This report summarizes the Enterprise Data Center Transparency and Security Workshop and does not necessarily represent the views of the Center or any of the participating organizations. Future work is planned to continue this initiative.
On September 24th, 2019, the Center for Cybersecurity Policy and Law (“Center”) hosted a multi-stakeholder meeting to discuss the implications of evolving protocols on the normal operations of both public and private sector enterprises. Protocols designed to address security concerns across the public Internet are also used in enterprise networks, and these security improvements can negatively impact an organization’s visibility into its network traffic. This loss of visibility reduces the effectiveness of network tools and approaches, such as deep packet inspection, which in turn limits their usefulness as security and troubleshooting tools.
Workshop participants represented a cross-section of companies from multiple sectors, including financial services, healthcare, and telecommunications, as well as government agencies from the United States and the United Kingdom.
Participants also included software vendors and members of civil society who provided insight into some of the concerns that have driven the protocol evolutions.
The goals of the workshop were to arrive at consensus around a problem statement, identify potential near- and longer-term solutions, and discuss next steps to continue the discussion.
The meeting was held under the Chatham House Rule, so this report will not detail those who promoted certain ideas. However, we did receive permission to publish the names of the following individuals who participated in the workshop:
- John Banghart, Venable LLP
- Tommy C, NCSC
- Joseph Lorenzo Hall, Center for Democracy & Technology
- Russ Housley, Vigil Security LLC
- Parthenia Youngblood, DoD/CIO/CS
- Ron Sulpizio, PKH Enterprises, supporting DoD CIO
- Donna Dodson, NIST
- Murugiah Souppaya, NIST
- Tim Polk, NIST
- Paul Barrett, NETSCOUT
- Ari Schwartz, Venable LLP
- Paul Turner, Venafi
- Andrew Kennedy, BITS-BPI
- Michael Ackerman, Industry Network Technology Council
- Avesta Hojjati, DigiCert
- Darrin Pettis
- Additional participants not listed.
The Center made every effort to ensure representation from as many viewpoints as possible while still keeping the attendance size manageable to hold the discussion. However, we recognize there are additional stakeholders across government, industry, and civil society whose positions may not have been captured, in whole or in part. We look forward to continuing the discussion while ensuring all viewpoints are considered.
To ensure that the discussion could remain appropriately focused, the scope was limited to enterprise data centers. In the context of the workshop, the term data center was used generically to refer to a physical data center owned and managed by an application or service owner, a co-location facility owned by a third party, or a virtual private cloud hosted by a public cloud provider.
The decision to limit the scope in this way was necessary as the protocols at the heart of the issue are themselves applicable across a wide range of technical implementations and contexts. In particular, the intention was to avoid discussions of the public Internet, where political, social, and economic issues are influenced by different requirements than many of those faced by individual enterprises in their own environments. This limitation was not intended to suggest that the issues facing the public Internet are not important, only that they were not within our scope.
Based on the talking points within the privacy and security communities, the Center recognized two primary viewpoints shared in whole or in part by all stakeholders, both inside and outside the workshop. Despite those differences in views, there were a few points on which everyone was able to agree at the outset:
- Data privacy is essential in order to:
  - Address regulatory, contractual, or other forms of compliance.
  - Establish and maintain user trust.
- Encryption helps protect sensitive information from unauthorized access.
- Loss of network visibility negatively impacts various types of operational functionality.
One starting viewpoint was that the loss of data center visibility does not, by itself, warrant any alteration of the encryption protocols or deployment models being promoted. Those same participants also suggested that alternative technologies, such as host-based logging and monitoring, were adequate substitutes that could and should be deployed today.
The prevailing starting counterpoint to the above was that the loss of visibility is not just a matter of security and privacy, but also introduces significant limitations to an organization’s ability to use network inspection to troubleshoot and maintain the availability of its applications, potentially creating exponential delays in correcting mission-impacting technical problems.
While these two views represented the starting point for the workshop discussion, significant progress was made in aligning the viewpoints of all participants, based largely on improved understanding and an acknowledgment that enhanced and continuing dialogue on both near- and long-term solutions and protocol evolutions is in everyone’s best interest.