Standardisation key to future security, say experts

The adoption of security standards to enable automated self-healing systems is key to data protection in future

The adoption of security standards to enable automated self-healing systems is key to data protection in future, according to a panel of security experts.

“Open standards may not necessarily produce the best technology, but transparency is the best way to achieve security,” said Dan Griffin, founder of custom security software firm JWSecure.

“Deploying technologies we do not understand is inviting disaster,” he told the opening session of the Trusted Computing Group (TCG) seminar in San Francisco in the run-up to the RSA Conference 2014.

According to the panel, standards are essential to ensure interoperability between security technologies to enable machine-to-machine information exchanges and support automation.

“With data increasingly flowing between a diverse set of end points, we cannot keep up with that manually; we need to automate,” said Steve Whitlock, chief security architect at aircraft maker Boeing.

“With 50,000 suppliers, we need a standard way to exchange security information, and standard data formats are an important area of focus [for Boeing],” he said.


According to Whitlock, the most progress in this regard so far is related to authentication, but information about the security state of devices remains the most challenging.

Griffin said that as organisations transition from traditional licensed software to cloud-based software as a service (SaaS), there is a growing demand for security templates to standardise processes.

“Security technology settings are sometimes difficult to understand, and templates provide one way of solving this problem at low cost,” he said.

David Waltermire, security automation architect at the US National Institute of Standards and Technology (Nist), said the goal should be to break away from periodic scanning of systems.

“We need to move to a real-time capability where an alert [or remediation action] is triggered automatically when attributes that an organisation cares about are changing,” he said.

For this reason, Boeing is already doing some continuous monitoring and plans to expand that across the business, said Whitlock.

“Our goal is to go beyond monitoring to enable a self-healing environment that can respond in real time based on set rules,” he said.

But for this vision to be realised, Whitlock said there needs to be a way of creating a trusted relationship between devices.

There also needs to be a standard way of communicating because security information tends to be product or platform specific, said Waltermire.

“Nist is working with suppliers to break down these barriers because for this [information exchange] to work the mechanisms must be seen to be consistent,” he said.

Waltermire also called on information security professionals to encourage their businesses to demand that security suppliers implement the standards they require.
