With the holidays approaching and the last few months of the year upon us, it is always a good time to take stock and prognosticate on the future of security, technology and digital trust.
In 2022, we saw attacks intensify, and software supply chains became a hot target for criminals. In fact, a recent study of 1,000 CIOs finds that 82 percent say their organizations are vulnerable to cyberattacks targeting software supply chains. Simply put: the fun never stops for security pros. So what does 2023 hold? Our team of cybersecurity experts, including, Avesta Hojjati, Dean Coclin, Mike Nelson, Srinivas Kumar, Stephen Davidson, Steve Job and Tim Hollebeek weigh in on what to expect in the next year.
Cracking a 2048-bit encryption would take an unfathomable amount of time with current technology. But a capable quantum computer could conceivably do it in months. Last year we predicted major developments in the post-quantum computing world as the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) reviewed potential cryptographic algorithms that could withstand both traditional and quantum computers cracking.
Now NIST has chosen the first group of encryption tools that are designed to withstand the assault of a future quantum computer. The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard. As this standard is developed, we predict an increased focus on the need to be crypto-agile as quantum computers pose a significant future threat for secure online interactions. While it may take several years to incorporate the NIST selected algorithms into various standards, organizations should begin to prepare now, as playing catch up in the post-quantum age will be futile.
The industry must prepare for the post-quantum cryptography age by improving crypto-agility, which is the ability of a security system to rapidly switch between encryption mechanisms and is centered on the visibility and dynamic movement of an organization’s crypto assets. While quantum may seem like a far-off reality, the fact is that communications taking place today, not just in the future, are in peril. Crypto-agility means organizations know how crypto is being used, they have the tools to identify and fix issues, and establish clear policies around crypto best practices. It also includes the ability to test new cryptographic algorithms. We predict cryptographic-agility will soon be a competitive advantage in the very near future.
Matter is a smart home standard and common language for smart home devices to communicate. It is a global standard that brings together the connected device industry. The goal of Matter is to simplify the market and enable smart home devices to work with each other across platforms. Some of the most well-known names in smart home technology, including Google, Apple, Amazon and Samsung are all on board with Matter, which is positioned to be a win for both consumers and manufacturers in the industry.
We predict the Matter logo will become the symbol that consumers look for in smart home technology. Consumers on their hunt for smart home devices will look for it by name. In 2023, smart homes will have Matter compliant device within the year. Matter will become a recognizable standard, like Bluetooth. As an example of its fast adoption, the latest Apple iOS 16 is now supporting Matter.
This rapid adoption also means manufacturers of connected devices do not want to wait to become Matter compliant. Compliant device manufacturers can issue the Matter logo on their devices so that customers can trust it to connect seamlessly and securely with their favorite products. It will undoubtedly become the standard consumers look for when they shop for connected home devices, so it is critical to ensure your device offerings are compliant now.
Code Signing Certificates are used by software developers to digitally sign applications, drivers, executables and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party. They include your signature, your company’s name and a timestamp. OV (organization validation) code signing certificates are required to prove legitimacy.
OV code signing certificates are changing. They will soon be issued on physical security hardware in a similar way to how EV code signing certificates are issued. In June 2023, according to the SSL industry regulator CA/B Forum, private keys for OV Code Signing certificates must be stored on devices that meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards. This means certifications will be shipped to the customer on a USB device, delivered to the customer’s hardware security module.
We predict that these changes will mean customers move to cloud signing in large numbers, instead of dealing with replacing their hardware token. We also expect all code signing will be cloud-based in the future as customers will prefer cloud over having to keep track of a hardware key.
Software supply chain attacks, such as the headline-making incidents that impacted SolarWinds and Kaseya, have brought the importance of understanding your software dependencies into sharp focus. In 2021, U.S. President Joe Biden issued an executive order on improving the nation’s cybersecurity that requires software sellers to provide federal procurement agents with a Software Bill of Materials (SBOM) for each software application. An SBOM is a list of every software component that comprises an application and includes every library in the application’s code, as well as services, dependencies, compositions and extensions.
