Preparing for the Quantum Future: Setting Global Security Standards to Make Us Quantum-Safe

Recently there has been an increase in the perceived threat of the quantum computer to modern cryptographic standards in widespread use. During the last year, security agencies such as the United States Government National Security Agency (NSA) and the United Kingdom’s Communications Electronics Security Group (CESG) have called for a move to a set of quantum-safe cryptographic standards. The consensus is that today’s cyber security solutions needs to be retooled sooner rather than later, and the transition to quantum-safe security must begin now. The arrival date for a practical quantum computer is still up for debate, however, most experts believe we will see a quantum computer capable of breaking current public key cryptosystems within five to 15 years.

Recently the Quantum-Safe Security Working Group from the Cloud Security Alliance (CSA), released its ‘Applied Quantum-Safe Security’ paper, designed to provide individuals in the security industry and related fields with applicable knowledge regarding the quantum computer and its influence on cyber security. The white paper discusses how cryptographic tools must be adapted to fit specific types of data and serves as a call-to-arms for the available protection options for when the quantum computer arrives.

Digital and physical security
Computer security has primarily focused on digital security methods, however, physical security of data is also critical. Algorithms provide authentication and encryption for online communications and security of a cryptographic scheme is based on mathematics and resilience against large computing power to ensure digital security. Consider this physical security example – security breaches impacting governments and large organizations are often linked to insiders, capable of physical access not afforded the outside world. This breach occurs despite the fact that digital avenues may have been closed and intensive security protocols employed. Cryptographic keys are not only abstract random strings, but also real physical objects that should be stored in secured physical appliances. To be more quantum-safe, new tools must include all physical and mathematical security systems, each with its own practical application domain.

Impact of Cloud Computing
The ongoing move toward the cloud for all our IT needs greatly increases the reliance on data networks. Data is stored in huge data centers, and transferred between them at ever-increasing rates. The cloud model—with its associated storage and network requirements—enables a stronger and more reliable IT infrastructure. This heavily networked model also opens some serious new post-quantum threat vectors, with the most serious being a “data-vaulting” or harvesting attack where an attacker stores communications between the client and the cloud so that data can be decrypted in the future when general purpose quantum computers are available.  What we need to keep top of mind is that data stored today may already be compromised by future quantum computers, especially if the data is being monitored and stored.

Data “at rest” in enormous cloud data centers is also at risk since quantum computers will effectively reduce the keys protecting that data to half of their original strength. Additionally, post-quantum attack vectors will compromise the key management systems that generate, distribute and protect the keys needed to secure that data. Any connections and links between these large data centers must have the highest levels of protection possible. The need for quantum-safe cybersecurity is greatly compounded in a cloud-based IT environment.

As we move towards a world of quantum computers, organizations need to take the knowledge outlined in the ‘Applied Quantum-Safe Security’ paper and assess their own quantum-safe needs. Not every organization will require the same security measures and it takes time to change an infrastructure. The best way to prepare is to follow what is going on with the development of the quantum computer and its security solutions.

Since the cloud relies heavily on secure communications, quantum safety is a critical issue for the CSA. Enterprises will only use cloud services if they believe that their data is safe, both in the cloud provider servers and in transit. Quantum-safe security is a true requirement for further expansion of the cloud. The CSA encourages industry leaders to start thinking and talking about quantum safety. Quantum-related technology is evolving very quickly every day, both on the attack side and the defend side. Organizations should think about adopting some low-risk solutions now to improve infrastructure.

Cyber security technology never has and never will be a ‘one size fits all’.  There is no one universal solution that would provide the perfect security against all possible threats. What we have learned, however, is that we must prepare ourselves for emerging technology, especially when we know it’s coming. The key to quantum computer protection is the use of adaptable cryptographic tools. These tools must be tailored to fit specific types of data and specific applications. To download a copy of the full white paper, please visit here.

Frank Guanco, Quantum-Safe Security Working Group, Cloud Security Alliance

[Cloud Security Alliance Blog]

Demand for CISA Continues to Grow

Many of us ask ourselves: “How can I differentiate myself from others in the workplace? I have plenty of drive and ambition to improve my professional skills – what can I do to demonstrate this to employers?”

Increasingly, for many, the answer is professional certifications. The Certified Public Accountant (CPA) exam and associated credential were created in 1917. Since then, mostly within the past several decades, professional certifications have flourished. One can earn certifications in just about any professional field.

As the explosive growth of our reliance on information systems continues, in all aspects of our personal and professional lives, we all need to be able to place reasonable trust in these systems. This creates an increasing demand for competent professionals to review information systems, identify areas for improved security and quality, and make cost-effective recommendations for improvement.

This is where the Certified Information Systems Auditor (CISA) certification comes in. In the realm of technology, including all the associated risks and controls, there are a variety of well-respected certifications. The holders of these certifications have demonstrated their dedication to and achievement within their profession. The CISA has historically been one of the top-paying and most respected certifications. Many employers, including some government agencies, will not consider hiring someone to perform audits of information systems and technology unless they are CISAs.

