RSA Conference 2018: Data Privacy and Regulations Take Center Stage
Published on April 26, 2018 by Alexander Goodwin
2018’s RSA Conference is in the books; IT professionals and C-suite executives are heading back to work, ready to put what they learned into practice. This year’s stand-out? The changing role of data privacy and protection regulations. Attendees made it clear that these topics were top of mind: attackers keep finding new ways to compromise applications, even as emerging legislation puts more pressure on companies to keep data safe.
The result? A sea-change for application security. Here’s what it means for your organization.
All the usual suspects showed up at the RSA Conference: panels about IoT devices, cryptography and national security, along with scores of interesting and innovative vendor booths. As noted by Security Intelligence [1], however, the conference itself came with “a healthy dose of reality and a strong undercurrent of optimism about the future of cybersecurity.” The reality showed up in RSA co-founder Adi Shamir’s comment during the annual Cryptographers’ Panel: he noted that the only “silver lining” in cybersecurity was guaranteed job security. In general, the panel was less than optimistic about the future of effective infosec.
But if there’s one concept that dominated RSA 2018, it’s the evolving notion of data privacy and data-handling regulation. Attendees pointed to an evolving body of laws and standards in which governments and regulators define baseline security requirements, while organizations are on the hook to deliver front-line data privacy and protection on a per-application basis.
Put simply? Encryption, identity management and endpoint security are no longer enough on their own to secure applications against these emerging threats. Failing to defend the application itself leaves companies exposed to data breaches, remediation costs, reputational damage and regulatory consequences.
So what’s forcing the change in application defense and the focus on data privacy regulations? Evolving attack vectors combined with increasing public awareness of data security risks. A recent Harris Poll [2], for example, found that users now rank cybersecurity above war among their concerns, and 75 percent of respondents said they wouldn’t buy from a company with poor security practices, no matter how good its products.
Attackers are also changing tactics. According to Computer Weekly [3], account takeover (ATO) attacks are up tenfold in the past year as criminals look for ways to compromise everything from email to financial accounts without the owner noticing, then use the stolen credentials to open new accounts and wreak havoc. Memory-based attacks are also on the rise as attackers look for ways to compromise applications while they are running. SC Magazine [4] points out that most infosec teams are still focused on file-based attacks, while attackers increasingly use in-memory techniques that leave little or nothing on disk, let them stay hidden and emerge when no one is looking; WannaCry and Petya both leveraged this kind of in-memory infiltration. And it gets worse: a new study from security firm Trustwave [5] found that 100 percent (yes, 100 percent) of the web applications it tested had at least one vulnerability.
Law and Order
The Harris Poll also found that 70 percent of consumers worldwide support increased government oversight of data privacy and regulation, and it appears the message is getting through.
Government-backed standards such as the EU’s General Data Protection Regulation (GDPR) and the continually updated US HIPAA rules now put the onus on companies to properly transmit, store and destroy data. As noted by Forbes, for example, any company that stores or handles the personal data of individuals in the EU, wherever the company is based, must obtain consent and must use this data only for the purpose specified; non-compliance can result in fines or sanctions. HIPAA, meanwhile, keeps covered entities responsible for protecting patient data even when they outsource storage or processing to third parties such as cloud providers, which in turn must sign business associate agreements and carry their own obligations. And the current version of the PCI DSS standard demands ongoing, verifiable compliance from any company handling payment card data.
The Inspection Effect
The concern voiced at the conference about rising application-security expectations is well founded, especially as governing bodies step up their efforts to protect consumer data. Increased oversight is a step in the right direction, but it leaves companies with a tough question: how do they secure inherently vulnerable applications and meet evolving standards?
The answer? Clearly define who, how and what.
Consider the oversight-focused role of government food inspectors. They aren’t satisfied by customer reviews saying the food is safe, nor by one-time evaluations of quality or process. Instead, they want to know who is preparing the food, how ingredients and tools are stored and used, and what steps are taken to ensure safe preparation.
The same goes for government-evaluated app security: one-off protection isn’t enough. Auditors want to know who is building your software, how data is managed and what steps you are taking to actively secure consumer information. Addressing these concerns means finding trustworthy code partners, defining clear data-handling processes that address current regulations, and adding in-app defenses such as code obfuscation and runtime protection to frustrate attackers.
RSA 2018 offers a snapshot of current infosec affairs: governments are getting more involved in data regulation even as attackers update their methods. The result? Applications are now the front line of data defense; companies must evolve beyond identity management and endpoint detection to actively secure and protect the applications themselves. [6]