Identification can no longer be just identity. Authentication can no longer be just authenticating. Compromised identity remains a foundational component for most attacks today. To overcome these vulnerabilities, organizations must step up their defenses around identification and authentication.
I’ve a guest article on ZDNet covering the problem and providing steps for a good defense.
It was the early nineties when I first saw the photograph of a small robot wandering the desert. I would go on to buy the Robo Sapien book which featured photographs from the same shoot, along with more from Peter Menzel. Iconic. Simple. Inspiring and, most of all, achievable.
Robotics in the 1980s and 1990s were incredibly complex and costly. Significant computing power and sensor tech was needed to move a limb. The idea of walking robots was a dream, to some, a fantasy. Rodney Brooks had made some advances with Genghis and Attila. But these were still tens of thousands of dollars. Such robots were available to grad students and researchers, but out tantalizingly of reach for the rest of us.
Enter Mark Tilden. The robot in the Menzel’s photograph, and the rest of Tilden’s menagerie in the 1990s, had a price tag of a few hundred dollars. Many were built from scrap parts and recycled electronics. This allowed for rapid prototyping, which in turn facilitated rapid innovation. End result? Simple robots that worked. Inexpensive robots that walked.
The real lesson I took from Tilden, which I applied both when I built his style of robots and when I designed IT systems, was how to copy an idea. It works like this:
Identify the features are providing the value
Deconstruct those into underlying principles and tasks
Emulate those tasks using the people and technology you have on hand
Act on those tasks to reproduce the effect, prototype and iterate, to develop your own way of providing the value
Tilden called his process biomimicry because the stated goal was to mimic biological systems. More broadly, applying Tilden’s process to my framework, you can envision the steps as follows:
Identify = Insects walk with legs controlled by a core set of neurons oscillating in a loop
Deconstruct = an oscillator with feedback
Emulate = two, four, or six inverter oscillators, or in BEAM nomenclature, Bicore, Quadcore, or Hexcore
Act = Unibug 1.0, seen in the photograph below
I wager this is the same process Tilden used to build unthinkable robots for a fraction of the cost using parts he had lying around. Meanwhile, in security, we’re challenged to build security capabilities with little budget using what we have on hand. This is where my IDEA method shines.
Implementing any capability reference model or framework is beyond the capacity of most organizations. So? Don’t.
In October 2019, I was in Haifa visiting the Technion. There I saw robots which mimicked the snakes which populate the deserts of Israel. The same movements that facilitate movement through the deserts of Israel are useful in navigating the rubble of fallen buildings and industrial accidents, in order to find survivors. My mind was instantly transported back to Mark Tilden and his spare-part creatures. It struck me that Alon Wolf’s bio-inspired snakes are the technological children of Tilden’s early experiments.
By following a process that closely mirrors my IDEA model, the engineers at the Technion had created a simple, efficient, and focused device which literally saves lives. They identified an unlikely source of inspiration and deconstructed that down to its most iconic element: the serpentine wiggle. They iterated until they were able to emulate this wiggle. Then they put their invention into action: rescuing folks who would otherwise perish.
We can do the same thing in our cyber security work.
Select your reference model. (Say, for an Identity and Access Management or IAM platform.) Use the process above to see where the value is coming from. (Let’s say, on-boarding and off-boarding.) Deconstruct these down to a few core objectives. Then, see what’s available in your organization in terms of tools and techniques. Run inexpensive and quick pilots to try out the ideas and form a plan.
Don’t act on all the things. Act on the right things.
Mark Tilden’s Unibug, photography by Peter Menzel.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
We landed a man on the moon before we had wheeled suitcases. Wait. I’ll do one better. We were orbiting space shuttles before we had wheeled suitcases. I heard this fact years ago and it blew me away. I asked, why?
It took an inside guy solving his problem his way. Picture modern travel luggage. Wheels on the bottom, telescoping handle on the top, right? Robert Plath invented this in 1987 in outside of his day job as a Northwest Airlines pilot. (United States patent 4,995,487, if you’re interested.) It was a classic garage inventor success story. Plath developed and tested the prototypes, the idea took off, and he founded Travelpro and began selling the suitcases under the label Rollaboard.
The first design lesson: the person doing the job is the right person to ask about how to improve the job. Good security is usable security.
A while back, I was consulting on a privileged access management (PAM) security capability. The security objective was that all administration be performed from a dedicated laptop, using a separate credentials, through sessions that were monitored and recorded. Try selling that level of control, that level of friction, and that level of change to the administrators. Yeah. Good luck with that approach.
Instead, we found the Robert Plath of systems administration. Instead of pitching security, we asked him how heavy his bags were to carry. The team approached PAM as an admin productivity project. Wheels on bottom. Telescoping handle on top. The resulting privileged access workstations (PAWs) reduced access time and simplified systems administration tasks. While the PAM controls added friction, due to the insights and efforts of Plath the systems admin, these were offset by time savings. This is the inside edge that collaboration can bring.
