Podcast Mar 04, 2020

Root Causes 70: Identity Is the New Perimeter

Modern architectures and development processes have shattered the old concept of an IT perimeter for the enterprise. In this world, attaching strong identity to every device, user, and process is essential to security. In this episode our hosts describe this challenge and discuss the pros and cons of various identity schemes.

  • Original Broadcast Date: March 4, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Today, we want to talk about a phrase that, though it’s not new, is gaining a lot of traction right now, and I think it resonates a lot with both you and me, which is why we want to talk about it. That phrase is Identity Is the New Perimeter.

  • Jason Soroko

    I really like that phrase, Tim. I have been in this field a long time and ten years ago we were almost getting tired of the term identity because of how often we used it and now it’s just blossomed to be even that much more important, and I could see that coming but here we are. It’s so meaningful, Tim, because of the way that things are architected, because of the changes going on in enterprise IT environments, and the fact that even so many systems are non-human based. We are seeing IoT and DevOps. I could go on and on as always on this topic, Tim, but it’s because there’s so many changes going on right now.

  • Tim Callan

    Yeah. And so, if you go back in time, right? Imagine the year 2000 or the year even let’s say 2005, right? What did your IT infrastructure look like and the main word I can come up with or the two words I could use to describe it would be monolithic and homogenous. So, you owned the hardware. You owned the facilities. You owned the client machines that the employees were using and those might not even be leaving the building although certainly there were a lot of laptops in use in that world but, you know, a lot of desktops as well. There was no mobile. There were no BYOD devices. You did not have non-employees accessing your systems. Right? You didn’t have a consultant or contractor or customer coming into my systems. Development was waterfall. Right? You could start a project and it would be done in a year or, you know, 18 months, or maybe if you were lucky six months. It would go through a long QA process and there would be a single release. It was very homogenous, right? It was all Microsoft stack, and everything was controlled by a single department. Every person who was allowed to touch it ultimately rolled up to the CIO, right?

  • Jason Soroko

    Yeah. Tim, you are so right. I mean, for those of you who have been around long enough, you might have worked in a department where there were two, three, four major ERP/CRM systems that were fat-client based, sitting in a server rack, and everything was Microsoft. Everything. Everything. Whereas there has now been an entire generation of developers since then who are building applications that are not monolithic. They are not just big ERPs. They are just small, discrete bits of code that are accessed by an API sitting in some cloud somewhere, and those developers might not even be employees. They could be contractors, and it’s just such a different world.

  • Tim Callan

    And all these systems are touching each other. Right? So, I’m building something that’s touching systems that I had never had anything to do with and vice versa. Who knows where this stuff is physically located? Who cares? Right? I might not own it. It might be owned. It might be rented. It might be moving around. It might be on VMs. I have different, like we said, the employees - - like you said, the employees might not be doing it. It might be non-employees. Then we got DevOps environments. We got BYOD. We got mobile employees, remote employees, machines of unknown quality. Like even the desktops I have, those might be Mac, might be Linux, might be Windows and, again, or the biggest one – this diversified responsibility. All kinds of groups out there developing key applications that ultimately could be anywhere in the company, could be reporting to anyone, anyone could be paying for them. Like you said, they might not even be employees. They might be some consultancy that is, or some vendor that is being paid for from somebody’s budget and all of this stuff needs to work and if it doesn’t work, not only can you have failure and outages, but you can also have breaches, you can have cascading failures and it's a big interwoven, interdependent web of unknowns.

  • Jason Soroko

    So, Tim, with everything you just - - you painted a heck of a picture. I’m gonna ask you a question I think gets to the heart of what we are talking about. So, where’s the edge to that? Where do I stick my 1990s firewall?

  • Tim Callan

    Sure. Exactly. I want to put a fence around my borders, and I want to say that inside the fence everybody is benevolent and everything is understood, and outside the fence is the DMZ. Right? Where’s the fence? There isn’t one. At best, it is shifting and unclear, and at worst, it is entirely non-existent.

  • Jason Soroko

    It is pretty much non-existent, Tim, especially when you are talking about serverless functions which might be working in partner clouds that you are accessing. Like, the lines are so blurred now that essentially, I guess, the way to think about this – how we rationalize this incredible change – because the one thing we haven’t said yet, Tim, is that all this change has been for the positive.

