By George Popovich, Motorola Solutions Security
The information security community faces increasing challenges from the wholesale migration to the cloud and the rapid evolution of modern software development/deployment models. DevOps, agile development (often lumped under the DevOps umbrella), and the ever-accelerating “cloudification” of applications/services create new challenges in mitigating today’s cyber threats. Combined with the need to address what is likely the weakest link in today’s enterprise security chain – the use of passwords as the sole way of authenticating users – security professionals are in need of innovative technical solutions to ensure adequate mitigation of today’s cyber security risks.
It’s all about the cloud
Historically, enterprises deployed information systems where networks are designed/specified by the individual company, and operated as dedicated, on-premises deployments. IT and business productivity applications ran within the boundaries of these enterprise networks. This style of deployment ecosystem was relatively straightforward to control and secure, and lacked the broad attack surface that comes with virtual networks and disparate, cloud-based solutions.
In today’s IT world, these assumptions are thrown out. In order to stay competitive, companies now need to rapidly deploy applications/solutions via containerization technology running on highly scalable and elastic 3rd party clouds.
The elasticity of the Cloud adds new security challenges that must be addressed. The ephemeral nature of host virtual machines and the containers that run on them (spawning and destroying of microservices) requires security solutions that allow these services to be trusted in a very dynamic deployment environment. Long lived, manually provisioned secrets don’t work well in such an environment. The industry needs solutions that are highly adaptive and safely enable the leveraging of the elasticity gained through the use of the cloud. This involves solving the “secret zero” problem: namely, how does one securely provision that very first encryption key/credential into a newly spawned service?
Start-ups offering innovative solutions to the above problems will likely attract strong interest from the IT security community, as enterprises further embrace the cloud for economic and competitive motives. This is especially true around the “secret zero” cloud container space, where many new start-ups are attempting to solve this difficult problem.
Passwords are broken
It is well known that passwords have been the bane of security professionals for many years. Easily guessable passwords offer little protection, breaches into centralized password databases offer attackers unfettered access into target systems, and passwords have been shown to be easily phishable. One only has to monitor the news for a brief time to find evidence of headline grabbing security breaches attributable to stolen user credentials. A sobering statistic: the 2016 Verizon Data Breach Investigation Report found that 63% of confirmed data breaches involved weak, default, or stolen passwords. The October 2016 headline-grabbing Distributed Denial of Service (DDoS) Internet of Things attack can be attributed to the use of default usernames and passwords in IoT devices, making them unwitting participants in the world-wide Mirai Botnet.
The most practical solution to this problem is multi-factor authentication (MFA). MFA can utilize any combination of what you know (passwords/PINs), what you have (hardware token, smartphone), and who you are (biometrics). The adversary must attack two independent factors to gain access to the system. While MFA is no panacea, it is a big step forward in combating one of the weakest links in the security chain of most enterprises.
Companies like Motorola Solutions are looking to leverage promising trends in MFA, especially as they relate to simplifying and standardizing the way MFA could be deployed. Industry initiatives such as the Fast IDentity Online (FIDO) Alliance show great promise in this space. Essentially FIDO seeks to specify the plumbing between the user’s device and the back end, allowing for greater interoperability when utilizing multi-vendor MFA solutions, while simultaneously enabling an environment for innovation at the edge (at the user’s device). FIDO leverages public key cryptography to combine a “what you have” factor with other authentication factors to provide stronger security. FIDO even enables passwordless MFA solutions (e.g. authenticating the user via a device credential combined with biometric authentication). Passwordless options are attractive when users require a “low friction” user experience, such as public safety first responders utilizing mission critical applications in the field.
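The passwordless flow described above (a device credential unlocked by a local biometric check, with the back end holding only a public key) can be modeled in a few lines. This is an added example, not code from the article or from the FIDO specifications: the class names, the `userVerified` flag and the sample origins are assumptions, and the message layout is a simplification rather than the FIDO wire format. It goes slightly beyond the text by also showing single-use challenges and per-origin keys.

```javascript
// Added illustration: a simplified model of a FIDO-style exchange, not the FIDO wire format.
const nodeCrypto = require('crypto');

// User's device ("what you have"). The private key never leaves it.
class Authenticator {
  constructor() { this.keys = new Map(); }             // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey;                                   // only this is sent to the server
  }
  // userVerified stands in for a local biometric or PIN check (the second factor).
  sign(origin, challenge, userVerified) {
    const key = this.keys.get(origin);
    if (!userVerified || !key) return null;             // no consent, or no key for this origin
    return nodeCrypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Back end. Its database holds public keys only, so a dump yields nothing reusable.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const c = nodeCrypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user);                          // single use: a replayed signature fails
    const pub = this.users.get(user);
    if (!c || !pub || !signature) return false;
    return nodeCrypto.verify('sha256', Buffer.concat([Buffer.from(this.origin), c]), pub, signature);
  }
}

// One enrollment followed by four login attempts; returns the outcome of each.
function demo() {
  const origin = 'https://app.example';                // constructed sample origin
  const device = new Authenticator(), server = new Server(origin);
  server.enroll('alice', device.register(origin));
  const sig = device.sign(origin, server.newChallenge('alice'), true);
  const ok = server.verify('alice', sig);
  const replay = server.verify('alice', sig);           // challenge already consumed
  const noBiometric = server.verify('alice', device.sign(origin, server.newChallenge('alice'), false));
  const lookalike = device.sign('https://app-example.test', server.newChallenge('alice'), true);
  return { ok, replay, noBiometric, lookalikeSigned: lookalike !== null };
}
```

Calling `demo()` shows the legitimate login succeeding while the replayed signature, the attempt without local user verification, and the request from a look-alike origin all fail.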
Today’s security challenges can be met with innovations around greater automation for security testing/monitoring, “low friction” mechanisms for user authentication, greater use of data analytics to detect cyber threats, and cloud friendly security solutions designed for increasingly agile software development environments. Industry alliances such as FIDO show great promise for laying the groundwork for vendor-interoperable MFA solutions, allowing enterprises to wean themselves from the much maligned (but completely justified) use of passwords. Today’s forward leaning, security focused start-ups realize the opportunities these problems create, which is evidenced by the continuous stream of new players entering the marketplace with innovative solutions to these technical challenges.