Enterprise IT Context for the CTO

Bob Gourley



Naturally Better Security: Leveraging the power of nature to enhance Internet security


Nature has provided insights for engineers for years, inspiring technical solutions to challenges that replicate the elegant perfection of approaches that work in the natural world. Solutions inspired by nature are being applied to diverse fields including energy production, medicine and healthcare, architecture, food production, transportation and manufacturing. Nature is now providing engineers with the missing link that can help with the most vexing challenge of our age: enabling both security and functionality in our interconnected IT systems. The next generation of cybersecurity is being enabled by the quantum nature of the universe itself.

Next generation cybersecurity is needed right now. Cyberattacks are increasing across multiple industries and every level of government. Over the last decade, attacks have been directed against governments, academia, financial institutions, businesses in every sector, and even individuals and their homes. In Europe, attacks have damaged the energy sector, and many believe more onslaughts against critical infrastructure and services are in our future. Attacks can even impact the safety of our cars, as hackers have shown they can successfully take over systems embedded in vehicles, and entire airports have been shut down by assaults against the aviation industry. Attacks in the healthcare sector have violated the privacy of hundreds of millions of patients and have disrupted hospital and emergency care. Attacks have also been conducted against political campaigns as far back as 2008. The escalation of these attacks in 2016 is raising fears that cyberattacks against electoral systems will threaten democracy itself.

All indications are that these assaults will continue. Adversaries, including cyber criminals, states seeking national security information, hackers seeking glory, and hacktivists pushing causes, have all come to realize the value of successful cyberattacks, and they show no sign of stopping. Defenders need to leverage security solutions that increase the amount of effort required by criminals while ensuring the freedom of action and functionality in our protected systems. Current approaches are all variants of a security theme from the 1990s called “Defense in Depth,” where security is layered on at every point in the IT stack. Security solutions are run on end devices, in networks, on servers, in the cloud and everywhere in between. This approach mitigates risk when properly engineered and overseen, but it is always expensive. Defense in depth has become expense in depth. And still, adversaries find ways to get in.

Besides expense, today’s defense in depth faces several technological challenges. Engineers in academia, industry and government have designed approaches to address these challenges, including mechanisms like Hardware Security Modules (HSMs) that safeguard and manage security keys for authentication and conduct encryption and decryption. Until now, the state of the art of HSM devices kept them out of reach of most businesses. Now, breakthroughs based on quantum effects and advances in key and policy management techniques are being coupled with HSM devices, turning them into more powerful tools capable of generating, managing, and safeguarding large numbers of the most secure encryption keys possible.

All encryption keys require random numbers. The most sophisticated random number generation algorithm that can possibly be created by humans using conventional computers will still only generate pseudo-random numbers. Pseudo-random algorithms are mathematically predictable. The one place where nature appears the most random is in a special quantum effect observable by specialized equipment. At a quantum level, sometimes matter just appears. Then it disappears almost as fast as it appeared. It does this in ways no one can predict, and can be utilized to generate truly random numbers. By building solutions based on a foundation of truly random numbers for key generation, new levels of trust and security can be engineered into our systems.
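The predictability described above can be checked directly. The following is an added example, not code from the original post or from any vendor it mentions: it assumes Python's `random` module (a Mersenne Twister) as the pseudo-random generator and a constructed Unix-timestamp seed, and shows that a 256-bit key built this way is only as strong as the seed space, next to the same key drawn from the operating system's entropy source via `secrets`.

```python
import math
import random
import secrets
from typing import Iterable, Optional

KEY_BYTES = 32  # 256-bit symmetric key


def weak_key(seed: int) -> bytes:
    """Key from a seeded Mersenne Twister: fully determined by the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Key drawn from the OS entropy source; nothing to re-derive it from."""
    return secrets.token_bytes(KEY_BYTES)


def audit_seed_space(key: bytes, candidates: Iterable[int]) -> Optional[int]:
    """Return the candidate seed that regenerates `key`, or None.

    A hit means the key's real strength is the size of the seed space,
    not the length of the key.
    """
    for seed in candidates:
        if weak_key(seed) == key:
            return seed
    return None


def effective_bits(seed_space_size: int) -> float:
    """Work needed to enumerate a seed space, expressed in bits."""
    return math.log2(seed_space_size)


# Constructed sample: a service seeds its generator with the start-up time.
STARTUP_TIME = 1_480_000_000 + 1234           # constructed Unix timestamp
WINDOW = range(1_480_000_000 - 3600, 1_480_000_000 + 3601)  # +/- one hour

if __name__ == "__main__":
    key = weak_key(STARTUP_TIME)
    print("seed recovered from key:", audit_seed_space(key, WINDOW))
    print("effective strength: %.1f bits" % effective_bits(len(WINDOW)))
    print("OS-sourced key re-derivable:",
          audit_seed_space(strong_key(), WINDOW) is not None)
```
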

Quantum effects are being leveraged to generate random numbers at high rates and in ways that make guessing keys impossible, removing an important attack avenue for cyber criminals. Until this quantum effect was used, every other accepted method was not truly random, or was too slow to deliver the security really needed. This vulnerability has been the subject of years of research and community collaboration, including production of standards overseen by the U.S. Department of Commerce’s National Institute of Science and Technology (NIST). Since 1997 NIST has coordinated community-wide participation in a Random Number Generation Technical Working Group to help improve the ability of encryption solutions to leverage increasingly hard-to-break keys. The state of the art today is to leverage a fundamental process of nature that is fascinating to contemplate.

QuintessenceLabs calls this new level of trust a “Trusted Security Foundation.” The Trusted Security Foundation combines a high-speed true random number generator based on quantum effects with very advanced key generation and policy management. It also ensures that an enterprise’s encryption keys are protected by an advanced hardware security module. A Trusted Security Foundation like this enables enterprises to generate and manage enough keys to quickly encrypt and decrypt data in motion and at rest no matter where it is. Enterprise data can be encrypted in databases, in end-user devices, and even in the cloud - with enterprises retaining secure possession and control of their private encryption keys on premise. This increases confidence that their encryption is not weakened by sub-par randomness, low latency or limited key and policy management capabilities.

The use cases for a Trusted Security Foundation touch every user of the Internet. Consumers are wary of having their financial information put at risk through ecommerce, patients are fed up with having their medical and insurance records stolen, and all of us are sick and tired of our governments not protecting our personal information. Businesses are also at risk and are either over-spending on security or neglecting some huge business risks that place growth and even future jobs at risk.

The Trusted Security Foundation is key to many operational systems today, including a large deployment protecting the customers of NetDocuments. By building upon a Trusted Security Foundation, NetDocuments can offer their customers advanced collaboration and coordination capabilities with sophisticated security, encryption and compliance solutions, including built-in cloud-based document management users can access from any trusted device.

According to Alvin Tedjamulia, CTO of NetDocuments, “The underlying randomization technology is a critical component to our key management infrastructure, setting a new standard for best-of-breed encryption and now customer-controlled keys for each individual document”.

Everyone is facing a problem in cyberspace. We are all under attack. Until we can collectively raise the defenses of our interconnected information technology we will always be sub-optimized and we will never reach our collective potential. Of the many innovations underway today, finding a way to improve security naturally, based on the fundamental nature of the cosmos itself, is perhaps the most promising solution we have.


Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com