A few main themes emerged from this year’s RSA Conference. Let’s discuss.
What’s the Secret Password?
- RSAC 2020 brought a lot of conversation around the coming “death” of passwords. All over the show floor were discussions of “passwordless access” married with difficult-to-steal factors like biometrics and physical key fobs. While most people are years away from a true “passwordless” enterprise environment, there is a key takeaway: identity and access management is, and continues to be, one of the most important security vectors that exists today.
- As security practitioners we often like to get spun up around malware and sophisticated zero-day attacks that are trying to steal our data. But far too often the problem isn’t malware. It is the inability to validate that a user is who he says he is and to provide access to only the systems and data that he needs for his job functions.
A Security Team and a Developer Walk into a Bar…
- Security and Application Development have been handled separately for far too long. It’s officially time to let the developers out of the basement and into the light.
- DevSecOps was a critical talking point at RSAC 2020. The explosion of cloud usage has not only widened the gap between the application teams and security teams, but it has exposed all the organizational silos that create risk to our organizations. Rather than security being seen as a roadblock, it must be seen as an enabler.
- There is no silver bullet with DevSecOps because it is not only a technology problem, but a people problem. There is a mindset change that must occur for organizations to truly be successful. It is critical that security teams are brought into application development from the beginning and provide constant feedback to the development teams.
XP Ain’t Dead… Especially in our most critical infrastructure
- Operational Technology (OT) runs the critical assets of many businesses around the world, including manufacturing. Yet, many of these machines run outdated and critically dangerous OS versions. Everyone knows the risks, but manufacturing can’t stop, so unfortunately businesses continue on as they always have.
- RSAC 2020 saw a large jump in discussions on how to identify and protect OT devices throughout enterprise environments. The old adage still applies: if you can’t see it, you can’t protect it. Visibility is key.
- Once we have visibility into what is on the network, how do we properly segment those devices utilizing a zero-trust model? This is not a simple project, but it is a project worthy of our time. If we can no longer trust any humans OR any machines, we must move to a model where everything must be verified.
- Zero Trust must incorporate many different security technologies, including network access control, identity management, segmentation, user behavior analytics and more.
CCPA? GDPR? WTH?
- The big bad wolf of data privacy regulations was once again on the prowl at RSAC. These regulations are coming down fast and hard on companies all over the world. Europe was first, and now real regulatory control for data protection is coming to America. What does all this mean? All of these regulations boil down to a few core concepts: do I know where my data is, do I know who has access to it, and is it leaving the organization?
While all of these areas were front and center at the show, they’ll continue to be prevalent across organizations worldwide for the foreseeable future as well.