The Urgent Need for a More Effective Approach to Security
Philippe Courtot, Chairman and CEO, Qualys, Inc.
Philippe provided an excellent presentation about companies that are currently applying disruptive technologies and thus changing how we view a “norm”.
He spoke about both the Hiriko Project and a company called Pininfarina and how they are disrupting the personal transportation market for in-city transportation. He also updated attendees on how firms are re-thinking the whole security model and how they are trying to address issues like e-mail spoofing and SSL Certificate Authorities and the need for collaboration via a new trustworthy internet organization that he launched today. (2012-02-29)
The Hiriko Project - http://www.hiriko.com/
This “car-sharing” project has global breadth: the design is from MIT, manufacturing is in Spain, and many global participants are involved in a consortium arrangement. It applies new technology to create a disruptive model for personal in-city transportation. Set to go into production in 2013, these two-person electric cars designed at MIT reduce parking requirements, provide short-term access to personal transportation and help the environment. The consortium is said to be in talks with San Francisco as another city for use of the cars and program.
Autolib - http://www.autolib.fr/autolib/
Another “car-share” project, supported by Pininfarina, allows anyone with a valid driver's license, program ID card and credit card to walk up and use these four-passenger electric cars at charging stations throughout Paris. They have already deployed 250 cars, with plans to have up to 3,000 on the road in Paris within 2 years. Drop off your car at a charge station and take a charged one that is there. So far 1,200 charge stations are being built.
The charge for use of a car is $8/hour. Available cars are found via phone apps that tell you where a free car is and where you can park your car for charging. The cloud “tracks” the car and keeps track of the users of this on-demand service.
Imagine the impact of moving cars from a purchase to that of a service.
Thus disruptive technologies such as "car-sharing" for transportation inspire us to change how we view security challenges.
Philippe had attendees consider a survey of 1.4 million websites using SSL, which found that only 221 were using the most current version, TLS 1.2. He suggested we go to SSL.com/org and test our websites to see how current our version of SSL is relative to the standards.
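The check he recommends can be done from the command line as well. The following is an added example, not code from the talk or from Qualys: it opens a validating TLS connection to a host you own, reports which protocol version the server negotiates by default, then pins the client to each TLS version in turn to see which ones the server still offers. It treats TLS 1.2 and TLS 1.3 as current (1.3 post-dates the talk; 1.0 and 1.1 have since been formally deprecated). Host names passed on the command line are your own; `example.com` is only a placeholder default.

```python
import json
import socket
import ssl
import sys

# Versions an operator should still be content to see negotiated.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Probe order, weakest first, using the names of ssl.TLSVersion members.
PROBE_ORDER = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def classify_version(name):
    """Map the string ssl.SSLSocket.version() returns to a verdict.

    "current" for TLS 1.2/1.3, "legacy" for any older TLS or SSL version,
    "unknown" for anything else (e.g. None when no TLS was negotiated).
    """
    if name in ACCEPTABLE:
        return "current"
    if name and (name.startswith("TLSv1") or name.startswith("SSLv")):
        return "legacy"
    return "unknown"


def negotiated_version(host, port=443, timeout=5.0):
    """Open one TLS connection with default (certificate-validating)
    settings and return the protocol version the server chose."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def offers_version(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake when the client is pinned
    to exactly `version` (an ssl.TLSVersion member).

    Certificate validation stays on; any failure is reported as "not
    offered", the conservative reading for an inventory of your own hosts.
    """
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # ValueError covers an OpenSSL build that refuses the pinned version.
        return False


def weakest_offered(offered):
    """Given {version_name: bool}, return the oldest version still offered."""
    for name in PROBE_ORDER:
        if offered.get(name):
            return name
    return None


def survey(host, port=443):
    """Summarise what a host negotiates by default and which versions it offers."""
    report = {"host": host, "default": None, "offered": {}}
    try:
        report["default"] = negotiated_version(host, port)
    except (ssl.SSLError, OSError) as exc:
        report["error"] = str(exc)
        return report
    report["verdict"] = classify_version(report["default"])
    for name in PROBE_ORDER:
        report["offered"][name] = offers_version(host, getattr(ssl.TLSVersion, name), port)
    report["weakest_offered"] = weakest_offered(report["offered"])
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder default
    print(json.dumps(survey(target), indent=2))
```

Run it as `python tls_survey.py your.host.example`. A host whose `weakest_offered` is `TLSv1` or `TLSv1_1` still accepts the versions the survey counted as out of date, even when its default negotiation looks healthy.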
He spoke about convergence.io, software embedded in Firefox as a means of replacing Certificate Authorities in the browser. It relies on each organization configuring a dynamic set of Notaries to validate your communications, and is based on work from Carnegie Mellon University. The solution aims to address the authenticity problems within SSL; through Notaries it provides backward compatibility and a means to establish authenticity via diversity instead of via a single CA.
See the presentation Moxie Marlinspike gave at BlackHat USA 2011, SSL and The Future of Authenticity, on YouTube at http://www.youtube.com/watch?v=Z7Wl2FW2TcA for a very detailed explanation of the problem with SSL and how it could be addressed by allowing individuals to determine whom they currently trust to sign their certs, and thus to change CA or trust authority as needed. This changes the paradigm: the user asks an authority of their own choosing to certify the site they are contacting, rather than the current model in which the user contacts the site and the site presents a certificate from an authority of the site's choosing. In the new model the user relies on their own authority to certify the site they are looking to visit or use.
The use of convergence.io within browsers is yet again another disruptive approach to solving a security issue.
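To make the "authenticity via diversity" idea concrete, here is an added example that is not Convergence's own code and not from the talk. It simulates the client-side decision: the browser hashes the certificate it received, asks a set of notaries what certificate they observed for the same host from their own vantage points, and accepts only if a quorum agrees with what the client saw. The notaries, hosts and "certificates" are constructed byte strings standing in for real DER certificates and real network fetches; the quorum rule and the choice of notary set are the user's, which is the trust agility the talk describes.

```python
import hashlib
from collections import Counter


def fingerprint(cert_der):
    """SHA-256 of the certificate bytes: the value notaries compare."""
    return hashlib.sha256(cert_der).hexdigest()


class Notary:
    """One independent vantage point (constructed stand-in for a real notary
    that would fetch the certificate itself and sign its answer)."""

    def __init__(self, name, observations):
        self.name = name
        self._obs = observations  # host -> certificate bytes this notary saw

    def observed_fingerprint(self, host):
        cert = self._obs.get(host)
        return fingerprint(cert) if cert is not None else None


def verify_with_notaries(host, cert_der, notaries, quorum):
    """Accept `cert_der` for `host` only if at least `quorum` notaries report
    the same fingerprint the client itself received."""
    mine = fingerprint(cert_der)
    votes = Counter()
    for notary in notaries:
        seen = notary.observed_fingerprint(host)
        if seen is not None:           # a silent notary simply does not vote
            votes[seen] += 1
    agreeing = votes[mine]
    return {
        "host": host,
        "accepted": agreeing >= quorum,
        "agreeing": agreeing,
        "responding": sum(votes.values()),
        "distinct_views": len(votes),  # >1 means the notaries disagree among themselves
    }


# Constructed sample data: the site's real certificate and a forged one that a
# local interceptor might present. Real certificates are DER blobs, not text.
HOST = "www.example.com"
LEGIT_CERT = b"constructed-DER-for-www.example.com-issued-by-its-real-CA"
FORGED_CERT = b"constructed-DER-for-www.example.com-issued-by-a-rogue-CA"

# Three honest notaries in different regions all saw the genuine certificate;
# a fourth, compromised notary vouches for the forgery.
NOTARIES = [
    Notary("notary-eu", {HOST: LEGIT_CERT}),
    Notary("notary-us", {HOST: LEGIT_CERT}),
    Notary("notary-asia", {HOST: LEGIT_CERT}),
    Notary("notary-rogue", {HOST: FORGED_CERT}),
]


def demo(quorum=2):
    """Run the two interesting cases and return their results."""
    return {
        "genuine": verify_with_notaries(HOST, LEGIT_CERT, NOTARIES, quorum),
        "intercepted": verify_with_notaries(HOST, FORGED_CERT, NOTARIES, quorum),
        "unknown_host": verify_with_notaries("nobody.example.net", LEGIT_CERT, NOTARIES, quorum),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With a quorum of two, the genuine certificate is accepted (three of four notaries agree) and the forged one is rejected even though one notary backs it; a single compromised CA or notary is no longer enough on its own. The `distinct_views` field is worth logging: disagreement among notaries is itself a signal that a host is being seen differently from different networks.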
Philippe described a company called Agari ( http://agari.com ) in Palo Alto that is addressing e-mail spoofing. Its service clears 1.5 billion emails per day for spoofing and is a growing commercial solution. Supporters of their Trust Fabric include Gmail, Yahoo, Microsoft and others. Agari.com tracks down domains pretending to send e-mail from your domain and lets you write policies, published to the major mail carriers, stating that a rogue mail server is impersonating your company and its brand. Thus when the spoofing attack hits major e-mail providers like Gmail and Microsoft, the attack can be blocked.
“Agari allows you to reduce reputational risk and protect your brand. It’s not about customers trusting email—it’s about them trusting you. Agari allows you to proactively discover and eliminate threat attacks against your brand and prevents brand dilution from illegitimate senders posing as your company.” (source: agari.com)
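The mechanism by which a domain owner publishes such a policy to the large mailbox providers is, in the standard that emerged from this work, a DMARC record: a DNS TXT entry that says which authenticated sender domains may use your From address and what a receiver should do with mail that fails. The page does not name the protocol, so that identification is an assumption on my part, and the example below is added here rather than taken from Agari or the talk. It parses a record, checks whether a message's SPF or DKIM result is aligned with the From domain, and returns the disposition a receiving provider would apply. The record, domains and message results are all constructed.

```python
# Minimal DMARC policy parser and disposition logic (RFC 7489 semantics).
# Receivers such as large mailbox providers fetch _dmarc.<domain> TXT and
# apply the result; the domain owner only has to publish the record.

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict with RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    policy = tags.get("p")
    if policy not in POLICIES:
        raise ValueError(f"missing or unknown p= value: {policy!r}")
    return {
        "p": policy,                       # disposition for the domain itself
        "sp": tags.get("sp", policy),      # disposition for its subdomains
        "adkim": tags.get("adkim", "r"),   # DKIM alignment: r(elaxed) or s(trict)
        "aspf": tags.get("aspf", "r"),     # SPF alignment: r(elaxed) or s(trict)
        "pct": int(tags.get("pct", "100")),  # sampling percentage (not applied here)
        "rua": tags.get("rua"),            # where aggregate reports go
    }


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A real receiver uses the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Is the authenticated domain aligned with the From header domain?"""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy, policy_domain, from_domain,
             spf_domain=None, spf_pass=False, dkim_domain=None, dkim_pass=False):
    """Return 'pass' or the disposition (none/quarantine/reject) to apply.

    spf_domain is the envelope MAIL FROM domain that SPF evaluated;
    dkim_domain is the d= of a DKIM signature that verified.
    """
    spf_ok = spf_pass and spf_domain is not None and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return policy["sp"] if is_subdomain else policy["p"]


# Constructed record for a brand owner's domain.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"


def demo():
    """Apply the constructed record to three constructed messages."""
    pol = parse_dmarc(EXAMPLE_RECORD)
    return {
        # Genuine mail: DKIM-signed by the brand's own domain.
        "genuine": evaluate(pol, "example.com", "example.com",
                            dkim_domain="example.com", dkim_pass=True),
        # Spoof: From says example.com, but SPF only passes for the sender's own domain.
        "spoof": evaluate(pol, "example.com", "example.com",
                          spf_domain="bulk-sender.invalid", spf_pass=True),
        # Spoofed subdomain with nothing passing: the sp= policy applies.
        "spoofed_subdomain": evaluate(pol, "example.com", "billing.example.com"),
    }


if __name__ == "__main__":
    for case, disposition in demo().items():
        print(f"{case}: {disposition}")
```

The `rua` address matters operationally: the aggregate reports sent there are how a domain owner discovers which rogue servers are sending as its brand before moving the policy from `none` to `quarantine` or `reject`.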
Philippe also spoke about security and the cloud. The cloud is moving us back to more of a mainframe model of computing: harden the perimeter of the cloud and provide very thin clients as endpoints, and you improve security. The number of attack vectors is reduced, and environments tend to be virtualized and thus allow easier automated patching. Clouds should make it easier to encrypt data and provide granular access control. This last item, granular access control, is critical to organizations in multitenant clouds.
Philippe indicates that security professionals need to embrace the cloud and determine a security strategy with their enterprise architects that addresses how the corporation is using or going to be using cloud services and computing.
Philippe has created and announced today the Trustworthy Internet Movement http://www.trustworthyinternet.org (TIM), which is an initiative for making the Internet trustworthy. Philippe encourages all businesses to support the movement and focus on how they can assist with making the Internet trustworthy. TIM is a non-profit, vendor-neutral organization. Philippe has personally pledged $500,000 to the formation of the organization.
Congratulations, Philippe, on providing a very thought-provoking and informative talk without turning your keynote into a marketing soapbox. I recommend viewing his talk at this RSA 2012 link.