensive lines are falling short under the sheer volume of configuration options that accompany this exponential growth in device connectivity. To expect manual (human) processes to address these configuration changes is unfathomable. Increasingly, you hear a lot about the need for ‘trust’ to bolster cybersecurity. I agree wholeheartedly, but would qualify that we require ‘automated trust’.
The recent revelations about China’s Great Cannon are a case in point. The Great Cannon report by Citizen Lab concludes with a call for end-to-end encryption. Without end-to-end encryption, data can be modified in-flight. Encryption itself is easy; the hard part is setting up the appropriate trust relationships on either end of the encryption. The recent blacklisting of a Chinese Certificate Authority (CA) illustrates this point, and the need for moving beyond the browser-based SSL/TLS trust model is shown by attempts like public-key pinning, Google’s Certificate Transparency project, CRLSets, OCSP, and others.
To Err is Human
Human error is inevitable, which is why automated trust is essential to achieve security. It is the only way to deal with what is no longer a tractable problem for humans. Automation, however, can also make a lot of things go wrong at once; therefore automation systems must be secure by default so errors are much harder to make. This is like building safety controls into industrial automation systems. Security must be impossible to bypass under normal operations. To achieve this, Tempered Networks has created a solution that is operationally focused, not in terms of policy expressions, but in terms of what users are trying to accomplish. These operationally focused statements are then turned into policy whitelists that enable trusted communications between the specified operational systems.
Standards play a vital role in our efforts to build well-tempered networks, and we are honored to lead some of TCG’s efforts to secure our nation’s business critical infrastructure and information. Government also plays a critical role in promoting adoption of these standards as best practices. Ultimately, industry plays a vital role by innovating and adding value while responding to realities on the ground.
Our Participation at RSA 2015
On Monday, April 20, we’ll be participating in TCG’s demonstration showcase, along with PulseSecure, where we demo our unique solution for implementing cryptographic overlay networks (CON).
Later in the day, we’ll be participating in the Cybersecurity and Consumer Protection Working Session hosted by NIST’s National Cybersecurity Center of Excellence, where we will discuss the capabilities needed for full situational awareness within the energy sector, with centralized management and distributed views.
The next day, April 21, Tempered Networks will be sponsoring SecurityCurrent’s inaugural Security Shark Tank – featuring the Security Sharks – where cutting-edge security vendors have 15 minutes to pitch to a room of seasoned security executives committed to protecting enterprises and government organizations in the United States and around the world.