Thursday, July 30, 2015

Invisible Identity

Photo source: Michael Shaheen - My Name Was Michael & The Rest Is History
In my previous post, I promised to explain the following:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
If you've been to any of Disney's theme parks recently, you may have noticed they now have something called the MagicBand. It cost them a lot of money. Disney calls it "magic". The technology powering the MagicBand infrastructure was complicated to build, but they've done it and have the increased revenue to show for it. They've also managed to turn what is effectively a security device into a new revenue stream by making people pay for them, including charging a premium for versions that have Disney characters on them.

While it does many things, arguably the key benefit of the MagicBand is in delighting Disney's customers by providing seamless, friction-less, surprising experiences without being creepy. For example, when you walk up to a restaurant, you can be greeted by name. You will then be told to take a seat anywhere. Shortly after, your pre-ordered meal will be brought to you wherever you chose to sit, just like magic. If you understand technology, you can inherently figure out how this might work. But the key in all this is the trust that the consumer places in the company. Without the trust, Disney steps over the "creepy" line.

How does Disney ensure trust? Through security of course. Sure, the brand plays a part, but we've all lost trust in a supposedly trusted brand before because they screwed up their security.

The key pieces of that security? Identity proofing, authentication, access control and privacy, none of which is possible without a functional, secure identity layer.

Conveniently (for me), Ian Glazer recently delivered 2 presentations that go into a little more depth around the points I'd otherwise have to laboriously make:

  1. Stop treating your customers like your employees
  2. Identity is having its TCP/IP Moment
If you have some time, do yourself a favour and follow those links - you might just learn something :)

What Disney has managed to achieve within their closed walls is exactly what every organisation trying to do something with omni-channel and wearables would like to achieve. Disney is a poster child for what is possible through an identity-enabled platform, particularly in bringing value to the business through increased revenue and customer satisfaction. Identity truly is the enabler for Disney's MagicBand.

The reason it works is because no one notices the identity layer. Not every organisation will be able to achieve everything Disney has managed, but even going part of the way is worth the effort. Only by ensuring the identity layer is there, can you really make it invisible.

Until people stop noticing the identity layer, you need to keep working on it. Only then will the business see the full potential and value that identity brings to increasing revenue.

Thursday, May 28, 2015

Identity needs to disappear

Photo source: Paul Chapman - The disappearing machine
In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be on-message, each beating everyone to death with their own version; identity-centric-security, identity-powered-security, identity-defined-security, identity-is-the-perimeter, identity-is-the-foundation, identity-is-the-intelligence, and on and on.

Yeah, we get it. Identity is VERY important. Enough already.

The problem with rolling out the same message for years is that people stop listening. It's like the age-old line in press releases: "the market leader in". Sure, you and every other vendor out there. The market leader. Yeah, right.

Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all broken-record on this means:
  1. We've not been very effective in explaining what we mean. AND/OR
  2. No one gives a crap.
The truth is probably a combination of the two.

From the 10,000 foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth right?"

Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?

We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.

In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud).

Today, we often pull out the data-loss card. But we can do better:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
I'll explain in the next post.

Update: The next post is up.

Monday, September 15, 2014

Hey security managers, go hire some marketing people for your team

This is not a plea for organisations to start actively hiring people away from vendor product marketing teams. But if you want to look for people to point the finger at and explain why you aren't getting the budget required to actually secure your environment, product marketing is a good place to start.

There were 2 key messages attendees should have taken away from the Gartner Security & Risk Management Summit in Sydney a few weeks ago:
  1. Security priorities tend to be set based on the threat du jour and audit findings.
  2. Security teams need to get better at marketing.
Here's the problem:
  1. Sensationalist headlines sell stories, which attracts more advertisers. This means the threat du jour will get the most airtime.
  2. People who hold the keys to budgets read headlines, which perpetuates the problem.
  3. Product marketing teams know this. So, to get more inbound traffic to their websites, the content creation and PR teams craft "stories" and "messages" around the threat du jour.
  4. Publications notice that vendor messages are in line with their stories, which fuels the hype.
It's like how seeing something on fire makes us think about checking whether our insurance covers fire damage. Meanwhile, the front gate's been broken for the past week but we've left it alone because no one's stolen anything from the house yet.

How can an internal marketing campaign driven by the security team help? You won't be able to stop the hype that builds up around the threat du jour. But as an internal team, you should know what the organisation you work for really cares about in business terms. Take audit findings as an example. Rather boring on their own, but translate them into tangible, financial implications for the business and you suddenly have something worth talking about as an overall program instead of a checkbox to tick (which is unfortunately how a lot of internal security budgets get signed off).

As a starting point, take a look at my tongue-in-cheek post about contributed articles. While laced with sarcasm, the structure of my "meaningless contributed article" template works (because it's a structure many are subconsciously used to) if the content holds up. Ensure you have the following points covered:
  • Detail the industry trends that are affecting the organisation.
  • What are independent sources (both internally and externally) saying about them?
  • Why should the business care (don't use technical terms)?
  • Outline some meaningful metrics (an interesting metric does not necessarily mean it's useful - ask yourself if anyone in the organisation will care).
  • What does it mean in financial terms for the business if something is not done?
  • What have other organisations done to solve the problem?
  • What are the steps the organisation you work for needs to take and what are the benefits (again, don't use technical terms)?
The mistake many of us make is in thinking marketing is easy; it's not. And it takes good marketing to sell security internally. Crafting an article can help home in on what really matters and justify budget allocation, which makes it easier to ignore the noise.

Great marketing focuses on what matters by simplifying the messages and communicating the value, be it emotional or financial. This is what most security teams do not know how to do, which is why budgets are not allocated to fix that lock on the front gate. Instead, budgets are spent on fire insurance.

I know this is ironic coming from me as I work for a security vendor. But if security teams hired marketers to communicate the things that matter to an organisation's security instead of the threat du jour, we as an industry will benefit from it.

As an aside, ever notice how many security companies have the word "fire" in their name?

Friday, August 29, 2014

How to spot a meaningless contributed article

What is a contributed article? They're the ones where the author works for a vendor or solution provider and not the publication. In other words, their day job is not as a journalist. I'm speaking from first hand experience as I've written a number for various publications and understand the process.

Contributed articles do not typically involve any form of payment. When they do, reputable publications will disclose this fact. More commonly, they are freely given to a publication based on a brief that was provided. For example, a publication may say they are interested in a contributed article about a new smartphone's features and the implications on digital security. A vendor's marketing and public relations team will then work with a subject matter expert (SME) on crafting such an article for submission. Of course, if the SME isn't really one, then nothing will save the article.

Naturally, the process results in content of varying quality. The worst ones are typically not written by the individual, but ghost-written by someone else (usually without sufficient domain expertise). The vendor spokesperson/SME simply gets the byline. These end up sounding generic and the reader learns nothing.

More commonly, the resulting article is an equal and collaborative effort between everyone involved. While this is marginally better, it still sounds inauthentic, somewhat generic and provides little value. Why? The keyword here is "equal". The SME needs to be the main contributor instead of simply providing their equal share of input.

The best contributed articles are the ones written by someone:
  1. With the necessary domain expertise.
  2. That knows how to write.
  3. That has the time to do it.
  4. Willing to allow an editor/reviewer to run their virtual red pens through it without getting offended.
  5. That is not blatantly trying to sell something.
Unfortunately, contributed articles tend to be mediocre or just terrible and that is a real shame, because there are lots of really smart people that could produce great content (with some help and editing) if they weren't under corporate pressure to be 100% "on message". The art of course, is to be "on message" subtly while still being able to contribute to the conversation in a meaningful way.

So how do you spot a meaningless contributed article? They usually look like this...

Meaningless headline that was put here for click-baiting purposes

You know that issue that's been in the news this week? And that other bit of similar news from last week? Oh, and those other countless ones from the past few months? They're only going to get worse because of buzzword 1, buzzword 2 and buzzword 3. Oh, don't forget about buzzword 4.

That large analyst firm, their biggest competitor and that other one that tries really hard to be heard all agree. Here's some meaningless statistic and a bunch of percentages from these analyst firms that prove what I'm saying in the previous paragraph is right. I'm adding some independent viewpoints here people, so it's not just about what I'm saying, even though it is.

So what to do about all this? You should be really worried about solving the problem you may or may not have had but now that I've pointed it out, you definitely have it. You aren't sure? Well, then listen to this.

Here's an anecdote I may or may not have made up about some organisation that shall remain nameless but is in a relevant industry relating to what I'm trying to sell you, oh wait, that I'm providing advice on because you've got this really big issue that you're trying to solve but just don't know you need to solve it yet but will do once you've read this.

So how do you solve your problem? Well, the company I work for happens to have a solution for this problem that you've now got. I won't be so blatant as to tell you this, but you will no doubt look me or my company up that search engine thing and see what we do and put it all together and then contact our sales team who will then sell it to you so I can get paid.

Here is another anecdote I may or may not have made up about how an organisation has solved the issues I've so clearly laid out for you that can so easily be solved, as shown by this very real (or fictitious, nameless) organisation.

My word-limit is almost up so I'll tell you what I've already told you but just in a slightly different way. In conclusion, you're screwed unless you solve this really generic issue with the silver bullet that organisation x used. So, buy my stuff.
I'm not saying every article with these characteristics is terrible. But very often, the "I have a hammer to sell, so everything is a nail" articles are structured this way. They are generic and leave the reader with the feeling that they just read a bunch of random words. I, for one, stop reading an article when it starts to smell like this.

For the record, I NEVER allowed my articles to be ghost-written, much to the frustration of the people managing the whole process. The problem this introduced was that content could not be churned out as quickly because I became the bottleneck. I wouldn't even agree to have someone else start the article for me. I had to start it from scratch and have final approval on it (once my drafts were run past a set of editors and reviewers of course). This made for more authentic, balanced content while still maintaining some level of being "on message", which kept marketing happy.

Sunday, April 06, 2014

Doing business in Asia: five etiquette tips

I contributed a piece in Australian BRW late last month that had nothing to do with IT Security, but I thought this may be of interest to those of you out there new to doing business with Asia and would like somewhere to start.

It's quite general, but large mainstream publications want content that will appeal to the masses, not niche pieces that few people will care about. So, if you're an expert on Asia, none of what I've written will be new.

Here's a teaser:
"Business etiquette in western countries is similar enough that we get away with most things. The little quirks are normally overlooked or forgiven, using the “not from around here” explanation. Asia however, is a slightly different animal."
Check out the full article on BRW. 

Monday, March 17, 2014

RSA Conference 2014 redux

If you follow me on Twitter, you probably noticed a heightened volume of Tweets from me during the RSA Conference in San Francisco. It was great catching up with many of you based stateside that I rarely get to see in person. I was also fortunate enough to be allowed to attend sessions and live-Tweeted the ones that were interesting. Therefore, I'm not going to regurgitate/organise my Tweets into thoughts here. I will however, highlight a few key points that I felt were important.

NSA, NSA, Snowden, NSA

This was an RSA conference where everyone was talking about the NSA. First, there were the well-publicised boycotts from speakers. Then came the competing conference. Then there were the protesters. RSA Chairman Art Coviello opened the conference and addressed it up front (right after William Shatner's song and dance). Stephen Colbert closed the conference with an NSA-heavy keynote (incidentally, he was hilarious). And in a show of courage or stupidity depending on your perspective, the NSA even had a booth on the expo floor.

There were many stories written about this during the conference, so just use your search engine of choice. But if you don't feel like searching, check out the New York Times' Nicole Perlroth and her blog post detailing some of the NSA-focused activities. My Tweet stream was also relatively NSA-heavy, so go check that out too.

Damage control

There were many US Government speakers from various departments and they all had one thing in common: they were in damage control mode. Essentially, it boiled down to these points:

  1. We assumed everyone knew we do the whole electronic surveillance thing. We didn't know it would be such a big deal and we're sorry, but we have to do it. And by the way, better it be the US Government than some foreign hostile nation. They're all just pissed that we're so much better at it than everyone else.
  2. We must work on collecting only what we need instead of absolutely everything. But if you've ever tried to do this, you know it's easier to collect everything instead of being selective.
  3. We, the US Government, want to work more closely and cooperatively with US companies on making the Internet, technology and the real world safer for all.


How do we make life more difficult for governments to spy on us? Encryption. Sure, governments have quantum computers working at cracking encryption measures, but they really don't like having to do it. It was a topic of discussion during the cryptographer's panel and made in relation to the NSA. Bruce Schneier has mentioned it on many occasions and reiterated his sentiments during his session at the conference.

I said it in my IT security predictions for 2014 and I've mentioned it on television.
Start with encryption. It won't fix all your security issues, but it's a good start and a good countermeasure for issues beyond the NSA and government spying.

Privileged user controls

Despite Snowden being the poster child for how much damage privileged users can do, there wasn't a great deal of noise about privileged user controls (compared to the NSA and government spying), except in sessions relating to industrial control systems. In every session I attended where industrial control systems were a topic of interest, privileged users came up as a primary focus area. Often, industrial control systems are tied to user directories (usually Active Directory) and most attacks simply aim to compromise an account within the directory. Once an account is compromised, the attacker escalates privileges until they have sufficient access. In other words, the more "administrative" the account, the quicker the compromise. In short, at the very least, organisations must secure and monitor privileged accounts in directories and operating systems.

Internet of Things (IoT)

You didn't need to attend the conference to know IoT is big in 2014. While I don't believe many are doing anything in terms of IoT, I don't discount the fact everyone wants to talk about it. It became clear in listening to some IoT-focused sessions that the biggest challenge in securing the IoT at the moment lies with the ignorance and complacency in the manufacturing process, particularly with device manufacturers.

Far too many do not implement (or care about) basic security practices in delivering a product. Many use default settings, which are often insecure. In addition, they often reuse the same insecure software components in updated versions. Beyond this, there is difficulty patching existing devices, particularly in trying to figure out how to do this without user intervention. We can't even get this right for existing computing devices. How are we expected to get it right for devices with in-built computers most are not aware of and cannot access easily through a usable interface? This is why it's relatively easy to hack cars.

Wednesday, March 12, 2014

Australia's new Privacy Principles - things to consider

Effective today (12th March 2014), Australia's Information Privacy Principles and National Privacy Principles will be replaced by 13 Australian Privacy Principles (APPs). Here are the important points to note:

  • Applies to all organisations that turn over more than $3 million per year and collect personal data.
  • Fines up to $1.7 million for breaches.
  • Organisations must be transparent about how they collect, use and store personal data.
  • Organisations cannot collect data “just in case they need it”.
  • If personal data is disclosed to a 3rd party, the organisation disclosing the data is responsible for ensuring the 3rd party understands their obligation and that the consumer knows about the disclosure.
This effectively gives the Office of the Australian Information Commissioner (OAIC) teeth as the fines are now significant when compared to previous legislation. For example, Australian Telecommunications giant Telstra has only been fined a measly $10,200 AUD for their recent violation.

Mindful collection and sharing

The days of "we'll ask for the information in case we need it" are gone. Organisations need to think about what they really need to achieve the task at hand and collect only what they need. As consumers, we should be able to sign up for online services in a shorter amount of time instead of frustratingly getting stuck on a submission form which constantly complains we haven't filled in certain fields.

Marketing programs and processes need to be reviewed to ensure personal data is not being inappropriately shared with 3rd parties. Many companies lose track of how information flows and lack visibility into, and understanding of, how this sharing is done, sometimes through no fault of their own. The number of technology integration points involved is challenging, but as privacy is now tied to financial penalties, this is a huge risk to businesses and should be addressed urgently through the involvement of IT departments and potentially external assistance.

If information is justifiably shared outside of the organisation, the organisation will need to have the ability to determine if an overseas 3rd party it is disclosing personal information to also complies with the privacy act. This is a function many organisations will not have and will need to be included as part of their risk management program.

Personal information

In all things privacy-related, things tend to be up for debate, none more so than the term "personal information". The safest way for organisations to tackle this ambiguity is to assume data can be tied together from various sources, even when not immediately obvious as to how, to form context that can be tied to an individual. For example, an IP address is a potential identifier of an individual when combined with information from the relevant Internet service provider.

Personal data can also be stored in unexpected locations that organisations may be unaware of, the most obvious being application logs. IT departments need to perform an internal audit of the information applications use and ensure they are not subject to inadvertent personal data leakage through logs as a result of log file settings.
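As an added illustration of the two points above (an IP address as a potential identifier, and personal data leaking into application logs), here is a small log audit script. It is example code written for this post, not something the OAIC or any vendor publishes; the patterns, the identifier types it looks for and the sample log lines are all constructed for the example and are not an exhaustive catalogue of what counts as personal information.

```python
import re

# Identifier patterns that commonly leak into application logs.
# Constructed for this example; extend to match your own data inventory.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # Australian mobile numbers in the common 04xx xxx xxx form (spaces/dashes optional).
    "au_mobile": re.compile(r"\b04\d{2}[ -]?\d{3}[ -]?\d{3}\b"),
}


def scan_line(line):
    """Return a list of (kind, value) for every identifier found in one log line."""
    findings = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(line):
            findings.append((kind, match.group(0)))
    return findings


def redact_line(line):
    """Replace each identifier with a type tag so the line stays useful for debugging."""
    for kind, pattern in PII_PATTERNS.items():
        line = pattern.sub(f"<{kind}>", line)
    return line


def audit_log(lines):
    """Scan log lines; return a count per identifier kind and the redacted lines."""
    counts = {kind: 0 for kind in PII_PATTERNS}
    redacted = []
    for line in lines:
        for kind, _ in scan_line(line):
            counts[kind] += 1
        redacted.append(redact_line(line))
    return counts, redacted


# Constructed sample log lines, the kind a web application writes at DEBUG level.
SAMPLE_LOG = [
    "2014-03-12 09:14:02 INFO  login ok user=jane.doe@example.com from 203.0.113.45",
    "2014-03-12 09:14:05 DEBUG form payload: {'mobile': '0412 345 678', 'plan': 'gold'}",
    "2014-03-12 09:14:07 INFO  cache warm for tenant=42 took 13ms",
]

if __name__ == "__main__":
    counts, redacted = audit_log(SAMPLE_LOG)
    print(counts)
    for line in redacted:
        print(line)
```

The scan is what an internal audit would run across existing log archives to find out which applications are writing identifiers; the redaction shows the cheaper fix of tagging the field type rather than the value, which keeps the log usable for troubleshooting without storing the personal data. Logging frameworks generally allow this kind of filter to be applied at write time, which is preferable to cleaning up after the fact.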

There is also additional administrative overhead in dealing with personal information and its access. The right technologies and a properly implemented reliance on external information providers can help. For example, power can be given to individuals to have complete control over the information stored about them through self-service portals. In addition, there may not be a need to store certain pieces of information. Standards exist (e.g. pick your favourite federated identity standard) that allow a relying party requiring information about an individual to ask for it from an identity (or attribute) provider and use it in flight without having to store the information on disk.

Beyond the more mature federated identity standards, there are emerging ones such as User Managed Access (UMA) that place more power in the hands of consumers (i.e. the rightful owners of the data). While not yet supported in many technology stacks, the concepts are sound and organisations would do well to adopt the thinking behind what UMA is attempting to achieve in the longer run.


Australian organisations need to treat personal data like they would financial information. For example, there is a raft of measures dictated by the PCI-DSS standard regarding the storage and usage of credit card numbers. While the number of credit card data breaches has proven PCI-DSS alone does not prevent breaches, existing data protection standards are a good start for organisations struggling to deal with the implications of the new privacy principles. Organisations would do well to adopt many of the same measures dictated by security standards in protecting personal data as a start. As they understand the requirements and data flows over time, more sophisticated security and access management measures can be implemented to round out an evolving security program.