Now more than a decade old, the RSA Conference in San Francisco this week remained predominantly focused on traditional security practices rather than hot new inventions for protection. The event was highlighted by keynotes from Internet co-inventor Vint Cerf, Wikipedia founder Jimmy Wales, and even former Secretary of State Condoleezza Rice.
SafeNet, for example, was on hand to talk about data protection through encryption. While one of the themes of this year’s conference was “Big Data Revolutionizes Security,” much of the discussion around Big Data was simply focused on encrypting it and locking it away with proper access controls.
Dave Hansen, president and CEO of SafeNet, said that there is a tremendous need for encryption in cloud-based data-driven applications. Unfortunately, he also said many companies only decide to encrypt their cloud data after a breach has occurred.
But Hansen also said that the focus of security products, like those SafeNet sells, has changed as time has gone on. While DRM and anti-piracy measures were popular in the past, license management is more popular today. To that end, SafeNet created Sentinel Cloud Services to allow developers to authenticate and license software remotely through an API and authentication service. Sentinel Cloud Services lets developers add functionality similar to that used in Microsoft Windows Genuine Advantage, where software authenticates with a remote licensing server over the Internet to validate its license.
Elsewhere at RSA, Alan Karp and Marc Stiegler, both of HP Labs, discussed the principle of least authority, or POLA. POLA is a guiding principle for developing secure software by isolating objects.
Karp said that isolating objects prevents the abuse of object access privileges. “Some you will find already are using some of these standards,” he said. “Many places already say you’re not allowed to have global static mutables. This is just a continuation of things you’re already doing.”
Stiegler compared POLA to object-oriented programming, but said that POLA takes object orientation to its logical extremes.
“This is like object-oriented modularization put on steroids, or taken all the way,” he said. “It’s the real thing. Once we do that, we find we get security properties almost for free.”
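An added illustration of the object-capability style Karp and Stiegler describe (example code written for this page, not from HP Labs or the conference): authority travels only with object references, so a component handed a narrow facet can reach nothing else, and the grantor can revoke it. Function names such as makeThermostatFacet and the thermostat/door-lock store are assumptions.

```javascript
// Added example of object-capability isolation (POLA): a component's authority is
// exactly the object references it holds, so there is no global mutable state to
// reach around the facet it was given. Names are assumptions, not HP Labs code.
function makeDeviceStore() {
  // Private state lives in a closure; only these two methods can touch it.
  const state = { thermostat: 21.0, doorLock: "locked" };
  return Object.freeze({
    get: (key) => state[key],
    set: (key, value) => { state[key] = value; },
  });
}
// Attenuation: a facet that reaches only the thermostat entry, with a range check.
function makeThermostatFacet(store) {
  return Object.freeze({
    read: () => store.get("thermostat"),
    write: (celsius) => {
      if (typeof celsius !== "number" || celsius < 5 || celsius > 30) {
        throw new RangeError("temperature out of range");
      }
      store.set("thermostat", celsius);
    },
  });
}
// Revocation: forward to the target until the grantor cuts the reference off.
function makeRevocable(target) {
  let alive = true;
  const check = () => { if (!alive) throw new Error("revoked"); };
  const facet = Object.freeze({
    read: () => { check(); return target.read(); },
    write: (c) => { check(); target.write(c); },
  });
  return { facet, revoke: () => { alive = false; } };
}
// A third-party scheduler is handed only the facet, never the store.
function makeScheduler(thermostat) {
  return { nightSetback: () => { thermostat.write(thermostat.read() - 3); return thermostat.read(); } };
}
function demo() {
  const store = makeDeviceStore();
  const { facet, revoke } = makeRevocable(makeThermostatFacet(store));
  const scheduler = makeScheduler(facet);
  const afterSetback = scheduler.nightSetback();            // 21 -> 18
  const lockUntouched = store.get("doorLock") === "locked";  // out of the facet's reach
  revoke();
  let revokedRejected = false;
  try { scheduler.nightSetback(); } catch (e) { revokedRejected = e.message === "revoked"; }
  return { afterSetback, lockUntouched, revokedRejected, facetKeys: Object.keys(facet) };
}
```

The scheduler never learns that a door lock exists, which is the "security properties almost for free" Stiegler refers to: nothing has to check the scheduler's intent, because it was never given the reference.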
Getting closer to the Internet of Things
RSA also saw a keynote speech by Vint Cerf, Google’s chief Internet evangelist, and co-author of the Internet’s most basic protocols. He discussed the types of encryption and authentication routines needed to keep up with the forthcoming “Internet of Things.”
“Toasters on the Internet used to be a joke,” said Cerf. “Back in the days when Interop was meeting here [at the Moscone Center], someone said as a joke, ‘Some day there’ll be toasters on the Internet.’ And someone actually built a toaster that could accept an SNMP packet to choose how burnt you wanted your toast. Since that time, a lot of these other devices are showing up with processing capabilities.
“I used to tell jokes about light bulbs having IP addresses. I can’t joke about that anymore because someone sent me an IPv6 light bulb,” he added.
Once all of these devices are online and using the Internet, they must also be secured just like any other Internet-enabled computer. As an example, Cerf pointed out that high-end refrigerators now include LCD screens, built-in Wi-Fi, and browsers. He mused that, perhaps if we’re not careful, we could see a major cyber disaster, like when refrigerators attack.
Compounding the problem, said Cerf, is the fact that many new Internet-enabled devices aren’t managed by the end user directly: They’re managed online through a third-party service.
“The solution is to put [all of these devices] on the local net at home, and use the mobile phone to control them,” said Cerf. “This also opens up the field to third parties. This notion of allowing third parties to manage things is very attractive.”
Thus, while it might be nice to adjust the thermostat by hand, perhaps it’s easier to simply let the computer maintain a reasonable default temperature throughout the house, instead of requiring a human to make the adjustments.
“All of that has to be authenticated, because someone could turn all the A/C units in the U.S. on and off and whiplash the power grid,” said Cerf.
He postulated that a black-box public/private-key generation system could be created to help with both identity and authentication of such devices. Such a device, however, he left for the audience to create as homework.