RSA CONFERENCE — The importance of zero-trust security in the face of increasingly sophisticated cyber threats took center stage during day two of this week’s virtual RSA Conference.

In a keynote, Mary O’Brien, general manager of IBM Security, talked about her company’s zero-trust security efforts. She also spoke with Mauricio Guerra, Dow Chemical’s CISO, about that company’s switch to zero trust.

IBM’s Mary O’Brien

“Zero trust offers a better way to address the complexity in security that’s challenging our businesses today,” O’Brien said. “Traditionally, security focused on building a perimeter of protection around valuable assets. That worked well for decades for the majority of our valued assets. But that’s not the way we do business anymore. Today, it’s not uncommon to have all of your users, your data and your applications operating in different environments. And it all needs to connect to one another quickly, seamlessly and securely.”

At its core, zero trust is a multidimensional approach to addressing risk and protecting data where nothing is inherently trusted, she said.

Zero trust is helping Dow manage the new environment and ecosystem it has to support now, Guerra said.

“I’m referring to the new reality of the digital age where we have more mobile users, cloud applications, IoT and IoT devices … when internet is our new network,” he said. “So we had to transform our cybersecurity program and practices. And the answer we found was adoption of a zero-trust architecture.”

Dow’s Zero Trust Journey

Guerra said he started by understanding Dow’s digital transformation, the business’ outcomes and priorities.

“We decided to start with a zero-trust network architecture because that’s what we needed to enable our users to have full access to all forms of internet, cloud, services, etc.” he said. “So one of the first deliverables of our zero-trust model was secure access to internet. Second, we have delivered a secure access to our different locations, replacing data pools that we had before. We are replacing our telecommunications network, and zero trust is helping us with an SD-WAN solution.”

And being a manufacturing company, IoT is a big priority for Dow, Guerra said. So Dow is designing and implementing secure models to manage all the new devices that it’s implementing in the manufacturing space.

“And finally, it’s the whole area of conditional access and authentication,” he said. “So all in all, zero trust is a giving us the flexibility to support all the business needs, but in a secure way.”

When implementing zero trust security, it’s important to plan what you want to achieve and draft a detailed, multiyear road map, Guerra said. Also, be prepared to revisit it to make sure you meet your objectives.

A zero-trust approach done correctly will reduce the barriers to innovation by incorporating security and privacy into the design and development of new services, O’Brien said. In addition, it will facilitate migrating to a modern infrastructure that provides customers and your workforce with secure, frictionless access to the services they need.

“And it will enable prioritization of continuity and resiliency by facilitating contact-space monitoring of both internal and external threats that would jeopardize the availability of critical assets and operations,” she said.

Microsoft Big Proponent of Zero Trust

Vasu Jakkal is corporate vice president of security, compliance and identity at Microsoft. She said Microsoft is a “passionate proponent” of …

… zero trust as a framework for security and privacy protection.

Microsoft’s Vasu Jakkal

“And we think of zero trust as not only the practice of protecting against outsider threats, but also protecting from the inside out,” she said. “Addressing the area of compliance includes managing risks related to data and privacy in order to help organizations implement strong security and privacy protections across their entire digital estate.”

Today, security teams have access to more security, compliance, management and identity tools for protecting privacy than ever before, Jakkal said.

“Investments in these tools and technologies not only reduce risks associated with privacy and data laws, but they can also help to drive business growth,” she said. “Industry studies show that companies are realizing a meaningful return on privacy investment and that users are increasingly recognizing privacy as a differentiator and showing preference to those companies that demonstrate trustworthiness.”

Software Supply Chain Security Big Concern

Anne Neuberger is deputy assistant to President Biden and deputy national security adviser for cyber and emerging technology for the National Security Council (NSC). She said the Biden administration has elevated cybersecurity “in a way no other has.”

The administration summarizes its approach with three complementary and mutually reinforcing lines of effort, she said.