CISA is a globally recognized certification within the fields of technology audit, control and security. Of the many available technology-related certifications, CISA is the gold standard. It was created in 1978 by a non-profit organization known at the time as the EDP Auditors Association – now ISACA.

The CISA certification is ANSI-accredited and recognized globally. It has been earned by more than 129,000 professionals since inception. The exam is offered globally at computer-based testing centers.

ISACA offers a wealth of resources that candidates can use to prepare for this challenging exam, both through ISACA HQ and through exceptional review courses offered by local ISACA chapters.

After passing the exam, in order to become certified, candidates are required to provide evidence of at least five years of professional IS audit experience. Related work experience and higher education programs can provide credit against the five-year requirement. Candidates must also comply with the ISACA Code of Professional Ethics and adhere to ISACA’s auditing standards.

After obtaining the CISA, certification-holders must complete a minimum of 20 hours of training per year and a total of 120 hours in a three-year period to retain the certification.

The efforts are well worthwhile. CISA certification can be a career game-changer – now more than ever.

Being a CISA has certainly made a difference in my career. I was fresh out of IT, having spent 12 years doing everything you could possibly do in the data center, 24 hours a day, and wanted something else. I “stumbled” across something that would allow me to utilize my IT background without having people calling me in the middle of the night because the system crashed. One of the first things my new manager told me to do was “go take this EDPAA review course and pass the CISA exam.” The what course and exam?

I passed the exam after much hard work, and went on to better jobs, higher income and professional recognition. It also led me to try my hand at teaching. I volunteered to teach some sessions in our Chicago chapter’s CISA review course. That was more than 20 years ago. Not only have I been teaching CISA review ever since, the teaching experience I acquired enabled me to join the staff of Elmhurst College as an adjunct faculty member. I am now in my ninth year at the college, teaching accounting and technology courses. Recently, I have been asked to develop and present a course in IT auditing at a major university in Chicago.

None of this would have been possible without my CISA. Being a CISA will open doors for you that you may not presently envision.

Editor’s note: An ISACA webinar, “How to Prepare for and Pass the Certified Information Systems Auditor (CISA) Examination,” will be offered 14 March. To find out more, visit http://www.isaca.org/Education/Online-Learning/Pages/Webinar-How-to-Prepare-for-and-Pass-the-CISA-Examination.aspx.

Ken Schmidt, CISA, CISSP, CIA, CPA, Consultant with R&M Consulting

[ISACA Now Blog]

PAN-OS 8.0: Announcing New and Expanded Partner Integrations

The Palo Alto Networks partner ecosystem has over 100 industry-leading security and IT providers. To support the growing number of customer use cases, we proactively build integrations with a select few strategic partners to drive deeper engineering-to-engineering technology integrations. We’re pleased to announce a few new ones along with the recent release of PAN-OS 8.0:

ServiceNow Integration

Palo Alto Networks Next-Generation Security Platform, including WildFire and AutoFocus, now integrates with the ServiceNow Security Operations tool, reducing risk by speeding the time to mitigate incidents leveraging automated workflows. This integration drives compelling customer value by automatically enriching the context around security incidents, enabling security teams to make faster and more effective decisions, as well as driving automated creation of ServiceNow tickets to simplify workflows.

New MineMeld Ecosystem

The MineMeld application is now integrated with AutoFocus, allowing customers to drive automated prevention from any third-party source of threat intelligence. In order to provide the widest and deepest visibility into the threat landscape, we built an extensive ecosystem of threat intelligence partners, including commercial, open-source and private providers. In addition to the pre-built integrations, MineMeld is extensible and can easily aggregate, correlate, validate and drive automated prevention from other organizations.

Preventing Credential Theft and Abuse

Further enhancing our threat prevention capabilities, Palo Alto Networks is delivering new capabilities to prevent credential theft by addressing both the theft of passwords and the use of stolen passwords. One of the many ways this is being done is through implementing contextual control over access with policy-driven multi-factor authentication. This is done from the network firewall, without changing the application’s native authentication methods, and extends to integrations with Okta, Duo Security and Ping Identity.

Learn more about the new third party technology integrations within PAN-OS 8.0.

[Palo Alto Networks Research Center]

Addressing Technology Gender Gap is All of Our Responsibility

I recently met a young woman in Ireland who was working toward a technology-oriented degree, and she recalled being among three women in her course at the beginning of the semester. By the end of the semester, she was the last woman standing.

My new acquaintance suspected that her female classmates wavered on continuing their course of study because their classes were so male-dominated. And who can blame them? While some women are more comfortable than others being vastly outnumbered, the shortage of female mentors and role models in the technology sector poses a major concern, further illuminated by ISACA’s The Future Tech Workforce: Breaking Gender Barriers report.