  • Tim Callan

    Oh! So positive. I mean agility, responsiveness, you know, again, we talked about waterfall releases. It used to be you spec what you want and you have a big argument about it and everybody is cashing their chips in because, you know, whatever gets going now is going to be delivered in 12 months and there is no changing course, right? Now, we do two-week sprints, and we release. Right? So, it’s an entirely different thing. Much closer association of projects to outcomes. Much more agility. Right? I don’t need to know what it needs to look like in a year. I need to know what it needs to look like in a month.

  • Jason Soroko

    You know what’s so funny, Tim, is back in the - way back in the day, Frederick Brooks wrote the book The Mythical Man-Month, which I’m sure a lot of listeners to this podcast have heard of.

  • Tim Callan

    Great book.

  • Jason Soroko

    And this is exactly what he was calling for. Ok. So, these aren’t actually new ideas. This is just the new reality that we are living in because it was the best idea, and I think from a security practitioner’s standpoint, because that is what this podcast is about, how do we deal with this? I think we have to really take stock of where the edge is, and the edge is actually at every single discrete piece of logic.

  • Tim Callan

    Right.

  • Jason Soroko

    So, that’s the atomic level. So, what’s a way in English to say that? What it means is everything needs its own identity. That’s where you draw your boundary.

  • Tim Callan

    Yeah. It’s like instead of saying I have a single, you know, country and there is a border around the country, and you can see where it is, imagine if your country was made up of thousands and thousands of islands, and what it is is every island, its borders are the borders, and that’s the same thing here. But now, once that’s the situation, you gotta ask yourself, how do I know who is in and who is out?

  • Jason Soroko

    Even another way to say that, for those of you who think a little differently, that’s a perfect analogy. Each island is essentially working in hostile waters.

  • Tim Callan

    Right.

  • Jason Soroko

    So, in other words, you guys who are listening to this, everybody knows what a VPN is, I hope. Right? Like that’s a concept that’s been with us for a long time and it was very useful. The problem is it was you as a human being that was authenticating into an entire network. Therefore, the trust model of that was you now, however you were credentialed and provisioned and privileged on that network, you had full privileges not just to an individual discrete piece of logic but to all the pieces of logic within that network that you were privileged to actually touch. That’s not going to work in a world of DevOps. That’s not gonna work in the world of IoT. So, therefore, what do we do? What we have to do is every single DevOps container has its own mutual TLS authentication. Every single IoT device has its own mutual TLS authentication. Therefore, a simpler way of saying that is every IoT device needs its own identity. Its own secured, strong identity that can assert itself through hostile waters, through hostile network environments and to its ultimate destination so that the destination can be absolutely assured who it is talking to, who it’s receiving data from and with a meaningful integrity of that data that’s going between those two points.

  • Tim Callan

    Yeah. So, to get brass-tacks-y about it, if I didn’t have reliable identity in, let’s say, my DevOps environment, then it would be possible for somebody to inject a container into my cloud of tasks that would not belong there, and it might steal information or provide other access or disrupt my processes in one way or another or cause processes to do the wrong thing and go the wrong way, and that would be caused by this insufficiently strong identity. Or another example – in an IoT environment, if I could get into that network communications and pretend to be a device or pretend to be a server that’s talking to the devices, then I could do the same thing. I could steal information. I could disrupt operations. Again, because the identity was insufficiently strong.

  • Jason Soroko

    Those are the kinds of weaknesses that the bad guys are looking for right now, and they found them. The Mirai botnet was an insufficiently strong authentication mechanism for IoT devices, which came about because old-fashioned authentication mechanisms that should have been deprecated decades ago, such as using passwords, were being used for IoT devices, which are headless. They are not human beings.

  • Tim Callan

    Or not even that, right? I mean, if you go back to the Mirai botnet, with some of these devices people just kind of said, well, you know, what is this thing? It’s a children’s toy, right? There’s no security risk here. I’m not gonna put anything on it.

