As we have one of the most used PKI products in the world, it's important to keep up with current trends and happenings in the IT Security society. As part of this effort we attend several events, conferences etc. all over the globe to meet and mingle with the actors in the business. If you've been to busy to attend, or if you're perhaps just interested in our point of view - here are some insights from two of the latest conferences we've attended.
Insights from RSA Conference 2018
The RSA Conference part had a little dip before but is now improving. That being said, if you are a security practitioner, this event is a must-go, just to see the expo. The expo part of RSA conference is what a Comic Con is for science fiction fans, or Eurovision is for schlager devotees. At the expo floor, you see what is relevant and what wants to become relevant in IT-security. This year, there were many vendors in “hot areas”, such as DevOps +Sec, securing containers and microservices, utilization of Machine Learning and AI to prevent intrusions, Endpoint protection detection and response… As usual Clouds were present, and everything else. This year, we could not hear a new prevalent buzzword tough, most likely since Spectre & Meltdown occupied many minds.
For PrimeKey, this year RSA Expo was our best yet, both in number of “leads” and in what we achieved. Besides our flagships, EJBCA Enterprise and PKI Appliance, the team showed our new offering EJBCA on AWS. We are very excited about interest shown. Additionally, great news for us was big interest in our SignServer – this year we saw dramatic increase in questions about code signing. Some software vendors discover code signing only as a problem when the code signing keys get stolen. This is where SignServer helps to do code signing efficiently, controlled and in a centralized manner. Also available on Appliance!
Insights from ICMC
A less known but quite interesting event is the International Cryptographic Module Conference (ICMC), held this year in Ottawa, May 8-11. Initially, the conference was covering FIPS and Common Criteria certification processes and best practices on how to (successfully) validate a product. In only 5 years, the ICMC conference has grown to cover several adjacent areas of cryptographic modules – for instance, this year we could learn about advances in quantum safe computing, or advances in outside of North America. As usual, Clouds were present, and we will reflect on this shortly. For a first-time visitor, we recommend the Workshops during day before the conference starts.
There is a good representation of open source related topics at ICMC – from Linux kernel to OpenSSL and LibreSSL libraries. We are very happy to have helped bring open source as a dedicated track – so much of industry and governments relies on security of open source projects, and we all owe great respect to engineers all around the world that make contributions and create open source software. Looking at Linux and “bug lifetime”, the average time between introduction and fix is about 5 years. Once a bug is identified, the fix comes within weeks. If the 5 years scares you, it should be noted that for proprietary/closed software, this number is unknown and should be expected to be longer than that. As for the fixes, well, “it depends” to be polite.
Execution environments and chips
Two more themes caught our attention – the first one is advances in Trusted Execution Environments. Intel and ARM have addressed this area and today they enable making cryptographic modules or entire applications be executed in a protected area on a chip tough SGX and Trustzone respectively. At PrimeKey, we are bit cautious here – at very minimum, there are several years before we will consider these technologies as mature. Furthermore, it is unclear if a chip vendor can for whatever reasons, “turn off” some security provisions. Then, consider again Spectre and Meltdown. To our point, the CTO for a prominent company told us that the chips have gotten too complex and no human being is able to have an insight in all relevant areas to be completely sure that the delivered technology is safe and secure. From PrimeKey side, we would add that some regulations, for instance CloudAct, raise concerns for some of our customers. In that perspective, we think that PrimeKey’s new product, Secure Execution Environment is the right choice for many organizations.
New standards and regulations
It was interesting to see how (some) Americans and Canadians see the EUs Cybersecurity Act. It looks like there is a small degree of misunderstanding and surprise that EU comes with two major things that impact our industry – GDPR (well, it impacts everybody) and EU Cybersecurity Act. We at PrimeKey are agnostic to politics and always respect local regulations, even though we prefer global and open standards. We could not avoid reminding ourselves that FIPS 140-2 has not seen its successor yet, yet so many years overdue, a standard from USA/Canada that de-facto governs HSM field world-wide. This year at ICMC, PrimeKey shared our experience on the Common Criteria evaluation of EJBCA, that - as you probably know - is an open source PKI developed and maintained by us. We also shared our experiences with HSM technologies from the perspective of advanced “users”. In over 15 years of experience PrimeKey has been deploying PKI and in each of our PKI Appliance products, there is a built in HSM. Hence, our engineers know very well both what the HSM can deliver and what the customers expect. The last two are not always the same.
Interested in IT Security?
Want to know more about trends in PKI, Crypto and other related IT Security topics? Come to PrimeKey Tech Days 2018! You'll get:
- PKI, Crypto, IoT, Cloud, Open Source etc.
- Networking with some of the best in the business from around the world
- Social evening activity in Stockholm
- And much more...