Ensuring Integrity in the Era of Unbound Networks: NASA’s Ernest Lopez Shares His Best Practices
This week we had the pleasure of catching up with Ernest Lopez, Director of Information Security at NASA’s Ames Research Center at Moffett Field in California.
As a government information security leader with many years of experience behind him, we were interested in hearing his perspectives on how next generation technologies are changing the information security landscape and how he’s finding solutions for these within his organization.
The conversation was enlightening and offers both insight and practical guidance to public sector information security teams. Here’s what Mr. Lopez shared:
The Access Granted (TAG): The enterprise-level security landscape has changed so much in recent years with the end of the IT perimeter and the advent of the cloud, apps, mobile devices, and other next generation technology. What are some of the strategies you would share with your peers about approaching an unbound security environment?
Ernest Lopez (EL): The issue is not so much about protecting the IT perimeter these days, since the perimeter no longer exists, but the issue is more about protecting the data, regardless of where it resides.
The number one strategy that we have to concentrate on is understanding what data we have out there, what type of data classification it is and how we protect it, based on classification. If the data is sensitive but unclassified (SBU), regardless of where it is stored, it must be encrypted. Public information, regardless of where it resides, is meant for the public and could afford to have lesser restrictions on storage and transmission.
The once-popular belief that firewalls were our silver bullet for protecting our assets and data is no longer the case. We can’t go to our cloud providers and expect them to put up firewalls to protect our data and assets. We can no longer go to our external service providers and ask them to slap in an Intrusion Prevention System to block attacks. We own the data therefore we should protect it, regardless of where it resides.
TAG: Another major change in the IT landscape is the Internet of Things (IoT). What are the key changes that it’s introducing for cyber security teams?
EL: Standards. Standards. Standards. They simply don’t exist for IoT, or they are far behind the curve. The ability to connect our office door locks to the internet is a scary thing yet it is happening all over. Boilers and chillers that control the temperature of data centers that also connect via standard-less wireless protocols are scary, yet happening.
Every year I attend security conferences, such as DefCon and Black Hat, and listen in on the talks about how easy it is to hack a driverless car or hack a pacemaker that is controlled via Wi-Fi. Until those standards are set, we are way behind the curve.
TAG: Speaking of the Internet of Things, what do you see as being the biggest security risks from these connected devices? Can authentication help mitigate some of these risks?
EL: The biggest issue is that vendors and manufacturers of these devices are not concerned with the security of the device but more concerned about making it “convenient” for the end user. Working in the security industry for 15 years, that has always been the challenge: there is and always will be a conflict between making IT convenient and making it secure.
I think that authentication in the form of Two-Factor Authentication can help, but it is not the solution. Strong password authentication used to be the norm and, today, is pretty much useless. 2FA may be the norm these days, but the security professionals, both “white hat” and “black hat,” have already found ways to bypass that. Whatever the next authentication method is may give us the “warm-and-fuzzy” for a short time, but the attackers will always be ahead of us.
TAG: Being in the heart of Silicon Valley you’re right in the heart of cyber security innovation. What are some of the best disruptors in cyber that you’ve seen? What do you think of Google’s recent claim that it’s going to eliminate the password?
EL: I completely agree that getting rid of the password is the right thing to do but you have to understand the reason behind it. Are we getting rid of passwords because it is too hard for people to remember 12-character complex passwords? Are we back to the convenience-over-security dilemma?
I see these types of approaches by Google as the right approach, but it’s only temporary. Moving towards 2FA will only buy us some time before the hackers have completely bypassed those methods. In fact, I’m pretty sure they already have.
Again, we are behind the curve on authentication.
TAG: Taking a step like eliminating passwords would eliminate one of the greatest struggles between convenience and security. Do you think large organizations, like federal agencies, can find balance between these two competing goals? What are your top frustrations?
EL: Eliminating passwords to better protect our data would be the right move if we had been moving in the direction of a stronger form of authentication. Unfortunately, we took the stance that we, as an industry, had to make it more convenient for our users and use things such as body parts and hardware.
I, personally, think that with the concern from privacy organizations over the fact that we are collecting personal information, such as fingerprints, retina data and facial features, it won’t last that long. I don’t know if we will ever reach a balance in the struggle between convenience and security.
NASA, specifically, is all about the NASA mission and we, as the Computer Security Community, must be the ones that enable our researchers, scientists and astronauts to perform the mission without interruption. There will always be that struggle within any organization and I just don’t ever see that going away. The key is finding the right balance between the two and I don’t think there is an easy formula for that.
TAG: Are there any initiatives or successful projects that you’d like to showcase and offer as best practices to other information security leaders?
EL: NASA has a wide variety of initiatives and projects in the works in the area of cyber security.
If there was one best practice that I think we, as an Agency, do well, it is threat information sharing. There are a lot of smart security professionals within the federal government and, while the ten NASA centers freely share cyber security concerns, issues and data between our centers, that is not always the case across the federal government.
Knowledge about threats and early warnings are key to succeeding in protecting our environments. But unless that data is shared between the federal government divisions, we will continue to have security holes, gaps and incidents.