  • Jason Soroko

    Yeah, Tim. And that’s such an important point because if you are the manufacturer of anything, whether it’s software or hardware of any kind, this idea that you are protected because you are the underdog or you are protected because you can’t figure out why a bad guy might come after you, that’s not a - - ignorance is not a defense here. The people who made the closed-circuit television cameras that the first wave of the Mirai botnet took advantage of, those folks who very well-meaningly were building closed-circuit television cameras, had no concept of, geez, these devices are gonna be used in the millions for a botnet to do DDoS attacks.

  • Tim Callan

    That’s a great example. I’ve got, you know, a camera looking at the parking lot, the parking lot is right there on the street, there is nothing proprietary there. If somebody were to steal the signal coming from the camera, I wouldn’t care in any way, and what they were neglecting to think about is other ways that those devices could be weaponized.

  • Jason Soroko

    Unfortunately, I think even the connected teddy bear scenario that you were talking about, Tim, that to me is even scarier, because anything that can connect into that and start listening in or actually communicate with a child, I mean that’s - -

  • Tim Callan

    Yeah. And we’ve seen examples of that just within the last few months, right, where people were using these baby monitors to talk to kids when they are alone in their rooms, which is ultra-creepy, right? Definitely we don’t want that.

  • Jason Soroko

    But you know, I talk to customers on a daily basis, and it’s not just the connected toasters and stuff that you think about in your home, the consumer-level stuff. This problem extends itself into the industrial space, Tim, where really critical things are happening in critical, critical infrastructure, controller devices that are now connected to the public internet with, I would say, not so great authentication, sometimes very weak. It’s a scary thought. So, for people to think that this problem is only in the consumer space, it’s not true. This extends across everything.

  • Tim Callan

    Right. Lest we belabor the obvious. What are the reasons that passwords aren’t adequate to this need?

  • Jason Soroko

    There are a few really, really good reasons, Tim, and some of them have to do with the fact that the weak ones are just, those make it just too easy to guess.

  • Tim Callan

    Yeah.

  • Jason Soroko

    But even the ones that are of a given length, there are such things as rainbow tables that make words easy to guess at, but even if it’s completely randomized, the ability to do a guessing attack is still possible. But if I am a bad guy, I’m gonna try to steal that password outright, and there are many mechanisms to do that. Key logging on desktops and computers, etc., and also on networks themselves, where passwords are actually passed in the clear, those can be harvested quite easily by a bad guy who is actually listening in on that network.

  • Tim Callan

    Or if I breach. Right? If I breach your enterprise and your systems, one of the things I might steal is the login credentials, and now I have that. There is a big database of login credentials, and I just grab them all, and now I have them all. And then from there, we run into the problem of credential stuffing, right? In the real world, I don’t know how many different systems our average listener has to go to where they put in a name and password, if you include online social media accounts and things like that, but it’s lots and lots and lots. So, a very routine response to that is to reuse usernames and passwords, and so once you are doing that and once I have stolen this database of passwords from one property, I turn around and I go to the world’s 300 largest banks and I try to log in. Right? And any one that I get into, now I’ve stolen that account. So, that is absolutely a real thing that really happens quite a bit.

  • Jason Soroko

    Here’s a real thing that’s happening for people who really should know better, too, which is developers who are creating scripts that will push code into the cloud, and this could be for purposes of DevOps or other purposes, and those scripts are actually hard-coded with these new passwords.

  • Tim Callan

    Yeah. There you go.

  • Jason Soroko

    And quite often that’s done because people have to connect to a database. These pieces of logic that are being pushed to the cloud, they are doing some complex things and they have to access other systems. Those systems have their own means of authentication. Quite often, those means are weak. There are best practices, such as using key vaults and things like this, but quite often, Tim, we are seeing developers who are making big, big mistakes by not using best practices, and so, therefore, it just becomes human nature. Perhaps 5-10 years down the road, people won’t be making those mistakes anymore, but in the meantime, technology has moved so fast, and yet the means of authentication that are being chosen are some of the weakest possible just because they are easy, and that means it’s gonna be easy for the bad guy, too.

