Security and Trust

July 23, 2013
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

Given front-page preoccupation with privacy and trust, this is a good time to look at the relationship between cyber security and cyber trust. Each is a key component of the other, and each deserves to be understood in order to assure a secure and protected system.

Broadly defined, cyber security comprises a body of behaviors and implementations whose goal is to protect the enterprise and its digital resources – including content – from harm.

These days, enterprise firewalls do a fair job of excluding known threats. Your network devices have had their default passwords reset to something more than “password” and all software security patches are applied in a timely fashion. You require staff to take an annual refresher in proper online security, such as never opening attachments from senders they don’t know and never disclosing personal information online. Passwords are changed every ninety days. Your CISO may have deployed network sniffers to search for more advanced threats and behaviors (e.g., employees logging into websites of questionable reputation, or downloading files from dubious sites at home and transferring them to the office computer on an unprotected thumb drive). On the surface it might appear that the enterprise is secured. But deep down, the enterprise will still be at risk from a variety of threats, not least its own trusted employees.

Cyber trust is a category of cyber security. It’s the ability to trust that the user accessing your systems online is authorized to do so. It’s also the knowledge that certain sites outside your domain can be trusted. Accomplishing these levels of trust requires credentialing and authenticating users seeking access to your systems. Credentialing and authenticating are separate functions. If your enterprise can be accessed by external users who are credentialed and authenticated by third parties, it’s essential to require that the vetting and credentialing practices of the third parties — and the appropriate handling of personally identifiable information – are acceptable to the enterprise.

Perhaps the greatest overlap between cyber trust and cyber security occurs in the issuance, management and revocation of credentials. Among others, the credential-management targets that cyber security must protect include: how the proofed identity assertion is sent to the credential issuing service; how the device issuing the credential is protected from hacking or other disruption; how the personnel managing the operation are themselves vetted; and how the credential is transferred to the subscriber.

All of these issues become more complicated when factoring for anonymity, which exists in two forms — trustworthy and untrustworthy. Use of trustworthy anonymous credentials – those vouched for by a trusted entity — increases cyber risk by adding another element that the cyber security strategies must address. These assertions have a place in the ecosystem but not in e-commerce or e-government domains.

Cyber security and cyber trust are separate yet intertwined enterprise issues. They remind me of the M.C. Escher print where the white fish turn into black fish as foreground and background merge and separate.



April 3, 2013
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

The eCommerce and eGov Services cyber-world currently uses two models for secure trusted transactions. One, the credential model, presumes a user holding one or more credentials of varying degrees of trustworthiness, who uses an appropriate credential to log on to a web, telnet or other online application. In the social media world, it’s the Google or Facebook userID/password pair. In the eGov world, it’s the SAFE-BioPharma-compliant digital certificate. The online app (or its proxy) receives the credential, validates it, and then grants the user access.

The other, the transaction model, looks pretty much the same to the user: the user logs on to the app, but instead of validating the credential, the app starts a series of tests and challenges. Banks tend to use other, more robust methods to ensure that users logging on to their portals are who they claim to be. Credential? They hardly need one, and they certainly don’t rely much on the trustworthiness of the actual credential.

It’s worth looking at how trust is determined in each model. In the credential model, the credential carries the trust, and its trustworthiness comes from the credential issuer. In the transaction model, the extent to which users are deemed to be who they say they are depends on factors and tests that the application applies. In other words, the app makes the decision.

The credential model allows the trust and data contained in the credential to be used by many apps at many sites. The transaction model allows each app to determine trust and reliability each time the user goes to a different app.

In the credential model, the cost of assigning trust and aggregating attributes is borne by the issuer, once (and passed along to one customer or another). In the transaction model, the cost is borne repeatedly by each app. Finally, in the credential model, all the apps must trust the credential issuer at least as much as they trust the credential user, while in the transaction model the app must take responsibility for that trust by creating and managing its own trust architecture.
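
Both decision paths in code, as an added example that is not from the post or from SAFE-BioPharma: a relying party that validates a credential against a registry of issuers it has chosen to trust (credential model), beside one that scores each session from signals it gathers itself and escalates to a challenge when the score is unconvincing (transaction model). The issuer names, keys, assurance levels and risk weights are assumptions made for the illustration, and an HMAC stands in for the issuer's signature so the example runs on the standard library alone. The issuer-registry check is also where the requirement from the Security and Trust post above, that third-party vetting practices be acceptable to the enterprise, lands in code: the app records the assurance level at which it accepted each issuer and refuses credentials from issuers below what the app needs.

```python
"""Two relying-party decision paths: credential model vs. transaction model.

Added illustration, not code from the post. Issuer names, keys, assurance
levels and the risk weights below are all invented for the example.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# --- Credential model ------------------------------------------------------
# The relying party keeps a registry of issuers it has decided to trust, with
# the key it uses to verify that issuer's assertions and the assurance level
# (loa) at which it accepted the issuer's vetting practices. HMAC stands in
# for the issuer's signature here; a PKI deployment would verify an X.509
# certificate chain instead (assumption made to keep the example stdlib-only).
TRUSTED_ISSUERS = {
    "issuer-a.example": {"key": b"issuer-a-secret", "loa": 3},
    "issuer-b.example": {"key": b"issuer-b-secret", "loa": 1},
}


def issue_credential(issuer, subject, key, ttl=3600, now=None):
    """What an issuer does once: bind a vetted subject to a signed, expiring assertion."""
    now = int(time.time()) if now is None else now
    body = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def validate_credential(cred, required_loa, now=None):
    """What the app does: check issuer, signature, expiry and assurance level.

    The app never re-proves who the user is; it decides only whether it trusts
    the issuer who did. Returns (True, subject) or (False, reason).
    """
    now = int(time.time()) if now is None else now
    try:
        body = json.loads(cred["payload"])
        issuer_id = body["iss"]
        exp = int(body["exp"])
        subject = body["sub"]
    except (KeyError, TypeError, ValueError):
        return False, "malformed credential"
    issuer = TRUSTED_ISSUERS.get(issuer_id)
    if issuer is None:
        return False, "untrusted issuer"
    expected = hmac.new(issuer["key"], cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cred.get("sig", ""))):
        return False, "bad signature"  # tampered payload or wrong issuer key
    if exp <= now:
        return False, "expired"
    if issuer["loa"] < required_loa:
        return False, "issuer assurance too low for this app"
    return True, subject


# --- Transaction model -----------------------------------------------------
# No credential is trusted; the app scores each session from signals it
# collects itself and decides whether to allow, step up, or deny.
@dataclass
class TransactionContext:
    user: str
    device_known: bool
    ip_country: str
    home_country: str
    amount: float
    logins_last_hour: int


def transaction_risk(ctx):
    """Additive risk score; the weights are illustrative, not from the post."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.ip_country != ctx.home_country:
        score += 25
    if ctx.amount > 1000:
        score += 20
    if ctx.logins_last_hour > 5:
        score += 25
    return score


def transaction_decision(ctx, challenge_passed=False):
    """Low risk: allow. Medium: require a step-up challenge. High: deny."""
    score = transaction_risk(ctx)
    if score < 30:
        return "allow"
    if score < 70:
        return "allow" if challenge_passed else "challenge"
    return "deny"


if __name__ == "__main__":
    cred = issue_credential("issuer-a.example", "alice", b"issuer-a-secret", now=1_000)
    print(validate_credential(cred, required_loa=2, now=1_500))
    ctx = TransactionContext("alice", device_known=False, ip_country="FR",
                             home_country="US", amount=50.0, logins_last_hour=1)
    print(transaction_decision(ctx))
```

Notice where the trust decision lives in each half: `validate_credential` contains no knowledge of the user at all, only of issuers, which is why one credential can serve many apps; `transaction_decision` knows nothing about issuers and has to be tuned, fed with signals and maintained by every app that uses it.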

At some point, the app owner needs to make an informed decision on where to spend scarce resources: running a trust infrastructure for each online app, or trusting credentials that carry high assurance everywhere. Unless what’s in the app can threaten world destruction, the answer for the business should be clear. A dollar or euro saved in the trust phase is free money.

How Cheap is Cheap?

January 5, 2013
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

I’d like to talk about a dirty little secret in the cyber world: most system owners/operators want to do authentication and signing on the cheap. Fact is, the userID/password model in use since generation 1 of the computing lifetime is viewed by many of the online services as sufficient to their needs, while improved identity management for authentication is considered by these same managers as overly complex and expensive. Furthermore, most of the systems managers say they’ve never been attacked and don’t think they’re likely to be attacked.

There’s no arguing with the fact that the userID/password implementation is less expensive and simpler than implementing a high assurance trusted credentialing solution for authentication and signing. That said, there is a substantial hidden or overlooked cost for maintaining this rudimentary solution. The operational cost of managing a database of userIDs and passwords is buried in the overall cost of maintaining the system that houses it, but it’s real enough. As is the cost of helpdesk support (human or automated). Additionally, the risk of attack is real, and the probability of attack is getting greater, not smaller. Still, it’s hard to quantify the cost of the risk at budget time when the manager is going up against the rising cost of everything from electricity to toilet paper.

Risk calculations are part of the toolset of the cybersecurity folks, and higher assurance credentialing is one of the mitigating technologies they can deploy. But cybersecurity folks get very little respect at budget time themselves. So the usual model finds the IdM guy and the cybersecurity guy fighting over the crumbs left on the table. But I digress.

As governmental services, including the workflows of the regulatory agencies, move online, the risk assessment math changes. The formula stays pretty much the same but the numbers change. The cost of a breach rises steeply. The fines for privacy breaches are just the beginning. There’s loss of credibility among customers and business partners, opportunities for competitors to steal the cheese, and the negative effects on other project budget lines when the victim is forced to spend unbudgeted funds on security consultants, repair services and new software tools to address the damage. On top of all of that, the new security practices disrupt most of the workflows in the victim’s business processes.

So what’s the cost of all this to the firm? Until the spit hits the fan, nobody wants to know. But it’s a good bet that one of the costs is the head of the underfunded cybersecurity guy, who gets to be the corporate scapegoat. In the TV drama world, he or she would find happiness in a new career selling toilet paper to industry at a higher income. In the real world, things aren’t so happy.

Report from the Attribute Management Vortex: How Things are Currently Swirling

September 9, 2012
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

Authentication? A Done Deal: Contrary to some of the wheel-reinventing heard around the rooms at the recent Identity Ecosystem Steering Group kickoff meeting in Rosemont, electronic authentication was solved about four years ago. The InCommon-NIH “Tao of Attributes” workshop officially signaled that the new frontier was attribute management in all its fuzzy dimensions. Often overlooked by the Usual Suspects (of which I am one) has been the banking and online retail industries’ highly successful use of non-credential-based, sort-of-two-factor transactional trust models for authenticating users to online services. Another sign that the authentication problem has been successfully resolved is the plethora of proposed International Standards efforts in this area. To the extent that the Identity Ecosystem Steering Group eschews standards-setting and drives for implementations, we will be able to gauge its potential for success. But I digress…

A Fun Time for the Meeting Addicted: The current frontier, on which the Usual Suspects have been laboring like Dr. Frankenstein on his Creature, is how to authorize user access to relying parties without the messy involvement of carbon-based life forms. To do this, we are harkening back to a process addressed by NIST years ago, which they called Role-Based Access Control. Of course, since everything old is new so long as its name is changed, we’re not calling this effort Son of RBAC, we’re talking XACML or metadata profiles or Rex the Wonder Dog. Nonetheless, it’s all the same: how to format an attribute, how to exchange it, how to know how to trust it, how to know who to trust for an attribute and finally, how to make calculated, real-time authorization decisions that will stand up to appropriate risk management review. My last count shows there are four “community of interest” working groups chewing on this piece of rawhide: one OIX work group, two FICAM work groups and at least one Internet2/InCommon group. Kantara is debating starting up yet another one and is likely to do so. And this count doesn’t even include agency-internal initiatives related to health IT and whatever the telecom industry, the SmartGrid folks, and their regulatory colleagues are talking about to themselves. Oh, it’s a Fun Time for those addicted to meetings.

The Rush to be Second: Nobody questions the need to bring attribute assertions and attribute management into play to further e-services and e-commerce. Nobody who’s part of the discussion pileup questions the ROI for deploying authentication and attribute management services, but the business operators who run those services, both in the private sector and in the government sector, are generally less than enthusiastic. Why, even when a positive ROI can be demonstrated? First of all, most (not all) of the business operators don’t believe the analyses. They see two things only: first, the burden of jumping into the unknown and changing business processes with the usual attendant risks, including substantial upfront costs; second, this stuff is pretty arcane to the average business operator, especially one who’s still struggling to understand online risk assessments and risk mitigation, identity management and electronic authentication. That said, these folks are generally willing to be third in line to adopt, so long as they can see at least two comparably-sized implementations, sniff them, examine their books and get the nod from senior management.

Silly Season…Again: This is where federal agencies can have the most impact, as what the National Strategy calls “early adopters.” A few are out there, but it isn’t more than a handful, and some of those are huddled in a self-made silo. Mostly, agencies are ignoring Office of Management and Budget direction and hoarding their cash against possible Congressional sequestration in January. Agency managers are also waiting to see what the outcome of the November elections will be before doing anything more than keeping the motors idling. For those not familiar with the Washington, DC, climate, this is the Season of Paralysis. It happens every four years about this time, which by itself is a good reason why the private sector needs to offer up “early adopters” instead of waiting for government.
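
The list of open questions in that paragraph (formatting an attribute, exchanging it, deciding whether to trust it, deciding whom to trust for it, and making a real-time authorization decision) is easier to reason about with a concrete shape in front of you. The following is an added example, not code from the post or from any of the working groups it names: a relying party receives a bag of attribute assertions, keeps only those made by a provider it has recorded as authoritative for that particular attribute and that are fresh enough, and then evaluates a policy over what is left. The provider names, attribute names, policies and freshness window are invented for the illustration.

```python
"""Attribute assertions and an authorization decision that depends on who
asserted each attribute. Added illustration, not code from the post; the
provider names, attribute names, policies and freshness window are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeAssertion:
    """One attribute as exchanged between an attribute provider and a relying party."""
    issuer: str      # attribute provider that made the assertion
    name: str
    value: str
    issued_at: int   # unix seconds; the relying party decides how stale is too stale


# Which provider the relying party trusts for which attribute. An assertion
# from a provider that is not authoritative for that attribute is ignored even
# if the provider is otherwise trusted: HR may say you are employed, but only
# the licensing board may say you are licensed.
AUTHORITATIVE_FOR = {
    "hr.example": {"employee_status", "department"},
    "board.example": {"license_status"},
}

MAX_AGE_SECONDS = 24 * 3600

# Policy: every (attribute, value) pair must be satisfied by a trusted, fresh assertion.
POLICIES = {
    "prescribe": [("employee_status", "active"), ("license_status", "active")],
    "view_roster": [("employee_status", "active")],
}


def trusted_attributes(assertions, now):
    """Reduce a bag of assertions to {name: value}, keeping only the ones the
    relying party may rely on. Also returns why each rejected assertion was
    dropped, so the decision can be reviewed after the fact."""
    kept, dropped = {}, []
    for a in assertions:
        if a.name not in AUTHORITATIVE_FOR.get(a.issuer, set()):
            dropped.append((a, "issuer not authoritative for attribute"))
            continue
        if now - a.issued_at > MAX_AGE_SECONDS:
            dropped.append((a, "stale"))
            continue
        if a.name in kept and kept[a.name] != a.value:
            dropped.append((a, "conflicts with earlier trusted assertion"))
            continue
        kept[a.name] = a.value
    return kept, dropped


def authorize(action, assertions, now):
    """Real-time decision: ("permit" | "deny", reason)."""
    policy = POLICIES.get(action)
    if policy is None:
        return "deny", "no policy for action"
    attrs, _dropped = trusted_attributes(assertions, now)
    for name, required in policy:
        if attrs.get(name) != required:
            return "deny", f"{name} not asserted as {required!r} by a trusted provider"
    return "permit", "all required attributes satisfied"


if __name__ == "__main__":
    now = 1_700_000_000
    bag = [
        AttributeAssertion("hr.example", "employee_status", "active", now - 60),
        AttributeAssertion("board.example", "license_status", "active", now - 3600),
    ]
    print(authorize("prescribe", bag, now))
```

The part that usually goes wrong in practice is `AUTHORITATIVE_FOR`: it is easy to build a system that checks whether an assertion is signed and forgets to check whether the signer is the right party to make that particular claim. Keeping the dropped list, with a reason per assertion, is what lets the decision stand up to the risk management review the post mentions.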

That said, some important government initiatives in this space continue to make themselves felt.  More about some of this next time.