Returning to the actual Robert Plath, there’s one more lesson in designing capabilities. Surely, you must be thinking, other people thought to add wheels to suitcases in the first six decades of commercial air travel. You’re right. Bernard Sadow came up with a design decades before Plath. (United States patent 3,653,474, again, if you’re interested.) It’s effectively a traditional suitcase with castors on one side. I have one. Let’s just say it isn’t the easiest luggage to use. But that wasn’t the main problem. Adoption and culture was.
Bernard Sadow made luggage. Robert Plath flew planes. Sadow had to sell into the market. This ran into cultural issues because, back then, one sure way to show your strength as a man was to carry luggage. Plath just handed his prototypes to flight crews. Not only was Plath’s luggage better, suddenly, it was the cool kids’ luggage. In other words, Sadow pitched safety glasses and Plath offered Ray-Bans.
The final design lesson is planning for adoption is planning for success. Good security takes flight when widely adopted.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Things to know about passwordless security: no, criminals will not cut off your thumb or peel the skin off your face to steal your biometrics and hack your network. And yes, C-suite executives always ask Wolfgang Goerlich, advisory CISO at Cisco Duo, this question.
“Everybody does,” he said. “We’ve seen so many ‘Mission Impossible’ movies — we know the risk. But here’s the thing: if a criminal is able to clone my biometrics, get ahold of my phone, get ahold of my computer, and bring those both into my home office, and then authenticate as me, and then only open up the applications that I normally open up during business hours, at that point I may just hire him as a contractor.”
He encourages CISOs to “bundle” passwordless with other zero-trust security tools such as identity and access management. “Partnering identity with passwordless is very appealing because we can establish that strong user identity with strong authentication factors without requiring more user effort. So this is a rare opportunity where it can actually reduce the amount of work that they need to do to establish that strong authentication.”
As part of the design series, I have put forth the idea that being ahead of the curve is being ahead of the criminal. The early adoption of a control — doing something right but rare — has surprising stopping power against common attacks. I expect organizations who are early adopters of single strong factor authentication, passwordless, will have this sort of surprisingly strong defense.
Well, for a while. When adoption reaches critical mass, the criminals will be highly motivated to work around passwordless authentication. We have seen this with strong second-factor authentication and criminals adopting phishing and proxying to bypass this control.
Therefore, my strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
A piece of advice at the outset: “Don’t do too much too fast,” says Wolfgang Goerlich, CISO Advisor with Cisco. “Have specific goals, meaningful use cases, and measurable results.”
To build momentum, start with a series of small Zero Trust projects with deliverable milestones, and demonstrate success every few months by showing how risk has been reduced.
“We need to show the board progress. With specific initiatives aimed at specific use cases, we can demonstrate progress towards Zero Trust,” Goerlich says. “You build momentum and a track record for success.”
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
Zero Trust is not one product or solution. Better to think of it as an approach, says Goerlich.
“Zero Trust is trusting someone to access something from somewhere,” he says. “Is it an employee, an application, a device? What is it accessing? What was can we determine if we trust this request? At the end of the day, Zero Trust means providing a consistent set of controls and policies for strong authentication and contextual access.”
The term was coined by Forrester Research in 2010. It was established as an information security concept based on the principle of “never trust, always verify.” Since then, the National Institutes of Standards and Technology (NIST) has produced comprehensive explanations and guidelines toward the implementation of Zero Trust architecture framework.
“NIST has a draft standard that dictates their view of Zero Trust — what the principles are, and what an architecture looks like,” Goerlich says. “The U.K. NCSC has done the same. Zero Trust has matured, and the need for it is now in sharp relief due to changes in the market and the way we use technology.”
I am leading a series of Zero Trust workshops this year. One concept I always stress: we’re applying existing technology to a new architecture. If you think back to Role Based Access Control (RBAC) was first being standardized, we used off-the-shelf x.509 directories and existing Unix/Windows groups to do it.
Now of course, better products offer better solutions. But the point remains. The application of existing standards to realize the principles of Zero Trust brings the concept beyond hype and into reality. Moreover, it makes it much easier to have confidence in Zero Trust. There’s no rip-and-replace. There’s no proprietary protocol layer. We’re simply taking authentication and access management to the next logical level.
Want to know more? Watch my calendar or subscribe to my newsletter to join an upcoming workshop.
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
“We are moving into a world which we’re calling passwordless, which is the ability for our applications, devices and computers to recognize us by something other than the old-fashioned password,” says Wolfgang Goerlich, advisory chief information security officer for Cisco-owned security firm Duo.
Goerlich estimates that within five years, we could be logging into most of our online accounts the same way we unlock our phones. And then we will be able to finally break up with passwords for good.
What will replace them? That’s a bit more complicated.
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