  • Tim Callan

    Right. We are doing things that still go back to the 1980s. How many other things in the world of computing are we doing that still go back to the 1980s? And yeah. And then it’s also just a horrible user experience. You know. You forget passwords. You don’t know what they are. If you get these strong password requirements, they are never the same. So now, I don’t remember on this one. Did I need to use an exclamation point on that one? Am I forbidden from using exclamation points? And then this one is forcing me to change it every 45 days, and so now I don’t know what it was because 45 days have passed and I don’t remember, and it’s just horrible, and it breaks people’s workflow. It causes a terrible user experience. It reduces productivity. It creates support tickets. So, these are all problems that exist with passwords as well.

  • Jason Soroko

    Yeah. So, we came up with multi-factor authentication, right, as an industry?

  • Tim Callan

    Right.

  • Jason Soroko

    And that was great. It added to that user experience, unfortunately. So, not only are you having to deal with that cumbersome password, but now you have to carry around a hard token. You have to carry a smartphone and enter in some codes. You know. Whatever your method of second-factor authentication is.

  • Tim Callan

    God forbid I leave my phone in the Uber. I’m locked out of everything.

  • Jason Soroko

    Yeah. And so, that’s all great. I think MFA was a great idea in reality. The fact of the matter is not all multi-factor authentication is created equal. That’s a whole podcast unto itself.

  • Tim Callan

    Sure.

  • Jason Soroko

    But what I would say is, ok, now let’s talk about the autonomous systems, Tim. Let’s talk about DevOps and IoT, robotic process automation, all those kinds of hot topics that are big, big, big right now. Ok. Something you have, something you know, something you are. Alright, um, something you are for a DevOps container, Tim. Does a DevOps container have eyeballs to use as a biometric?

  • Tim Callan

    Right. Yes. To use my favorite example – no. Absolutely it does not.

  • Jason Soroko

    Right. And I’ve never been able to teach any IoT device how to use an MFA device. So… It really has to come down to something you possess, something you have. And, because that’s all that these things can do. And, in fact, even myself as a user, can’t my laptop with my trusted platform module, with the TPM secure element, just possess a secret that could log in for me? PKI has been around a long time, and these X.509-based certificates, which as a business we are putting into as many places as possible, that’s something that you can possess that is not passed in the clear. It is not easy to steal. All these properties that weak authentication has, PKI flips that on its side and completely makes those things as difficult as possible for the bad guy and makes your authentication mechanism, that user experience, so much better and so much stronger. So, this whole idea that we talked about at the beginning, which is these islands of logic or islands of whatever it happens to be in hostile waters. If every one of these islands can possess the means of authentication so that it can traverse those hostile waters very, very securely, Tim, I think we get a lot closer to the solution.

  • Tim Callan

    Yeah. So, I think it’s very compelling. You think it’s very compelling. Let me ask you this. What are the reasons why? Certainly, a lot of people have embraced PKI for this kind of identity, but obviously it’s not universal. So, what are the reasons why it hasn’t been embraced so far?

  • Jason Soroko

    The reason why static tokens, right, sorry - - symmetric types of shared secrets, which is what a username and password is.

  • Tim Callan

    Right.

  • Jason Soroko

    Shared secrets have always been the go-to mechanism because they are so cheap to provision. Having somebody walk into your corporate office as a visitor, or even as an employee, and handing them a piece of paper that discloses the password for the wi-fi access point, as an example. Well, that’s a shared secret. Right?

  • Tim Callan

    Yeah.

  • Jason Soroko

    That’s a secret that’s known to the piece of paper. It’s known to you now and, in fact, it’s known to probably the whole world, but heck, who cares.

  • Tim Callan

    Yeah, because it’s sitting on the conference table.

  • Jason Soroko

    It’s sitting on the conference table, and it’s sitting on my sticky note now so that I don’t forget it. It’s the weakest form of security possible, but it’s so darn easy, isn’t it, Tim?

  • Tim Callan

    Right. Right.

  • Jason Soroko

    I think the reason why PKI, in terms of all these use cases, never really took over, even though it should have, was because of this problem of provisioning. Getting those certificates into your mobile device, getting them into your laptop, getting them to where they needed to be, getting them into your DevOps container, getting them into your IoT device. I think that was a whole range of technologies that early PKI just wasn’t - - I mean, it was busy just trying to solve the biggest problems. Right?

