We sat down with Neil Weicher, CTO & Founder, NetLib Security, to discuss encryption technologies, the threat of legacy applications, the complexity of cloud security, medical IoT, and more.
You’ve been in the information security industry for a long time. Based on your extensive experience, how do you see encryption technologies evolving alongside the fast-paced threat landscape?
Many years ago encryption of data-at-rest was the somewhat neglected cousin to perimeter defenses. Companies thought all they needed was a firewall and a virus scanner. Encryption was the acknowledgement that attackers could sometimes get through and were, in fact, sometimes already on the inside. Even backups were often not encrypted, which resulted in some of the more notorious breaches of the previous decade.
Today, of course, encryption of data-at-rest is recognized as an important piece of the security landscape. We liken it to the red dye banks put in the money bags. Banks have all sorts of perimeter defenses: guards, vaults, etc. But they still put the red dye in the bags to render the cash useless if the perimeter defenses are breached. A company’s intellectual property and sensitive data are the money in the bags. If encrypted, they will be useless if they are stolen.
I have been in this industry since graduating from Columbia University with an MS in Computer Science. I founded NetLib Security many years ago specifically to deal with these problems, even though the industry had not yet recognized them as problems.
Legacy applications continue to represent a major security headache for global organizations. What can security professionals do in order to mitigate this problem?
There are millions of legacy systems out there that, due to the changing landscape of regulation, policy and best practices, now find themselves having to encrypt their data. The problem is that these applications may be impossible to modify. The source code might be long gone, or it might be impossible to modify and rebuild. If it is a third-party system, the original vendor might be long gone. There is also the notion of “if it ain’t broke, don’t fix it.”
Naturally, the first important step is, if possible, to upgrade to a newer operating system, which may have a wider range of tools available to it. However, that might be impractical: we have one customer who has a legacy application on thousands of systems with Windows XP. Upgrading all those machines to Windows 10 would be prohibitively expensive. In addition, some legacy applications might not even run on the newer operating systems. To our knowledge we are the only company that can provide encryption of data-at-rest to legacy applications without programming.
Modern companies are often using a complex combination of physical and cloud environments. How can they effectively safeguard their data with minimal impact on performance and productivity?
Protecting data across multiple environments while minimizing the impact on performance and productivity is an essential component of any business’s IT ecosystem in the digital age. A hybrid cloud architecture, which is one of the most secure ways of protecting stored data, enables SMEs (small to medium enterprises) to garner the benefits of cloud scale and operational efficiencies.
Couple that with a data storage security strategy for companies’ storage devices and systems that focuses on confidentiality, integrity, and availability. The goal is to keep sensitive data out of the hands of unauthorized users while ensuring the data is available to people in the organization who need access to it. It’s a balancing act.
At NetLib Security we fill a clear niche, serving easy-to-deploy solutions that encrypt stored data right out of the box, with virtually no impact on performance, in a unique solution tailored specifically for the SME market.
Large enterprises have a wealth of custom applications and oftentimes security is an afterthought. How can they integrate application-level encryption into their proprietary solutions?
Application shielding is a growing concern for businesses across the board. More traditionally non-tech companies fashion themselves, on top of their normal operations, as software developers these days, and even those who don’t still rely on applications interacting with their business-critical data. Protecting this data is of the utmost importance. Organizations need to:
- Protect sensitive data entered into their applications
- Safeguard the business rules, algorithms, schema, and procedures incorporated therein
- Prevent data tinkering by curious users, network administrators, etc.
- Protect program code from reverse engineering
This, essentially, defines application security: guarding against external threats by securing the software the business deploys, and detecting and preventing vulnerabilities in all of the applications.
Software vulnerabilities, meanwhile, are inevitably a tempting point of access for cyber criminals looking to compromise sensitive data. All applications have these weaknesses, from financial solutions to government and more. For a number of industries, there are also around 50% of applications that remain vulnerable in perpetuity.
Remediation of these vulnerabilities remains a problem as well. This is particularly true for the most critical and complex ones. In IT alone, the remediation rate is less than 25%, and those vulnerabilities that are remediated can take around 35 weeks to fix. In fact, this rate dropped between 2013 and 2015 from a high of nearly 50%. Banking also saw its rate shrink from 52% to 42%.
It is therefore imperative that organizations develop a comprehensive security strategy from the outset. Before even deciding on tools and solutions, priorities must be set along the lines of risk identification, assessment, fixes, learning from past mistakes and better planning for the future.
What can be realistically done to improve the security of IoT-enabled products in the medical field? Do we need more regulation? Fines? Industry recommendations are obviously not enough to make companies take notice and actually implement secure development practices.
We work with a number of medical device manufacturers and in our experience they are well aware of the security concerns. There are several players here that have to be accounted for. There are the medical device manufacturers, who in our experience are being proactive. However, there are also the hospitals and laboratories that are using the medical devices. That is probably the weaker link.
They will often need to contact the medical device manufacturers to get the latest version of the software, which of course will be an expense for the hospital or laboratory. There are also the servers that will collect the data from the various medical devices. Those may need to be upgraded as well.
The situation gets more complicated, particularly in the United States, where sometimes changing the software on a medical device may require some interaction with the FDA. Whether the FDA will make the process more streamlined in light of the security crisis is anyone’s guess.