December 3, 2020
Ready to change: Four security trends that organizations must prepare for in 2021
2020 has been a year dominated by the tragedy of the global pandemic. However, even as workers embrace home working, cyber-attacks show no sign of abating. Potential targets have continued to strengthen their security controls, with Gartner expecting worldwide spending to reach $123.8 billion in 2020. For many, the most concerning issue is the likelihood of a global-scale security event. Looking forward to 2021, we can identify four critical trends that will likely impact the security industry, commercial organizations, and society at large.
Typically, a large-scale security issue may impact a popular application, an operating system, or even a family of microprocessors. We have not yet experienced a truly worldwide security issue that simultaneously impacts almost everything (a “pandemic”). At events such as Black Hat or SXSW, security professionals find the idea of a “super code” that could instantly unlock all the world’s encryption and security controls absurd. This may change. The issue is quantum computing, and the next few years could see such a global event.
At a basic level, encryption is based on mathematical formulas that, with the right key, can solve complex problems that aid in the encryption and decryption of data. For certain encryption schemes, trying to break these codes using brute-force methods would take all the computing power on planet Earth working together for hundreds of years. However, quantum computers could solve certain mathematical functions in just a few seconds. The impact is that some common types of encryption systems may well be utterly broken by quantum computing in the next five to ten years. Because security controls form links in a chain, having an entire category of device or encryption family suddenly become compromised might make entire complex workflows insecure as well. This scenario is not just theoretical: there are projects taking place around the world where researchers are looking at both breaking encryption and creating new “quantum-proof” encryption methods. The next few years will see one or both sides bring potentially game-changing technologies to market. At PrimeKey we are well positioned should quantum computing create a tidal wave of swift changes. We own and develop all parts of the cryptographic supply chain, from the cryptographic libraries up.
Regulators get tough
If quantum is the boogeyman outside the door, then another major trend for 2021 onwards is a recognition that both the technology industry and vertical markets must do more to tighten security. This is of course what everybody would like, but without a regulatory big stick to ensure that best practice is carried out from design through to implementation, the incentive to change is limited. As such, the next few years are likely to see more national and international regulation around cybersecurity. We have already seen some of this happen within critical national infrastructure (CNI), including power generation, with tougher regulation from NERC in North America, the NIS Directive of the European Union and the IT security law by the Federal Office for Information Security in Germany. However, much of the industrial IoT landscape was built many decades ago, and there is little incentive to add new security controls in areas such as manufacturing. Even so, industrial IoT regulation will gain a big boost from 2021 onwards with the arrival of automated vehicles. The idea of a hacker taking over a manufacturer’s production line might be bad enough; the idea of a hacker taking over a 7-ton automated delivery truck and using it as a terrorist weapon is something that governments cannot overlook. As such, mandated IoT security regulation for the automotive industry may become the catalyst that forces change across the entire IIoT landscape.
The first two trends have a common theme: in both, technology change forces a response from the cybersecurity industry to meet a new or evolved threat. Although IT in general is a software-centric and inherently quite agile sector, it is still surprising how much fundamental technology is hard-coded into appliances and systems. While much is made of the strength, intelligence and analytic capabilities of cybersecurity, less regard is given to flexibility, more catchily called crypto agility. Focusing on encryption as just one area: in a scenario where a cryptographic algorithm is retired, for example SHA-1, moving to a new standard should be simple and should not create interoperability issues. The inherent problem is that many systems were not designed with the assumption that core security elements may need to be swapped out quickly. Another way to look at this problem is that we do not have standards that are generic in how classes of cryptographic operations are used. Internally, PrimeKey’s engineers have been working to deliver solutions that can change the underlying algorithms as well as rapidly re-generate trust hierarchies. Crypto agility is heading to the top of the design philosophy for many more suppliers, and customers alike.
Flexibility around security is part of a wider shift in technology that is embracing more security delivered from the cloud. Many organizations realize that they have neither the time nor the resources to run their own security infrastructure, especially in situations where performance requirements may fluctuate widely. In fact, on average, it is safer to run from a cloud (private or public) than from a traditional IT department. However, some industries have additional concerns. For instance, manufacturing industries must ensure that production continues even if a factory has temporarily lost connectivity to the cloud provider. Because security controls are central to a spider’s web of connected processes, a failure of a major security control that is only available via the cloud can lead to a ripple effect that stops entire businesses in their tracks. Hence, there is a lot more emphasis on having security everywhere and anywhere, and the list of possible combinations is growing: on-prem, private or public cloud, hybrid and, most recently, deployments based on country or political bloc. Over the last year alone, we have seen more of our own customers build out major projects that simultaneously span multiple deployment options to provide scale and resiliency. Conversations about where a particular service will be hosted to comply with EU, US or third-party country law are now common in every scope of work, and the talk of GAIA-X as a Federated Data Infrastructure for Europe may well raise the stakes even higher.
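The SHA-1 retirement scenario above can be sketched in a few lines. This is an added example, not PrimeKey code: the `DigestPolicy` class, its three states and the sample data are hypothetical, and it shows only one slice of crypto agility, where the algorithm identifier travels with every stored digest so that retiring an algorithm is a policy change rather than a code change.

```python
import hashlib
import hmac

ACTIVE, DEPRECATED, RETIRED = "active", "deprecated", "retired"


class DigestPolicy:
    """Hypothetical policy object: algorithm choice is data, not code."""

    def __init__(self, preferred, status):
        self.preferred = preferred
        self.status = dict(status)

    def _tag(self, alg, data):
        # The identifier is stored with the digest: 'sha256:ab12...'
        return f"{alg}:{hashlib.new(alg, data).hexdigest()}"

    def issue(self, data):
        return self._tag(self.preferred, data)

    def verify(self, data, record):
        """Return (ok, record_to_store)."""
        alg = record.partition(":")[0]
        state = self.status.get(alg, RETIRED)  # unknown algorithms are refused
        if state == RETIRED:
            return False, record
        expected = self._tag(alg, data)
        ok = hmac.compare_digest(expected.encode(), record.encode())
        if ok and state == DEPRECATED:
            # Still accepted, but re-issued under the preferred algorithm.
            return True, self.issue(data)
        return ok, record


def demo():
    firmware = b"constructed firmware image v1"  # constructed sample input
    policy = DigestPolicy("sha1", {"sha1": ACTIVE, "sha256": ACTIVE})
    old = policy.issue(firmware)

    # Phase 1: SHA-1 is deprecated. Old records verify once and are migrated.
    policy.preferred = "sha256"
    policy.status["sha1"] = DEPRECATED
    ok_deprecated, migrated = policy.verify(firmware, old)

    # Phase 2: SHA-1 is retired. Unmigrated records are now rejected.
    policy.status["sha1"] = RETIRED
    ok_retired, _ = policy.verify(firmware, old)
    ok_migrated, _ = policy.verify(firmware, migrated)
    return old, migrated, ok_deprecated, ok_retired, ok_migrated
```

Records that were never verified during the deprecation window fail closed once the algorithm is retired, which is why the window has to be long enough for every stored record to be touched.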
Ready for change
There are a few other trends, such as blockchain, geopolitics and COVID (changes in consumer behaviour may have an impact for several years), that may intersect with the issues of quantum computing and IoT regulatory tightening. And even with deep experience of the industry, there will always be additional surprises that nobody foresaw on the horizon. However, if organizations are looking for one major piece of advice, it is to stay agile and flexible across the organization and its technology choices. If 2020’s global pandemic taught us anything, it is that uncertainty is the only certain outcome, and being able to adapt to the challenges should be part of all planning.