  • Tim Callan

    Right.

  • Jason Soroko

    PKI is ubiquitous. It has provisioned itself into many, many places, especially those of higher risk – finance, industry, etc. – but in the enterprise-level authentication use cases, certificates did penetrate to a point, but then it dropped off, and it’s because of the problem of provisioning, the cost of provisioning. I think what we’ve seen now, Tim, in the last very small handful of years, is that provisioning technologies and the management of those certificates are now flourishing with this concept of everything having its own identity. As an industry, PKI has had to modernize, and thankfully it has, and I could tell you on a daily basis the number of really cool provisioning technologies that I see to make life easier has really now finally caught up.

  • Tim Callan

    Just in the last couple or three years. Like, literally that recently we’ve seen that aspect of certificate management get much, much better. For sure.

  • Jason Soroko

    That’s been the big change, Tim. So, S/MIME certificates, we had a whole podcast on this, right? The challenge of not only do I have my laptop anymore, but I might have multiple mobile devices and other things in the cloud, perhaps, and I want to - - if I lose my certificate, what do I do? I want to be able to search my emails, but they are encrypted. What do I do? This has all been solved.

  • Tim Callan

    Yeah.

  • Jason Soroko

    For IoT, my goodness, I have different operating systems, real-time operating systems, very constrained devices. How do I provision those things? Well, thankfully, by working in the supply chain, by developing some cool lightweight technologies, we can provision those as well. And for DevOps, they’ve solved that as well with very lightweight CAs. Management, I think, still must catch up, but even we are working on that. So, things have changed, Tim.

  • Tim Callan

    Yeah. And that’s big and, you know, public cloud. Right? SSH case is another need.

  • Jason Soroko

    Yeah. And recently, Tim, I heard you talking about Windows 10 laptops, for example, which have been - - I think since 2016 are now mandated to have a TPM. So, what a great, safe place to put your key material. Things have changed.

  • Tim Callan

    Yeah. Absolutely. I mean, that’s just a perfect example. Once upon a time, the last time I investigated this, I might have said, well, I don’t feel good about these keys being on these laptops because if one of these laptops is stolen out of the trunk of somebody’s car, then somebody could actually take the key off it. And now, no. I feel good. There is a TPM, and I feel good about the fact that in that kind of scenario, that machine is - - all I’ve lost is the value of the machine. Right? So, much better for me to turn around and say I’m gonna use PKI on these devices. Absolutely.

    So, ok. So, and it really is everything, right? I mean, when you talk about PKI, I’m hard-pressed to think of a part of our digital environment, if you will, a component that can’t be secured with PKI. Where identity can’t be established, let me say, with PKI.

  • Jason Soroko

    Yeah, Tim. I would argue, if I’m talking to customers right now in the industrial space, they might point to old devices and go, that’ll never handle an X.509 certificate. And that’s probably true. The fact of the matter, though, is you could probably put that behind a gateway, and guess what, folks? If you take a look at some of the latest guidance coming out of NIST, microsegmentation is part of this concept, and microsegmentation is this whole idea of putting a gateway in front of devices that don’t have these capabilities in order to do things such as control the addressing using means of PKI, controlling the methods of authentication. So, it’s funny; a lot of places where people might point and go, well, PKI can’t fit there. Well, yeah, but if you take the wider scope of microsegmentation and the means to get to that point, you probably can. So, Tim, I think this calls for a series of podcasts. As guidance matures, as we get feedback from customers and people talk to us in feedback to this podcast, we are gonna talk more and more about exactly what you just said – how does PKI fit in those use cases where you don’t even think it does?

  • Tim Callan

    I think you’ve got a good point. Like, every one of these things could be blown up, you know, going into more detail on that itself could be a whole 20-minute discussion right there. So, that’s a good thing. Maybe we should do that.

  • Jason Soroko

    Exactly, Tim. Looking forward to it.

  • Tim Callan

    Alright. Cool. So, maybe that’s a good place to leave it today. As always, thank you, Jay.

  • Jason Soroko

    Thank you, Tim.

  • Tim Callan

    And thank you, Listeners. This has been Root Causes.