CSO Perspectives (Pro) 10.21.24
Ep 123 | 10.21.24

Identity 3.0.

Transcript

Rick Howard: Hey, everybody. Welcome back to Season 15 of the "CSO Perspectives" podcast. This is Episode 5 where we turn the microphone over to our regulars who visit us here at the N2K CyberWire Hash Table. You all know that I have a stable of friends and colleagues who graciously come on the show to provide us some clarity about the issues we are trying to understand. At least, that's the official reason we had them on the show. In truth, I bring them on to hip-check me back into reality when I go on some of my crazier rants. We've been doing it that way for almost four years now, and it occurred to me that these regular visitors to the Hash Table were some of the smartest and most well-respected thought leaders in the business. And in a podcast called "CSO Perspectives," wouldn't it be interesting and thought-provoking to turn the mic over to them for an entire show, to see what's on their mind? We might call the show "Other CSO Perspectives." So, that's what we did. Over the break, the interns have been helping these Hash Table contributors get their thoughts together for an entire episode of this podcast. So, hold on to your butts. >> Hold onto your butts, butts, butts--. This is going to be fun. [ Music ] My name is Rick Howard and I'm broadcasting from the N2K CyberWire's secret sanctum sanctorum studios, located underwater, somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good ole U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. [ Music ] I just recently met Kim Jones, and to my astonishment, he's almost exactly my career doppelganger. He's a West Pointer, graduated a year after I did, and served ten years in the U.S. Army as an intel officer, became a serial CSO in the commercial world, taught at various universities, and is on the advisory board of several start-ups.
When I met him, it was like looking in the mirror, only he's way better looking than I am. So, I asked him to take a new look at my First Principle Zero Trust Strategy, and the tactic of identity. He calls it Identity 3.0. Here's Kim.

