Over the past few years, we have learned so much about the threats facing every organization, regardless of size. Defending against them means identifying potential entry points, especially those that provide broad access once compromised. Supply chain attacks are not necessarily more sophisticated than other attacks, but even so they constitute an increasingly prominent threat.
Calls for security to be built-in and managed over time are growing in response to US Executive Orders, European National Directives, and other government mandates. True, organizations that lack resources can use cloud and hosted environments to achieve their security goals. But even hosted environments require resources to manage security controls. Also, the controls often vary between platforms.
The move to require built-in security from vendors signifies an opportunity to scale security management. As we transition to zero trust, security controls become more pervasive and granular. How we implement these changes and establish security management architectural patterns will determine if we have enabled a secure supply chain for the future. Simultaneously, it will reveal if we’ve made it sustainable.
A journey of making security simpler
At the Center for Internet Security (CIS), we strive to make the connected world a safer place. One of our goals is to improve security for the under-served and under-resourced, which includes US State, Local, Tribal, and Territorial (SLTT) organizations. This objective is a key reason why I joined CIS a little over a year ago as CTO.
Joining CIS marked a logical step in my journey. While researching evolving standards as a former Internet Engineering Task Force (IETF) Security Area Director, I came up with a path to make security simpler. I laid out this path in “Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain,” published in July 2020. The book challenges the architectural patterns we have been creating and deploying for software and operating systems, including add-on security products.
I recently developed the CIS white paper, ‘Simplifying Security,’ after seeing the hurdles that under-resourced organizations face in implementing the foundations of a security control framework. The white paper gives examples of how the control areas foundational to any security program might be automated at scale, starting with what the vendor ships. It focuses on asset management, software asset management, and system posture assurance at the time of purchase and over time. Along the way, it considers technologies, protocols, and open source initiatives that have the potential to democratize security if implemented with scale in mind.
Vendor support of a transformation
As the March 2022 chair for RSA Conference webinars, I had the opportunity to host a fantastic panel session on ‘Making Security Simpler’. The panellists included: Rudy Bauer from Dell, Luke Hinds from RedHat, Tony Jeffs from Cisco, and Kay Williams from Microsoft. The session provided much hope for the transformation of security over the next two to five years for built-in security at scale. The session was powerful and inspiring. The panellists offered insight into real projects that align to the goals outlined in ‘Simplifying Security’, with the CIS Controls and other control frameworks acting as a starting point.
Here are just some of the highlights from our discussion:
- Bauer touted Dell’s Secured Component Verification (SCV) program for supply chain assurance using attestation technology. This work demonstrates how a vendor can attest that a product matches an expected set of policies and measurements, leaving organizations with little ongoing management to do to assure a trusted boot process.
- Williams highlighted Microsoft’s robust platform to update client machines when new vulnerabilities emerge. Patching has improved greatly over the last few years, allowing vendors to fully automate patching and organizations to minimize, if not eliminate, the need for distributed testing across their environments.
- Hinds said that Red Hat has been breaking ground with the Sigstore open source project, whose mission is to provide a free resource for code signing, including the signing of Software Bill of Materials (SBOM) manifests. It’s an initiative similar to how Let’s Encrypt launched a free service to automate certificate management for web servers with the Automated Certificate Management Environment (ACME) protocol, thus helping to encrypt the web more fully.
- Jeffs stated that product development environments are an avenue for infiltration, and that Cisco has learned that scale and agility are very important as the world (and the threat landscape) changes. Achieving consistency across these areas will require a combination of centralized security architecture and privacy. It’s a journey that begins with automating the inventory of assets according to a set of controls and principles, mitigating risks automatically in the process.
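To make the SBOM-signing point concrete, here is an added example in Go; it is not code from the panel, from Sigstore, or from CIS. It signs a constructed, minimal CycloneDX-style manifest (the manifest text and the `libexample` component are made up for illustration) with an ECDSA P-256 key generated in-process, verifies the untouched copy, and then shows that changing a single component version invalidates the signature. What Sigstore adds on top of this basic sign-and-verify step, namely short-lived keys bound to a verified identity and a public transparency log of signatures, is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// sbomManifest is a constructed, minimal CycloneDX-style manifest used only
// as sample input for this example; it does not describe any real product.
const sbomManifest = `{"bomFormat":"CycloneDX","specVersion":"1.4",` +
	`"components":[{"name":"libexample","version":"1.2.3"}]}`

// Signer wraps a P-256 key pair generated in-process. A Sigstore-style
// keyless flow would instead bind a short-lived key to a verified identity
// and record the signature in a transparency log; that part is out of scope.
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh ECDSA P-256 key pair.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKey returns the verification key a consumer of the SBOM would use.
func (s *Signer) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// SignManifest hashes the manifest bytes with SHA-256 and signs the digest,
// returning an ASN.1 DER-encoded ECDSA signature.
func (s *Signer) SignManifest(manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// VerifyManifest recomputes the digest of the manifest as received and checks
// the signature against it. Any byte-level change to the manifest fails here,
// as does a signature produced under a different key.
func VerifyManifest(pub *ecdsa.PublicKey, manifest, sig []byte) bool {
	digest := sha256.Sum256(manifest)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs the sample manifest, then verifies the untouched copy and a copy
// in which one component version was bumped. It returns both verdicts.
func Demo() (validOriginal bool, validTampered bool, err error) {
	signer, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	sig, err := signer.SignManifest([]byte(sbomManifest))
	if err != nil {
		return false, false, err
	}
	// Simulate a supply-chain edit after signing: one version string changes.
	tampered := strings.Replace(sbomManifest, `"version":"1.2.3"`, `"version":"1.2.4"`, 1)
	pub := signer.PublicKey()
	return VerifyManifest(pub, []byte(sbomManifest), sig),
		VerifyManifest(pub, []byte(tampered), sig),
		nil
}

func main() {
	ok, tamperedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original manifest verifies:", ok)        // true
	fmt.Println("tampered manifest verifies:", tamperedOK) // false
}
```

The signature is over the exact manifest bytes, so an SBOM must be distributed and verified in the canonical form that was signed; re-serialising it (reordering keys, changing whitespace) before verification would fail just as an attacker's edit does. That is also why, in practice, the signature is stored alongside the artifact rather than embedded in it.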
The right to expect security
Williams ended our panel session with a powerful pronouncement. “Security is like clean air and clean water,” she said. “Individuals should be able to expect it.”
This bodes well for the future of product security … and for making security simpler overall.
Kathleen Moriarty is Chief Technology Officer at the Center for Internet Security and the former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
Adapted from the original on CIS Blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.