“First is [to] modernize cyber defenses,” Neuberger said. “Second, return to a more active role in cyber internationally. And finally, ensure America’s better posture to compete.”

Following the SolarWinds incident response, “we were confronted by the hard truth that some of the most basic cybersecurity prevention measures weren’t systemically rolled out across federal agencies,” she said.

“Software supply chain security is an area of particular concern,” Neuberger said. “The current model of build, sell and maybe patch means the products the federal government buys often include defects and vulnerabilities. These are defects and vulnerabilities that the developers are accepting as the norm with the expectation they can patch later. Or perhaps developers decide to ship software with defects and vulnerabilities they decide to ignore. If they, the vendor, deems those defects and vulnerabilities are not sufficiently serious to merit fixing, that’s not acceptable. It’s knowingly introducing unknown and potentially grave risks that adversaries and criminals can exploit.”

Cybersecurity has to be a basic design consideration, she said.

“We’d never buy a car rushed to market knowing it could have potential fatal defects that the manufacturer may or may not choose to issue a recall to fix,” Neuberger said. “You wouldn’t buy that car and decide later whether you want to install seatbelts or airbags.”

Better Security Coding Needed

Coding security takes work, Neuberger said. But we can take pride in that work knowing with the cost and time, “we’re saving thousands and knowing that the best hackers around the world …

… won’t find a hole.”

“On the government side, we want to begin taking aggressive steps to do our part to ensure that the software the government buys is built more securely from the start by potentially requiring federal vendors to build software in a secure development environment,” she said. “Our efforts will pay dividends outside of the federal government because much of the software the government buys is the same software that schools, small businesses, big businesses and individuals buy.”

The starting point for building more securely is where you build your software, Neuberger said. It should be in a separate and secure environment. That includes using strong authentication, limiting privileges and encryption.

“It also includes knowing the provenance of the code you include in your builds, and using modern tools to check for new and potential vulnerabilities,” she said. “These basic practices are not universal.”

First Solution From Thycotic/Centrify Merger

At RSA, ThycoticCentrify, formed by the merger of privileged access management (PAM) providers Thycotic and Centrify, unveiled its cloud provider solution to centrally manage AWS billing accounts, identity and access management (IAM) accounts, and AWS EC2 instances in real time.

The ThycoticCentrify cloud provider solution for AWS provides privileged access management capabilities to continuously discover and manage AWS EC2 instances in real time with password vaulting, access controls and privilege elevation.

AWS IAM accounts and associated access keys are eliminated or vaulted to reduce the attack surface. Continuous EC2 discovery and post-discovery automations ensures visibility. And EC2 instances and their privileged accounts are secured and brought under centralized management.

David McNeely is ThycoticCentrify’s CTO.

“The cloud is a game-changer when it comes to scalability and availability,” he said. “But it has also changed the game for cyberattackers looking to leverage new vulnerabilities created by disparate controls and resulting identity management challenges.”

Synopsys Unveils New Technology Alliance Partner Program

Also at RSA, Synopsys unveiled its new Technology Alliance Partner (TAP) program. It’s part of the cybersecurity provider’s global partner program.

The TAP program has more than 40 DevOps partners. It simplifies and accelerates partner integration with intelligent orchestration and other Synopsys application security solutions.

Through the TAP program, development, DevOps and security technology providers can partner with Synopsys to integrate the company’s application security and risk management solutions with their products. These integrations make it easier for organizations to build automated application security controls into their existing DevOps toolchains.

Synopsys recently introduced its Intelligent Orchestration solution. It’s a dedicated application security automation pipeline that integrates with DevOps tools to make security testing easier to manage for development teams. Intelligent Orchestration integrates with CloudBees and GitHub Actions.

Anders Wallgren is CloudBees’ vice president of strategy.

“Through our strategic partnership with Synopsys and integration between our respective tools, CloudBees and Intelligent Orchestration, customers can utilize automation and risk-based intelligence to run the right tests at the appropriate stages in the pipeline, which can dramatically reduce unnecessary friction,” he said.