Written by 
By Admir Abdurahmanovic, Co-founder and VP Business Development PrimeKey.
Insights from RSA Conference & ICMC.
The RSA Conference appeared to lose some relevance a few years ago but has since resurrected itself as an important IT security conference and exhibition. If you are a security practitioner, this event is once again a must-go, just to see the expo. The expo part of RSA conference is what a Comic Con is for science fiction fans, or Eurovision is for schlager devotees. At the expo floor, you see what is relevant and what wants to become relevant in IT-security.
This year, there were many vendors in “hot areas”, such as DevOps +Sec, securing containers and microservices, utilization of Machine Learning and AI to prevent intrusions, Endpoint protection detection and response. As usual, Clouds were present – as well as everything else. This year, we did not hear any new prevalent buzzwords though, most likely since Spectre & Meltdown occupied many minds.
One nice thing we would single out is FIDO (Fast Identity Online) evolving towards covering all types of user scenarios with FIDO2 standards. In a nutshell, FIDO was created to provide strong user authentication based on open standards using public key cryptography. FIDO alliance is working in collaboration with World Wide Web Consortium to provide a new standard for Web Authentication. The ambition here is to enable all browsers with standardized JavaScript API, and it seems that all browsers and platforms are involved. Finally, we may have a strong authentication from any device!
For PrimeKey, this year’s RSA Expo was our best yet, both in number of “leads” and in what we achieved. Besides our flagships, EJBCA Enterprise and PKI Appliance, the team showed our new EJBCA on AWS. We are very excited about interest shown. Additionally, great news for us was how much interest was shown in our SignServer – this year we saw a dramatic increase in questions about code signing. Some software vendors discover code signing only as a problem when the code signing keys get stolen. This is where SignServer helps to do code signing efficiently, controlled and in a centralized manner. Also available on Appliance!
A less known but quite interesting event is the International Cryptographic Module Conference (ICMC), held this year in Ottawa, May 8-11. Initially, the conference was covering FIPS and Common Criteria certification processes and best practices on how to (successfully) validate a product. In only 5 years, the ICMC conference has grown to cover several adjacent areas of cryptographic modules – for instance, advances in quantum safe computing. As usual, Clouds were present, and we will reflect on this shortly. For a first-time visitor, we recommend the Workshops during the day before the conference starts.
There is a good representation of open source related topics at ICMC – from Linux kernel to OpenSLL and LibreSLL libraries. We are very happy to have helped bring open source to a dedicated track – so much of industry and governments relies on security of open source projects, and we all owe great respect to engineers around the world that make contributions and create open source software. Looking at Linux and “bug lifetime”, the average time between introduction and fix is about five years. Once a bug is identified, the fix comes within weeks. If the five years scares you, it should be noted that for proprietary/closed software, this number is unknown and should be expected to be longer than that. As for the fixes, well, politely put – “it depends”.
Two more themes caught our attention – the first one concerns advances in Trusted Execution Environments. Intel and ARM have addressed this area and today enable cryptographic modules or entire applications be executed in a protected area on a chip through SGX and Trustzone respectively. At PrimeKey, however, we are bit more cautious – at the very minimum, several years will pass before we will consider these technologies as mature. Furthermore, it is unclear if a chip vendor can, for whatever reasons, “turn off” some security provisions.
Consider Spectre and Meltdown; a CTO for a prominent company recently remarked to us that IC’s have become so complex no human being is able to have insight into all relevant areas to be completely sure that the delivered technology is safe and secure. From our point of view, we would add that some regulations (for instance the CloudAct) raise concerns for some of our customers. With this in mind, we think that PrimeKey’s new product – Secure Execution Environment – is the right choice for many organizations.
It was interesting to see how (some) Americans and Canadians see the EU Cybersecurity Act. It appears that there is a small degree of misunderstanding and surprise that the EU have delivered two major pieces of legislation that impacts our industry – GDPR (well, it impacts everybody) and the EU Cybersecurity Act. We at PrimeKey are agnostic to politics and always respect local regulations, even though we prefer global and open standards. We could not avoid reminding ourselves that FIPS 140-2 has not yet seen its successor and is many years overdue (a standard from USA/Canada that de-facto governs HSM field world-wide).
This year at ICMC, as PrimeKey we shared our experience with the Common Criteria evaluation of EJBCA, that – as you probably know – is an open source PKI developed and maintained by us. We also shared our experiences with HSM technologies from the perspective of advanced “users”. In the last 15 years PrimeKey has been deploying PKI and in each of our PKI Appliance products, there is a built in HSM. Hence, our engineers know very well both what the HSM can deliver and what the customers expect. The last two are not always the same.