The changing face of internet security

In this episode we are talking to Bill Conner, CEO of Entrust, a leader in identity-based security solutions. Bill is one of the most experienced security and infrastructure executives in the world.

Let's start with some background on Entrust?

We have been around since 1994, so we are one of the old guys of security, I might say, and we do about 40% of our business with governments, so people like HM Land Registry, Revenue and Customs and the Home Office use our technology. Most UK citizens have a password that uses our technology to authenticate and encrypt and protect their information on that password. We do a lot with banks, from securing their emails to their desktop and laptop stuff, all the way to the web server certificates that protect the communication and the web presence through which they deal with clients.

Let's define exactly what we mean by enterprise mobility?

If you look at the enterprise mobility market, it is increasingly “Bring your own device”, or mobility that is provided as a choice of computing within enterprises. When we look at mobility, it is perceived to be one of the more insecure platforms, and you don’t have to read too many papers to see some headline stating that some mobile platform has been broken. What is interesting is that it is actually a more secure platform than desktops and laptops. In important identity-based scenarios you can obviously still amass information like your pictures and information of contacts, and both these can be stolen because you are on a shared memory part of the phone. Or, if you are using social networks that have APIs that can access your pictures or your contacts, then malware can enter there. When you put your own individual identities in the non-shared memory side, it is much more secure, and we have not seen to date any breach of your personal credentials on those mobile devices regardless of operating platform, whether it be Android or iOS.

Are mobile devices safer due to the way that they talk to the outside world?

With smartphones, let’s assume it is not jailbroken. A lot of people think they need to jailbreak their phone to get applications, but once you get a jailbroken phone then all bets are off in terms of security. But it starts with an architecture that has a shared side and a protected side, and it starts with something called a sandbox. As many people would know, a sandbox is much more secure in terms of looking at the applications, trying to check them and ensure that they don’t contain malware, and then, if the application is in that sandbox, not having malware jump across applications in the sandbox. Despite popular misunderstandings, we are not aware of applications jumping across each other in that sandbox. Usually it is when you have an API on a social network that connects between applications that it happens, but not in the sandbox itself, in the store where those applications sit.

I think it is also important that it is not just the enterprise employees. I know that I as a consumer and you as a consumer increasingly want to use my iPad and my iPhones as the way to communicate through the web to do whatever I am doing, whether it is my banking, my insurance, my health or playing, so I am thinking increasingly businesses, banks and governments are going to have to look, and are looking, at how they mobilise their applications, because that is the number one drive for consumers.

What are the main issues and threats that are affecting businesses at the moment in your opinion then?

It is interesting when you see, as much as we do in the States, that every day there are 300,000 variants of malware being created. When you are dealing with that kind of volume of malware variants being created, it’s just simply not possible to keep the perimeter up to date to keep those things out, so the corporations are in an arms race with the bad guys trying to get in. That malware, whether it is Zeus, SpyEye, man-in-the-browser, man-in-the-middle, whatever type of alphabet soup malware, is really trying to compromise or steal your individual identity, by someone either external to the business or internal to the business. They want to do that to steal the money, the IP, or to impact someone’s critical infrastructure if you are a country.

Where do you think that the holes are in the defences of organisations at the moment? What are businesses not addressing enough currently?

I think people are still hoping that they are not breached and that their perimeters are holding up because they can’t find the malware inside. At our conference this week we were working through and talking with our customers like banks and government about how you can take and protect your digital identities, ensuring that the transactions that you need are identity assured, not compromised, and are secure with your digital identities. We do that using a combination of the desktop security that you have today and the perimeter, but we use that mobile device to put some secure mobile credentials or digital certificates on; think of it as like a smart card on a mobile device. What that allows you to do is to take those sensitive transactions that would normally be completed and dealt with online through your desktop and laptop and that network to an out-of-band channel like mobile and to use digital signature and authentication techniques for those mobile virtual smart card for a generic answer to complete those transactions so they cannot be compromised by malware.

I know you are an advocate of next generation firewalls. What are the conversations that the industry is having around them at the moment?

