During the VMworld 2017 conference this week, VMware threw its support behind a bipartisan cybersecurity hygiene bill introduced by Sens. Orrin Hatch (R-Utah) and Ed Markey (D-Mass.) and Reps. Susan Brooks (R-Ind.) and Anna Eshoo (D-Calif.).
If passed, the Promoting Good Cyber Hygiene Act instructs the National Institute of Standards and Technology (NIST), in consultation with the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), to establish a baseline set of voluntary best practices for good cybersecurity hygiene. The bill also instructs the agencies to consider the cyber hygiene benefits of standard cybersecurity measures such as multi-factor authentication and data loss prevention (DLP).
As rudimentary as that may seem, the bill, introduced earlier this summer, is already being criticized for adding another layer of confusion on top of existing cybersecurity recommendations. Regardless of whether this particular piece of legislation passes, the Trump administration has made it clear that tougher cybersecurity requirements are an important element of its overall political agenda.
Both Senator Hatch and Congresswoman Eshoo sent video messages that were shared with VMworld attendees during the main keynote on the first day of the conference. Cyber hygiene is becoming a higher priority because governments are finally starting to think of malware as they would a virus in the real world. A cholera epidemic is contained, for example, by making sure the water supply is clean. That approach, however, shifts the burden of responsibility for protecting the water supply onto the local community that depends on it to survive.
VMware CEO Pat Gelsinger told attendees that when it comes to security, the IT industry has failed its customers. He noted that $100 billion a year is spent on IT security, much of which goes to products and technologies that are too hard and too complex to implement.
Gelsinger also observed that every major recent IT security breach could have been minimized or prevented altogether if the affected organizations had been practicing basic cybersecurity hygiene. Gelsinger said that to help organizations identify the best cybersecurity hygiene practices, the company this week published a white paper, "Core Principles of Cyber Hygiene in a World of Cloud and Mobility," covering issues such as least privilege access management, micro-segmentation of networks, encryption, multi-factor authentication, and patch management.
The VMware decision to publish that white paper coincided with the launch of VMware App Defense, a suite of IT security software through which VMware is applying analytics to applications deployed on its stack of software to establish the known good. The idea is that instead of spending all their time hunting for potential threats, IT organizations would be better off if they didn’t let any code that did not exactly match a manifest for that application execute in the first place. VMware App Defense includes an open application programming interface (API) through which VMware plans to share information about malware it discovers in applications with, for example, third-party providers of application firewalls. Gelsinger says this approach will effectively flip the traditional model for IT security on its head.
It’s too early to say to what degree that will actually occur. But the one thing that is certain is that IT organizations that don’t practice good cybersecurity hygiene should expect one day soon to be both penalized and publicly shamed in much the same way as any other entity that pollutes the local water supply.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.