No passwords, no trust: The new frontier in cybersecurity

October is Cybersecurity Awareness Month in the United States, and this year warnings about observing proper digital hygiene could not be more critical. This past year has seen massive cyberattacks against supply chains as well as businesses, schools and government facilities in the U.S. and elsewhere, resulting in a flurry of headlines and increasing public awareness around the importance of cybersecurity.

Against this backdrop of activity, Rakuten’s premier business conference, Rakuten Optimism 2021, provided the perfect opportunity for Ann Johnson, Corporate Vice President of Security, Compliance & Identity (SCI) Business Development for Microsoft, Anthony Grieco, VP, Chief Information Security Officer, Cisco Systems, and Yasufumi Hirai, Group Executive Vice President, CIO & CISO of Rakuten Group, to swap views on computer security.

During their October 12 virtual panel session, entitled “Security in an Interconnected Digital Ecosystem,” the speakers emphasized that multifactor authentication, zero trust and a strong cybersecurity culture are indispensable for maintaining secure computer networks.

Combatting the rising tide of cybercrime

Security breaches can affect anyone, anywhere, from individuals and nonprofit groups to the largest corporations. Hirai, who moderated the session, described how he works with 5,500 engineers globally to drive innovation. Even with that level of human resources, however, there’s no resting easy. 

“Being a CISO does not have any upside — it’s a very painful job,” Hirai said, kicking off a discussion about trends in digital security. Noting the high-stakes nature of the position, he added, “I am always thinking about the scene in which I’m bowing in front of the press and expressing apologies for unexpected security incidents.”

Rakuten’s Yasufumi Hirai, Microsoft’s Ann Johnson and Cisco’s Anthony Grieco discuss the changing face of cybersecurity at Rakuten Optimism 2021.

Johnson helped provide further context on recent threats. Nation-state attacks, ransomware attacks and zero-day vulnerability attacks are all on the rise, while phishing remains an important attack vector. She pointed to the latest edition of the Microsoft Digital Defense Report, which describes how the landscape is changing. As the report states, anyone can now “buy the services needed to conduct malicious activity for financial gain or other nefarious purposes. Sophisticated cybercriminals are also still working for governments, conducting espionage and training in the new battlefield.”

Supply chain attacks, in which many users can be affected when one is attacked, are a megatrend that requires our attention, said Grieco, highlighting the hyper-connectivity of all players in the new digital economy. Grieco noted that Cisco has published a “New Trust standard” with five main pillars: zero trust architecture, trusted supply chain, data governance, transparency, and certifications and regulatory compliance. Transparency about what companies do with user data is a particular concern for consumers, according to a Cisco survey.

“So often, we have a shared security posture amongst us,” said Grieco. “It is super important for us as a collective to think about what that means… These topics of shared dependencies and treatment of data are two essential things that we are thinking quite a bit about when it comes to the future state of cybersecurity.”

Embracing zero trust

The panelists also focused on the increasingly important concept of “zero trust,” which rethinks the traditional approach to security, in which all devices within an organization are treated as trustworthy. Instead, it holds that none should be trusted by default.

“The core of the philosophy… is really ensuring that you know who is doing what and what the posture of those connections are inside of your environment,” said Grieco. “Whether it’s end users connecting to applications, workloads talking to other workloads or IoT devices inside your environment, the fundamental notion of understanding and assuming that there is no trust and ensuring that you prove that there is trust is, I think, the big architectural and mental leap that comes with zero trust.”

“Zero-trust architectures are going to help us in this world of hybrid work,” said Johnson. “They’re helping us, from multi-factor authentication to using things like least privilege, to being able to interrogate every transaction that happens in a session.”

Cybersecurity in hybrid work

The panel also addressed the switch to working from home amid the coronavirus pandemic. Hirai noted that the new style of work also created security risks in the form of phishing attacks and other vulnerabilities. 

Cisco addressed this problem in part by using behavioral technologies to determine what would be considered a normal action on the part of employees, Grieco said. The result was increased levels of security and the elimination of the need to reset passwords at regular intervals. 

It may sound counterintuitive, but eliminating passwords, often the target of phishing attacks, is another way to fight cyberattacks. Last month, Microsoft announced passwordless sign-in for consumer accounts, following its introduction for enterprise customers in March. Users can log in with FIDO2-compliant security keys, biometrics and other means.

“If you can completely eliminate the password, you can keep yourself more secure,” said Johnson, who also commented on the need to change people’s mindsets when it comes to cybersecurity.

“In this modern world, with the growing threats, but also with working from home, cybersecurity really needs to be more mainstream and be everyone’s job,” said Johnson. “Cybersecurity is not just the reaction to something happening, and how you’re going to get your business back online, but how are you as an employee thinking about cybersecurity every day?”