The scarcity of mentors and female role models were the main barriers to career advancement cited by the survey’s respondents, with workplace gender bias and unequal growth opportunities also rating among the main factors.

I can empathize with the respondents, having experienced more than my share of conferences and board meetings lacking friendly female faces. I recall attending one conference where I was one of two women among about 200 delegates.

While there has been occasional progress during my 25-plus years working in IT and information security, the gender disparity in the technology field remains pronounced – a source of major concern from both societal and workforce perspectives. A Deloitte Global projection indicated less than 25 percent of IT jobs in developed countries would be held by women at the close of 2016, and nearly 9 in 10 respondents to ISACA’s study indicated they are concerned with the number of women in the technology sector.

Addressing this gender gulf is everyone’s responsibility – men, women, employers, educators and industry associations such as ISACA, which last year launched its Connecting Women Leaders in Technology program. Promoting networking and mentorship is a key piece of the program. Women should be encouraged to be confident and persistent in pursuit of their technology careers, and a mentor in the field – whether male or female – can be the most effective person to make that case.

There also is much that enterprises can do, such as ensuring they are offering equitable pay for men and women and providing flexible working arrangements. Having ‘Keep in touch’ days when women are on maternity leave, in addition to encouraging professional development opportunities such as webinars and online courses, are other worthwhile ways to ensure that women remain connected to the organization while on leave.

In addition to promoting a more just society, enterprises have bottom-line motivation to hire and promote women. Research from The Peterson Institute for International Economics and EY shows that an organization with at least 30 percent female leaders could add up to 6 percentage points to its profit margin.

This does not surprise me. The women I have worked with are highly motivated, focused and encouraging of their colleagues. They are as knowledgeable – if not moreso – than their male counterparts.

Yet even at a time when more women are urgently needed, given the global shortage of skilled technology professionals, women still deal with too few career opportunities and too many barriers to advancement. Even as technology transforms the global economy at a staggering pace, we are still dealing with gender bias that hampered our mothers and grandmothers.

A challenge this large and this persistent can feel overwhelming, but there are steps each of us can take to make meaningful progress. If we are resolute, the day will come when our classrooms, offices and board rooms are filled with empowered women ready to make their mark on the technology workforce.

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, board director of ISACA and director of information security and IT assurance at BRM Holdich

[ISACA Now Blog]

Faces of ISACA: Babiak Motivated to Help Women Take Final Career Steps

Jan Babiak draws upon her decades of high-level career experience to work toward expanded opportunities for women working in technology – all the way to the top.

Babiak, a longtime ISACA member and board member with Walgreens Boots Alliance., Inc., Bank of Montreal and GHD Group, has made advocating for women advancing to upper management one of her core priorities. She is involved in the International Women’s Forum and Women Corporate Directors, among other organizations, in her efforts to connect women with leadership opportunities.

“There aren’t a lot of women who have been successful in the C-suite themselves available to help women make that last step, and that last step is actually one of the most difficult, so that’s an area I have real passion around,” Babiak said.

Babiak has encountered many of the barriers noted by respondents in The Future Tech Workforce: Breaking Gender Barriers report throughout her career, which included 28 years with EY – 20 of those based in London working in leadership roles related to information security and regulatory issues. She has been in hundreds of meetings – counting those with clients – in which she was the only woman, given the male-dominated state of the field.

“Sometimes I was welcome, but sometimes there was clear resentment or, worse yet, patronization,” Babiak said. “As I earned the right to influence who else would be admitted to leadership, I worked to sponsor the best talent, and that included both men and women in equal measure. Interestingly, I found I always had a much higher percentage of women in my leadership teams than my male peers, and our results were usually much better. Now that really feels great, and is a testament to the tangible benefits of diverse experiences.”

Babiak believes a comprehensive approach must be taken to seriously address a wide range of systemic issues that have created the gender disparity in the technology field.

“A great starting point is having measurement, transparency and accountability for gender equality at every level – in the schools, in the workplace, in government, etc.,” Babiak said. “Another key area of emphasis would include educating the parents and teachers of young girls about the opportunities in technology for their daughters. They are the greatest influence and, sadly, they often have biases that actively discourage interests in STEM related areas.”

In addition to promoting career advancement for women, Babiak directs much of her focus toward helping boards and senior management better understand cyber security priorities, as well as advising those on technical career paths how they can grow into management roles.

While Babiak has lived in Nashville, Tennessee, since 2010, she considers herself “a global citizen.” She returns to the United Kingdom several times a year and travels extensively on a global scale.

“It’s interesting seeing how wonderful it is when you mix the different experiences of people from different cultures and people with different challenges from a regulatory standpoint,” Babiak said. “To see how global the world is has been a tremendous and wonderful enlightenment for me. I wish everyone had that experience.”

[ISACA Now Blog]

English
Exit mobile version