RSA 2015: Security in the cloud undermined by poor credential management, says Charney
Despite the rush to the cloud, certificate authentication is still the Achilles Heel of the industry, according to Scott Charney, corporate vice president, Trustworthy Computing at Microsoft.
Despite the rush to the cloud, certificate authentication is still the Achilles' heel of the industry, according to Scott Charney, corporate vice president, Trustworthy Computing at Microsoft.
In a keynote address to RSA 2015 on Tuesday, he said there is a growing awareness in the non-security world that cyber attacks can have devastating consequences, which is driving a fresh interest in cybersecurity.
“It's not just all the breaches that continue unabated, it's that the attacks have become more destructive,” Charney said, citing examples of the hackers who destroyed oil pipelines in Saudi Arabia and caused significant harm at Sony.
“The fact is that destructive attacks will stop you doing your daily business, and it's the nature of those attacks that has changed the conversation outside of the security community and in the executive suites and the boardrooms,” he said.
Moving to a cloud service provider can help companies manage their cyber-security, but taking the data out of the organisation and into the cloud raises issues of control and transparency.
“It changes the relationship between the vendors, who used to provide the technology to the customers, to customers saying, all right, I'm putting my stuff in your cloud, how should I think about trust models in that environment” he asked.
Trust cuts both ways. As a cloud provider, Microsoft wants to trust all of its customers but realistically some of them are going to be criminals. So you build the cloud to protect it from the VMs, he said, but the customers can turn that on its head and ask how the cloud service provider is going to protect the VMs from the cloud?
“How do we protect our systems from your administrators? It's not that we don't trust you because if we didn't trust you we wouldn't do business with you, but there's a lot of concern,” he said. “We want technically enforced trust boundaries and transparency.”
Security in the cloud is about mitigating risk, not eliminating it, so the question that cybersecurity professionals need to be asking themselves is how to do a better job of policing this new environment. And how can companies like Microsoft and other cloud service providers start to think about control and transparency?
Charney believes that username and password credentials are the biggest risk.
“It's not just that they get stolen and phished but also that people use the same ones everywhere so if you lose them in one place, you have lost them in a lot of places," he said. "We all know we need to move to a different system.”
He says Windows 10 will help solve this problem with a more robust and secure authentication system based on biometrics.
"It's about more personal computing, that is, your computer will recognise you and you will have a relationship with your machine,” he said.