CSO Perspectives (Pro) 8.31.20
Ep 20 | 8.31.20

Identity management and cybersecurity first principles.

Transcript

Rick Howard: One of my favorite hacker movies of all time is the classic social engineering movie "Sneakers" that debuted in 1992. It's classic for a number of reasons. And first, it came out just three years after Dr. Clifford Stoll published his seminal book "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage." That book convinced many of us old-timer network defenders you see walking around the community today to pursue cybersecurity as a career, myself included. Second, to go from "Cuckoo's Egg" to a major motion picture with not one, but three Academy Award-winners - Sidney Poitier for "Lilies of the Field," and, by the way, the first Black actor to ever win the best actor category, Ben Kingsley for "Gandhi" and Robert Redford as director for "Ordinary People" - and an alumnus from "Saturday Night Live," Dan Aykroyd, after "Ghostbusters" and after "The Blues Brothers," and River Phoenix, who had just recently played the young Indiana Jones in "The Last Crusade" - it felt to all of us that cybersecurity had hit the big time.

(SOUNDBITE OF FILM, "SNEAKERS") 

Sidney Poitier: (As Crease) It's called a Mantrap. I borrowed this demo from the manufacturer. 

David Strathairn: (As Whistler) It's a digital voice recognition monitor hooked up to an access booth. 

Sidney Poitier: (As Crease) NSA uses the same technology to keep people out of restricted areas at Fort Meade. Now speak right into this box. 

Robert Redford: (As Bishop) My name is Martin Bishop. My voice is my passport. Verify me. 

David Strathairn: (As Whistler) And you can't pass through unless your voiceprint matches the one encoded on the card. 

Robert Redford: (As Bishop) So we need someone's card. 

Sidney Poitier: (As Crease) And their voice. 

Robert Redford: (As Bishop) Can we beat this with tape? 

David Strathairn: (As Whistler) Has to be up close and personal. 

Sidney Poitier: (As Crease) Otherwise you'll be caught in a steel reinforced booth where the guards with the shotguns are called. 

Rick Howard: In the movie, the characters social engineer their way through various obstacles to stop Ben Kingsley from using his McGuffin to control the world. They do this by messing with each of their victims' sense of identity and authentication. 

Rick Howard: Now, the concept of identity is fascinating. What are the things that we value about ourselves that show others who we are? Your name, hacker alias, address, favorite Dungeons and Dragons character alignment, job, past jobs, volunteer committees, art, politics, recreation, and many, many other activities and things we belong to or support make up our personal identity. And that doesn't even cover personas. I mean, I have my business persona, my family persona, my neighborhood persona and my gaming persona. I share my identity personas with those communities that I belong to, but I might not want to share them with my other communities. Like, I may not want to share the persona for my level 47 chaotic-neutral tiefling warlock named Abigail with the CyberWire CEO. He might not understand. If you're listening, Peter, no offense.

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This is the 11th show in our series that discusses the development of a general purpose cybersecurity strategy using the concept of first principles to build a strong and robust infosec program. We are straying from the path here just a bit to talk about the evolution of identity and authentication. Next week I'll bring in some subject matter experts to sit around the hash table and discuss identity management within an organization. But this week, the evolution of identity and authentication since the early '60s has been so convoluted and filled with so much internet drama that I thought we should spend some time discovering how we got here. 

Rick Howard: At some level, the internet is a series of transactions, some important, like moving money from your checking account to your ATM card. Some are not quite as important, like watching the host of the daily podcast dance inside his studio during the pandemic on Twitter. Now, things like that are essential, like chicken soup for the soul, but in terms of transactions, maybe not that important. In this important transactional world, though, we need to find things to attach to our identity that authenticate who we are. It is one thing to get on Twitter and broadcast to the world your love of Dave's dancing, but you can't use that love to get money out of an ATM machine. Now, I personally think that should be a law, but it's not a law today. So we find ways to prove to our transactional partners that we are who we say we are and not some AI bot impersonating us. 

Rick Howard: In the 1850s, the British started using birth certificates to authenticate citizenship. People could present their birth certificate to a bank to get a loan, for example. In 1903, Missouri and Massachusetts became the first states to require a driver's license to operate a car. After World War I, the League of Nations championed the use of passports for international travel. We forget that, before the war, people just kind of went through Europe like there were no boundaries at all. In 1935, the United States Congress passed the U.S. Social Security Act that assigned exclusive numbers to citizens. Social Security numbers became the de facto attribute for many years to uniquely distinguish the John Smith who lived in Albuquerque compared to the John Smith who lived in Fresno.

Rick Howard: In the 1960s, when computers started to become essential tools for big business and government, the late, great Fernando Corbato, one of computing's founding fathers, introduced the idea of using passwords to gain access. Unbeknownst to him, Dr. Corbato provided a long list of cyber ne'er-do-wells a never-ending attack vector to break into computer systems. In fairness to him, though, passwords really didn't start to break down as an authentication system until the internet started humming for online transactions - say, circa mid-1990s. As the internet scaled, the passwords just didn't cut it anymore. Astonishingly, passwords are still the thing that most people use to authenticate themselves today, a technique that now is over 50 years old. 

Rick Howard: In 1993, Tim Howes, Steve Kille and Wengyik Yeong collaborated to invent LDAP, or the Lightweight Directory Access Protocol. And according to Juliet Kemp over at ServerWatch, LDAP lets administrators organize information on the network and provide users access to it. Howes and team designed LDAP to facilitate authentication over a distributed TCP/IP network. By 2000, Microsoft included LDAP in its backbone authentication system called Active Directory, which uses both LDAP for user lookup and Kerberos for authentication. Kerberos was created at MIT in their Athena Project in 1988.

