It’s been a miserable couple of years for enterprise security. The list of Fortune 500s, US (and other) Government, university, even outing an ex-NSA director’s emails have been both frightening, and perhaps a little bit amusing.
There is a certain pomposity, that vague smell of we-can-do-it flatulence, which tends to make me shudder at RSA. Security is a moving target. But even ICANN let its https certificate expire earlier this year, so the problem is pervasive. Lifting all boats, to use that hackneyed phrase, is tipping some of them over. I’m surprised my fellow journalists gave ICANN a pass.
But Mozilla via Firefox gives a pass to Symantec to let some dead certificates float for a little while longer, like flotsam in the septic—somehow permitted. Microsoft infuriates its users by jamming Windows 10 down their throats, although its enterprise clientele is given a forcefeed-pass.
IoT devices phone home, merrily getting past firewalls. Whole hospitals are held hostage as their network infrastructure is opened like a can of tuna. Even the IRS is broken into, and aren’t really sure just how many records were stolen, and we have no clue the end-damage to tax records being exposed.
Yes, there are some very diligent, and perhaps very lucky organizations whose components aren’t being broken into. Some of them are cloud companies. Let’s examine for a moment, why cloud organizations seem to have fewer breaches:
- Cloud use if often, at minimum, based on the use of certificates. You can expire certificates, unlike the millions of server admin software passwords that never expire.
- You can mandate the depth of the certificate, and totally eschew some namby-pamby SHA-128 that can be cracked by a tortilla chip.
- Cloud organizations not only support, but have full documentation on secondary auth schemes. Your Yubikey might work. No more silliness about this fingerprint reader, or this token device not being supported. From what I’ve found, secondary auth can be the norm, and everyone’s up to speed.
- Most breaches come on the front end, the public-facing side because of this, and the diligence of OS payloads from a cloud vendor source are so far, known to be backdoor-free. We hope. Are the payloads patched before you spin them up in the cloud? I lay awake at night, wondering about this.
- Cloud organizations have a lot to lose if their payloads or infrastructure are breached. They may go dark from time to time, but to have stock payloads go foul would be their end. Amazon knows this, Microsoft knows this, Google knows this, and Docker is learning this.
Is cloud infrastructure, the IaaS/PaaS stuff—safe? Probably. SaaS vendors perhaps have more difficulties associated with employee data theft and corruption. In my testing of CASB apps, soon to appear (Ed note: When??), I’ve watched in fascination at the baseline of good practice in using Salesforce, doing the right thing by watching session length, letting me use secondary auth if I so desire, and generally being the good security doobie. Yet I’m almost certain that Salesforce gets pounded on a minute-by-minute basis by those not seeking to use Salesforce in the way intended.
My own NOC gets hundreds of hits an hour, bot-probes wanting a piece of something. That no one goes after them, wherever they are across the planet, just chills me. They’re like the Craigslist scammers—law enforcement is so busy trying to find terrorists and drug users that the white-collar crime of the Internet seems to go unpunished.
At RSA, there will be many organizations selling risk information, filtration systems, profound behavior analysis software, and endless bastion services with electric ear wipers. These products will battle the BYOD phenomenon, unpatched systems, hacks we don’t know about, user and administrative carelessness, and the inability to create cultures of organizational security awareness—asking first, rather than apologizing later.
Servers, PCs, notebooks, tablets, phones, connection equipment, even a tea kettle, represents a potential threat.
Yes, there is a reason for RSA: No one is listening, and no one is getting hung by the yardarm, or better still, the visited by a well-targeted drone.
Oh yes, drones. Let’s not go there.