RSA Conference Day 2: IBM, Microsoft, SolarWinds Reaction, Zero Trust
… zero trust as a framework for security and privacy protection.
“And we think of zero trust as not only the practice of protecting against outsider threats, but also protecting from the inside out,” she said. “Addressing the area of compliance includes managing risks related to data and privacy in order to help organizations implement strong security and privacy protections across their entire digital estate.”
Today, security teams have access to more security, compliance, management and identity tools for protecting privacy than ever before, Jakkal said.
“Investments in these tools and technologies not only reduce risks associated with privacy and data laws, but they can also help to drive business growth,” she said. “Industry studies show that companies are realizing a meaningful return on privacy investment and that users are increasingly recognizing privacy as a differentiator and showing preference to those companies that demonstrate trustworthiness.”
Software Supply Chain Security Big Concern
Anne Neuberger is deputy assistant to President Biden and deputy national security adviser for cyber and emerging technology for the National Security Council (NSC). She said the Biden administration has elevated cybersecurity “in a way no other has.”
The administration summarizes its approach with three complementary and mutually reinforcing lines of effort, she said.
“First is [to] modernize cyber defenses,” Neuberger said. “Second, return to a more active role in cyber internationally. And finally, ensure America’s better posture to compete.”
Following the SolarWinds incident response, “we were confronted by the hard truth that some of the most basic cybersecurity prevention measures weren’t systemically rolled out across federal agencies,” she said.
“Software supply chain security is an area of particular concern,” Neuberger said. “The current model of build, sell and maybe patch means the products the federal government buys often include defects and vulnerabilities. These are defects and vulnerabilities that the developers are accepting as the norm with the expectation they can patch later. Or perhaps developers decide to ship software with defects and vulnerabilities they decide to ignore. If they, the vendor, deem those defects and vulnerabilities are not sufficiently serious to merit fixing, that’s not acceptable. It’s knowingly introducing unknown and potentially grave risks that adversaries and criminals can exploit.”
Cybersecurity has to be a basic design consideration, she said.
“We’d never buy a car rushed to market knowing it could have potential fatal defects that the manufacturer may or may not choose to issue a recall to fix,” Neuberger said. “You wouldn’t buy that car and decide later whether you want to install seatbelts or airbags.”
Better Security Coding Needed
Coding security takes work, Neuberger said. But we can take pride in that work knowing with the cost and time, “we’re saving thousands and knowing that the best hackers around the world …