Kim Jones: Rick, thank you for having me on. It's been a pleasure and a privilege to get to know you. Thank you again for allowing me to speak on a topic that's near and dear to my heart. The latest Verizon Data Breach Investigations Report cites stolen credentials as a core component in almost one-third of breaches. As increased scrutiny and liability continues to mount about data breaches, there's been a concurrent upswell in the industry around how to improve Identity and Access Management, or IAM for short. Many of these discussions have centered around how artificial intelligence might create new opportunities to improve the existing IAM paradigm. While I'm happy these discussions are taking place, so far, they're mere updates to what's come before. Just as technological improvements such as cloud technologies and wireless connectivity have for the most part simply migrated old problems into new technology arenas, applying new technologies to the existing identity construct will at best represent a speedbump to our adversaries. If we as a cybersecurity community are serious about reengineering identity, then it's time to have a First Principles discussion that questions the assumptions around our existing approach to the problem. I intend to start that discussion here today. Now, please understand that I'm not here to convince you that my principles are the only possible right answer. Rather, I want to achieve two things. Number 1, I hope to help the community step back and reassess the challenges of digital identity by taking a First Principles based approach. And Number 2, and most importantly, I hope to spark a dialogue that takes us in a different direction, beyond just making tint control changes to the existing tool sets and technologies. And yes, for you old timers out there, tint control is a direct reference to the old comic strip, "Bloom County." If you disagree with my proposed principles, that's perfectly fine.
If this discussion prompts you to think about the problem even just 5% differently than you did before, then I've succeeded. So, let's get into it. [ Music ] For my purposes here, identity is the unique set of characteristics that can be used to distinguish an entity as itself and as nothing and no one else. Most importantly though is its purpose. Identity is the primary basis of a relationship. Step back for a second. What comes to mind when you think of mother, spouse, boss, friend, coffee? Those words and the identities they represent convey relational information instantaneously. We make presumptions and draw conclusions based solely upon identity. If you had positive relations with your parents, for example, then the identities of mother and father may invoke positive emotions when you hear those terms. And by the way, if you're a coffee drinker like I am and it's morning, then the identity coffee may elicit equally strong reactions. Identity forms the beginning of that relationship experience. Now, sticking with the relationship analogy, say you receive a text from someone claiming to be your father, asking how your date went last night. You verify that the phone number is indeed your father's. You remember you mentioned the date to him a few days before. And while your relationship with your father is cordial, he's no longer the intimate confidant he was when you were, say, nine or ten. Thus, instead of a detailed account of the evening, you tell him the date went well, and that you're going on a second date soon. Within the space of a few seconds from the time you receive that text, your personal central processing unit performed the follow-on tasks associated with identity.
Authentication, verifying the phone number or the fact that your father did indeed know about the date; authorization, deciding that your father is allowed to know more about the date and should receive an answer to his query; and access, determining how detailed an answer you intend to give. These decisions start with the relationship represented by the identity of the entity with whom you are interacting. Now, this is the point where things begin to get tricky. With in-person interactions, which I'm calling atomic interactions, the establishment and authentication of identity can be relatively simple. For example, I see my friend Stash. I recognize my friend Stash. I buy Stash a cup of coffee and we catch up. When atomic interactions are limited or removed altogether, on a Zoom call for example, especially where video's disabled, through emails or through text or even with phone calls, things can become ambiguous fairly quickly. Here are some of the reasons why. Reason 1, uniqueness requires complexity. Consider four pictures you'd find on the internet if you searched for my name, Kim Jones. One might be a picture of a female Filipino influencer, one might be a picture of the female rap artist Lil' Kim. A third would be of a female NFL reporter working for a major sports network. And a fourth would be of a male British fashion designer. It's not the differences between these individuals that I want to point out here, but their similarities. Specifically, any of these individuals could claim to be me if only a name was used as an identity. It would still be difficult for Kim Jones the Filipino influencer to masquerade as Kim Jones the old security guy to someone who knows me. And let's be honest, why would she want to? Conversely, anyone who's heard me sing would know that gender notwithstanding, I could never pretend to be the rapper Lil' Kim.
Online though, any of these individuals could begin the process of accessing data that is restricted to my personal use, by honestly and truthfully providing their names. One of the ways the traditional model of identity attempts to solve the uniqueness problem is by adding complexity. Instead of just using a name, for example, it adds layers of nonsensitive yet unique data to the transaction, like for instance geolocation data in authorizing financial transactions. If someone attempts to buy a television in, say, Phnom Penh, using my debit card number, my bank will most likely flag the transaction as fraudulent, given that I live in Arizona. As we provide more data to organizations, it's theoretically possible to create a unique identity using seemingly innocuous nonregulated information. Some organizations have taken to calling these identities fingerprints and the process fingerprinting. Reason 2, atomicity breaks complexity. Once created, organizations store and secure identity in an atomic fashion. In other words, they give identity a level of pseudo-physicality by capturing it in a file or a database of some sort. Our model of identity requires this in order for a user to enter into the enterprise and begin the relationship. Unfortunately, once identity is given an atomic dimension, that identity becomes a type of token, and tokens can be tampered with or stolen. In my debit card example, what would happen if my identity token was modified to remove the geolocation flags? Possibly one or more Cambodian families would be enjoying new big screen TVs as gifts from me. Further, repositories of these identity tokens such as Active Directory represent high value targets for bad actors.
