Synopsys’ Tim Mackey on GDPR, IoT security, and cloud-based DevOps
Tim Mackey is principal security strategist with the Synopsys Cybersecurity Research Center (CyRC), which researches the identification and mitigation of software vulnerabilities.
The Daily Swig sat down with Mackey in the wake of his Black Hat Europe talk on the compliance challenges posed by evolving data protection rules on software development and application security.
As well as the impact of GDPR and the fiendish complexity of reconciling seemingly incompatible data protection regimes, the former Citrix staffer also offers advice on migrating to cloud-enabled systems securely and laments the persistence of disincentives to prioritizing internet of things (IoT) security.
Where does your expertise predominantly lie, Tim?
Tim Mackey: I take a multi-disciplinary approach to security. I came to Synopsys by way of its acquisition of Black Duck Software, which focused on open source governance. Prior to that, I spent 10 years at Citrix doing virtualization and cloud.
My early career was in mission-critical engineering, where software must work otherwise really bad things – like explosions or chemical plant leaks – might result.
Are you seeing the impact of GDPR on application development yet?
TM: It’s starting to, but it’s early days.
Privacy and security are two sides of the same coin. A lot of people think GDPR is fundamentally about data breaches, protecting [data], and reporting, but in reality, it applies to product design and development [too].
In January 2019, the French regulator CNIL fined Google €50 million because the Android onboarding experience [lacked] transparency and consent, so regulators are starting to express opinions on these things.
One of the biggest challenges for developers is addressing the global patchwork of data privacy regulations, says Tim Mackey
What are the primary challenges facing developers due to new data protection regulations around the world?
TM: The biggest challenge is the patchwork of regulation globally.
The next biggest equivalent to GDPR came online on January 1: the California Consumer Protection Act. Everywhere else in the US has its own view, some of which are incompatible – so how do you design something [that complies] with multiple [contradictory] regulations?
The regulation working its way through the Indian legislature [prescribes] that all data on Indian citizens must be maintained within India – which is fundamentally incompatible with GDPR.
It is exceedingly complex. From a security perspective, [there are] decisions to make around consent to collecting data, who has access, and under what conditions.
And consent is temporal – I consent now, but I might change my mind five minutes later. Now what?
Or I go to update a device where I gave consent, but my spouse didn’t – what does that mean?
The only data that anyone ever gets in a breach is data that [has been collected and hasn’t been deleted], so what is the retention policy?
Sometimes you hear, “We’re recording this phone call for training purposes”. Training who? Why do you need to record everybody’s call?
How can organizations migrate to cloud infrastructure without sacrificing security?
TM: When someone talks about ‘digital transformation’, about the technology stack becoming ‘cloud-enabled’, which aspects of cloud-enabled technology are not [already] part of existing best practice?
Most organizations have a patching policy to shell into the system using an approved patching mechanism that is authenticated and audited, and so forth.
In a container environment, adhering to that policy increases the attack surface – needlessly. The container paradigm has something deploying replicas of a golden master, so the correct answer is to create a new golden master and redeploy those replicas.
So it’s a different way of thinking that creates challenges for organizations that say, “This is our policy and we must adhere to it”.
Organizations adopting new technologies should always follow new paradigms and make that decision matrix about improving security and agility in [both] development and operations.
What is your advice on assuring supply chain security?
TM: Today, software is built up out of a supply chain with open source elements, vendor APIs, and hardware entities from other vendors.
Truly security-conscious organizations need to recognize that the earlier they become aware of potential issues within their development and engineering teams and communicate that to the deployment and operations teams, the better off they will be.
I’m starting to see some emerging capabilities, particularly in the cloud space, that will [help to make that] a reality. Some standards are [about] six months old, so not yet widely adopted, but hold a lot of potential.
So that is [how you can decide how to] invest your proverbial million-dollar budget and get an acceptable outcome.
What interesting security or data protection challenges are IoT developers grappling with?
TM: Because the lifespan of an IoT device can be measured in years, oftentimes designers will add hardware elements in anticipation of future functionality.
This could be a microphone, camera, or sensor that is latent for some time and then enabled when feature ‘X’ arrives.
A perfect example was when a Google executive said he discloses to guests at his home that his Google Nest may record them – which begs the question: why does Google Nest have a microphone? Who knew that it had a microphone?
What are the primary barriers to improving IoT security?
TM: One of the bigger challenges we’re seeing is effectively a land grab.
Take, for example, the many vendors seeking market dominance in sensor-based systems, which requires them to be agile, but agility is oftentimes antithetical to security.
How do you create that balance – particularly when someone is buying the least expensive device on Amazon?
Might the younger generation be more security-conscious?
TM: My sense is that the younger generation has grown up in a world where their data is everywhere, so they’re starting to almost not care.
So if the general public aren’t prioritizing data security, how can we expect businesses to do so?
TM: This is where regulators come in.
One nice thing about GDPR was that it had such a long run-up that careful consideration was given to the interplay of various attributes.
However, I wish they had been more prescriptive on the process for enquiring about what information is held and the format it comes back in.
Organizations must recognize their fiduciary responsibility to customers. But unfortunately, market valuations for listed companies [often] quickly [rebound] after data breaches, so they [sometimes] feel like they only got a slap on the wrist.