Rick Howard: In 2002, the United States Congress passed the famous Sarbanes-Oxley law, which, among other things, held companies liable for bad access control. By 2006, we started seeing the first managed services for identity management, and by 2010, we started seeing the first SaaS identity management services. By 2014, organizational data started to distribute across multiple data islands, like, still in the traditional perimeter but also in private data centers, personal devices, SaaS providers and cloud providers, both IaaS and PaaS. It was clear that on-prem identity solutions were on their way out in favor of SaaS identity services.

Rick Howard: One of the problems with digital identity and authentication is that our current systems are site-centric. Users of systems have to present the same credential information to multiple digital silos like Amazon, Netflix, eBay and the like, and these silos don't talk to each other. And there's little granularity for access control. It's difficult to give only a partial credential set to a site-centric portal. It is usually all or nothing. And, like I said, these sites are silos. If I routinely use, say, Amazon and Barnes & Noble, I can individually log into each separately, but I can't ask Amazon to share the books I purchased on their site with their competitors, even though it's my information, because they are all walled gardens. 

Rick Howard: If Fernando Corbato invented the beta version of identity and authentication back in the 1960s, Dick Hardt, an internet identity evangelist, says that by the mid-2000s we had finally reached identity and authentication version 1.0 with our site-centric systems. When the idea of identity federation emerged sometime after, that probably moved us to identity and authentication version 1.5. According to Helen Patton, The Ohio State University CISO, federation is the idea that if two partners trust each other, they trust each other's users. If Helen travels to her trusted partner's campus, say, the University of Michigan, she is able to log on to the campus Wi-Fi network without any coordination hassles. From my perspective, federation is the associative property of trust. If the University of Michigan trusts Ohio State University and Ohio State University trusts Helen, then the University of Michigan trusts Helen, too. 

Rick Howard: That's all fine, but it's not yet a perfect solution. One-off partnerships don't scale. What we need is identity and authentication version 2.0, where we move away from site-centric solutions to a user-centric solution. In other words, I create and store my identity and associated personas with a trusted, authorized broker. When I visit Netflix and Amazon, I direct them to authenticate me through the broker, and I only give them access to the bare essential credentials required and nothing more. 

Rick Howard: In the early 2000s, two technologies emerged that would move us closer to that goal, SAML and OpenID combined with OAuth. SAML stands for Security Assertion Markup Language and refers to a heavyweight XML variant language that enables one computer to perform both authentication and authorization on behalf of other computers. The OpenID/OAuth pair is a set of competing technologies to SAML that have a crazy and confusing history of internet drama. Don't worry if this all sounds confusing. It is.

Rick Howard: For example, OAuth stands for open authentication. The crazy thing is that OAuth doesn't authenticate anything. It simply authorizes a machine to log into another machine on behalf of a human. OpenID does the authentication for humans. By 2014, though, this all settled down. Today, according to CSO Magazine, most network operators use SAML for enterprise applications and OAuth for open internet situations. At this point, with SAML and the combined pair of OpenID/OAuth, we have probably reached identity and authentication version 1.7, up from version 1.5 that we got with federation, but still not quite 2.0.

Rick Howard: To get to 2.0, a user-centric solution, I would direct your attention to a paper written by Kim Cameron when he worked for Microsoft back in 2005 called "The Laws of Identity." That might be a good place to start. He lists seven characteristics that any modern identity system should have. No. 1, user control and consent - in other words, the user is in charge, not the portals. No. 2, minimal disclosure for a constrained use - this is basically Zero Trust for authentication data. Only give the bare essentials. No. 3, justifiable parties - this is also Zero Trust but for the transactional parties. Only authorize those that need authorization and nobody else. 

Rick Howard: No. 4, directed identity - this is the ability to send information in one direction or in multiple directions, including exchanging information amongst all the transactional partners. No. 5, pluralism of operators and technologies - this is the ability to operate with multiple technologies and multiple entities. No. 6, human integration - this means that the interface should be easy for humans to negotiate securely. And finally, No. 7, consistent experience across contexts - in other words, with all the things we have to do with authentication and identity, each individual thing should not feel like it is something completely different from all the other things that we are trying to do there. 

Rick Howard: The bottom line is that the concept of identity and authentication is probably the most important thing to get right for the future of transactional internet business. We can have all the first principle strategies in place that you want, like resilience, Zero Trust and intrusion kill chains. But being able to know precisely that Abigail, the level 47 chaotic-neutral tiefling warlock, is really Rick Howard and not the owner of a Russian influence operation run out of Novosibirsk, Siberia, is key to everything. Without it, we will have no confidence in any future system like online voting, census-taking, or really any transactional interactions with our governments, commercial businesses, or academic institutions.

Rick Howard: You would be right to point out that the way we do identity and authentication today, the version 1.7 that I have described, kind of works. And it does. I'm able to watch Netflix and buy books from Amazon and order hamburgers from my local Five Guys all relatively hassle-free. But these site-centric systems were designed by commercial firms for the purpose of making money, which I'm not against in principle, but maybe there is a loftier design goal that we should pursue. Maybe we should design our identity and authentication systems to benefit the people. I'm just saying.

Rick Howard: And that's a wrap. If you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter and we can continue the conversation there. Next week I have invited our pool of CyberWire's experts to sit around the Hash Table with me to discuss identity management within an organization. You don't want to miss that. The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.