Now, as a quick side note, I want to note that I am not going to discuss adding complexity to the authentication process such as multi-factor and/or out-of-band authentication, because first, such methods are merely attempts to compensate for the fundamental weakness in the identity construct that I am discussing, and second, despite their own complexities, these efforts are also breakable and bypass-able with effort. Our tokenized atomic identity also has the challenge of being universal within the enterprise. The identity defines all interactions within the enterprise without exception. A compromised or stolen token grants authorization and access to all predefined and preauthorized repositories for all predefined transactions, unless or until I change out the token. Until that token is changed or revoked, the possessor of that token now has the same relationship associated with that identity as I did. Think about that for a second when someone proposes biometrics as the solution to the identity conundrum. [ Music ] So, our atomic-based identity paradigm is insufficient for a digital world. As we become more digitally connected and less personally connected, it becomes easier to impersonate anyone and therefore, take over the associated relationship. As processing speeds improve, practical AI leaves its infancy and the specter of quantum computing looms, it's time to reconsider the fundamental principles upon which identities should be built. Bluntly, we need to eschew the atomic model altogether. I suggest the following principles. Principle 1, identity should be bidirectional. The current identity paradigm reminds me of Peter Steiner's 1993 New Yorker cartoon. It's a drawing of two dogs, one sitting at a desk with a computer on it, the other sitting on the floor looking at the dog on the chair. The dog on the chair says, "On the internet, nobody knows you're a dog."
Today's identity schema is configured to force the user to prove that they aren't a dog, but nowhere does identity require the other party to prove they are who or what they claim to be. Think about the implications for a moment. I communicate with an entity online that claims to be my bank. I'm required to enter my personal details to prove that I'm the right Kim Jones, but at no time during that transaction is the bank required to validate that it is what it claims to be. It's this flaw within the current identity paradigm that allows web spoofing to occur. The latest Internet Crime Report from the FBI's Internet Crime Complaint Center, or IC3, shows that approximately 300,000 people fell victim to phishing and spoofing attacks with an aggregate financial loss in excess of $3.5 billion. In many of these cases, otherwise intelligent and knowledgeable individuals were fooled into providing their information to a site that looked and felt like one with which they were used to interacting. Principle 2, identity should be secretless. The current identity paradigm relies on the exchange of secrets between entities. The term "exchange" is used loosely here, as it is currently unidirectional like I explained in Principle Number 1. That secret, be it a password, a user ID or some hashed combination of otherwise innocuous data, exists in the targeted ecosystem in an atomic state for adversaries to crack, steal or manipulate. Rather than creating atomic identities that we store and exchange, what if we established a relationship based upon a different paradigm? What if, for example, we establish a cryptographic relationship between sender and receiver, thus forming a non-repudiable relationship for the purpose of conducting operations? Technologists will recognize that I'm describing a Public Key Infrastructure, or PKI, communications framework. Unfortunately, PKI can be overhead intensive with the need to implement and maintain Certificate Authorities, or CAs.
But what if we didn't need to do that? What if we could establish a cryptographic relationship with another entity without establishing the CA? In 2019, a company in Australia patented technology that purports to do just that. While I'm not aware whether or not a viable platform was developed based upon this concept, the point that I am making is that secretless identity is, at least theoretically, possible. Principle 3, identity should always be transactional. For many, this last principle is a given. Each discrete transaction should involve a unique interaction that occurs only once and is therefore not subject to manipulation or theft. You, the owner of your own personal data, should exclusively have the right to determine who knows what, when and how much, just like you decide how many details to share with your father about your date. The point though is that true transactionality requires a secretless state. If an atomic identity token exists within the environment, it becomes possible to hijack and misuse that token to initiate an unauthorized transaction, as in my television purchasing example. In a secretless paradigm, identity must be transactional, with the owner of the identity, versus the custodian of the identity token or secret, able to determine and/or throttle the sensitivity of the transaction approvals. So, top of head, an identity paradigm based upon these first principles has several advantages. Number 1, the bidirectional nature of identity makes it impossible for spoofed websites to be effective. Number 2, capturing a password or other sensitive information has minimal impact, as such secrets are not the basis of the relationship with the other entity. And Number 3, should a transaction be compromised via a replay or a man-in-the-middle attack, the compromise is limited to that single transaction. Imagine for a second where these risks and threats no longer existed.
What would that mean to your business, your technical infrastructures and to your customers? In our ever more interwoven digital world, the cybersecurity paradigms need to evolve. Rehashing or even complexifying old models doesn't address the real needs of our data-driven world. It's time to reevaluate the assumptions we've taken for granted around our zero-trust strategy and the underlying paradigm of identity so that we can develop truly innovative and effective solutions. My challenge to you is to start thinking outside the box, and to push our solutions providers to do the same. [ Music ]

