Since I published a podcast with Mike Janke of Silent Circle about enterprise security, the FBI vs. Apple encryption brouhaha has faded. The unsurprising news that the phone under dispute yielded no useful information was a media afterthought (though some articles contest this). Either way, I doubt that would bother Janke: he's more interested in getting companies to get serious about enterprise security, because, as he put it on our podcast, "Everybody's going to be breached."
Taping Janke's views on security amidst the startups at Collision 2016 was a study in contrasts. But security must now be part of design from the get-go, no matter how sexy the startup idea. Here's my rundown of Janke's enterprise security advice and the pain points he sees most often. For those who want some encryption fodder, I'll share a few of Janke's choice words for the FBI's approach at the end.
Janke co-founded Silent Circle in 2012 with Phil Zimmermann, an Internet Hall of Fame inductee and the creator of PGP (Pretty Good Privacy). The third co-founder was Jon Callas, who was heavily involved in Apple's whole-disk encryption and was also one of the co-founders of PGP Corporation.
Based in Switzerland, Silent Circle has built an "enterprise privacy platform." That means an encrypted way to communicate rather than risking that competitors, or perhaps a government agency here or abroad, might listen in on your conference calls. Silent Circle is also the creator of Blackphone, billed as "the world's very first secure mainstream Android device." 90 percent of Silent Circle's customers are enterprises; 10 percent are consumers.
Janke told me that when he advises enterprises, his views are informed by Silent Circle’s work in 140 countries. He’s also one of the founders of a cyber security startup incubator called Data Drive.
Enterprise security pain points
I asked Janke for his top enterprise security pain points:
1. Security gets the budget squeeze - The CIOs, CTOs, and Chief Compliance Officers Janke talks to are not going to add new security solutions lightly:
They say, "Look, we have limited budgets, we have a limited amount of people, so we need to get the most bang for the buck." The key here is your product or service, although it may be great, cannot be additive. I've got nine products that I'm running to "secure" our network. Yours may be good, but I'm already at my capacity. Your product has to come in and replace two or three, and it's got to be better.
2. Every new device is an unpredictable "endpoint" - BYOD and wearables are adding layers of security exposure. Each "endpoint," aka a new way into the back-end system via a device, widens the attack surface and brings its own issues. And each security tool added to the mix has its own analytics dashboard that needs monitoring:
It's happening so quickly - a wearable, or a new WiFi hub popping up.... BYOD is still a big issue. The second one we see is analytics... How many damn dashboards can the security people monitor?
3. Err, we do need one more dashboard - for security monitoring - Call it Janke's dashboard caveat. He does want to see one more dashboard, one that finally puts key security metrics across tools in one place:
There isn't a real conglomeration going on that pools all these products into one good dashboard that you can use. The only way it's solved today in an enterprise is to have five or six IT security people who are monitoring different parts of the network.
4. Legacy systems are vulnerable - Enterprise security is only as strong as its weakest link. That means legacy apps can offer a big loophole for an intruder to wedge open. With security budgets tight, it's hard to keep older software patched and updated:
It doesn't matter if you're Disney or Exxon, you don't have an unlimited budget. You can't be ripping out stuff and upgrading to the newest greatest stuff that comes out every year. That means legacy is a huge pain point in every company.
Janke warns that "legacy" can mean hardware as well as software:
Think about routers, or WiFi end points. Nowadays if you're not upgrading them every week, there's vulnerabilities. Cisco [et al] aren't exactly pushing out fixes every day for this stuff. You're a victim of legacy no matter who you are.
So what's a company to do?
Sound advice, but what does Janke tell a company that wants to address risk without losing its financial shirt? Janke starts with tough love: you're never going to get to breach-free living. Instead, prioritize and address the big threats:
There is no such thing as 100% security. The arms race is never won. What the enterprises look at is they say, "What can I do to mitigate the big threats?"
Given that breaches are inevitable, Janke advises clients to ring-fence vulnerable areas:
That's really where cyber security is headed. You know you're going to be breached. Everybody's going to be breached. How do you maybe sandbox those breaches, so you mitigate the size of the damage.
Think concentric rings, with supporting walls between them so that a breach of an edge system cannot, on its own, compromise the core:
What do you have in place to ensure you can stop it from taking the family jewels of the company's IP?
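To make the concentric-rings idea concrete, here is an added example (mine, not Silent Circle's or Janke's) of a default-deny, tiered network policy and a lint that catches rules which let an edge breach reach the core directly. The zone names, ports and rules are constructed for illustration; a real deployment would express the same allow-list in its firewall or cloud security-group configuration.

```python
"""Constructed example: a concentric-ring (tiered) network allow-list.

Zones are ordered outermost to innermost. A host in one ring may only open
connections to the next ring inward, on an explicitly allowed port; anything
else is denied. A compromised edge host therefore gets only one hop of reach,
and taking the core requires a second, separate breach of the app tier.
All zone names, ports and rules below are assumptions made for the example.
"""
from dataclasses import dataclass

# Outermost (internet-facing) to innermost (the "family jewels").
ZONES = ("edge", "app", "core")


@dataclass(frozen=True)
class Rule:
    src: str   # source zone
    dst: str   # destination zone
    port: int  # destination TCP port


# Constructed allow-list: each ring talks only to the next ring inward.
POLICY = frozenset({
    Rule("edge", "app", 8443),   # reverse proxy -> application tier (TLS)
    Rule("app", "core", 5432),   # application tier -> database
})


def is_allowed(src: str, dst: str, port: int, policy=POLICY) -> bool:
    """Default deny: a new connection passes only if an exact rule matches."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} or {dst!r}")
    return Rule(src, dst, port) in policy


def direct_reach(src: str, policy=POLICY) -> set:
    """Zones a single compromised host in `src` can open connections to.

    This is the blast radius of one breach before the attacker has to break
    another wall; the core should never appear here for an edge host.
    """
    return {r.dst for r in policy if r.src == src and r.dst != src}


def policy_violations(policy=POLICY) -> list:
    """Lint an allow-list against the ring model.

    A rule violates the model if it skips a ring inward (edge -> core) or
    points outward (core -> app, app -> edge): the first collapses two walls
    into one, the second gives a compromised inner host an egress path.
    Same-zone rules are left alone; east-west traffic is a separate policy.
    """
    bad = []
    for rule in sorted(policy, key=lambda r: (r.src, r.dst, r.port)):
        src_i, dst_i = ZONES.index(rule.src), ZONES.index(rule.dst)
        if dst_i - src_i > 1 or dst_i < src_i:
            bad.append(rule)
    return bad


if __name__ == "__main__":
    # Usage: check a few flows and lint a deliberately broken policy.
    print("edge -> app:8443 allowed?", is_allowed("edge", "app", 8443))
    print("edge -> core:5432 allowed?", is_allowed("edge", "core", 5432))
    print("edge blast radius:", direct_reach("edge"))
    shortcut = POLICY | {Rule("edge", "core", 5432)}   # a tempting "quick fix"
    print("violations in shortcut policy:", policy_violations(shortcut))
```

The lint is the part worth automating: ring-skipping rules tend to appear as one-off exceptions during an outage or a migration and then never get removed, which is exactly how a legacy edge system ends up with a direct line to the core.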
Beware of security-related user experience fails
The problem I see with Janke's advice: some companies will get carried away and heighten security to the point of user experience fails, like Intuit validating my Quicken sign-up with an extra verification step even though I only access it from one computer - ever. For enterprises, adoption is the high-stakes issue. So how do you balance UX design and security? Janke thinks biometrics could ease this particular pain:
Yeah, two-factor authentication is great, but now everywhere I go, I've got 15 texts I need to plug in this two-factor authentication. I believe technology in the next 24 to 36 months will catch that. Where they're at now with biometrics, eye recognition, and stuff like that, that's going to overtake it.
But user experience is still at risk from security design:
The other issue is people working within the security department of a company don't have time to work with complicated UX's. As a security guy, you need to be able to get a notification on your Apple watch that there's an alert. You don't have time to log in facial recognition. It has to be real time stuff.
The wrap - revisiting encryption absurdity
There was plenty of interesting content I didn't get to here, including Janke's counter-intuitive view that cloud gives CIOs an out when it comes to security, because if there is a breach, they can deflect blame. We also talked about how the next generation - particularly girls who have to learn at a young age how to ward off online stalkers - have more privacy configuration savvy than we give them credit for.
As for the FBI vs Apple debate, we can sum Janke's view up with this: a government agency can record your movements all day long from a "little black van." But you can stymie them with encryption, or simply with burner phones (as in the HBO drama "The Wire"):
If I'm a bad guy, I can walk down to the CVS and buy a throwaway phone, and no black van in the world is going to catch me.
Janke argues that the justification the FBI used in the San Bernardino phone dispute is a familiar refrain: he's been hearing the FBI warn "we're going dark" for a full twenty years now. Meantime, if the FBI is serious about the dangers of encryption, it had better pay a call on Facebook next. (Facebook Lets Messenger Conversations Go Dark)
Janke thinks Germany has a better approach:
German intelligence comes out and says, "Look, we've got a lot of ways to gather intel on the bad guys. Breaching private security, our privacy, and the security of someone's sanctum isn't required for us."
Talk about doing more with less:
German intel has like 1/100th of the budget we do. They live in harmony with the fact that they have other tools that they can use to find bad guys.
Our final questions explored how Janke's prior career as a Navy SEAL shaped his security pursuits, including a different appreciation for day-to-day life and, as a result, a different view of risk. Hopefully that will lead to a longer career in the security fray, where his views are needed.