Identity 3.0.

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.


Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, turns over hosting responsibilities to Kim Jones, the Managing Director at Ursus Security Consulting, who takes a first-principles look at the idea of identity.

The latest Verizon Data Breach Investigations Report cites stolen credentials as a core component in almost one-third (31%) of breaches. As scrutiny and liability around data breaches continue to mount, a concurrent groundswell of discussion about how to improve identity and access management (IAM) within the industry is occurring. Many of these discussions have centered on how artificial intelligence might create new opportunities to improve the existing IAM paradigm. While I’m happy these discussions are taking place, so far they’re mere updates to what’s come before. Just as technological improvements (such as cloud technologies and wireless connectivity) have for the most part simply migrated old problems into new technology arenas, applying new technologies to the existing identity construct will at best represent a speed bump to our adversaries. If we as a cybersecurity community are serious about reengineering identity, then it’s time to have a principles-based discussion that questions the assumptions behind our existing approach to the problem.

I intend to start that discussion here.

My intention is not to convince you that my principles are the only right answer. Rather, I want to achieve two things:

1. I hope to help the community step back and reassess the challenges of digital identity by taking a principles-based approach, and

2. (Most importantly) I hope to spark a dialogue that takes us in a different direction, beyond just making “tint control” changes to existing toolsets and technologies. 

If you disagree with my proposed principles, that’s perfectly fine; if the discussion below prompts you to think about the problem even just five percent differently than you did before, I’ve succeeded.

Definition and current state.

For my purposes here, Identity is the unique set of characteristics that can be used to distinguish an entity as itself and as nothing and no one else. More importantly, though, is its purpose – Identity is the primary basis of a relationship. What comes to mind when you think Mother? Spouse? Boss? Friend? Coffee? Those words —and the Identities they represent — convey relational information instantaneously. We make presumptions and draw conclusions based solely upon Identity. If you’ve had positive relations with your parents, for example, then the Identities of “mother” and “father” may invoke positive emotions when you hear those terms. Identity forms the beginning of that relationship experience.

Sticking with the relationship analogy, say you receive a text from someone claiming to be your father asking how your date went last night. You verify that the phone number is your father’s; you remember you mentioned the date to him a few days before. While your relationship with your father is cordial, he’s no longer the intimate confidant he was when you were nine or ten. Thus, instead of a detailed account of the evening, you tell him the date went well and that you’re going on a second date soon. Within the space of a few seconds, your personal central processing unit performed the follow-on tasks associated with Identity: authentication (verifying the phone number and the fact that your father did indeed know about the date), authorization (deciding that your father is allowed to know about the date and should receive an answer to his query), and access (determining how detailed an answer you are going to give). These decisions start with the relationship represented by the Identity of the entity with whom you are interacting. 

This is where things begin to get tricky. 

With in-person interactions — which I’m calling atomic interactions — the establishment and authentication of Identity can be relatively simple. I see my friend Stash, I recognize Stash, I buy Stash a cup of coffee and we catch up. When atomic interactions are limited or removed altogether – on a Zoom call where video can be disabled, through emails or texts, or with phone calls – things can become ambiguous quickly.

Uniqueness requires complexity.

Here are some of the reasons why. Consider four people:

  1. A Filipino influencer
  2. Lil’ Kim
  3. An NFL reporter
  4. A supermodel

Each of these individuals is also known as Kim Jones. It is not the differences between these individuals that I’m emphasizing, but their similarities. Specifically, any of these individuals could claim to be me if only a name were used as an Identity. In an atomic interaction it would still be difficult for Kim Jones the Filipino influencer to masquerade as Kim Jones the Old Security Guy to someone who knows me. Conversely, anyone who has heard me sing would know that, gender notwithstanding, I could never pretend to be the rapper Lil’ Kim. Online, though? Any of these individuals could begin the process of accessing data that is restricted to my personal use by honestly and truthfully providing their names. One of the ways the traditional model of identity attempts to solve the uniqueness problem is by adding complexity. Instead of just using a name, for example, it adds layers of non-sensitive yet distinguishing data to the transaction, e.g., geolocation data in authorizing financial transactions. If someone attempts to buy a television in (for example) Phnom Penh using my debit card number, my bank will most likely flag the transaction as fraudulent, given that I live in Phoenix. As we provide more data to organizations, it’s theoretically possible to create a unique Identity using seemingly innocuous, non-regulated information.

Atomics break complexity.

Once created, organizations store and secure Identity in an “atomic” fashion. In other words, they give Identity a level of pseudo-physicality by capturing it in a file or a database of some sort. Our model of Identity requires this in order for a user to enter the enterprise and begin the relationship. Unfortunately, once Identity is given an atomic dimension, that Identity becomes a type of token...and tokens can be tampered with or stolen.

In my above example, what would happen if my Identity token was modified to remove the geolocation flags? Possibly one or more Cambodian families would be enjoying new big-screen TVs as gifts from me. Further, repositories of these Identity tokens (such as Active Directory) represent high-value targets for bad actors.

Exposure is forever.

Our tokenized atomic Identity also has the challenge of being universal within the enterprise. Our Identity token defines all interactions within the given enterprise, without exception. A compromised or stolen token grants authorization and access to all predefined repositories for all predefined transactions, unless or until I change out the token. Until that token is changed/revoked, the possessor of that token now has all of the relationship access associated with that Identity.

Reimagining identity.

Our atomic-based Identity paradigm is insufficient for a digital world. As we become more digitally connected and less personally connected it becomes easier to impersonate anyone, and therefore take over the associated relationship. As processing speeds improve, practical AI leaves its infancy, and the specter of quantum computing looms, it’s time to reconsider the fundamental principles upon which Identity should be built. Bluntly, we need to eschew the atomic model altogether. I suggest the following principles:

Principle 1: Identity should be bidirectional. 

The current identity paradigm reminds me of Peter Steiner’s 1993 New Yorker cartoon. Today’s identity schema is configured to force the user to prove that they aren’t a dog...but nowhere does Identity require the other party to prove they are who or what they claim to be. 

Think about the implications. I communicate with an entity online that claims to be my bank. I’m required to enter my personal details to prove that I’m the right Kim Jones, but at no time in the initial establishment of the relationship is the bank required to validate, to me, that it is who it claims to be. TLS does authenticate a server to my browser, but nothing ties that check to my login: a look-alike domain with its own perfectly valid certificate still collects the password I type into it. It is this flaw within the Identity paradigm that allows web spoofing to occur. The latest IC3 report shows that approximately 300,000 people fell victim to phishing and spoofing attacks, with a financial loss in excess of $3.5 billion.

In many of these cases, otherwise intelligent and knowledgeable individuals were fooled into providing their information to a site that looked and felt like one with which they were used to interfacing.

Principle 2: Identity should be secretless.

The current Identity paradigm relies on the exchange of secrets between entities. The term “exchange” is used loosely, as it is currently unidirectional (per Principle 1 above). That secret — be it a password, a user ID, or some hashed combination of otherwise innocuous data — exists in the targeted ecosystem in an atomic state for adversaries to crack, steal, or manipulate. Rather than creating atomic identities that we store and exchange, what if we established a relationship based upon a different paradigm? What if, for example, we established a cryptographic relationship between sender and receiver, forming a non-repudiable relationship for the purpose of conducting operations? Technologists will recognize that I am describing a public key infrastructure (PKI) communications framework. Unfortunately, PKI can be overhead-intensive, with the need to implement and maintain certificate authorities (CAs).

But what if you didn’t need to do that? 

What if you could establish a cryptographic relationship with another entity without establishing a CA? In 2019, a company in Australia patented technology that purports to do just that. While I’m not aware whether or not a viable platform was developed based on this concept, CA-less public-key relationships already exist in narrower forms: SSH keys exchanged out of band or accepted on first contact, and FIDO2/WebAuthn credentials whose public key is registered directly with the site at enrollment. The point I am making is that “secretless” Identity is (at least theoretically) possible.

Principle 3: Identity should always be transactional.

For many, this last principle is a given. Each discrete transaction should involve a unique interaction that occurs only once, and is therefore not subject to manipulation or theft. You, the owner of your own personal data, should exclusively have the right to determine who knows what, when, and how much, just as you decide how many details to share with your father about your date. The point, though, is that true transactionality requires a secretless state. If an atomic Identity token exists within the environment, it becomes possible to hijack and misuse that token to initiate an unauthorized transaction, as in my television example above. In a secretless paradigm, Identity must be transactional, with the owner of the Identity (versus the custodian of the Identity token) able to determine and/or throttle the sensitivity of the transactional approvals. Off the top of my head, an Identity paradigm based on these principles has several advantages:

  • The bidirectional nature of Identity makes it impossible for spoofed websites to be effective.
  • Capturing a password or other sensitive information has minimal impact, as such secrets are not the basis of the relationship with the other entity. 
  • Should a transaction be compromised via a replay or man-in-the-middle attack, the compromise is limited to that single transaction.
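The three principles and the three advantages above can be shown end to end in a small protocol. What follows is an added example written for this column, not the author’s design, the Australian patent, or any vendor’s product. It uses Lamport one-time signatures (public-key signing built from SHA-256 alone, so it runs on the Python standard library) as a stand-in for the keypairs a real deployment would get from Ed25519 or FIDO2/WebAuthn; the party names, the `https://bank.example` and `https://bank-example.com` origins, and the transaction strings are constructed for the demonstration. Each side proves itself with a signature over the other side’s fresh nonce and the origin actually in use (Principle 1), the bank’s store for its customer holds only hashes of public keys (Principle 2), and every nonce and every signing key is consumed by exactly one transaction (Principle 3).

```python
import hashlib
import secrets

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

# Lamport one-time signatures: asymmetric signing from a hash function alone, so the
# example needs no third-party crypto library. Each keypair signs exactly ONE message;
# that limitation is welcome here because it forces one fresh key per transaction.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]  # hashes only: safe to hand to the other party
    return sk, pk

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def canon(*fields):
    """Fixed-order encoding of the signed fields; both sides must build it identically."""
    return "|".join(str(f) for f in fields).encode()

class Party:
    def __init__(self, name, origin, n_keys=4):
        self.name, self.origin = name, origin
        self._keys = [keygen() for _ in range(n_keys)]  # private halves never leave here
        self.used = 0                # index of the next one-time key we sign with
        self.peers = {}              # peer name -> that peer's public keys (no secrets)
        self.peer_used = {}          # peer name -> lowest key index we will still accept
        self.seen_nonces = set()     # challenges already answered (replay defence)

    def enroll(self, peer):
        """Relationship set-up: public keys exchanged directly (pairing / first contact), no CA."""
        self.peers[peer.name] = [pk for _, pk in peer._keys]
        self.peer_used[peer.name] = 0

    def sign_next(self, msg):
        idx, self.used = self.used, self.used + 1
        return idx, sign(self._keys[idx][0], msg)

    def verify_peer(self, peer, idx, msg, sig):
        keys = self.peers.get(peer)
        if keys is None or idx < self.peer_used[peer] or idx >= len(keys):
            return False             # unknown party, or a key that was already burnt
        if not verify(keys[idx], msg, sig):
            return False
        self.peer_used[peer] = idx + 1
        return True

def client_hello(client):
    return {"client": client.name, "n_c": secrets.token_hex(16)}

def server_challenge(server, hello):
    n_s = secrets.token_hex(16)
    idx, sig = server.sign_next(canon(server.origin, hello["n_c"], n_s))
    return {"server": server.name, "origin": server.origin, "n_c": hello["n_c"],
            "n_s": n_s, "idx": idx, "sig": sig}

def client_response(client, connected_origin, hello, ch, txn):
    # Principle 1: the server proves itself first, and the proof must cover the origin the
    # client is really connected to (the origin binding a browser supplies to WebAuthn).
    if ch["origin"] != connected_origin or ch["n_c"] != hello["n_c"]:
        return None
    if not client.verify_peer(ch["server"], ch["idx"], canon(ch["origin"], ch["n_c"], ch["n_s"]), ch["sig"]):
        return None
    idx, sig = client.sign_next(canon(connected_origin, ch["n_c"], ch["n_s"], txn))
    return {"client": client.name, "n_c": ch["n_c"], "n_s": ch["n_s"], "txn": txn, "idx": idx, "sig": sig}

def server_accept(server, resp):
    # Principle 3: each challenge nonce and each one-time key is good exactly once.
    if resp is None or resp["n_s"] in server.seen_nonces:
        return False
    msg = canon(server.origin, resp["n_c"], resp["n_s"], resp["txn"])
    if not server.verify_peer(resp["client"], resp["idx"], msg, resp["sig"]):
        return False
    server.seen_nonces.add(resp["n_s"])
    return True

def demo():
    # Constructed parties and origins for the demonstration.
    bank, kim = Party("bank", "https://bank.example"), Party("kim", "client")
    bank.enroll(kim)  # Principle 2: the bank's record of Kim is now hashes only
    kim.enroll(bank)

    h = client_hello(kim)
    r = client_response(kim, "https://bank.example", h, server_challenge(bank, h), "pay 40 USD")
    honest = server_accept(bank, r)

    # Look-alike site claiming to be "bank": right name, plausible key index, no bank keys.
    evil = Party("bank", "https://bank-example.com")
    evil.used = kim.peer_used["bank"]
    h2 = client_hello(kim)
    spoof_refused = client_response(kim, evil.origin, h2, server_challenge(evil, h2), "pay") is None

    # Relay: evil forwards a genuine bank challenge from its own origin; the origin mismatches.
    h3 = client_hello(kim)
    relay_refused = client_response(kim, evil.origin, h3, server_challenge(bank, h3), "pay") is None

    # Replay of the captured honest response: nonce and one-time key are already consumed.
    replay_rejected = not server_accept(bank, r)
    return {"honest": honest, "spoof_refused": spoof_refused,
            "relay_refused": relay_refused, "replay_rejected": replay_rejected}

if __name__ == "__main__":
    print(demo())
```

Two design points are worth noticing. First, the client only ever signs over the origin it is connected to, so a relayed but genuine bank challenge is refused on the origin check before any signature is examined; that single rule is what makes the look-alike site and the adversary-in-the-middle both unprofitable. Second, the bank’s database holds nothing an attacker can replay or forge with: dumping `bank.peers` yields public hashes, and the one nonce the attacker did capture is already in `seen_nonces`. The fixed batch of four one-time keys per party and the direct key exchange in `enroll` are simplifications; a deployable version would use a stateless signature scheme and a pairing or enrollment ceremony to bootstrap the relationship.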

Imagine a world where these risks and threats no longer existed. What would that mean to your business, technical infrastructures, and customers? In our ever-more-interwoven digital world, cybersecurity paradigms and principles need to evolve. Rehashing or even complexifying old models doesn’t address the real needs of our data-driven world. It’s time to reevaluate the assumptions and principles we’ve taken for granted around Identity so that we can develop truly innovative (and effective) solutions. My challenge to you is to start thinking outside the box, and to push our solutions providers to do the same.

My two cents...

References:

Gulin, O., Tomberry, Steiner, P., Perkins, A. D., 2012. On the Internet, Nobody Knows You’re a Dog [History]. Know Your Meme.

Staff, 2019. US Patent for Mutual Authentication of Computer Systems over an Insecure Network [Patent]. Justia Patents Search.

Staff, 2023. Federal Bureau of Investigation: Internet Crime Report [Report]. Internet Crime Complaint Center (IC3).

Staff, 2024. Data Breach Investigations Report [Report]. Verizon Business.