Rick Howard: So, the first question I have for you Kim, was this the first time you've done an audio podcast all on your own before?

Kim Jones: Absolutely. This is a first, and I've decided that you are now my eventual goal of what I want to be when I grow up, man. I had a blast. This was a lot of fun.

Rick Howard: It's a lot of fun. I can't believe people let us do this, right? And [inaudible 00:19:40].

Kim Jones: Yes.

Rick Howard: So, well fantastic. Let's jump into the episode. I thought it was really interesting and I love that you have advanced our thinking, okay, on what exactly identity is. You know, you and I are both old timers in the cybersecurity space.

Kim Jones: Yes.

Rick Howard: From the very beginning, and I'm talking about in the 1960s here. Not that we were doing it in the 1960s but from the very beginning, the onus of identity has always been on the user, you know, getting access to a service. But your idea is that identity should be more transactional, more two-way. Is that right, or am I -- am I misunderstanding that?

Kim Jones: No, no, no. You've hit two of the three principles that I talked about. You know, on one hand, we can argue that in some respects identity is somewhat transactional because I present my secret in order to perform a certain function. But let's start with the two-way piece. You know, for me, we've always based identity on me validating or verifying to another individual or service, etcetera, that I am who I say I am. But we've never mandated that that service needs to validate that it is who or what it says it is. And--

Rick Howard: That is so obvious. I can't believe you never thought of that before.

Kim Jones: I'm just you know, hey, you know, I'm just a poor, dumb, wet-behind-the-ears and a [inaudible 00:21:05] former CSO. I'm lucky to get my shoes on the right foot. So, you know, I'm sorry.

Rick Howard: No, I just mean, usually, I don't know, we're what, 40 years into this and--

Kim Jones: Yes.

Rick Howard: -that's the first time someone said that.

Kim Jones: Well, it -- you know, I like to tell people, you know, I know two things. One is that my wife and son love me unconditionally, and the other is I can be wrong about everything else. And you know how it is because you and I are a lot alike like this.

Rick Howard: Yes.

Kim Jones: It's the -- it's -- I always assume that, hell, if this schmuck, meaning me, can think of it, there's got to be somebody else out there who's thought of it and doing something about it. As I've gotten older, I've realized that you know, maybe not.

Rick Howard: Maybe not.

Kim Jones: And if they are -- and if they are, we're still not talking about it yet. And I don't know if that's just because you know, it's too radical, or people are trying to just understand the paradigms that we're in, but you know, I'm an OSG. I'm an old security guy. It's like, "Okay, you don't like it, I can live with that, but at least let's think about it differently." So, yes. That bidirectional piece for me, is huge. And think about it. It's like I said in the podcast, what does that do to spoofing? What does that do to business email compromise? What does that do to that, you know, that scenario we all talk about with Grandma who gets a notice that says, "Hey," her bank account's compromised. Click here on the, insert bank here. Don't want to offend any of the banks. And clicks on the site and all of a sudden, her money is gone. You know, that sort of stuff can go away if bidirectionality were a part of the identity paradigm. You know, the transactional nature for me gets to, if I've got a secret that is shared in the environment, then that secret becomes the basis of what we do. And as long as that secret is there, the permissions, the authorization, stay with that secret. And you're not really dealing with transactional identity. You know? It's truly based upon, you know, role-based access, for lack of a better term. So, getting it down to the point where you're authorized to do this thing with your bank when you're there, and that's it, because there's no secret to be shared, I think that's huge.

Rick Howard: So, in the piece, you talked about three different principles but in your second principle, you called "Identity should be secretless," and you were just talking about it there, but you asked this question, "What if we establish a cryptographic relationship between sender and receiver, thus forming a non-repudiable relationship for the purpose of conducting operations?" So, when I read that, I was thinking, "That sounds very similar to something we already have kind of." You know, basically single sign-on. Instead of me logging into every internet thing somehow with a different user ID and password, I log in once during the day to somebody like Google or Facebook or Apple, somebody that I trust--

Kim Jones: Yes.

Rick Howard: -and then later, when I need to log into another internet thing, I tell the internet thing to go ask Google to verify that I'm legitimate. Is that kind of what you're talking about, or at least close to what you're talking about?

