With the end of the year approaching, it’s a perfect time to look at what’s ahead for enterprise cybersecurity in 2019. As data breaches continue to pose security threats across every industry, planning for operational enhancements while getting ahead of the latest risk is more important than ever.
I recently participated in a webinar with other cybersecurity experts hosted by the Information Systems Security Association (ISSA) on 2019 Cybersecurity Trends to Watch, including:
- Quantum computing
- IoT insecurity
- IoT security
- Cloud-first and containerization
Here’s why you should be on guard for these emerging cybersecurity trends in 2019 – and how your enterprise can prepare.
Trend #1: Quantum Computing and Cryptography
During the past two decades, we’ve been looking at quantum computing as a threat of the future that’s yet to become a near-term concern – but that outlook is shifting.
While the timelines vary, most experts in the field now predict that quantum computing will become viable sometime between 2024 and 2030. And the scale of the potential impact to cryptography is immense: NIST reports that while algorithms such as AES and SHA-2 will be "wounded" – that is, weakened but salvageable with larger outputs or key sizes – the asymmetric algorithms that underpin such as RSA and ECC will effectively become unsecure and unsalvageable, even with larger key sizes.
Quantum aside, all cryptographic algorithms will eventually become ineffective. Planning and successful execution is more complex than just auditing and adjusting. You need both methodical preparation and runway.
What does this mean?
- The cryptography you’re deploying today will not be secure in the future. This has particular impact on IoT devices which may stay in the field for longer periods of time.
- The need for comprehensive crypto-agility starts now.
The basic principle of having a crypto-agile stance is knowing what you have and how to deliver secure updates at scale. To get started, consider the following:
- Know what you have: Gather and maintain your certificate inventory. When it comes to certificates, know how many you have, where they are, what they’re used for, and when they expire.
- Develop response plans: Outline the actions and create processes you’ll need to implement if and when crypto events happen – certificate expirations, algorithm breakage, public root breaches, and quantum breakthroughs.
Trend #2: IoT Device Insecurity
There's no doubt that 2018 was a bad year for IoT security, and unfortunately, 2019 will likely be worse, with more devices sending data and allowing connections in.
IoT brings huge potential, but it drives a need for strong security engineering into a group of architects, implementers and practitioners who aren’t used to thinking that way. Furthermore, strong cryptographic engineering skills are rare and expensive. And the economics in many cases don’t drive perceived value in extra security – margins are often low, and customers don’t want to pay extra for security (but expect it to be there).
Creating a secure foundation at the start of manufacturing just makes good sense. It’s during the design phase where you want to incorporate cryptography, binding digital identity, so it’s inherent in the device. When the firmware is designed correctly, it becomes extensible to all those in the device ecosystem – so two-way communication not only works, but maintains the security of every engaged device.
Device manufacturers must work to control risk, and device users must do the same. Enforcing policies, extending certs throughout every device across the enterprise, keeping data siloed and protected … when these practices become the standard, the insecurity of things transforms into what IoT is supposed to be.
Trend #3: New IoT Security Standards
While IoT security has taken a hit this year, there is still hope for improvement.
Governing bodies and other organizations have begun to release more guidelines, regulations and best practices around IoT security. There is legislation and proposed legislation on the horizon that helps counteract the “economics of security” problem described above.
Additionally, the automotive and healthcare industries are taking security more seriously, recognizing that insecure medical devices or vehicles can lead to fatalities. Both of these industries have been wounded by previous breaches and are taking device design and security into the next generation.
As more industries follow the lead of automotive and healthcare, we’ll see IoT security become a higher priority.
Trend #4: Cloud-First and Containerization
In 2019, we can expect more of a cloud-first and containerization approach to PKI management.
Digital security in the cloud allows for agility and transformation. As a collaborative environment, being able to detect and respond to threats on a global scale becomes easier. Additionally, the securing of data can help drive behaviors of end users. And if those benefits aren't enough, enterprise PKI management in the cloud is a preferred method by many organizations because it allows for outsourcing the process as a managed service.
We're also seeing a rise in containerization, a lightweight alternative to full machine virtualization that involves encapsulating an application in a container with its own operating environment. Containers help software run more reliably when transferring from one environment to another by removing limitations of various OS and infrastructure fragmentation. This is often a more cost-effective approach that allows a company to use its cloud resources more densely.
Be Ready for New Cybersecurity Trends in 2019
All-in, organizations will be more challenged than ever to protect their identities next year and beyond. And while these trends may make us uncomfortable, highlighting them isn't intended to scare anyone. As a CTO, my job is to look at the horizon of the industry and build solutions to address the biggest needs.
Whether you’re an IoT device manufacturer or an organization needing to protect digital identities across your entire enterprise, we’ve got new capabilities and use cases to share. To learn more, visit us at www.keyfactor.com or watch my recent webinar.