Security experts emphasize the need for better IoT, enterprise, browser security; tell attendees at DigiCert Security Summit that collaboration is critical now before it’s too late
LAS VEGAS, NV (Nov. 19, 2015) — Security is getting better as awareness improves and organizations invest more in protecting data, but the industry needs further collaboration to improve the usability of security solutions for enterprises and end-users. That was the predominant theme security experts told attendees at the annual DigiCert Security Summit, held in Las Vegas Nov. 12 and 13. Conference-goers gathered to discuss best practices for Internet of Things (IoT), enterprise, cloud and browser security. Discussions included the essential role of public key infrastructure (PKI) and digital certificate management in protecting the massive amounts of data traversing the Internet in the IoT market.
Cigital Chief Technology Officer (CTO) and co-founder of the Building Security in Maturity Model (BSIMM) Gary McGraw told the audience that the rules have changed, as there is no defined perimeter in cloud computing models, but that he is optimistic in the growing investment in ‘security by design’ within organizations. Meanwhile, security researcher and TOR contributor Runa Sandvik emphasized the need for better user education and simplification of security in her efforts to help journalists protect their sources. Sandvik said these principles apply to all endeavors to secure connected communications.
“If we want people to be safer online, we need to find tools and methods that already fit within users’ workflows,” said Sandvik. “If we try to force them to change how they work, they won’t use it.”
Many of the discussions at the Security Summit focused on protecting data in the era of the IoT, as the number of connected objects and devices is expected to increase exponentially in the next five years. DigiCert Chief Security Officer (CSO) Jason Sabin spoke of the company’s investment in helping organizations efficiently deploy and manage large quantities of digital certificates to provide strong device authentication and encryption of data in transit.
“The IoT introduces a new scale for security, one that we’re prepared to help organizations efficiently implement,” said Sabin. “We’ve successfully tested our systems to handle deployment of billions of certificates. As the first to operate a Google Certificate Transparency log, our platforms have access to monitor 35 million certificates, giving organizations real-time access to their entire certificate landscape, to make sure they are following best practices and optimizing their deployments and configurations.”
One of the areas most affected by the IoT is healthcare, where the consequences of connecting networked medical devices with inherent security flaws, or devices that are not properly configured, may prove more catastrophic than in other industries. At the Security Summit, DigiCert brought together a panel featuring Protiviti Associate Director Scott Erven, a security researcher who has spent several years researching medical device vulnerabilities, alongside Royal Philips Global Product Security & Services Officer Michael McNeil, and GE Healthcare Principal Security Consultant Dan Birtwhistle. The panel, moderated by DigiCert VP of Healthcare Solutions Mike Nelson, also included Plex Founder & Chief Product Officer Scott Olechowski, who addressed his company’s recent work to provide TLS protection to all of its customers, deploying certificates across tens of millions of devices and servers.
Erven told conference attendees that securing networked medical devices is a shared responsibility between device manufacturers and the healthcare clinics, hospitals and other facilities that use them.
McNeil and Birtwhistle both emphasized that manufacturers are prioritizing security and addressing areas of improvement. They said that security is good for business and is now becoming part of the procurement requirements they see from healthcare organizations.
Erven said device manufacturers have to balance device functionality with security considerations and that sometimes these considerations make for tough decisions. The involvement of large manufacturers in providing responsible vulnerability disclosure policies is a positive step in the right direction.
Improving browser security begins with focusing on basic certificate implementation errors, according to Google Software Engineer Emily Stark, who spoke at the Security Summit. Stark told attendees that 17 percent of certificate errors in Chrome happen when users have bad clocks on their machines. This includes buggy antivirus software that often alters operating system clocks upon install. Additionally, many organizations’ certificates fail because they include mismatched names in their certificate chains – something free online checkers such as the DigiCert SSL Installation Tool can detect.
Stark also spoke about projects such as Google Certificate Transparency (CT) and Public Key Pinning that improve online trust. She highlighted new information to be provided in the developer tools security panel in upcoming versions of Chrome as well as new security warning messages.
Continuing on this theme, White Ops Chief Scientist and researcher Dan Kaminsky demonstrated practical security improvements in the browser to, for the ‘first time’ in his career, defeat clickjacking attacks. Kaminsky said, “This is the anti-hack. Security is working for the browser instead of against it.”
To keep up with evolving security threats, industry must collaborate to strengthen policies, improve trustworthiness and introduce new technologies that meet the needs of the IoT and emerging markets, said DigiCert Vice President of Business Development & Legal Jeremy Rowley at the Security Summit. Rowley spoke of several industry initiatives advanced by DigiCert to improve security, including leading the industry in implementing Google’s CT in the company’s systems and operating the first independent log trusted by Google. The DigiCert log recently captured a large case of certificate misissuance that was publicized by Google. DigiCert is pushing for CT logging to be required for DV and OV certificates as well.
Rowley also mentioned DigiCert’s support for Certificate Authority Authorization (CAA), which allows domain operators to specify which CAs they trust to issue for their domains, and a recent ballot proposed by DigiCert in the CA/Browser Forum to allow for so-called short-lived certificates. Rowley highlighted industry advancements led by Microsoft to enhance requirements for code signing certificates and software publishing houses storing and using private keys.
Blue Coat Systems Senior Principal Security Architect Tammy Green spoke of recent misuses of cryptography and the need for better understanding and implementation by administrators, stating that most of the recent issues have not been with the algorithms themselves but rather with poor implementation. Green highlighted the need to ensure entropy.
Rackspace Security Intrapreneur Jarret Raim spoke about increasing the use of encryption in the cloud. Meanwhile, OpenDNS Director of Security Engineering Tom Hash and Technical Manager of Site Reliability Engineering for Adobe Eric Stevenson spoke about using digital certificates in a way that protects, and even advances, operational excellence within dynamic content serving environments.
Enterprises are not left alone to be the experts in deploying these critical technologies. DigiCert helps simplify large-scale management of digital certificates across the enterprise, and ensures strong authentication and encryption for the IoT. Smart, automated certificate management solutions can help fill these gaps.
“Express, automated installation and real-time certificate monitoring and inspection provide organizations the scalabilities, efficiencies and real-time insights into their systems that make strong security of devices and data in motion feasible,” said DigiCert’s Sabin. “Leading organizations know that device authentication and data encryption are must-haves for the IoT era, and we have the platforms and expertise they are seeking to ensure consumer trust and secure the investments they are making for the future.”
DigiCert has combined all certificate management functions into a comprehensive portal named CertCentral®. For more information about DigiCert solutions for IoT, enterprise, cloud and web security, visit https://www.digicert.com/lifecycle/.
DigiCert is a premier, trusted provider of enterprise security solutions with an emphasis on authentication and encryption via managed PKI and high-assurance digital certificates for enterprise and the Internet of Things. Headquartered in Lehi, Utah, DigiCert is trusted by more than 115,000 of the world’s leading government, finance, healthcare, education, and Fortune 500® organizations. DigiCert has been recognized with dozens of awards for providing enhanced customer value, premium customer service, and market growth leadership. For the latest DigiCert news and updates, visit digicert.com , like DigiCert on Facebook® or follow @digicert on Twitter®.
Director of Public Relations