Kim Jones: See, I love that -- I love that you asked the question, and I love people who force me to think. When I teach my college classes at Berkeley, I tell my students, "Your job's to fight me." So, it's a great question, and it may lead me to changing my descriptor, but my answer to your question is no.

Rick Howard: Okay.

Kim Jones: And the answer is because single sign-on is not secretless. Say that ten times fast. All you've done--

Rick Howard: Yes.

Kim Jones: -is broker who the owner of the secret is. I love the Google example. You know, and how Google, you know, I could sign onto third-party websites using my Google identity. So, while Google may have established a, and I'm going to call it with big air quotes here, a "cryptographic relationship" with that third-party website, that relationship is based upon the secret that I have shared with Google. So, Google is now the master and owner of that secret. So, what we can do on this third-party website or hell, the fact that we can get to this third-party website is still based upon a shared secret. So, I am no longer the geek that I once was, to talk about the particulars as to how SSO will work and whether it's truly cryptographic or not, but it's not secretless. And the point of that second -- that second principle is I don't, ideally, no secret should be shared and maintained by any organization for this to work because that becomes a high-value target and is capable of being compromised because you've tokenized that in some form by storing it somewhere within that environment. So, the answer is yes, kind of, but it doesn't meet the principle.

Rick Howard: So, here we are at the end of your episode. What's a listener take away from all of that, right? If there's one thing you want them to learn from this discussion, what would it be, Kim?

Kim Jones: One thing I want them to learn versus what I want them to do. I would say it's more what I want them to do, Rick, than learn. And it gets to where I started the conversation. I meant what I said earlier regarding the two things that I know. So, this is just me thinking about the problem and saying, "Let's take half a step back and let's try to make sense to me." I -- I want people to think about the problem differently. I don't want people to apply new tech to an old paradigm as if that's the only solution. So, if I can get people to think about the problem just 5% differently, then I think I've succeeded. And for those, and I want to -- you asked one. I'm going to give you another one. And for those who say, "Yes, that kind of makes sense," I want us to start collectively as a community, pushing our vendors to say, "How does your solution meet these principles?" Because we should be driving that vendor space if we believe this is the solution. And not have the vendor space drive us. So, if we don't believe this is the solution, great. Then pick the right principles and let's go forth. If you believe that this has value, how is your solution driving the vendor space? Let's ask that question and see if we can't push the market to make it better and actually start winning, because you know, you're like me. I hate to lose, man. You don't go -- you know, you don't go to Mid-Hudson University like we did if you -- if we don't like to win, man. So, I hate to lose.

Rick Howard: Well, good stuff, Kim. Thanks for doing this for us. And we'll have you back soon to do more of this kind of thing.

Kim Jones: I hope so. This was a lot of fun. Thank you for having me. [ Music ]

Rick Howard: And that's a wrap. I want to thank Kim Jones, the Managing Director of Ursus Security Consulting and my personal career doppelganger, for taking over the hosting duties for this episode and giving us a new way to think of the zero-trust first principle strategy and the associated tactic of identity. "CSO Perspectives" is brought to you by N2K CyberWire, or you can find us at thecyberwire.com. For this episode, I've added some helpful links in the Show Notes to help you do more of a deep dive if that strikes your fancy. And don't forget to check out our book, "Cyber Security First Principles: A Reboot of Strategy and Tactics," that we published in 2023. Identity is a key concept that runs all through that book. And by the way, we'd love to know what you think of our show. Please share a rating and review in your podcast app, or if that's too hard, you can fill out the survey in the Show Notes or send an email to csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com. One last thing. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and this show sound good. I think it's only appropriate that you know who they are. >> I'm Liz Stokes. I'm N2K CyberWire's Associate Producer. >> I'm Tre Hester, Audio Editor and Sound Engineer. >> I'm Elliott Peltzman, Executive Director of Sound and Vision. >> I'm Jennifer Eiben, Executive Producer. >> I'm Brandon Karpf, Executive Editor. >> I'm Simone Petrella, the President of N2K. >> I'm Peter Kilpe, the CEO and Publisher at N2K. >> And I'm Rick Howard, thanks for your support, everybody.
>> [In unison] And thanks for listening. [ Music ]