Private sector companies are also increasingly required to have SBOMs as many large enterprises now demand them as a part of their Master Service Agreement (MSA) with a software provider. Security industry analysts believe SBOMs will soon become standard practice as part of the procurement process.
A more recent memorandum from Office of Management and Budget (OMB) goes even deeper and includes new security requirements that federal agencies must comply with on software supply chain security matters. The memo requires software producers to attest to compliance with NIST Guidance, so companies that want to sell their software to the government will need to assess and attest their compliance with the NIST guidelines.
All of this means software producers will be required to get more involved in the process of ensuring their products are secure – and visibility will be key to that. Because of the information and visibility, it provides into software supply chains, we predict the SBOM will be widely adopted in 2023. While most of the requirements are taking place at the federal level now, expect the SBOM to spread to commercial markets soon.
Many are familiar with Subscriber Identity Module (SIM), a removable card on a mobile phone that must be physically swapped when the host device changes networks. Newer to the scene is Embedded eSIM (eSIM), which was introduced as an alternative to traditional SIM technology. An eSIM is still a physical card, but it’s attached permanently to a device. Updating data on an eSIM can be done with a remote SIM provisioning solution (RSP).
Now, enter the Integrated SIM (iSIM) which is much smaller and more secure than physical SIMs. iSIM does not require a separate processor, and it is considerably smaller, so it does not take up much room in the hardware. The iSIM is contained within a secure and trusted area inside a device’s system-on-a-chip (SOC) architecture. It embeds the SIM functionality into the device’s main processor.
Some industry leaders, including Qualcomm and Vodafone, have demonstrated an iSIM proof of concept that could do away with both the SIM slot. We predict the next generation of smartphones will remove traditional SIM hardware functionality and move to eSIM and iSIM as the root of trust.
The EU Digital Identity Wallet is a European Commission initiative under the eIDAS Regulation that will create a unified digital identification system across Europe. The EU Digital ID Wallet will allow European citizens to carry eID versions of their official government ID documents in a secure mobile wallet application for use in online authentication and electronic signatures. In addition, the wallets will carry ”electronic attribute attestations” – supplemental aspects of identity like a professional qualification – that can be presented either with the personal identity or separately. The EU has significant cross-border projects lined up in financial services, education and healthcare.
We predict that much like Apple Pay and Google Pay have become widely adopted as a means for digital payments, the EU Digital Identity Wallet will become the model for digital identity that the rest of the world will seek to emulate. With the legal framework and policies in place for adoption on the continent, users will begin to feel more comfortable turning to a digital wallet to store and share credentials when needed. Of course, the move to widespread wallet adoption for identity means we must also ensure we expand the landscape of digital trust.
DNS will continue to grow in importance based on the continued growth of DevOps automation and Infrastructure as Code.
As development teams continue to grow remotely and globally the increased dependency on continuous integration and continuous development has been never more important to keep with productivity targets. With developers connecting to deployments and systems worldwide the ability to automate the DNS changes has never been so important.
Infrastructure as code will continue its growth as being a best practice for organizations of all sizes. Large server environments will be deployed and automated to provide automation and predictability.
DNS services that have high uptime, fast speeds and fast DNS propagation will be crucial for organizations to have as a toolset. Well-defined APIs, SDKs and integrations will be highly vital to the success of organizations’ efforts to be productive and reliable.
As Zero Trust makes its way to become the standard security approach for IT systems, we predict adversaries will change their attack approach to be able to overcome Zero Trust frameworks.
Adversaries will deploy new technologies as well to increase their success rate in future attacks. Technologies such as Artificial Intelligence and Adversarial Machine Learning could potentially be deployed by a properly versed attacker to find weaknesses in an unproperly deployed Zero Trust framework. This is yet another example that deploying a new framework won’t be the end game. The constant evolution for security frameworks is a must-given that adversarial approaches will change as we design and deploy new barriers.
We have already experienced how adversaries can use AI and ML to neutralize off-the-shelf security solutions or deploying AI-based fuzzy attacks. The future will only tell how a dynamic Zero Trust approach can protect us against a well-versed adversary.