I think where next generation firewalls are right is within the map that I have explained earlier. A traditional AB firewall or Intrusion just cannot keep up with those variants because every time one of those comes in first you have got to find it and then take that in digital signature map and that can take 7-30 hours per signature. Then you have got to get it back out into the systems and people have to deploy it. These latest threats don’t have traditional community control, so traditional IP white lists and black lists are not useful relative to that because they are stood up in 3 hours and torn down in 3 hours and it is just not practical to deal with that. So many of these next generation firewalls are really trying to either explore the Malware or watch the Malware and they claim to be signature-less, but in reality if you are putting that in somewhere and incubating it and waiting for it to do something (I call that sleepy malware) it is not hard to program around that.

What we believe is that while they are collect and why that will help, it is a good layer, it is better than what existed before on the layers on the perimeter, that is still not going to protect you if that malware gets in, because it is in. So now, your IP, your money or your critical infrastructure: how do you stop it? You cannot stop it from the perimeter. Second, if you just look at the math, you will not be able to keep it out, not even with the more advanced perimeter technologies that are there. So our view is: go and protect the identities of your employees or your clients or your citizens, and then use mobile as an out-of-band technology with the proper mobile device security so the device itself is secured. Then use your mobile smart credential that has your personal information, that can authenticate you and sign important transactions, and there you can completely beat the malware even if it is in your network.

The big change here, I guess, is that it is no longer about protecting data; it is about protecting both data and identities at the same time, isn’t it?

That is really a very good point. So many people now are saying that people are getting through, so I need to work on that identity and focus on that, but then the other thing they say is that they must encrypt all their data. Well, if you have encrypted your data you are going to have to manage it over time, and that is quite important. The second thing you have got to think about is what is the standard of encryption that you need to use to make sure that you are protected. At the end of the day, someone with their proper identity encrypts and unencrypts that information when they want it, so if you don’t have the identity side strong and identity assured, that malware can encrypt or unencrypt at will.

You mention that you work a lot with financial institutions and governments, are those organisations doing enough to protect the ordinary man on the street?

I think financial institutions have made considerable progress, and if you look at the faster payments in the UK and its regulations, I can assure you that the UK has much better legislation and regulation than we have with FSIC in the US. I think that from that standpoint the UK has done a very good job, and the banks have done a very good job of upping the pace of defending themselves and their clients. The problem is the rate of change on the bad side keeps escalating. I think the UK governments are increasingly trying to do a better job, but increasingly there are more bad actors, and once some of this malware goes into open source, the people that have to write it don’t have to do much anymore; it is just point and click. You can go online today and buy malware with support 24/7 that will guarantee you through the top 40 perimeter technologies that exist today. That is a hard thing to keep up with for governments and banks. But I think the rate of pace that they are on is certainly better than it was even 12 months ago. Critical infrastructure, on the other hand, I think we need to pick up that pace, as there is a lot of risk in those systems. It’s a complicated architecture with different components, and I think we all need to double our efforts in the US, much like the governments and banks have done here in the UK.

Well, I always think it is a fascinating field to work in, where you are in this one-to-one battle with criminals who, if they got the freedom to do what they wanted to do, could actually cause big problems for the globe, couldn’t they!

Yes. We just announced that we are working on the security on the Afghanistan National ID, and the UK, the US and quite a few other countries have put quite a few lives into giving them democracy and hopefully some freedom away from the Taliban. That national ID is a pretty important thing to keep voting as a democracy, identity, healthcare and many of those government services running.

You have had a lengthy career in security, so based on your vast years of experience, what can you see as the main things to watch for in the future?

I think security providers have to realise that it is an arms race and we have to find ways to embrace next generation architectures to take advantage of the security capabilities. Back to where I started: if I asked 100 of your listeners today, probably 90 of them would think your mobile phone is probably more insecure than your desktop or laptop, and that is where we have got to really take the time as security people to make security fit the needs of businesses and government, to make security easier to use. We also have to really think through how to take advantage of these different architectures for an advantage, like these other people are taking advantage of them for not hacking for harm but hacking for non-altruistic purposes.